Overview

overview

10

Static

static

1

HAVOC.rar

windows10-2004-x64

10

HAVOC.rar

windows11-21h2-x64

10

Analysis

  • max time kernel
    114s
  • max time network
    117s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240221-en
  • resource tags

    arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    22-02-2024 14:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    HAVOC.rar

  • Size

    16.8MB

  • MD5

    83252ecd7c7fb9d73666babf11028e88

  • SHA1

    eee5fb070e365b029d25df28f54573dd47e3f4b5

  • SHA256

    6875f12af60ba6a8cdba7d0de127c23eae6c98f981abc66cf5c8b7fc74b83df9

  • SHA512

    3d1ac511af08749508b8edbe5450cb4928d7bd5a86180b323746c4e902c6d2ab064de6020f1d693c7910edd55723cfe52c43275c9a9dfee868abe83fa81d9dc6

  • SSDEEP

    393216:gT3eEuG8i1NQ8nJ8he2jBIkmM968MLs9BPEJvBwgeI5WbVXAXwY3h:59Fi1NlChbVCs9BPEJpT5OXAgY3h

Score
10/10
umbralstealer

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1210097168828862514/qiMfB8pbI0VGmLbCJI5y8HimVnNMcTPgOOb0GXnBUBDvOTpqayQ7-E9CYaH-x55WGvwc

Signatures

  • Detect Umbral payload 2 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\HAVOC.rar
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1588
    • C:\Program Files\7-Zip\7zFM.exe
      "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\HAVOC.rar"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:1856
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:688
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\HAVOC\Havoc-Executor-V2\Havoc-Executor\Havoc-Executor\Havoc-Executor\Read Before Use.txt
      1⤵
        PID:1064
      • C:\Users\Admin\Desktop\HAVOC\Havoc-Executor-V2\Havoc-Executor\Havoc-Executor\Havoc-Executor\Havoc-Executor\Havoc.exe
        "C:\Users\Admin\Desktop\HAVOC\Havoc-Executor-V2\Havoc-Executor\Havoc-Executor\Havoc-Executor\Havoc-Executor\Havoc.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:5016
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" csproduct get uuid
          2⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3460

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\Desktop\HAVOC\Havoc-Executor-V2\Havoc-Executor\Havoc-Executor\Havoc-Executor\Havoc-Executor\Havoc.exe
        Filesize

        392KB

        MD5

        36e9a2e99f37e82fe3e2a364d2fba865

        SHA1

        b09efd3439561f7de7b04d62d6c580c5be3e9b78

        SHA256

        83f5f98bc4c0ba87b31259771f35c5822bca2185d90aae6fc174ba816625f1e0

        SHA512

        da94b2c19995991530b8395ec8fa7d12572bcbaaf94ee290c4d74da36ef91503d057368e0c3de8066a68fdce3ba2bef95b1c821754ab55e0226a6b1de73541dd

        Download Submit

      • C:\Users\Admin\Desktop\HAVOC\Havoc-Executor-V2\Havoc-Executor\Havoc-Executor\Havoc-Executor\Read Before Use.txt
        Filesize

        143B

        MD5

        debdb28ccd7c400149c7d35c03f31a92

        SHA1

        cb2cbc7c1e1c7d9884d53c61b4704b14d185a237

        SHA256

        2b07fc5bdef73b169d8038a11f39912e74e78cfa81b6f69716a0f492b8925ab8

        SHA512

        b9b553672f6490b0cc1ffe39092d60810d21044686769ddf70ca9bbd6c52e4f4539acf22d9b85218284e0588ed2ac5baac82a5b93cf4f84296c1ff3b1f68591e

        Download Submit

      • memory/5016-27-0x0000026527F10000-0x0000026527F78000-memory.dmp

        Filesize

        416KB

        Download

      • memory/5016-28-0x00007FF82F390000-0x00007FF82FE52000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/5016-29-0x00000265424E0000-0x00000265424F0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5016-31-0x00007FF82F390000-0x00007FF82FE52000-memory.dmp

        Filesize

        10.8MB

        Download