Analysis

  • max time kernel
    131s
  • max time network
    140s
  • platform
    windows10-1703_x64
  • resource
    win10-20240221-en
  • resource tags

    arch:x64
    arch:x86
    image:win10-20240221-en
    locale:en-us
    os:windows10-1703-x64
    system
  • submitted
    29-02-2024 14:59

General

  • Target

    Impact.exe

  • Size

    6.3MB

  • MD5

    5016a909cca6b4aa3be2ca91413d6ab9

  • SHA1

    de7c31eb75b193b814f06644683ae5d577318414

  • SHA256

    dbe484df5c3d55bed8b6a40b64ca3a1795d2c8aca6205608d21d5472ade4165e

  • SHA512

    086d0df5d5b24609d4948bfacac11bfa1b89393cf754807af8fc28d79835b506e3969e2859edf3fd2c3cb764ea5efb32857f1efbf35400d39efa05e8713b9e2c

  • SSDEEP

    98304:IB38757d1xzB92ETr/SG/e6ML0kySVPziZ42xBTBcSn7JNXjEFsZg53B:Gs7D1xH3/SG/KL0fSNmZ9xhBj7zzes6X

Score
10/10

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1212027959540457552/KZYDUhyrYD0YKoaYSriiRB70eS31tcZwPEG7XxhVIMPDkD1TJ9jRjQvtazcExm8q18DW
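The C2 entry above is a Discord webhook, which is how Umbral exfiltrates: the numeric path segment is a Discord snowflake, so its upper 42 bits give the time the attacker created the webhook without touching Discord at all. The following is an added example, not part of the Triage report or of the Umbral code base. It pulls webhook URLs out of a file image, scanning both the raw bytes and the UTF-16LE views a .NET assembly's string heap needs, de-duplicates them, and decodes the snowflake. The Discord epoch constant (2015-01-01T00:00:00Z) and the URL shape are documented by Discord; the sample blob is constructed here from the webhook in this report, and the `ptb.`/`canary.`/`discordapp.com` host variants are accepted as an assumption about other builds.

```python
import re
from datetime import datetime, timezone

# Discord's snowflake epoch, 2015-01-01T00:00:00Z, in milliseconds (a documented Discord constant).
DISCORD_EPOCH_MS = 1420070400000

# https://discord.com/api/webhooks/<snowflake id>/<token>; the id is numeric and the
# token a run of URL-safe characters. Legacy/test hosts are accepted as an assumption.
WEBHOOK_RE = re.compile(
    r"https://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/(\d{17,20})/([A-Za-z0-9_\-]{30,})"
)


def snowflake_created(snowflake: int) -> datetime:
    """The top 42 bits of a snowflake are milliseconds since the Discord epoch,
    so the webhook id alone tells you when the webhook was created."""
    ms = (snowflake >> 22) + DISCORD_EPOCH_MS
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def _views(blob: bytes):
    # .NET assemblies keep user strings (the #US heap) as UTF-16LE, while strings in
    # native sections or dropped scripts are usually ASCII; scan every view.
    yield blob.decode("latin-1")                          # byte-for-byte view, catches ASCII
    yield blob.decode("utf-16-le", errors="ignore")       # wide strings at even offsets
    yield blob[1:].decode("utf-16-le", errors="ignore")   # wide strings at odd offsets


def extract_webhooks(blob: bytes) -> list:
    """Return de-duplicated webhook IOCs found in a file image."""
    results, seen = [], set()
    for text in _views(blob):
        for m in WEBHOOK_RE.finditer(text):
            url = m.group(0)
            if url in seen:
                continue
            seen.add(url)
            wid = int(m.group(1))
            results.append({
                "url": url,
                "webhook_id": wid,
                "token": m.group(2),
                "created_utc": snowflake_created(wid),
            })
    return results


# Constructed sample: the webhook from this report, embedded once as ASCII and once as
# UTF-16LE at an odd offset (as a C# string literal sits in the assembly), amid junk bytes.
WEBHOOK = ("https://discord.com/api/webhooks/1212027959540457552/"
           "KZYDUhyrYD0YKoaYSriiRB70eS31tcZwPEG7XxhVIMPDkD1TJ9jRjQvtazcExm8q18DW")
SAMPLE_BLOB = (b"MZ\x90\x00" + b"\x00" * 16 + WEBHOOK.encode("ascii") + b"\x00" * 8
               + b"\x01\x02" + WEBHOOK.encode("utf-16-le") + b"\x00\x00" + b"\xff" * 8)

if __name__ == "__main__":
    for ioc in extract_webhooks(SAMPLE_BLOB):
        print(ioc["url"])
        print("  webhook id :", ioc["webhook_id"])
        print("  created    :", ioc["created_utc"].isoformat())
```

Run against the real sample, the creation time is what you compare with the submission date to judge how fresh the campaign is; the webhook id and token together are also the identifiers to hand to Discord for takedown.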

Signatures

  • Detect Umbral payload 3 IoCs
  • Umbral

    Umbral stealer is an open-source modular stealer written in C#.

  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of FindShellTrayWindow 35 IoCs
  • Suspicious use of SendNotifyMessage 35 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Impact.exe
    "C:\Users\Admin\AppData\Local\Temp\Impact.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3708
    • C:\Users\Admin\AppData\Local\Temp\Saransk.exe
      "C:\Users\Admin\AppData\Local\Temp\Saransk.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4940
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2892
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /7
    1⤵
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4828
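Two things in this tree are worth turning into detection logic. First, the chain Impact.exe -> Saransk.exe -> wmic.exe, where a binary dropped into %TEMP% runs `wmic csproduct get uuid` to collect the SMBIOS system UUID as a machine identifier; a `csproduct get uuid` alone is common admin activity, but one whose ancestors live in user-writable directories is not. Second, note that the SCSI and processor registry signatures in this report fire on taskmgr.exe (PID 4828), a separate tree root rather than a child of the sample, so the parent-child chain is the stronger signal here. The following is an added example, not part of the Triage report: a detection over constructed process-creation events modelled on this tree plus a benign admin invocation from cmd.exe, with ancestry resolved through parent PIDs.

```python
import re

# Directories an unprivileged user can write to; an executable image under one of
# these is the "dropped EXE" pattern seen with Saransk.exe in this report.
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(?:appdata\\(?:local\\temp|roaming)|downloads)\\", re.IGNORECASE)

# wmic csproduct get uuid: reads the SMBIOS system UUID that stealers use as a HWID.
WMIC_UUID = re.compile(r'wmic(?:\.exe)?"?\s+csproduct\s+get\s+uuid', re.IGNORECASE)

# Constructed events (fields as a Sysmon EID 1 or EDR process-creation record carries them),
# modelled on the process tree above plus a benign wmic run from an interactive cmd.exe.
EVENTS = [
    {"pid": 3708, "ppid": 1000, "image": r"C:\Users\Admin\AppData\Local\Temp\Impact.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Impact.exe"'},
    {"pid": 4940, "ppid": 3708, "image": r"C:\Users\Admin\AppData\Local\Temp\Saransk.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Saransk.exe"'},
    {"pid": 2892, "ppid": 4940, "image": r"C:\Windows\System32\Wbem\wmic.exe",
     "cmdline": r'"wmic.exe" csproduct get uuid'},
    {"pid": 4828, "ppid": 1000, "image": r"C:\Windows\system32\taskmgr.exe",
     "cmdline": r'"C:\Windows\system32\taskmgr.exe" /7'},
    {"pid": 5100, "ppid": 1000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe"'},
    {"pid": 5101, "ppid": 5100, "image": r"C:\Windows\System32\Wbem\wmic.exe",
     "cmdline": r"wmic csproduct get uuid"},
]


def ancestry(pid, by_pid):
    """pid followed by its ancestors, root-most last; stops at an unknown parent or a cycle."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        pid = by_pid[pid]["ppid"]
    return chain


def detect(events):
    """Alert on a HWID-collecting wmic whose ancestry includes a user-writable image."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if not WMIC_UUID.search(e["cmdline"]):
            continue
        chain = ancestry(e["pid"], by_pid)
        dropped = [p for p in chain[1:] if USER_WRITABLE.search(by_pid[p]["image"])]
        if dropped:
            alerts.append({
                "pid": e["pid"],
                "cmdline": e["cmdline"],
                "chain": chain,                   # leaf first, e.g. wmic -> Saransk -> Impact
                "user_writable_ancestors": dropped,
            })
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        names = " <- ".join(
            {e["pid"]: e["image"].rsplit("\\", 1)[-1] for e in EVENTS}[p] for p in a["chain"])
        print(f"PID {a['pid']}: {a['cmdline']}  [{names}]")
```

The ancestry walk is what keeps the benign cmd.exe -> wmic.exe pair quiet while still catching the report's chain even if an intermediate launcher were inserted; in a real pipeline the parent-PID map must be built from events in the same boot session, since PIDs are reused.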

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\Saransk.exe

    Filesize

    231KB

    MD5

    cfff8715abce162a4c2ea732b32976c2

    SHA1

    cd7ae0bc75abb2a311edfdb978be74625cbb956d

    SHA256

    0bd085ac75679b2d2f0f78574916cba674346d581e6f7ff95887220a90f4feef

    SHA512

    05c3868fabbb19f6531b067e9450b5ace162966f0cbe5a5855db4026906e4b86f70c7385fbb2ad704b6ebc04185ec480d28aacdb29bf51561b19ed1573361122

  • memory/3708-5-0x0000000000400000-0x0000000000A54000-memory.dmp

    Filesize

    6.3MB

  • memory/4940-6-0x0000021244A60000-0x0000021244AA0000-memory.dmp

    Filesize

    256KB

  • memory/4940-7-0x00007FFE108C0000-0x00007FFE112AC000-memory.dmp

    Filesize

    9.9MB

  • memory/4940-8-0x000002125EFB0000-0x000002125EFC0000-memory.dmp

    Filesize

    64KB

  • memory/4940-10-0x00007FFE108C0000-0x00007FFE112AC000-memory.dmp

    Filesize

    9.9MB