Overview

overview

10

Static

static

10

CrxckrInstaller.exe

windows10-1703-x64

10

Analysis

  • max time kernel
    89s
  • max time network
    84s
  • platform
    windows10-1703_x64
  • resource
    win10-20240221-en
  • resource tags

    arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
  • submitted
    01-03-2024 19:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    CrxckrInstaller.exe

  • Size

    296KB

  • MD5

    dc1210b8ce592d38a6e6bbaac8d3f64c

  • SHA1

    8b6ad187ee837db5e924a972943355ed1c82cb7d

  • SHA256

    63a623df9e58f6705946b5473ab20fdad8dcdd93800b7ca8351fae0bf5c635ce

  • SHA512

    c07c5f4543eb59282333f19c29b6eaaa76f003cb38da03969b7d73b0755619150d0d2b0b5c4bfdd045806e6cf54652ee10262b6aa465bc95b65735cce5ef176d

  • SSDEEP

    6144:NloZM+rIkd8g+EtXHkv/iD4Ev9KiAfboixUyzzqtmb8e1mhi:PoZtL+EP8Ev9KiAfboixUyzzqov

Score
10/10
umbralstealer

Malware Config

Signatures

  • Detect Umbral payload 1 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Drops file in Windows directory 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 29 IoCs
  • Suspicious use of SendNotifyMessage 29 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\CrxckrInstaller.exe
    "C:\Users\Admin\AppData\Local\Temp\CrxckrInstaller.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4536
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3432
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:2332
    • C:\Users\Admin\AppData\Local\Temp\CrxckrInstaller.exe
      "C:\Users\Admin\AppData\Local\Temp\CrxckrInstaller.exe"
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:704
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:820
    • C:\Users\Admin\AppData\Local\Temp\CrxckrInstaller.exe
      "C:\Users\Admin\AppData\Local\Temp\CrxckrInstaller.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:592
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        2⤵
          PID:1856
      • C:\Users\Admin\AppData\Local\Temp\CrxckrInstaller.exe
        "C:\Users\Admin\AppData\Local\Temp\CrxckrInstaller.exe"
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:2192
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" csproduct get uuid
          2⤵
            PID:2800
        • C:\Windows\system32\taskmgr.exe
          "C:\Windows\system32\taskmgr.exe" /7
          1⤵
          • Drops file in Windows directory
          • Checks SCSI registry key(s)
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:212

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\CrxckrInstaller.exe.log
          Filesize

          1KB

          MD5

          53ea0a2251276ba7ae39b07e6116d841

          SHA1

          5f591af152d71b2f04dfc3353a1c96fd4153117d

          SHA256

          3f7b0412c182cbdefb3eedafe30233d209d734b1087234ac15409636006b3302

          SHA512

          cf63abfe61389f241755eef4b8ed0f41701568b79d1263e885f8989ce3eca6bf9f8d5805b4cc7304aaaa5c7e14122b0d15bd9948e47108107bbb7219fd498306

          Download Submit

        • memory/592-10-0x00007FFE0EDB0000-0x00007FFE0F79C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/592-9-0x00000270EEBF0000-0x00000270EEC00000-memory.dmp

          Filesize

          64KB

          Download

        • memory/592-8-0x00007FFE0EDB0000-0x00007FFE0F79C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/704-7-0x00007FFE0EDB0000-0x00007FFE0F79C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/704-6-0x00007FFE0EDB0000-0x00007FFE0F79C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2192-11-0x00007FFE0EDB0000-0x00007FFE0F79C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2192-12-0x00000184FCBF0000-0x00000184FCC00000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2192-13-0x00007FFE0EDB0000-0x00007FFE0F79C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/4536-0-0x000002C58CB60000-0x000002C58CBB0000-memory.dmp

          Filesize

          320KB

          Download

        • memory/4536-4-0x00007FFE1F300000-0x00007FFE1FCEC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/4536-2-0x000002C5A7160000-0x000002C5A7170000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4536-1-0x00007FFE1F300000-0x00007FFE1FCEC000-memory.dmp

          Filesize

          9.9MB

          Download