Analysis

  • max time kernel
    63s
  • max time network
    64s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-04-2024 23:14

General

  • Target

    mw3loader.exe

  • Size

    229KB

  • MD5

    a31efc937dcb33a570c243ef7be4423f

  • SHA1

    ef838ad887d34664d97f9c0c6e7b728daac897a2

  • SHA256

    801455f1721ad65f4d62e40d9d4d05f5a1b520e569b05a7e8daf1c7be86fac6d

  • SHA512

    0d2552a3af17c9ec4dd17b895a28eeb9a99ec0af3d4826825f04a4358a137c12a45efe213919237c0ec0a80e284578d4eeef0e97b650a4b6b2930ba42ee7b611

  • SSDEEP

    6144:lloZM+rIkd8g+EtXHkv/iD4XGI9ecjfUY1gevPe2jb8e1mnesi:noZtL+EP8XGI9ecjfUY1gevPewX

Score
10/10

Malware Config

Signatures

  • Detect Umbral payload 1 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\mw3loader.exe
    "C:\Users\Admin\AppData\Local\Temp\mw3loader.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4012
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4796
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:3132
    • C:\Users\Admin\AppData\Local\Temp\mw3loader.exe
      "C:\Users\Admin\AppData\Local\Temp\mw3loader.exe"
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:952
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:5072
    • C:\Users\Admin\AppData\Local\Temp\mw3loader.exe
      "C:\Users\Admin\AppData\Local\Temp\mw3loader.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1684
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        2⤵
          PID:2088

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\mw3loader.exe.log

        Filesize

        1KB

        MD5

        8094b248fe3231e48995c2be32aeb08c

        SHA1

        2fe06e000ebec919bf982d033c5d1219c1f916b6

        SHA256

        136c30d964f4abbb5279bdc86d0e00578333782f15f05f0d2d050730dcb7a9bc

        SHA512

        bf27a3822008796370e2c506c910a40992b9240606ea1bc19f683b2fee86b81897660ac0cf8e746ca093dae9e408949e2e9002ded75678a69f020d3b0452801f

      • memory/952-6-0x00007FFBD7910000-0x00007FFBD83D1000-memory.dmp

        Filesize

        10.8MB

      • memory/952-7-0x0000013CC7D30000-0x0000013CC7D40000-memory.dmp

        Filesize

        64KB

      • memory/952-8-0x00007FFBD7910000-0x00007FFBD83D1000-memory.dmp

        Filesize

        10.8MB

      • memory/1684-9-0x00007FFBD7910000-0x00007FFBD83D1000-memory.dmp

        Filesize

        10.8MB

      • memory/1684-10-0x00007FFBD7910000-0x00007FFBD83D1000-memory.dmp

        Filesize

        10.8MB

      • memory/4012-0-0x000001531FD90000-0x000001531FDD0000-memory.dmp

        Filesize

        256KB

      • memory/4012-1-0x00007FFBD9ED0000-0x00007FFBDA991000-memory.dmp

        Filesize

        10.8MB

      • memory/4012-2-0x000001533A3F0000-0x000001533A400000-memory.dmp

        Filesize

        64KB

      • memory/4012-4-0x00007FFBD9ED0000-0x00007FFBDA991000-memory.dmp

        Filesize

        10.8MB