Analysis
max time kernel: 133s
max time network: 132s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 21-04-2024 13:23
Static task: static1
Behavioral task: behavioral1
  Sample: CRACKED-V4 (UPD).exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: CRACKED-V4 (UPD).exe
  Resource: win10v2004-20240226-en
Errors
General
Target: CRACKED-V4 (UPD).exe
Size: 58.1MB
MD5: 2d3eebbf8c1a46b2f8443982b64ec61a
SHA1: 3ed59d3cb1c6c7b91187043a98026de5904f9dd7
SHA256: 1361f85f419e83f50a754cd8ca3d2c974eb60f6733dc634d7b74eb2ec63d418f
SHA512: 8a3ec42aa1de6e31befd9de6ebba448bfc7d6216615c08740db000787f03a92bc31311718a309a1862bb753bcfc7a0c72a02fe2cc1b5752cd7ded82954cf9db7
SSDEEP: 1572864:CRW/tqZfvql5cfSrbpFKCpPI93FvjafI/er3zpAEc34aD:C4/gfvcKSDpuv9eLtANr
Malware Config
Extracted
Family: umbral
Webhook URL: https://discord.com/api/webhooks/1231217325349539862/UF6Bqsegib1o7XkqaC2yU85lBNFVct0_272MJ_fHEZgoE2JpF2ZBlfNBWwPSL0-KJR4z
Signatures

Detect Umbral payload (2 IoCs)
resource | yara_rule
behavioral1/files/0x000d000000014b27-46.dat | family_umbral
behavioral1/memory/2856-251-0x0000000001350000-0x0000000001390000-memory.dmp | family_umbral

Creates new service(s) (1 TTPs)

Drops file in Drivers directory (1 IoCs)
description | ioc | Process
File created | C:\Windows\system32\drivers\etc\hosts | MINER.exe

Stops running service(s) (3 TTPs)

Executes dropped EXE (2 IoCs)
pid | Process
2916 | MINER.exe
2856 | STEALER.exe

Loads dropped DLL (7 IoCs)
pid | Process | count
1420 | CRACKED-V4 (UPD).exe | 2
2744 | taskmgr.exe | 1
1420 | CRACKED-V4 (UPD).exe | 4

Drops file in System32 directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\system32\MRT.exe | MINER.exe

Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 2916 set thread context of 2760 | 2916 | MINER.exe | 47

Drops file in Windows directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\wusa.lock | wusa.exe
File opened for modification | C:\Windows\appcompat\programs\RecentFileCache.bcf | svchost.exe

Launches sc.exe (9 IoCs)
sc.exe is a Windows utility to control services on the system.
pid | Process
2020 | sc.exe
2488 | sc.exe
2612 | sc.exe
2336 | sc.exe
2840 | sc.exe
3000 | sc.exe
2648 | sc.exe
2684 | sc.exe
2664 | sc.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs; the same three processes recur, each listed once here)
pid | Process
2744 | taskmgr.exe
2916 | MINER.exe
2760 | dialer.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
2744 | taskmgr.exe

Suspicious use of AdjustPrivilegeToken (25 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2744 | taskmgr.exe
Token: SeDebugPrivilege | 2760 | dialer.exe
Token: SeDebugPrivilege | 2576 | powershell.exe
Token: SeDebugPrivilege | 2856 | STEALER.exe
Token: SeShutdownPrivilege | 1212 | Explorer.EXE
Token: SeIncreaseQuotaPrivilege | 3048 | wmic.exe
Token: SeSecurityPrivilege | 3048 | wmic.exe
Token: SeTakeOwnershipPrivilege | 3048 | wmic.exe
Token: SeLoadDriverPrivilege | 3048 | wmic.exe
Token: SeSystemProfilePrivilege | 3048 | wmic.exe
Token: SeSystemtimePrivilege | 3048 | wmic.exe
Token: SeProfSingleProcessPrivilege | 3048 | wmic.exe
Token: SeIncBasePriorityPrivilege | 3048 | wmic.exe
Token: SeCreatePagefilePrivilege | 3048 | wmic.exe
Token: SeBackupPrivilege | 3048 | wmic.exe
Token: SeRestorePrivilege | 3048 | wmic.exe
Token: SeShutdownPrivilege | 3048 | wmic.exe
Token: SeDebugPrivilege | 3048 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 3048 | wmic.exe
Token: SeRemoteShutdownPrivilege | 3048 | wmic.exe
Token: SeUndockPrivilege | 3048 | wmic.exe
Token: SeManageVolumePrivilege | 3048 | wmic.exe
Token: 33 | 3048 | wmic.exe
Token: 34 | 3048 | wmic.exe
Token: 35 | 3048 | wmic.exe

Suspicious use of FindShellTrayWindow (64 IoCs; all 64 entries are the same process)
pid | Process
2744 | taskmgr.exe

Suspicious use of SendNotifyMessage (64 IoCs; all 64 entries are the same process)
pid | Process
2744 | taskmgr.exe

Suspicious use of WriteProcessMemory (62 IoCs; identical consecutive rows collapsed into the count column)
description | pid | Process | procid_target | count
PID 1420 wrote to memory of 2916 | 1420 | CRACKED-V4 (UPD).exe | 28 | 4
PID 2736 wrote to memory of 2196 | 2736 | cmd.exe | 38 | 3
PID 2916 wrote to memory of 2760 | 2916 | MINER.exe | 47 | 7
PID 2760 wrote to memory of 436 | 2760 | dialer.exe | 5 | 1
PID 2760 wrote to memory of 480 | 2760 | dialer.exe | 6 | 1
PID 1420 wrote to memory of 2856 | 1420 | CRACKED-V4 (UPD).exe | 58 | 4
PID 2760 wrote to memory of 496 | 2760 | dialer.exe | 7 | 1
PID 436 wrote to memory of 2104 | 436 | winlogon.exe | 59 | 3
PID 2672 wrote to memory of 2080 | 2672 | cmd.exe | 60 | 3
PID 2760 wrote to memory of 504 | 2760 | dialer.exe | 8 | 1
PID 2760 wrote to memory of 2104 | 2760 | dialer.exe | 59 | 1
PID 2760 wrote to memory of 596 | 2760 | dialer.exe | 9 | 1
PID 2760 wrote to memory of 672 | 2760 | dialer.exe | 10 | 1
PID 2760 wrote to memory of 748 | 2760 | dialer.exe | 11 | 1
PID 2760 wrote to memory of 820 | 2760 | dialer.exe | 12 | 1
PID 2760 wrote to memory of 860 | 2760 | dialer.exe | 13 | 1
PID 2760 wrote to memory of 976 | 2760 | dialer.exe | 15 | 1
PID 2760 wrote to memory of 276 | 2760 | dialer.exe | 16 | 1
PID 2760 wrote to memory of 356 | 2760 | dialer.exe | 17 | 1
PID 2760 wrote to memory of 1080 | 2760 | dialer.exe | 18 | 1
PID 2760 wrote to memory of 1124 | 2760 | dialer.exe | 19 | 1
PID 2760 wrote to memory of 1184 | 2760 | dialer.exe | 20 | 1
PID 2760 wrote to memory of 1212 | 2760 | dialer.exe | 21 | 1
PID 2760 wrote to memory of 2172 | 2760 | dialer.exe | 24 | 1
PID 2760 wrote to memory of 2276 | 2760 | dialer.exe | 25 | 1
PID 2760 wrote to memory of 2744 | 2760 | dialer.exe | 29 | 1
PID 2760 wrote to memory of 2468 | 2760 | dialer.exe | 33 | 1
PID 2760 wrote to memory of 2856 | 2760 | dialer.exe | 58 | 1
PID 2760 wrote to memory of 2104 | 2760 | dialer.exe | 59 | 1
PID 496 wrote to memory of 2856 | 496 | lsass.exe | 58 | 9
PID 2856 wrote to memory of 3048 | 2856 | STEALER.exe | 61 | 3
PID 2760 wrote to memory of 3048 | 2760 | dialer.exe | 61 | 2
PID 2760 wrote to memory of 2768 | 2760 | dialer.exe | 62 | 1
Processes
(indentation and the bracketed number give the depth in the process tree; signature hits are listed under each process)

[1] C:\Windows\system32\winlogon.exe (PID 436)
    cmdline: winlogon.exe
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\system32\wlrmdr.exe (PID 2104)
        cmdline: -s -1 -f 2 -t You are about to be logged off -m Windows has encountered a critical problem and will restart automatically in one minute. Please save your work now. -a 3

[1] C:\Windows\system32\services.exe (PID 480)
    cmdline: C:\Windows\system32\services.exe
    [2] C:\Windows\system32\svchost.exe (PID 596)
        cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch
        [3] C:\Windows\system32\wbem\wmiprvse.exe (PID 2468)
            cmdline: C:\Windows\system32\wbem\wmiprvse.exe -Embedding
    [2] C:\Windows\system32\svchost.exe (PID 672)
        cmdline: C:\Windows\system32\svchost.exe -k RPCSS
    [2] C:\Windows\System32\svchost.exe (PID 748)
        cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    [2] C:\Windows\System32\svchost.exe (PID 820)
        cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
        [3] C:\Windows\system32\Dwm.exe (PID 1184)
            cmdline: "C:\Windows\system32\Dwm.exe"
    [2] C:\Windows\system32\svchost.exe (PID 860)
        cmdline: C:\Windows\system32\svchost.exe -k netsvcs
        - Drops file in Windows directory
    [2] C:\Windows\system32\svchost.exe (PID 976)
        cmdline: C:\Windows\system32\svchost.exe -k LocalService
    [2] C:\Windows\system32\svchost.exe (PID 276)
        cmdline: C:\Windows\system32\svchost.exe -k NetworkService
    [2] C:\Windows\System32\spoolsv.exe (PID 356)
        cmdline: C:\Windows\System32\spoolsv.exe
    [2] C:\Windows\system32\svchost.exe (PID 1080)
        cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    [2] C:\Windows\system32\taskhost.exe (PID 1124)
        cmdline: "taskhost.exe"
    [2] C:\Windows\system32\svchost.exe (PID 2172)
        cmdline: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    [2] C:\Windows\system32\sppsvc.exe (PID 2276)
        cmdline: C:\Windows\system32\sppsvc.exe

[1] C:\Windows\system32\lsass.exe (PID 496)
    cmdline: C:\Windows\system32\lsass.exe
    - Suspicious use of WriteProcessMemory

[1] C:\Windows\system32\lsm.exe (PID 504)
    cmdline: C:\Windows\system32\lsm.exe

[1] C:\Windows\Explorer.EXE (PID 1212)
    cmdline: C:\Windows\Explorer.EXE
    - Suspicious use of AdjustPrivilegeToken
    [2] C:\Users\Admin\AppData\Local\Temp\CRACKED-V4 (UPD).exe (PID 1420)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\CRACKED-V4 (UPD).exe"
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\RarSFX0\MINER.exe (PID 2916)
            cmdline: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\MINER.exe"
            - Drops file in Drivers directory
            - Executes dropped EXE
            - Drops file in System32 directory
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe (PID 2576)
                cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                - Drops file in System32 directory
                - Suspicious use of AdjustPrivilegeToken
            [4] C:\Windows\system32\cmd.exe (PID 2736)
                cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                - Suspicious use of WriteProcessMemory
                [5] C:\Windows\system32\wusa.exe (PID 2196)
                    cmdline: wusa /uninstall /kb:890830 /quiet /norestart
                    - Drops file in Windows directory
            [4] C:\Windows\system32\sc.exe (PID 2020)
                cmdline: C:\Windows\system32\sc.exe stop UsoSvc
                - Launches sc.exe
            [4] C:\Windows\system32\sc.exe (PID 2488)
                cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc
                - Launches sc.exe
            [4] C:\Windows\system32\sc.exe (PID 2612)
                cmdline: C:\Windows\system32\sc.exe stop wuauserv
                - Launches sc.exe
            [4] C:\Windows\system32\sc.exe (PID 2336)
                cmdline: C:\Windows\system32\sc.exe stop bits
                - Launches sc.exe
            [4] C:\Windows\system32\sc.exe (PID 2840)
                cmdline: C:\Windows\system32\sc.exe stop dosvc
                - Launches sc.exe
            [4] C:\Windows\system32\dialer.exe (PID 2760)
                cmdline: C:\Windows\system32\dialer.exe
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
            [4] C:\Windows\system32\sc.exe (PID 3000)
                cmdline: C:\Windows\system32\sc.exe delete "RVUILGKT"
                - Launches sc.exe
            [4] C:\Windows\system32\sc.exe (PID 2664)
                cmdline: C:\Windows\system32\sc.exe create "RVUILGKT" binpath= "C:\ProgramData\qapetckhvsnw\exiffkcmhtzm.exe" start= "auto"
                - Launches sc.exe
            [4] C:\Windows\system32\sc.exe (PID 2684)
                cmdline: C:\Windows\system32\sc.exe stop eventlog
                - Launches sc.exe
            [4] C:\Windows\system32\sc.exe (PID 2648)
                cmdline: C:\Windows\system32\sc.exe start "RVUILGKT"
                - Launches sc.exe
            [4] C:\Windows\system32\cmd.exe (PID 2672)
                cmdline: C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\MINER.exe"
                - Suspicious use of WriteProcessMemory
                [5] C:\Windows\system32\choice.exe (PID 2080)
                    cmdline: choice /C Y /N /D Y /T 3
        [3] C:\Users\Admin\AppData\Local\Temp\RarSFX0\STEALER.exe (PID 2856)
            cmdline: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\STEALER.exe"
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\System32\Wbem\wmic.exe (PID 3048)
                cmdline: "wmic.exe" csproduct get uuid
                - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\system32\taskmgr.exe (PID 2744)
        cmdline: "C:\Windows\system32\taskmgr.exe" /4
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage

[1] C:\Windows\system32\conhost.exe (PID 2768)
    cmdline: \??\C:\Windows\system32\conhost.exe "-438403989523208313-1978641336-762313142-1155045398-1489166070-2928636611727153623"
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2.8MB
MD5: c2fdd4a1979ec3e039f8fbfd49ba6be4
SHA1: f4e99d1ffe37782f0b41c6f9f33ce8fc8e5975c8
SHA256: bc571671d79792df1ded4352473296596e33a70fecb923b55606b7e4f1a991e8
SHA512: 7f911e540512969a81766b25d17a77e0cb0d40b5ac08a973f05564f1d646077cbe66de01eb9af667ce6db56410d35ad0e98a0b1775248a45b307347b68249d4a

Filesize: 1006B
MD5: 7aeaa41fa4e4167fbe447ccd449e3fff
SHA1: e25a42c3f4f93a6374b5c8c1c7c508719fcfb505
SHA256: 18fd1d0d60be8a9c7344ff152cd48999d46f0a983dc206b7ca718055addfd3c3
SHA512: 4f6a1fc575abf7a5e43d74847711417631b823df3b94e54f2082d5765a05f0f211772e80aa1601658912f6dae79d0a8062ae788598ba03c577f381fabf1d9660

Filesize: 231KB
MD5: 395a42e56b6b43b7e1b54b7ced631900
SHA1: 299d60e4bc3db4b1b6fd8c1bc09fb0d8ef352059
SHA256: d1d026a5437d47bc6b5d8a81678254196256bbfe452708248a18502443357a6e
SHA512: e2222ac9fccb6dca0d11d79661236034a1406478a2705272c0c8d72f12bdc58f944286a8f4c934352de5b5e0509530e633f71410f9309af201295865fe10c357