Analysis

  • max time kernel
    47s
  • max time network
    48s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-05-2024 21:52

General

  • Target

    Nezure.exe

  • Size

    8.3MB

  • MD5

    4efce9b6099fa6bfc272b5e192fe16cc

  • SHA1

    d5495d7d0593a0258bb50325eb0381cec5decd19

  • SHA256

    185d297d3a204b586f262ce576bc40127b6ea49561b07c7e40c0a2e779df03e1

  • SHA512

    0b81846c316c3790b1d3fd88953d7c9350443d8dd34cbf4311677e5706b59f4e8b0819186f7cb81b980bab88b9aa6802170536d50a989f081b0aacb68f58ca5f

  • SSDEEP

    196608:UB4vMWmmF95vrRoypY2xNS+U1kYLLBGJt4qi5Wh4d3J4jtQG0gIe:UevBn5viETxNS+5OBU4hat0gI

Malware Config

Signatures

  • Detect Umbral payload 2 IoCs
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Drops file in Drivers directory 1 IoCs
  • Modifies AppInit DLL entries 2 TTPs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 12 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 11 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 48 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Nezure.exe
    "C:\Users\Admin\AppData\Local\Temp\Nezure.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4056
    • C:\Users\Admin\AppData\Local\Temp\Nezur.exe
      "C:\Users\Admin\AppData\Local\Temp\Nezur.exe"
      2⤵
      • Executes dropped EXE
      PID:4568
    • C:\Users\Admin\AppData\Local\Temp\Client.exe
      "C:\Users\Admin\AppData\Local\Temp\Client.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1668
      • C:\Windows\SYSTEM32\CMD.exe
        "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Ableton Live" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2860
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Ableton Live" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe"
          4⤵
          • Creates scheduled task(s)
          PID:1692
      • C:\Windows\SYSTEM32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3972
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
          4⤵
          • Creates scheduled task(s)
          PID:2924
      • C:\Windows\SYSTEM32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Adobe Premiere Pro" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\Chrome.exe" /RL HIGHEST & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4656
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo 5 /tn "Adobe Premiere Pro" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\Chrome.exe" /RL HIGHEST
          4⤵
          • Creates scheduled task(s)
          PID:3940
      • C:\Windows\SYSTEM32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2712
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
          4⤵
          • Creates scheduled task(s)
          PID:896
      • C:\Windows\SYSTEM32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2220
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
          4⤵
          • Creates scheduled task(s)
          PID:4492
      • C:\Windows\SYSTEM32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:432
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
          4⤵
          • Creates scheduled task(s)
          PID:1200
      • C:\Windows\SYSTEM32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4836
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
          4⤵
          • Creates scheduled task(s)
          PID:4512
      • C:\Windows\SYSTEM32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2924
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
          4⤵
          • Creates scheduled task(s)
          PID:4152
      • C:\Windows\SYSTEM32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
        3⤵
          PID:3056
          • C:\Windows\system32\schtasks.exe
            SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
            4⤵
            • Creates scheduled task(s)
            PID:3940
        • C:\Windows\SYSTEM32\CMD.exe
          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
          3⤵
            PID:4888
            • C:\Windows\system32\schtasks.exe
              SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
              4⤵
              • Creates scheduled task(s)
              PID:4492
          • C:\Windows\SYSTEM32\CMD.exe
            "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
            3⤵
              PID:728
              • C:\Windows\system32\schtasks.exe
                SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
                4⤵
                • Creates scheduled task(s)
                PID:3484
          • C:\Users\Admin\AppData\Local\Temp\Umbral.exe
            "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
            2⤵
            • Drops file in Drivers directory
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4844
            • C:\Windows\System32\Wbem\wmic.exe
              "wmic.exe" csproduct get uuid
              3⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:1596
            • C:\Windows\SYSTEM32\attrib.exe
              "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
              3⤵
              • Views/modifies file attributes
              PID:1508
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
              3⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3508
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
              3⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2416
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              3⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2124
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              3⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1676
            • C:\Windows\System32\Wbem\wmic.exe
              "wmic.exe" os get Caption
              3⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:2368
            • C:\Windows\System32\Wbem\wmic.exe
              "wmic.exe" computersystem get totalphysicalmemory
              3⤵
                PID:3092
              • C:\Windows\System32\Wbem\wmic.exe
                "wmic.exe" csproduct get uuid
                3⤵
                  PID:2028
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
                  3⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:4512
                • C:\Windows\System32\Wbem\wmic.exe
                  "wmic" path win32_VideoController get name
                  3⤵
                  • Detects videocard installed
                  PID:5096
                • C:\Windows\SYSTEM32\cmd.exe
                  "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:3872
                  • C:\Windows\system32\PING.EXE
                    ping localhost
                    4⤵
                    • Runs ping.exe
                    PID:2836
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3452,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=4432 /prefetch:8
              1⤵
                PID:2164
              • C:\Windows\system32\wbem\WmiApSrv.exe
                C:\Windows\system32\wbem\WmiApSrv.exe
                1⤵
                • Loads dropped DLL
                • Suspicious behavior: EnumeratesProcesses
                PID:3444

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                Filesize

                2KB

                MD5

                d85ba6ff808d9e5444a4b369f5bc2730

                SHA1

                31aa9d96590fff6981b315e0b391b575e4c0804a

                SHA256

                84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                SHA512

                8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                Filesize

                1KB

                MD5

                567d7fef99fd45b4def9fa7b093384e2

                SHA1

                e6a0a4657276cca5142193ad980e34d1ed382f41

                SHA256

                7ec7b5f3f860f6b4a326dcc883a2bd3f57bac0a5774418b48e3ef54c2cd2893c

                SHA512

                f45b7876ae0e3eac9dee187f2b901da361caf20e2aebc545408a95f6926a2b3a13233392d085487a76e6972784877637576bf8f9b644c0d59cea02f9177aa711

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                Filesize

                944B

                MD5

                6d3e9c29fe44e90aae6ed30ccf799ca8

                SHA1

                c7974ef72264bbdf13a2793ccf1aed11bc565dce

                SHA256

                2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

                SHA512

                60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                Filesize

                948B

                MD5

                74a6b79d36b4aae8b027a218bc6e1af7

                SHA1

                0350e46c1df6934903c4820a00b0bc4721779e5f

                SHA256

                60c64f6803d7ad1408d0a8628100470859b16ef332d5f1bd8bb2debe51251d04

                SHA512

                60e71435a9a23f4c144d641844f4182ddc9aa4ccd3e99232149a187112dce96458aab9587e9fea46f5dc5a52f5ca758969a04657a2b5b10241d3e4554f7c85e0

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                Filesize

                1KB

                MD5

                276798eeb29a49dc6e199768bc9c2e71

                SHA1

                5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

                SHA256

                cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

                SHA512

                0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

              • C:\Users\Admin\AppData\Local\Temp\Client.exe

                Filesize

                578KB

                MD5

                1984de1def2a649295eb4683cef7b145

                SHA1

                b3772c1d98f1d18bafd8cf4781f65fc17f20811a

                SHA256

                ad1ca0ede87c65ab25cca6d7899da474b27ee5631e55c21120e857d16b9802b2

                SHA512

                8b64bec1f124bfe5df9e3b8f7fcae5921836604c67e537445c48bcc2b7ac0b71d00fc7c8f8609799577bce4cdf24bed38eb0c23bb537881c74216f416a665a65

              • C:\Users\Admin\AppData\Local\Temp\Nezur.exe

                Filesize

                7.9MB

                MD5

                754c5ad19cb3bc21a58bccf028bc2b86

                SHA1

                66fe0f66d80023b347707248abe6e44e5f9d98ce

                SHA256

                8445e6223a5f1b7f33b0320560b34139ab758006ed4492f581e2b90d3e104f5b

                SHA512

                fdbbfbc10c58e909da664e643bffbe640b4b3242df0da2d5bd40d9691f96ce6cca4c27e166dff7e290b3a5f012b0a3e135e1650bf61a7484253c59cc54177790

              • C:\Users\Admin\AppData\Local\Temp\Umbral.exe

                Filesize

                230KB

                MD5

                9e9bbff99af7ac67d8bd79f854bd569c

                SHA1

                cce432ed7fc4aa23daf8311e2ef3ea2f056c1ca6

                SHA256

                e0465af4219a63f50e3a44f579d27dc9a0188797faf7f614b5f2ecc1d899a24c

                SHA512

                7b70e1cd5b900aa16894c5cd13925f799d59e11fc3113adeeaf4d770e27b4088546f8e21c674d3aed3c13ccc06c04c22a2d54c8286dda28fee77fd0fd1a870b8

              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_g5h0atbg.kx2.ps1

                Filesize

                60B

                MD5

                d17fe0a3f47be24a6453e9ef58c94641

                SHA1

                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                SHA256

                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                SHA512

                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              • C:\Windows\xdwd.dll

                Filesize

                136KB

                MD5

                16e5a492c9c6ae34c59683be9c51fa31

                SHA1

                97031b41f5c56f371c28ae0d62a2df7d585adaba

                SHA256

                35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

                SHA512

                20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

              • memory/1668-30-0x0000000000E30000-0x0000000000EC6000-memory.dmp

                Filesize

                600KB

              • memory/1668-37-0x00007FFDA2EB0000-0x00007FFDA3971000-memory.dmp

                Filesize

                10.8MB

              • memory/1668-224-0x00007FFDA2EB0000-0x00007FFDA3971000-memory.dmp

                Filesize

                10.8MB

              • memory/1668-192-0x0000000002FB0000-0x0000000002FBC000-memory.dmp

                Filesize

                48KB

              • memory/3508-48-0x000002B1FF920000-0x000002B1FF942000-memory.dmp

                Filesize

                136KB

              • memory/4056-2-0x00007FFDA2EB0000-0x00007FFDA3971000-memory.dmp

                Filesize

                10.8MB

              • memory/4056-1-0x0000000000C50000-0x000000000149C000-memory.dmp

                Filesize

                8.3MB

              • memory/4056-36-0x00007FFDA2EB0000-0x00007FFDA3971000-memory.dmp

                Filesize

                10.8MB

              • memory/4056-0-0x00007FFDA2EB3000-0x00007FFDA2EB5000-memory.dmp

                Filesize

                8KB

              • memory/4568-35-0x00007FF6EBFA0000-0x00007FF6ED2F9000-memory.dmp

                Filesize

                19.3MB

              • memory/4844-67-0x00000208764B0000-0x00000208764CE000-memory.dmp

                Filesize

                120KB

              • memory/4844-101-0x00000208767A0000-0x00000208767B2000-memory.dmp

                Filesize

                72KB

              • memory/4844-100-0x0000020876480000-0x000002087648A000-memory.dmp

                Filesize

                40KB

              • memory/4844-34-0x000002085BF70000-0x000002085BFB0000-memory.dmp

                Filesize

                256KB

              • memory/4844-66-0x0000020876420000-0x0000020876470000-memory.dmp

                Filesize

                320KB

              • memory/4844-65-0x0000020876720000-0x0000020876796000-memory.dmp

                Filesize

                472KB