Analysis

  • max time kernel
    76s
  • max time network
    52s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02-06-2024 01:54

General

  • Target

    UNBANNED-GG-PERM-10-18-23/loader.exe

  • Size

    365KB

  • MD5

    cbd720ad4f7be1c099ec22f56ee61dd6

  • SHA1

    9989030c7ea1756e1834c464688d418e773919fc

  • SHA256

    20be105c4a33ebf77ef4db7e8b6ebbb39b156fe1dd16473a7255903f33b76846

  • SHA512

    2ad87fdf5046be22eec58fe71326ab0bcc2a2ca019e1b5519ec1ecbdfbb83731a254c7f400ca48cacb9917da6c85d41a913aa0f8f5b21408a3f2d1e8895e9740

  • SSDEEP

    6144:UsLqdufVUNDa4loZM3fsXtioRkts/cnnK6cMlibJksyVtGXTOMdRYspb8e1m+Fii:PFUNDamoZ1tlRk83MlibJksyVtGXTOMX

Malware Config

Extracted

Family

umbral

C2

https://discordapp.com/api/webhooks/1246463015998586960/d4v_qESsKe8s7VticwxHvyytkOUO321t7x3oNxoyCNYQuwczEVfPUDFWHLnPpAM4tNJ_
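The C2 above is a Discord webhook: the numeric segment is the webhook's snowflake ID and the trailing segment is the token that authorises posts to it. Both are worth extracting from any Umbral sample, and the ID alone tells you when the operator created the webhook, because Discord snowflakes carry a millisecond timestamp in their upper 42 bits. The following is an added example, not code from the sandbox or from the Umbral project; it assumes Discord's documented snowflake epoch (2015-01-01T00:00:00Z), and the strings blob it parses is constructed around the URL from this report.

```python
"""
Pull the Discord webhook C2 out of extracted strings and derive what can be
learned from it without touching the webhook.
Added example: not code from the sandbox or from the Umbral project.
"""
import re
from datetime import datetime, timezone

# Discord's snowflake epoch, 2015-01-01T00:00:00Z, in milliseconds.
DISCORD_EPOCH_MS = 1_420_070_400_000

# URL shapes Discord accepts for webhooks: discord.com, discordapp.com and the
# canary/ptb hosts. The token group is the secret that authorises POSTs.
WEBHOOK_RE = re.compile(
    r"https?://(?:(?:canary|ptb)\.)?discord(?:app)?\.com"
    r"/api/webhooks/(?P<id>\d{17,20})/(?P<token>[A-Za-z0-9_-]+)"
)

# Constructed stand-in for `strings` output from the unpacked stealer; the
# webhook URL is the one in this report's Malware Config, the rest is filler.
SAMPLE_STRINGS = """\
Umbral
https://discordapp.com/api/webhooks/1246463015998586960/d4v_qESsKe8s7VticwxHvyytkOUO321t7x3oNxoyCNYQuwczEVfPUDFWHLnPpAM4tNJ_
wmic csproduct get uuid
https://discord.com/api/v9/users/@me
"""


def snowflake_ms(snowflake: int) -> int:
    """Unix time in milliseconds encoded in a Discord snowflake (upper 42 bits)."""
    return (snowflake >> 22) + DISCORD_EPOCH_MS


def snowflake_time(snowflake: int) -> datetime:
    """Creation time of the object the snowflake identifies, as aware UTC."""
    return datetime.fromtimestamp(snowflake_ms(snowflake) / 1000, tz=timezone.utc)


def redact(url: str) -> str:
    """Keep the webhook ID (useful for correlation across samples), drop the token."""
    return WEBHOOK_RE.sub(
        lambda m: m.group(0)[: m.start("token") - m.start(0)] + "<redacted>", url
    )


def find_webhooks(text: str) -> list:
    """Return one record per webhook URL found in text, with creation time and a redacted form."""
    hits = []
    for m in WEBHOOK_RE.finditer(text):
        wid = int(m.group("id"))
        hits.append({
            "url": m.group(0),
            "id": wid,
            "token": m.group("token"),
            "created_at": snowflake_time(wid),
            "redacted": redact(m.group(0)),
        })
    return hits


if __name__ == "__main__":
    for h in find_webhooks(SAMPLE_STRINGS):
        print(h["redacted"], "created", h["created_at"].isoformat())
```

For this sample the ID decodes to 2024-06-01 UTC, the day before the submission above, which is typical for throwaway stealer infrastructure. Never POST to a recovered webhook: it tips off the operator and is abuse of the service. A GET to the full URL returns the webhook's name, channel_id and guild_id without sending anything, which is enough for a takedown report; store only the redacted form in shared IOC lists, since the token is a live credential.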

Signatures

  • Detect Umbral payload 2 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Umbral

    Umbral stealer is an open-source modular stealer written in C#.

  • Executes dropped EXE 6 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments. In this run, however, the signature fires on taskmgr.exe (PID 316), a separate top-level process rather than a child of loader.exe (see Processes below), so treat it as sandbox or operator activity rather than an anti-analysis check by the sample.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of FindShellTrayWindow 59 IoCs
  • Suspicious use of SendNotifyMessage 59 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs
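The signatures that matter for host containment are the four drops into C:\Windows\Resources (a directory that holds themes and ease-of-access data, never executables Windows itself launches) and the Run-key persistence pointing at them. The following host-triage script is an added example, not code from the sandbox or from Umbral: it matches collected file hashes against the SHA256 values in this report's Downloads section, flags any Run value that launches something from the drop directory, and flags unknown executables in that directory (a rebuilt or repacked drop would not hash-match). The Run value names and the sample collection it runs on are constructed, since the report only states that a Run key was added; the winreg collector at the end is for use on a live Windows host and is not exercised here.

```python
"""
Offline host triage for the drop chain in this report.
Added example: not code from the sandbox or from the Umbral project.
"""
import hashlib
import re
from pathlib import Path

# SHA256 values copied from the Downloads section of this report.
KNOWN_DROPPED_SHA256 = {
    "0d1624f286111c651fc10785fa0a16fbe807e411948b6e8731ad89573434282f": r"C:\Windows\Resources\Themes\explorer.exe",
    "39931e1f612c4cc3ddef588ce4a1d1c1543e85cf16959eb738ed39eb0b2b1a11": r"C:\Windows\Resources\Themes\icsys.icn.exe",
    "d058d6585d0db0748d23bea1a2b86ef2261ef42734b8e88e90e0711fc500dbe9": r"C:\Windows\Resources\spoolsv.exe",
    "c1da5c34627b46d31d5a56d2fede8773ab085eb8cdc6572c9d17c251576435f3": r"C:\Windows\Resources\svchost.exe",
    "007ae5e7086ce92765cb6f3877663b04146f14deba2edb9582d90d4451b443d7": "second-stage loader.exe (230KB)",
}

# Windows never launches executables from C:\Windows\Resources, so any .exe
# started from there is a finding on its own, hash match or not.
DROP_DIR_RE = re.compile(r"^[a-z]:\\windows\\resources\\", re.IGNORECASE)

# Constructed sample collection, shaped like what a live host would report.
# "svchost" as a Run value name is an assumption; the report does not give it.
SAMPLE_RUN_VALUES = {
    "svchost": r"c:\windows\resources\svchost.exe",
    "OneDrive": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
}
SAMPLE_FILE_HASHES = {
    r"C:\Windows\Resources\svchost.exe": "c1da5c34627b46d31d5a56d2fede8773ab085eb8cdc6572c9d17c251576435f3",
    r"C:\Windows\Resources\Themes\explorer.exe": "0d1624f286111c651fc10785fa0a16fbe807e411948b6e8731ad89573434282f",
    r"C:\Windows\Resources\helper.exe": "0" * 64,  # constructed: not in the report
    r"C:\Windows\explorer.exe": "1" * 64,          # constructed stand-in for the real shell
}


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Streamed SHA256 so large files do not get read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def exe_from_command(cmd: str) -> str:
    """Program path from a Run-key command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage(run_values: dict, file_hashes: dict) -> list:
    """run_values: {value_name: command}; file_hashes: {path: sha256 hex}."""
    findings = []
    for name, cmd in run_values.items():
        exe = exe_from_command(cmd)
        if DROP_DIR_RE.match(exe):
            findings.append(f"run-key persistence: {name} -> {exe}")
    for path, digest in file_hashes.items():
        d = digest.lower()
        if d in KNOWN_DROPPED_SHA256:
            findings.append(f"known Umbral drop: {path} ({d[:12]}...)")
        elif DROP_DIR_RE.match(path) and path.lower().endswith(".exe"):
            findings.append(f"unexpected executable in drop dir: {path}")
    return findings


def collect_run_values_windows() -> dict:
    """Read HKCU and HKLM Run values on a live Windows host (needs winreg)."""
    import winreg
    out = {}
    for hive, hname in ((winreg.HKEY_CURRENT_USER, "HKCU"), (winreg.HKEY_LOCAL_MACHINE, "HKLM")):
        try:
            key = winreg.OpenKey(hive, r"Software\Microsoft\Windows\CurrentVersion\Run")
        except OSError:
            continue
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:
                break
            out[f"{hname}\\{name}"] = str(data)
            i += 1
    return out


if __name__ == "__main__":
    for line in triage(SAMPLE_RUN_VALUES, SAMPLE_FILE_HASHES):
        print(line)
```

On a real host, feed `triage()` the output of `collect_run_values_windows()` and a dict built with `sha256_file()` over every file under C:\Windows\Resources. The directory check is the durable part of this: the hashes will change with the next build, the drop location is a habit of the packer and tends not to.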

Processes

  • C:\Users\Admin\AppData\Local\Temp\UNBANNED-GG-PERM-10-18-23\loader.exe
    "C:\Users\Admin\AppData\Local\Temp\UNBANNED-GG-PERM-10-18-23\loader.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2320
    • \??\c:\users\admin\appdata\local\temp\unbanned-gg-perm-10-18-23\loader.exe 
      c:\users\admin\appdata\local\temp\unbanned-gg-perm-10-18-23\loader.exe 
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4040
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1712
    • C:\Windows\Resources\Themes\icsys.icn.exe
      C:\Windows\Resources\Themes\icsys.icn.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2088
      • \??\c:\windows\resources\themes\explorer.exe
        c:\windows\resources\themes\explorer.exe
        3⤵
        • Modifies visibility of hidden/system files in Explorer
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4256
        • \??\c:\windows\resources\spoolsv.exe
          c:\windows\resources\spoolsv.exe SE
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1252
          • \??\c:\windows\resources\svchost.exe
            c:\windows\resources\svchost.exe
            5⤵
            • Modifies visibility of hidden/system files in Explorer
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:612
            • \??\c:\windows\resources\spoolsv.exe
              c:\windows\resources\spoolsv.exe PR
              6⤵
              • Executes dropped EXE
              PID:452
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /7
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:316
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1340 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:3812

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Windows\Resources\Themes\explorer.exe

      Filesize

      135KB

      MD5

      564179149fffb757d47df20f39bf841e

      SHA1

      455dbd93e7a5f8bb8e3a7b15d22aa0cf9c8b1bdb

      SHA256

      0d1624f286111c651fc10785fa0a16fbe807e411948b6e8731ad89573434282f

      SHA512

      104e7b9f4750d992d86b947b9ca6d22d921cacc842b295c79153aa71cfba3b40f1c738ecedb36c2cdcfd93af96bf7dc5de1d9d2b62ba1b3ec540a4a306e9fd25

    • C:\Windows\Resources\Themes\icsys.icn.exe

      Filesize

      135KB

      MD5

      b6c6d532091f6de047c1a68a4b69bf10

      SHA1

      01439b14f2158014ef0255092f4c11a136483889

      SHA256

      39931e1f612c4cc3ddef588ce4a1d1c1543e85cf16959eb738ed39eb0b2b1a11

      SHA512

      b652116e7a2ebe98cb8e43d024542fdb5c8daccf85dde4c00738eedd55d7a1195155ed4b4ea26fd8e91ce1bbef54c9cd224cd4606b2028168e82c0c2de45798d

    • C:\Windows\Resources\spoolsv.exe

      Filesize

      135KB

      MD5

      f036e37d72127c78d5392d57a5c08ba8

      SHA1

      e7161eb0868b12b9201f33edfeb9e970ea1ae2e1

      SHA256

      d058d6585d0db0748d23bea1a2b86ef2261ef42734b8e88e90e0711fc500dbe9

      SHA512

      eb5ee17a586e63c45c91a417a31fca49db3c626e68889657580f169f5ff5274c174d42f4a48fb018209234ecfd32ae8f3ae584d07b4c0964784d06fc7b62bd43

    • C:\Windows\Resources\svchost.exe

      Filesize

      135KB

      MD5

      3679a36450cd4187debd64c86d8204ce

      SHA1

      92e269e802fcde3780881d7884386d359163f95c

      SHA256

      c1da5c34627b46d31d5a56d2fede8773ab085eb8cdc6572c9d17c251576435f3

      SHA512

      c9ee9f229cb32c88b109764f075f19eeff9a7aecd8d5a2dd765eb5176a257982c55023de0f37ddc72aee0c92089a191e061d571a3b3301280665e16001c32813

    • \??\c:\users\admin\appdata\local\temp\unbanned-gg-perm-10-18-23\loader.exe 

      Filesize

      230KB

      MD5

      d23ca81d16873706f5e26fbac64eaee9

      SHA1

      c49585cbcc6e5286fba1c7a3fe582ea0e38ed5ee

      SHA256

      007ae5e7086ce92765cb6f3877663b04146f14deba2edb9582d90d4451b443d7

      SHA512

      4a7d4be3f7a1e27e9c925b57a5e53754f8f39ebabf479e041f620ef5271a7154fe57a407ff59f859f02f149bb60925e2f4e2c9c49f415fd42e780c7ea23922d4

    • memory/316-61-0x000001DBB4090000-0x000001DBB4091000-memory.dmp

      Filesize

      4KB

    • memory/316-60-0x000001DBB4090000-0x000001DBB4091000-memory.dmp

      Filesize

      4KB

    • memory/316-59-0x000001DBB4090000-0x000001DBB4091000-memory.dmp

      Filesize

      4KB

    • memory/316-50-0x000001DBB4090000-0x000001DBB4091000-memory.dmp

      Filesize

      4KB

    • memory/316-58-0x000001DBB4090000-0x000001DBB4091000-memory.dmp

      Filesize

      4KB

    • memory/316-57-0x000001DBB4090000-0x000001DBB4091000-memory.dmp

      Filesize

      4KB

    • memory/316-62-0x000001DBB4090000-0x000001DBB4091000-memory.dmp

      Filesize

      4KB

    • memory/316-56-0x000001DBB4090000-0x000001DBB4091000-memory.dmp

      Filesize

      4KB

    • memory/316-51-0x000001DBB4090000-0x000001DBB4091000-memory.dmp

      Filesize

      4KB

    • memory/316-52-0x000001DBB4090000-0x000001DBB4091000-memory.dmp

      Filesize

      4KB

    • memory/452-46-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/1252-47-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/2088-48-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/2320-49-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/2320-0-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/4040-15-0x00007FFBEE3B0000-0x00007FFBEEE71000-memory.dmp

      Filesize

      10.8MB

    • memory/4040-11-0x00007FFBEE3B0000-0x00007FFBEEE71000-memory.dmp

      Filesize

      10.8MB

    • memory/4040-10-0x0000022619760000-0x00000226197A0000-memory.dmp

      Filesize

      256KB

    • memory/4040-9-0x00007FFBEE3B3000-0x00007FFBEE3B5000-memory.dmp

      Filesize

      8KB

    • memory/4256-25-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB