Malware Analysis Report

2024-10-10 10:00

Sample ID 240617-kef9hawglr
Target Saransk.exe
SHA256 75f18abe6b6d94ca03e91c6eddbfaee49827e731ba78e62f4f47e890fb9dbe53
Tags
umbral stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

75f18abe6b6d94ca03e91c6eddbfaee49827e731ba78e62f4f47e890fb9dbe53

Threat Level: Known bad

The file Saransk.exe was found to be: Known bad.

Malicious Activity Summary

umbral stealer

Detect Umbral payload

Umbral family

Umbral

Unsigned PE

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-17 08:30

Signatures

Detect Umbral payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Umbral family

umbral

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-17 08:30

Reported

2024-06-17 08:31

Platform

win11-20240508-en

Max time kernel

59s

Max time network

58s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Saransk.exe"

Signatures

Detect Umbral payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Umbral

stealer umbral

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Saransk.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Saransk.exe

"C:\Users\Admin\AppData\Local\Temp\Saransk.exe"

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | gstatic.com | udp

Files

memory/4724-0-0x0000022A4E320000-0x0000022A4E360000-memory.dmp

memory/4724-1-0x00007FF949803000-0x00007FF949805000-memory.dmp

memory/4724-2-0x00007FF949800000-0x00007FF94A2C2000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

MD5 cd56e155edf53e5728c46b6c9eb9c413
SHA1 14b1b0f090803c9ee39797aed4af13dc7849566d
SHA256 70a6cf268c013fb4d907bedc12af3e5f802f179f0cc8353c7b8227dde840d31a
SHA512 a4ada455d44a89fd2baa505aa9266b70913967b839522ef5da8d7afd31af6662c3ad96ac3e3531d82a72be7d019c9d88f1ce391c5b5fa0e4422a634c51491165

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

MD5 3569ff1aa5310102ef02c312ca4dbe9a
SHA1 4124b1e805d5c487bf86182d19ed22bed6cf44ac
SHA256 3ce1168408eb889f65cd4d45c12c58842a4291356c835cfb1877d017b6768a9b
SHA512 c966ebf69abce51aa4fbec1e53f43485786cbeb5fb6cea18eb3407b7d4c7a212a6843b69965de9f577c483c6139840d0f7fe56d69fc8c97e6b0884b75b7aed8d

memory/4724-21-0x00007FF949800000-0x00007FF94A2C2000-memory.dmp