Analysis Overview
SHA256
75f18abe6b6d94ca03e91c6eddbfaee49827e731ba78e62f4f47e890fb9dbe53
Threat Level: Known bad
The file Saransk.exe was found to be: Known bad.
Malicious Activity Summary
Detect Umbral payload
Umbral family
Umbral
Unsigned PE
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported: 2024-06-17 08:30
Signatures
Detect Umbral payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Umbral family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-06-17 08:30
Reported: 2024-06-17 08:31
Platform: win11-20240508-en
Max time kernel: 59s
Max time network: 58s
Command Line
Signatures
Detect Umbral payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Umbral
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Saransk.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Saransk.exe
"C:\Users\Admin\AppData\Local\Temp\Saransk.exe"
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | gstatic.com | udp |
Files
memory/4724-0-0x0000022A4E320000-0x0000022A4E360000-memory.dmp
memory/4724-1-0x00007FF949803000-0x00007FF949805000-memory.dmp
memory/4724-2-0x00007FF949800000-0x00007FF94A2C2000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
| Hash | Value |
|---|---|
| MD5 | cd56e155edf53e5728c46b6c9eb9c413 |
| SHA1 | 14b1b0f090803c9ee39797aed4af13dc7849566d |
| SHA256 | 70a6cf268c013fb4d907bedc12af3e5f802f179f0cc8353c7b8227dde840d31a |
| SHA512 | a4ada455d44a89fd2baa505aa9266b70913967b839522ef5da8d7afd31af6662c3ad96ac3e3531d82a72be7d019c9d88f1ce391c5b5fa0e4422a634c51491165 |
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
| Hash | Value |
|---|---|
| MD5 | 3569ff1aa5310102ef02c312ca4dbe9a |
| SHA1 | 4124b1e805d5c487bf86182d19ed22bed6cf44ac |
| SHA256 | 3ce1168408eb889f65cd4d45c12c58842a4291356c835cfb1877d017b6768a9b |
| SHA512 | c966ebf69abce51aa4fbec1e53f43485786cbeb5fb6cea18eb3407b7d4c7a212a6843b69965de9f577c483c6139840d0f7fe56d69fc8c97e6b0884b75b7aed8d |
memory/4724-21-0x00007FF949800000-0x00007FF94A2C2000-memory.dmp