Malware Analysis Report

2024-10-10 10:00

Sample ID 240621-ctl5aszemn
Target nezurupdateopenfirst.exe
SHA256 db8e7fa7eaa81e51c4d220c4b2b0902cd7825e0178f7ec81f93089ecabc33861
Tags umbral, stealer
Score 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 db8e7fa7eaa81e51c4d220c4b2b0902cd7825e0178f7ec81f93089ecabc33861

Threat Level: Known bad

The file nezurupdateopenfirst.exe was found to be: Known bad.

Malicious Activity Summary

Tags umbral, stealer

Detect Umbral payload

Umbral

Umbral family

Unsigned PE

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-21 02:22

Signatures

Detect Umbral payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Umbral family

Tags umbral

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-21 02:22

Reported

2024-06-21 02:22

Platform

win10v2004-20240508-en

Max time kernel

24s

Max time network

27s

Command Line

"C:\Users\Admin\AppData\Local\Temp\nezurupdateopenfirst.exe"

Signatures

Detect Umbral payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Umbral

Tags stealer, umbral

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\nezurupdateopenfirst.exe | N/A
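The SeDebugPrivilege indicator in the table above is the point a detection would key on: an executable running from a user-writable path enables a debugging privilege that only debuggers, security tools and system binaries have any business holding. The following Python is an added example and is not part of this report or of the sandbox's tooling. It scans constructed records shaped like Windows Security event 4703 ("A user right was adjusted", which is written when the Audit Token Right Adjusted subcategory is enabled) and raises a finding when a process outside the trusted directories enables a sensitive privilege. The pipe-separated Key=value record layout, the field names, the path lists and the sample lines are assumptions made for this example; real events arrive as EVTX/XML and need their own parser.

```python
"""Flag processes that enable SeDebugPrivilege (and similar) from an untrusted path.

Added example, not part of the sandbox report. Record format, field names and
sample events are constructed for the example and are not a real log export.
"""
from dataclasses import dataclass

# Privileges whose enablement by an unexpected process merits a finding.
SENSITIVE_PRIVILEGES = {
    "SeDebugPrivilege",
    "SeTcbPrivilege",
    "SeLoadDriverPrivilege",
    "SeTakeOwnershipPrivilege",
}

# Paths (lower-case, forward slashes) from which this behaviour is routine. Assumption: tune per estate.
TRUSTED_PREFIXES = ("c:/windows/", "c:/program files/", "c:/program files (x86)/")

# Drop locations a freshly delivered sample typically runs from; a hit here raises the severity.
SUSPICIOUS_MARKERS = ("/appdata/local/temp/", "/appdata/roaming/", "/downloads/", "/users/public/")

# Constructed sample records (not real events). Layout: "Key=value | Key=value | ...".
SAMPLE_EVENTS = [
    # Mirrors the behaviour in this report: the sample in %TEMP% enables SeDebugPrivilege.
    r"EventID=4703 | SubjectUserName=Admin | ProcessName=C:\Users\Admin\AppData\Local\Temp\nezurupdateopenfirst.exe | EnabledPrivileges=SeDebugPrivilege | DisabledPrivileges=-",
    # A system binary doing the same thing is routine and is suppressed by the trusted-prefix list.
    r"EventID=4703 | SubjectUserName=SYSTEM | ProcessName=C:\Windows\System32\svchost.exe | EnabledPrivileges=SeDebugPrivilege, SeTcbPrivilege | DisabledPrivileges=-",
    # A non-sensitive privilege from a user path is ignored.
    r"EventID=4703 | SubjectUserName=Admin | ProcessName=C:\Users\Admin\Downloads\installer.exe | EnabledPrivileges=SeShutdownPrivilege | DisabledPrivileges=-",
    # The privilege being disabled rather than enabled is ignored.
    r"EventID=4703 | SubjectUserName=Admin | ProcessName=C:\Users\Admin\AppData\Roaming\agent.exe | EnabledPrivileges=- | DisabledPrivileges=SeDebugPrivilege",
    # A different event type is ignored even though the path is suspicious.
    r"EventID=4688 | SubjectUserName=Admin | ProcessName=C:\Users\Admin\AppData\Local\Temp\nezurupdateopenfirst.exe | CommandLine=nezurupdateopenfirst.exe",
    # An unknown tool path outside both lists is reported at medium severity.
    r"EventID=4703 | SubjectUserName=Admin | ProcessName=C:\Tools\procdump64.exe | EnabledPrivileges=SeDebugPrivilege | DisabledPrivileges=-",
]


@dataclass(frozen=True)
class Finding:
    process: str
    privileges: tuple  # sorted sensitive privileges that were enabled
    severity: str      # "high" if the path looks like a drop location, else "medium"


def parse_record(line: str) -> dict:
    """Split one 'Key=value | Key=value' record into a dict (constructed format)."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def parse_privileges(value: str) -> set:
    """Comma-separated privilege list; '-' means none (as in the Windows event text)."""
    return {p.strip() for p in value.split(",") if p.strip() and p.strip() != "-"}


def classify(fields: dict):
    """Return a Finding for a 4703 record that enables a sensitive privilege from an untrusted path."""
    if fields.get("EventID") != "4703":
        return None
    enabled = parse_privileges(fields.get("EnabledPrivileges", ""))
    hit = tuple(sorted(enabled & SENSITIVE_PRIVILEGES))
    if not hit:
        return None
    process = fields.get("ProcessName", "")
    norm = process.lower().replace("\\", "/")
    if norm.startswith(TRUSTED_PREFIXES):
        return None
    severity = "high" if any(marker in norm for marker in SUSPICIOUS_MARKERS) else "medium"
    return Finding(process, hit, severity)


def scan(lines) -> list:
    """Run classify over every non-empty record and collect the findings in input order."""
    return [f for f in (classify(parse_record(line)) for line in lines if line.strip()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.severity}] {finding.process} enabled {', '.join(finding.privileges)}")
```

The trusted-prefix list is a coarse allowlist; on a real estate a signed-binary check or a per-process baseline would replace it, since malware copied into C:\Windows\Temp would otherwise pass. The second sample record shows why the allowlist is needed at all: system services enable SeDebugPrivilege constantly, and alerting on the privilege alone would bury the real hit.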

Processes

C:\Users\Admin\AppData\Local\Temp\nezurupdateopenfirst.exe

"C:\Users\Admin\AppData\Local\Temp\nezurupdateopenfirst.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | gstatic.com | udp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp

Files

memory/1076-0-0x000001A594D00000-0x000001A594D40000-memory.dmp

memory/1076-1-0x00007FFB82733000-0x00007FFB82735000-memory.dmp

memory/1076-2-0x00007FFB82730000-0x00007FFB831F1000-memory.dmp

memory/1076-3-0x00007FFB82730000-0x00007FFB831F1000-memory.dmp
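The four dump names above encode the process ID, a capture index and the virtual address range of each region, so they can be turned into something readable before any of the dumps is opened. The following Python is an added example, not part of this report or of the sandbox's own tooling: it parses names of the form memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp (the pattern this page uses; other sandboxes name dumps differently), computes each region's size, and reports ranges that were captured more than once or that lie inside another capture. The only input is the list copied from this section.

```python
"""Parse sandbox memory-dump file names into address ranges and relate them to each other.

Added example, not part of the report. The name pattern is taken from the Files
section of this page; it is an assumption that the same pattern holds elsewhere.
"""
import re
from dataclasses import dataclass

# Dump names copied from the Files section of this report.
DUMP_NAMES = [
    "memory/1076-0-0x000001A594D00000-0x000001A594D40000-memory.dmp",
    "memory/1076-1-0x00007FFB82733000-0x00007FFB82735000-memory.dmp",
    "memory/1076-2-0x00007FFB82730000-0x00007FFB831F1000-memory.dmp",
    "memory/1076-3-0x00007FFB82730000-0x00007FFB831F1000-memory.dmp",
]

DUMP_NAME_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<index>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


@dataclass(frozen=True)
class Region:
    pid: int
    index: int
    start: int  # inclusive virtual address
    end: int    # exclusive virtual address

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_dump_name(name: str) -> Region:
    """Parse one dump name; reject anything that does not match or has an empty/inverted range."""
    m = DUMP_NAME_RE.match(name.strip())
    if m is None:
        raise ValueError(f"not a memory dump name: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name!r}")
    return Region(int(m["pid"]), int(m["index"]), start, end)


def repeated_ranges(regions) -> dict:
    """Map (pid, start, end) to the dump indices for ranges captured more than once."""
    seen = {}
    for r in regions:
        seen.setdefault((r.pid, r.start, r.end), []).append(r.index)
    return {key: idxs for key, idxs in seen.items() if len(idxs) > 1}


def contained_ranges(regions) -> list:
    """Sorted (inner index, outer index) pairs where one dump is a strict sub-range of another in the same process."""
    pairs = []
    for inner in regions:
        for outer in regions:
            if inner.pid != outer.pid or (inner.start, inner.end) == (outer.start, outer.end):
                continue
            if outer.start <= inner.start and inner.end <= outer.end:
                pairs.append((inner.index, outer.index))
    return sorted(pairs)


def summarize(names):
    """Parse all names, sort by process and address, and return (regions, repeated, contained)."""
    regions = sorted((parse_dump_name(n) for n in names), key=lambda r: (r.pid, r.start, r.index))
    return regions, repeated_ranges(regions), contained_ranges(regions)


if __name__ == "__main__":
    regions, repeated, contained = summarize(DUMP_NAMES)
    for r in regions:
        print(f"pid {r.pid} dump {r.index}: 0x{r.start:016X}-0x{r.end:016X} ({r.size:,} bytes)")
    for (pid, start, end), idxs in repeated.items():
        print(f"pid {pid}: range 0x{start:X}-0x{end:X} captured {len(idxs)} times (dumps {idxs})")
    for inner, outer in contained:
        print(f"dump {inner} lies inside dump {outer}")
```

Run against this page's names, the script shows that dumps 2 and 3 are the same 0xAC1000-byte range taken twice during the run and that the 8 KiB dump 1 sits inside it, so there are really two distinct regions to examine, not four: a 256 KiB region at 0x1A594D00000 and one large region near the top of the 64-bit user address space.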