Malware Analysis Report

2024-10-10 09:55

Sample ID: 240711-t1ykcaxcrf
Target: dead.payload
SHA256: 7e45b79940116f8a1de3a75f82e5209d0279d99479a24778e1590dd739b6ddf8
Tags: umbral, stealer
Score: 10/10


Analysis Overview

Score: 10/10
SHA256: 7e45b79940116f8a1de3a75f82e5209d0279d99479a24778e1590dd739b6ddf8
Threat Level: Known bad

The file dead.payload was found to be: Known bad.

Malicious Activity Summary

Tags: umbral, stealer

Umbral family
Detect Umbral payload
Umbral
Unsigned PE
Suspicious use of WriteProcessMemory
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx

The family detections (Umbral family, Detect Umbral payload, Umbral) and the unsigned PE finding come from the static pass (static1), and the Umbral payload detection fired again in both detonations. The remaining entries should be read against the detonation details below. The WriteProcessMemory events (behavioral1) target WerFault.exe, which was invoked for PID 2348, the sample's own PID; they record Windows Error Reporting collecting a crash of the sample, not injection into another process. The registry and clipboard indicators (behavioral2) are attributed to WINWORD.EXE, which the report does not link to dead.exe, and reflect Office start-up on the analysis image. SetWindowsHookEx is listed only here and has no corresponding entry in either detonation's Signatures section.

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-07-11 16:32

Signatures

Detect Umbral payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Umbral family

Tags: umbral

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-07-11 16:32
Reported: 2024-07-11 16:32
Platform: win7-20240708-en
Max time kernel: 16s
Max time network: 16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dead.exe"

Signatures

Detect Umbral payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Umbral

Tags: stealer, umbral

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2348 wrote to memory of 268 | N/A | C:\Users\Admin\AppData\Local\Temp\dead.exe | C:\Windows\system32\WerFault.exe
PID 2348 wrote to memory of 268 | N/A | C:\Users\Admin\AppData\Local\Temp\dead.exe | C:\Windows\system32\WerFault.exe
PID 2348 wrote to memory of 268 | N/A | C:\Users\Admin\AppData\Local\Temp\dead.exe | C:\Windows\system32\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\dead.exe
  "C:\Users\Admin\AppData\Local\Temp\dead.exe"

C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2348 -s 544

WerFault.exe is Windows Error Reporting and -p 2348 names the faulting process, so dead.exe crashed on this Windows 7 image inside the 16s window. The WriteProcessMemory events above are the faulting process handing data to WerFault, not injection into a third-party process. Umbral is a .NET stealer, so a missing runtime on the older image is a plausible cause, though the report does not record the fault reason. No network activity was recorded before the crash.

Network

N/A

Files

memory/2348-0-0x000007FEF5263000-0x000007FEF5264000-memory.dmp

memory/2348-1-0x0000000001360000-0x00000000013A6000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-07-11 16:32
Reported: 2024-07-11 16:32
Platform: win10v2004-20240709-en
Max time kernel: 27s
Max time network: 29s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dead.exe"

Signatures

Detect Umbral payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Umbral

Tags: stealer, umbral

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dead.exe
  "C:\Users\Admin\AppData\Local\Temp\dead.exe"

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\UnpublishRestart.docx" /o ""

Every registry and clipboard indicator in this run is attributed to WINWORD.EXE, which was opened on a document in the user's Documents folder. The report shows no relationship between dead.exe and that Word instance, so those indicators describe Office start-up behavior on the analysis image, not the sample.

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 46.28.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 213.143.182.52.in-addr.arpa | udp
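All six recorded network events are reverse-DNS (PTR) queries sent to 8.8.8.8; there is no forward lookup and no TCP connection in the 29s window, and the table does not say which process issued the queries. A PTR name carries the address in reversed octet order under in-addr.arpa, so the script below, added here as an example for reading the report (it is not the sandbox's code), decodes the queried names back into the IPv4 addresses some process on the guest wanted a name for and checks that they are public addresses. The rows are copied from the table above; nothing in the decoded output identifies the issuing process or a command-and-control server.

```python
"""Decode the PTR (reverse-DNS) query names from a sandbox network table.

Added example for reading this report, not the sandbox's own code. The
rows are copied from the behavioral2 Network table; the report does not
say which process issued the queries, so the decoded addresses are
"addresses some process on the guest wanted a name for", not C2.
"""
import ipaddress

NETWORK_ROWS = [
    # (country, destination, queried name, protocol), as in the report
    ("US", "8.8.8.8:53", "72.32.126.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "25.140.123.92.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "55.36.223.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "46.28.109.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "14.227.111.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "213.143.182.52.in-addr.arpa", "udp"),
]

PTR_SUFFIX = ".in-addr.arpa"


def ptr_name_to_ip(name):
    """'72.32.126.40.in-addr.arpa' -> IPv4Address('40.126.32.72').

    PTR names list the octets in reverse order under in-addr.arpa.
    Anything else (forward lookups, ip6.arpa names, malformed octets)
    raises ValueError so the caller cannot mistake it for an address.
    """
    lowered = name.lower().rstrip(".")
    if not lowered.endswith(PTR_SUFFIX):
        raise ValueError(f"not an IPv4 reverse-lookup name: {name}")
    octets = lowered[: -len(PTR_SUFFIX)].split(".")
    if len(octets) != 4:
        raise ValueError(f"expected 4 octets, got {len(octets)}: {name}")
    # IPv4Address validates that each octet is 0-255
    return ipaddress.IPv4Address(".".join(reversed(octets)))


def decode_rows(rows):
    """Split each row into resolver, port, protocol, looked-up IP and scope."""
    decoded = []
    for _country, destination, name, proto in rows:
        resolver, _, port = destination.rpartition(":")
        ip = ptr_name_to_ip(name)
        decoded.append({
            "resolver": resolver,
            "port": int(port),
            "proto": proto,
            "looked_up": str(ip),
            # False for RFC 1918, loopback, link-local and similar ranges
            "is_global": ip.is_global,
        })
    return decoded


def forward_lookups(rows):
    """Names in the table that are not reverse lookups (none in this report)."""
    return [name for _c, _d, name, _p in rows
            if not name.lower().rstrip(".").endswith(PTR_SUFFIX)]


if __name__ == "__main__":
    for entry in decode_rows(NETWORK_ROWS):
        scope = "public" if entry["is_global"] else "non-public"
        print(f"{entry['resolver']}:{entry['port']}/{entry['proto']}  "
              f"PTR -> {entry['looked_up']}  ({scope})")
    print("forward lookups:", forward_lookups(NETWORK_ROWS))
```

Run it as a script to list the decoded addresses; `forward_lookups` returning an empty list is the quick check that the run produced no hostname resolution at all, which is what you would want to see before concluding that no exfiltration was observed.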

Files

memory/1592-0-0x00007FF921A73000-0x00007FF921A75000-memory.dmp

memory/1592-1-0x000001E876440000-0x000001E876486000-memory.dmp

memory/1592-2-0x00007FF921A70000-0x00007FF922531000-memory.dmp

memory/1592-3-0x00007FF921A70000-0x00007FF922531000-memory.dmp

memory/3912-4-0x00007FF8FFAF0000-0x00007FF8FFB00000-memory.dmp

memory/3912-6-0x00007FF8FFAF0000-0x00007FF8FFB00000-memory.dmp

memory/3912-5-0x00007FF8FFAF0000-0x00007FF8FFB00000-memory.dmp

memory/3912-7-0x00007FF8FFAF0000-0x00007FF8FFB00000-memory.dmp

memory/3912-8-0x00007FF8FFAF0000-0x00007FF8FFB00000-memory.dmp

memory/3912-9-0x00007FF921860000-0x00007FF921AE3000-memory.dmp

memory/3912-10-0x00007FF8FD950000-0x00007FF8FD960000-memory.dmp

memory/3912-11-0x00007FF921860000-0x00007FF921AE3000-memory.dmp

memory/3912-14-0x00007FF921860000-0x00007FF921AE3000-memory.dmp

memory/3912-13-0x00007FF921860000-0x00007FF921AE3000-memory.dmp

memory/3912-12-0x00007FF8FD950000-0x00007FF8FD960000-memory.dmp

memory/3912-15-0x00007FF921860000-0x00007FF921AE3000-memory.dmp

memory/3912-16-0x00007FF921860000-0x00007FF921AE3000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 fb6b84720afe4cdbb9cb985699ac1556
SHA1 749d076cd41e21b9cf50e18c0927cd3e950edb6e
SHA256 1057f8c144545ada96cd5dc2b446484497b4f19ce34eb659d09801bf188e094f
SHA512 0f02050e3656729756335c7ad7fcc523004bef75e99c06754189403dfceaef22110f22c7372b7ecb0319bd51ce47e6e635f1a9827dbddb1966393a74d35f841c

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 d09c6c44514eef4f9b26c3b5d9bee89c
SHA1 f925949bb80977e81ed1676fde9dd8b33f38162e
SHA256 0dfac34c15cc35f11a85eda77c621ef5cdd1db1f6babf75f6a116f260445410f
SHA512 f7a6ab02870e2677faffafb41264154068701f2105c286b543697a4a73915b9bf377c9991079d4e8e3bf651b0b4bcb545b2590abecf9f408ddd191b66a32102a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 a64a3dd9cf245c2da61147b569f4d1c7
SHA1 9bc78af7a4a5a3c0b40656440cc3bd4091fc6454
SHA256 f7bc9994fd498b15c10b63f2235d9e22cdac855d22f0703ebad326c53976702e
SHA512 75083515381e110e1cac7e9306c9cd26ff2892f3c903614ad30a19df7a4cb4ab8d29f0800290a3bf27c2ddb9d74bfad3c1d8735bdab8540a2564e87580aff2e0
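The memory-dump artifact names in both Files sections (behavioral1 and behavioral2) encode the PID and the virtual address range that was dumped. The following script, added here as an example for reading the report and not part of the sandbox's tooling, parses those names and groups the regions per process, so you can see which dumps belong to the sample (PID 2348 in behavioral1, named by WerFault's -p argument; PID 1592 in behavioral2, the only other listed process besides WINWORD) and which to WINWORD.EXE (PID 3912), and that both detonations dumped a 0x46000-byte region from the sample. Reading that region as the sample's mapped image is an assumption; the report does not say what it contains. The artifact names are copied from the report.

```python
"""Parse sandbox memory-dump artifact names and summarise regions per PID.

Artifact names look like memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp.
Added example for reading this report, not the sandbox's own code. The
names below are copied from the report's two Files sections; treating
the 0x46000-byte region as the sample's mapped image is an assumption
the report does not confirm.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# behavioral1 (win7): PID 2348 is dead.exe (WerFault was invoked with -p 2348)
BEHAVIORAL1 = [
    "memory/2348-0-0x000007FEF5263000-0x000007FEF5264000-memory.dmp",
    "memory/2348-1-0x0000000001360000-0x00000000013A6000-memory.dmp",
]

# behavioral2 (win10): PID 3912 is WINWORD.EXE; 1592 is assumed to be
# dead.exe, the only other process in the report's Processes list
BEHAVIORAL2 = [
    "memory/1592-0-0x00007FF921A73000-0x00007FF921A75000-memory.dmp",
    "memory/1592-1-0x000001E876440000-0x000001E876486000-memory.dmp",
    "memory/1592-2-0x00007FF921A70000-0x00007FF922531000-memory.dmp",
    "memory/1592-3-0x00007FF921A70000-0x00007FF922531000-memory.dmp",
    "memory/3912-4-0x00007FF8FFAF0000-0x00007FF8FFB00000-memory.dmp",
    "memory/3912-6-0x00007FF8FFAF0000-0x00007FF8FFB00000-memory.dmp",
    "memory/3912-5-0x00007FF8FFAF0000-0x00007FF8FFB00000-memory.dmp",
    "memory/3912-7-0x00007FF8FFAF0000-0x00007FF8FFB00000-memory.dmp",
    "memory/3912-8-0x00007FF8FFAF0000-0x00007FF8FFB00000-memory.dmp",
    "memory/3912-9-0x00007FF921860000-0x00007FF921AE3000-memory.dmp",
    "memory/3912-10-0x00007FF8FD950000-0x00007FF8FD960000-memory.dmp",
    "memory/3912-11-0x00007FF921860000-0x00007FF921AE3000-memory.dmp",
    "memory/3912-14-0x00007FF921860000-0x00007FF921AE3000-memory.dmp",
    "memory/3912-13-0x00007FF921860000-0x00007FF921AE3000-memory.dmp",
    "memory/3912-12-0x00007FF8FD950000-0x00007FF8FD960000-memory.dmp",
    "memory/3912-15-0x00007FF921860000-0x00007FF921AE3000-memory.dmp",
    "memory/3912-16-0x00007FF921860000-0x00007FF921AE3000-memory.dmp",
]


def parse_dump_name(name):
    """Return pid, index, start, end and size for one artifact name."""
    m = DUMP_RE.match(name)
    if m is None:
        raise ValueError(f"not a memory-dump artifact name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name}")
    return {"pid": int(m["pid"]), "index": int(m["idx"]),
            "start": start, "end": end, "size": end - start}


def summarise(names):
    """Map pid -> sorted list of (start, end, size, [dump indices]).

    The same range is often dumped several times; those collapse into
    one entry carrying all of their dump indices.
    """
    by_pid = defaultdict(dict)
    for name in names:
        d = parse_dump_name(name)
        by_pid[d["pid"]].setdefault((d["start"], d["end"]), []).append(d["index"])
    return {
        pid: sorted((s, e, e - s, sorted(idxs)) for (s, e), idxs in ranges.items())
        for pid, ranges in by_pid.items()
    }


def regions_of_size(summary, size):
    """(pid, start) for every distinct region of exactly `size` bytes."""
    return sorted((pid, s) for pid, regions in summary.items()
                  for s, _e, sz, _idxs in regions if sz == size)


if __name__ == "__main__":
    for label, names in (("behavioral1", BEHAVIORAL1), ("behavioral2", BEHAVIORAL2)):
        print(label)
        for pid, regions in sorted(summarise(names).items()):
            for s, e, sz, idxs in regions:
                print(f"  pid {pid}: {s:#018x}-{e:#018x}  {sz:#x} bytes  dumps {idxs}")
```

Grouping by range also makes the WINWORD noise obvious: its thirteen dumps cover only three distinct regions, repeatedly re-dumped, while the sample contributes one 0x46000-byte region in each run that is the natural first target for static analysis.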