Analysis Overview
SHA256
7e45b79940116f8a1de3a75f82e5209d0279d99479a24778e1590dd739b6ddf8
Threat Level: Known bad
The file dead.payload was found to be: Known bad.
Malicious Activity Summary
Umbral family
Detect Umbral payload
Umbral
Unsigned PE
Suspicious use of WriteProcessMemory
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-11 16:32
Signatures
Detect Umbral payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Umbral family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-11 16:32
Reported
2024-07-11 16:32
Platform
win7-20240708-en
Max time kernel
16s
Max time network
16s
Command Line
Signatures
Detect Umbral payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Umbral
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2348 wrote to memory of 268 | N/A | C:\Users\Admin\AppData\Local\Temp\dead.exe | C:\Windows\system32\WerFault.exe |
| PID 2348 wrote to memory of 268 | N/A | C:\Users\Admin\AppData\Local\Temp\dead.exe | C:\Windows\system32\WerFault.exe |
| PID 2348 wrote to memory of 268 | N/A | C:\Users\Admin\AppData\Local\Temp\dead.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\dead.exe
"C:\Users\Admin\AppData\Local\Temp\dead.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2348 -s 544
Network
Files
memory/2348-0-0x000007FEF5263000-0x000007FEF5264000-memory.dmp
memory/2348-1-0x0000000001360000-0x00000000013A6000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-11 16:32
Reported
2024-07-11 16:32
Platform
win10v2004-20240709-en
Max time kernel
27s
Max time network
29s
Command Line
Signatures
Detect Umbral payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Umbral
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\dead.exe
"C:\Users\Admin\AppData\Local\Temp\dead.exe"
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\UnpublishRestart.docx" /o ""
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 46.28.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 213.143.182.52.in-addr.arpa | udp |
Files
memory/1592-0-0x00007FF921A73000-0x00007FF921A75000-memory.dmp
memory/1592-1-0x000001E876440000-0x000001E876486000-memory.dmp
memory/1592-2-0x00007FF921A70000-0x00007FF922531000-memory.dmp
memory/1592-3-0x00007FF921A70000-0x00007FF922531000-memory.dmp
memory/3912-4-0x00007FF8FFAF0000-0x00007FF8FFB00000-memory.dmp
memory/3912-6-0x00007FF8FFAF0000-0x00007FF8FFB00000-memory.dmp
memory/3912-5-0x00007FF8FFAF0000-0x00007FF8FFB00000-memory.dmp
memory/3912-7-0x00007FF8FFAF0000-0x00007FF8FFB00000-memory.dmp
memory/3912-8-0x00007FF8FFAF0000-0x00007FF8FFB00000-memory.dmp
memory/3912-9-0x00007FF921860000-0x00007FF921AE3000-memory.dmp
memory/3912-10-0x00007FF8FD950000-0x00007FF8FD960000-memory.dmp
memory/3912-11-0x00007FF921860000-0x00007FF921AE3000-memory.dmp
memory/3912-14-0x00007FF921860000-0x00007FF921AE3000-memory.dmp
memory/3912-13-0x00007FF921860000-0x00007FF921AE3000-memory.dmp
memory/3912-12-0x00007FF8FD950000-0x00007FF8FD960000-memory.dmp
memory/3912-15-0x00007FF921860000-0x00007FF921AE3000-memory.dmp
memory/3912-16-0x00007FF921860000-0x00007FF921AE3000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
| MD5 | fb6b84720afe4cdbb9cb985699ac1556 |
| SHA1 | 749d076cd41e21b9cf50e18c0927cd3e950edb6e |
| SHA256 | 1057f8c144545ada96cd5dc2b446484497b4f19ce34eb659d09801bf188e094f |
| SHA512 | 0f02050e3656729756335c7ad7fcc523004bef75e99c06754189403dfceaef22110f22c7372b7ecb0319bd51ce47e6e635f1a9827dbddb1966393a74d35f841c |
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
| MD5 | d09c6c44514eef4f9b26c3b5d9bee89c |
| SHA1 | f925949bb80977e81ed1676fde9dd8b33f38162e |
| SHA256 | 0dfac34c15cc35f11a85eda77c621ef5cdd1db1f6babf75f6a116f260445410f |
| SHA512 | f7a6ab02870e2677faffafb41264154068701f2105c286b543697a4a73915b9bf377c9991079d4e8e3bf651b0b4bcb545b2590abecf9f408ddd191b66a32102a |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
| MD5 | a64a3dd9cf245c2da61147b569f4d1c7 |
| SHA1 | 9bc78af7a4a5a3c0b40656440cc3bd4091fc6454 |
| SHA256 | f7bc9994fd498b15c10b63f2235d9e22cdac855d22f0703ebad326c53976702e |
| SHA512 | 75083515381e110e1cac7e9306c9cd26ff2892f3c903614ad30a19df7a4cb4ab8d29f0800290a3bf27c2ddb9d74bfad3c1d8735bdab8540a2564e87580aff2e0 |