Overview

overview

10

Static

static

10

dead.exe

windows7-x64

10

dead.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    30s
  • max time network
    15s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-07-2024 16:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dead.exe

  • Size

    254KB

  • MD5

    41a555bbc081356100cafdd006d3c096

  • SHA1

    bf4f81ed8b698b9865098fccabff0bbbe3ca3255

  • SHA256

    7e45b79940116f8a1de3a75f82e5209d0279d99479a24778e1590dd739b6ddf8

  • SHA512

    1bc00d609264c523ab114e845a26edb9a611b927a583730880916f04efeee9c37c4529559a47854e422ab8530ab8edbb87754a755f50939c29e5a14e4b74efbc

  • SSDEEP

    6144:+4oZo8KbOUtoAXAEeDh0x7axHU3FmRaW8ejI82V:9oZAOUo90ufIl

Score
10/10
umbralstealer

Malware Config

Signatures

  • Detect Umbral payload 1 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 41 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dead.exe
    "C:\Users\Admin\AppData\Local\Temp\dead.exe"
    1⤵
      PID:552
    • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\CompleteStop.xlsx"
      1⤵
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:3076
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3832
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\CompressCopy.pcx
        2⤵
        • Opens file in notepad (likely ransom note)
        PID:3864

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
      Filesize

      375B

      MD5

      ab7d2c1cbbc2d7b4f7e5bb1c8c6ea2bb

      SHA1

      3d371c9c52babc38d75ffbb6c2b7a2166a712e89

      SHA256

      871bc318ff1901a0c531c49cb2cfcfe20356910e06d962db53b1d9f9cbb6e25f

      SHA512

      3f10a61d85dc0f659fbf250442ad141e2093ce18316e3868d3bd2fda8e02075b0cd32a02e38d4a2789efe256a2cd339e838408cecab5483fee462b11a4f07a5f

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
      Filesize

      3KB

      MD5

      d7570734da99e97b5b1f9c0ed769f219

      SHA1

      b5c70e166289dba00275d3c5ec2f93c0be273089

      SHA256

      c4cbff22972713643c29c6751d82cf167e5623d6098e184cec217c2c86721e92

      SHA512

      e1cd99aeead32b449f361cf216a7ff2734ed7bbf31207d0e7f6de1c773fb7efcb9c344f29abb275a9686a930f246290d66631e97831582a50922bc0c1e9dff48

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
      Filesize

      3KB

      MD5

      244fc07e9d3169e926525db86974cb59

      SHA1

      600e2e6c0af8ccdd9949b4aa8d68bec5d64a2a72

      SHA256

      f36dcab0e40f5d88dbc2e0cf8f6e6f5934494e450da8d5157a182eb99c7f8b2f

      SHA512

      16ee5ee69853343c35a16ced5fbbbcff6ad65fe6dbc7c5fc8df0bf4812be62e6a4a9b949645dcf41d5c38ebfe24002d47abf8781413733d2817e9875a290cb56

      Download Submit

    • memory/552-1-0x00007FFA08DB3000-0x00007FFA08DB5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/552-2-0x00007FFA08DB0000-0x00007FFA09871000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/552-3-0x00007FFA08DB0000-0x00007FFA09871000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/552-0-0x000001CFD6160000-0x000001CFD61A6000-memory.dmp

      Filesize

      280KB

      Download

    • memory/3076-5-0x00007FF9E71F0000-0x00007FF9E7200000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3076-7-0x00007FF9E71F0000-0x00007FF9E7200000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3076-9-0x00007FFA08C90000-0x00007FFA08F60000-memory.dmp

      Filesize

      2.8MB

      Download

    • memory/3076-10-0x00007FF9E4C40000-0x00007FF9E4C50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3076-11-0x00007FFA08C90000-0x00007FFA08F60000-memory.dmp

      Filesize

      2.8MB

      Download

    • memory/3076-12-0x00007FF9E4C40000-0x00007FF9E4C50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3076-13-0x00007FFA08C90000-0x00007FFA08F60000-memory.dmp

      Filesize

      2.8MB

      Download

    • memory/3076-14-0x00007FFA08C90000-0x00007FFA08F60000-memory.dmp

      Filesize

      2.8MB

      Download

    • memory/3076-15-0x00007FFA08C90000-0x00007FFA08F60000-memory.dmp

      Filesize

      2.8MB

      Download

    • memory/3076-8-0x00007FF9E71F0000-0x00007FF9E7200000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3076-6-0x00007FF9E71F0000-0x00007FF9E7200000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3076-4-0x00007FF9E71F0000-0x00007FF9E7200000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3076-60-0x00007FF9E71F0000-0x00007FF9E7200000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3076-59-0x00007FF9E71F0000-0x00007FF9E7200000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3076-63-0x00007FFA08C90000-0x00007FFA08F60000-memory.dmp

      Filesize

      2.8MB

      Download

    • memory/3076-62-0x00007FF9E71F0000-0x00007FF9E7200000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3076-61-0x00007FF9E71F0000-0x00007FF9E7200000-memory.dmp

      Filesize

      64KB

      Download