Malware Analysis Report

2024-10-10 09:55

Sample ID  240711-vftlbsvhnp
Target     dead.payload
SHA256     7e45b79940116f8a1de3a75f82e5209d0279d99479a24778e1590dd739b6ddf8
Tags       umbral stealer
Score      10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score   10/10
SHA256  7e45b79940116f8a1de3a75f82e5209d0279d99479a24778e1590dd739b6ddf8

Threat Level: Known bad

The file dead.payload was found to be: Known bad.

Malicious Activity Summary

    umbral stealer
    Umbral family
    Umbral
    Detect Umbral payload
    Unsigned PE
    Suspicious use of WriteProcessMemory

The verdict rests on the Umbral payload and Umbral family matches from the static pass, which both detonations repeat. The WriteProcessMemory hit comes from the Windows 7 run only, where the target process is the sample's own WerFault.exe crash reporter (see behavioral1); it is not evidence of injection into another process. No network connection attributable to the sample was recorded in either detonation.

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported  2024-07-11 16:56

Signatures

Detect Umbral payload
    Description, Indicator, Process, Target: N/A (no per-indicator detail recorded)

Umbral family
    tags: umbral

Unsigned PE
    Description, Indicator, Process, Target: N/A (no per-indicator detail recorded)

Analysis: behavioral1

Detonation Overview

Submitted         2024-07-11 16:56
Reported          2024-07-11 16:56
Platform          win7-20240704-en
Max time kernel   23s
Max time network  17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dead.exe"

Signatures

Detect Umbral payload
    Description, Indicator, Process, Target: N/A (no per-indicator detail recorded)

Umbral
    tags: stealer umbral

Suspicious use of WriteProcessMemory

    Description                       Indicator  Process                                     Target
    PID 2516 wrote to memory of 2952  N/A        C:\Users\Admin\AppData\Local\Temp\dead.exe  C:\Windows\system32\WerFault.exe
    PID 2516 wrote to memory of 2952  N/A        C:\Users\Admin\AppData\Local\Temp\dead.exe  C:\Windows\system32\WerFault.exe
    PID 2516 wrote to memory of 2952  N/A        C:\Users\Admin\AppData\Local\Temp\dead.exe  C:\Windows\system32\WerFault.exe

Read these rows together with the process list: PID 2952 is WerFault.exe started as "WerFault.exe -u -p 2516 -s 548", the Windows Error Reporting invocation for a faulting process whose PID is given by -p, here dead.exe itself. The three writes are the crash-reporting handshake between a faulting process and the WerFault.exe child it launched, a pattern that appears whenever a sample crashes in the sandbox, not injection into an unrelated process. dead.exe therefore faulted early on the Windows 7 image, which also explains the absence of network activity in this run; the Windows 10 run (behavioral2) shows neither WerFault.exe nor a WriteProcessMemory hit.

Processes

    C:\Users\Admin\AppData\Local\Temp\dead.exe  (PID 2516)
        "C:\Users\Admin\AppData\Local\Temp\dead.exe"

    C:\Windows\system32\WerFault.exe  (PID 2952)
        C:\Windows\system32\WerFault.exe -u -p 2516 -s 548
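The check an analyst wants to run on a WriteProcessMemory hit like the one above is whether the target process is the writer's own WerFault.exe. The script below is an added example, not code from the sandbox or from this report; the process records and the three events are constructed from the behavioral1 Signatures and Processes tables, and the labels it returns are this example's own naming.

```python
"""Triage of 'Suspicious use of WriteProcessMemory' hits against the process tree.

Added example (not code from the sandbox or the report). The process
records and the three WriteProcessMemory events are constructed here from
the behavioral1 tables. A faulting Windows process launches its own
crash reporter as 'WerFault.exe -u -p <faulting pid> -s <event handle>'
and then writes crash context into it, so a generic WriteProcessMemory
rule fires. The check below tells that pattern apart from writes into a
process the writer did not spawn for that purpose.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# WerFault.exe's command line: '-p' names the process being reported on.
WERFAULT_RE = re.compile(
    r"""(?ix)
    (?: ^ | \\ ) werfault\.exe "? \s+   # image name, optionally quoted
    .*? -p \s+ (?P<pid>\d+)             # -p <pid of the faulting process>
    """
)


@dataclass(frozen=True)
class Process:
    pid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class WpmEvent:
    """One 'PID <source> wrote to memory of <target>' row."""
    source_pid: int
    target_pid: int


def wer_reported_pid(cmdline: str) -> Optional[int]:
    """PID named by 'WerFault.exe ... -p <pid>', or None if not a WerFault line."""
    m = WERFAULT_RE.search(cmdline)
    return int(m.group("pid")) if m else None


def classify(event: WpmEvent, procs: Dict[int, Process]) -> str:
    """Label a WriteProcessMemory event using the command line of its target."""
    target = procs.get(event.target_pid)
    if target is None or event.source_pid not in procs:
        return "unknown-process"
    reported = wer_reported_pid(target.cmdline)
    if reported == event.source_pid:
        # The target is the writer's own crash reporter: the writer faulted.
        return "wer-crash-report"
    if reported is not None:
        # WerFault is reporting on a different PID; the writer should not touch it.
        return "possible-injection-into-werfault"
    return "possible-injection"


def triage(events: List[WpmEvent], procs: Dict[int, Process]) -> List[str]:
    return [classify(e, procs) for e in events]


# Constructed from the behavioral1 Processes and Signatures tables (Win7 run).
BEHAVIORAL1_PROCESSES: Dict[int, Process] = {
    2516: Process(2516, r"C:\Users\Admin\AppData\Local\Temp\dead.exe",
                  r'"C:\Users\Admin\AppData\Local\Temp\dead.exe"'),
    2952: Process(2952, r"C:\Windows\system32\WerFault.exe",
                  r"C:\Windows\system32\WerFault.exe -u -p 2516 -s 548"),
}
BEHAVIORAL1_WPM: List[WpmEvent] = [WpmEvent(2516, 2952)] * 3

if __name__ == "__main__":
    for ev, label in zip(BEHAVIORAL1_WPM, triage(BEHAVIORAL1_WPM, BEHAVIORAL1_PROCESSES)):
        print(f"PID {ev.source_pid} -> PID {ev.target_pid}: {label}")
```

All three rows from this run come back as wer-crash-report. The same function would return possible-injection for a write into a process whose command line is not a WerFault.exe invocation naming the writer, which is the case worth an analyst's time.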

Network

N/A

Files

    memory/2516-0-0x000007FEF53D3000-0x000007FEF53D4000-memory.dmp  (0x1000 bytes)
    memory/2516-1-0x0000000000C50000-0x0000000000C96000-memory.dmp  (0x46000 bytes)

Analysis: behavioral2

Detonation Overview

Submitted         2024-07-11 16:56
Reported          2024-07-11 16:57
Platform          win10v2004-20240709-en
Max time kernel   30s
Max time network  5s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dead.exe"

Signatures

Detect Umbral payload
    Description, Indicator, Process, Target: N/A (no per-indicator detail recorded)

Umbral
    tags: stealer umbral

Processes

    C:\Users\Admin\AppData\Local\Temp\dead.exe  (PID 4164)
        "C:\Users\Admin\AppData\Local\Temp\dead.exe"

Network

    Country  Destination         Domain                       Proto
    US       8.8.8.8:53          g.bing.com                   udp
    US       13.107.21.237:443   g.bing.com                   tcp
    US       8.8.8.8:53          240.143.123.92.in-addr.arpa  udp
    US       8.8.8.8:53          136.32.126.40.in-addr.arpa   udp
    US       8.8.8.8:53          237.21.107.13.in-addr.arpa   udp
    US       8.8.8.8:53          (domain not recorded)        udp

Everything recorded here is DNS to 8.8.8.8 plus a single HTTPS connection to g.bing.com, which is typical Windows 10 background traffic. 237.21.107.13.in-addr.arpa is the reverse (PTR) name for 13.107.21.237, the g.bing.com address that was contacted; the other two reverse lookups are for 92.123.143.240 and 40.126.32.136, neither of which appears as a connection destination. No connection attributable to the sample, such as an upload of collected data, was captured in the 5 s of network time, so this run provides no exfiltration endpoint to block.
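Separating what the operating system did from what the sample did is the recurring task with a network table like this one. The script below is an added example, not code from the sandbox or from this report; the flows are constructed from the behavioral2 Network table, and the background-domain allowlist (.bing.com) is an assumption standing in for an analyst's own clean-baseline list.

```python
"""Attribution of sandbox network rows: sample traffic vs. OS background.

Added example (not code from the sandbox or the report). The flows are
constructed from the behavioral2 Network table. PTR names are folded back
to the address they describe, each reverse lookup is matched against the
addresses actually connected to, and connections are split into OS
background (by an analyst-maintained domain allowlist, an assumption here)
and traffic left for the analyst to attribute to the sample.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    country: str
    dest: str      # "ip:port" as printed in the report
    domain: str    # "" where the report left the column blank
    proto: str


# Analyst allowlist of domains a stock Windows 10 image contacts on its own.
# Assumption for this example; extend it from your own clean-baseline runs.
BACKGROUND_SUFFIXES: Tuple[str, ...] = (".bing.com",)


def ptr_to_ip(name: str) -> Optional[str]:
    """'240.143.123.92.in-addr.arpa' -> '92.123.143.240'; None if not a v4 PTR name."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(labels[:4]))))
    except ipaddress.AddressValueError:
        return None


def is_background(domain: str) -> bool:
    d = domain.lower().rstrip(".")
    return any(d == s.lstrip(".") or d.endswith(s) for s in BACKGROUND_SUFFIXES)


def attribute(flows: List[Flow]) -> Dict[str, object]:
    connections = [f for f in flows if f.proto == "tcp"]
    contacted = {f.dest.rsplit(":", 1)[0] for f in connections}
    dns = [f for f in flows if f.proto == "udp" and f.dest.endswith(":53")]

    reverse: Dict[str, str] = {}
    forward: List[str] = []
    blank = 0
    for q in dns:
        if not q.domain:
            blank += 1            # domain column was empty in the report
            continue
        ip = ptr_to_ip(q.domain)
        if ip is not None:
            reverse[ip] = q.domain
        else:
            forward.append(q.domain)

    return {
        "forward_lookups": forward,
        "reverse_for_contacted": {ip: n for ip, n in reverse.items() if ip in contacted},
        "reverse_for_uncontacted": {ip: n for ip, n in reverse.items() if ip not in contacted},
        "background_connections": [f.dest + " " + f.domain for f in connections if is_background(f.domain)],
        "unattributed_connections": [f.dest + " " + f.domain for f in connections if not is_background(f.domain)],
        "blank_dns_rows": blank,
    }


# Constructed from the behavioral2 Network table (Win10 run).
BEHAVIORAL2_FLOWS: List[Flow] = [
    Flow("US", "8.8.8.8:53", "g.bing.com", "udp"),
    Flow("US", "13.107.21.237:443", "g.bing.com", "tcp"),
    Flow("US", "8.8.8.8:53", "240.143.123.92.in-addr.arpa", "udp"),
    Flow("US", "8.8.8.8:53", "136.32.126.40.in-addr.arpa", "udp"),
    Flow("US", "8.8.8.8:53", "237.21.107.13.in-addr.arpa", "udp"),
    Flow("US", "8.8.8.8:53", "", "udp"),
]

if __name__ == "__main__":
    for key, value in attribute(BEHAVIORAL2_FLOWS).items():
        print(f"{key}: {value}")
```

For this run the unattributed list is empty and the only connection falls under the allowlist, which is the programmatic form of the statement that no sample traffic was captured. The two reverse lookups for addresses never connected to are worth keeping in the output: they show host activity the connection table does not explain and would be the first thing to check against a longer network timeout.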

Files

    memory/4164-0-0x000002093E870000-0x000002093E8B6000-memory.dmp  (0x46000 bytes)
    memory/4164-1-0x00007FFB4A883000-0x00007FFB4A885000-memory.dmp  (0x2000 bytes)
    memory/4164-2-0x00007FFB4A880000-0x00007FFB4B341000-memory.dmp  (0xAC1000 bytes)
    memory/4164-3-0x00007FFB4A880000-0x00007FFB4B341000-memory.dmp  (0xAC1000 bytes)

A 0x46000-byte region is dumped in both runs (0xC50000-0xC96000 in the Windows 7 run, 0x2093E870000-0x2093E8B6000 here); a region of identical size at a different base on two platforms is consistent with the mapped image of dead.exe itself, and is the dump to start with when pulling the payload out for static analysis. The last two dumps here cover the same 0xAC1000-byte range at two points in time.