Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    04-09-2024 22:53

General

  • Target

    1ca1a71f457d22db79dd70bc2e89042480791cc90e944f12c6c909b11d0c47d3.exe

  • Size

    357KB

  • MD5

    a710588ee1e23934331a582c95feb624

  • SHA1

    2201b586e9f124680b0aac1d36e25f55d4ddc9e2

  • SHA256

    1ca1a71f457d22db79dd70bc2e89042480791cc90e944f12c6c909b11d0c47d3

  • SHA512

    48afa80587490b70b1c744e76a0513700f5fa5adc70368be3bd0f3deb519087c961fadcf75dbbdb85c3d423bdadc4dd4807fdc5cf7a582828be5041529f0d3b0

  • SSDEEP

    6144:e+BI+HMbm5wk3F2jac8/3rzFW6QWP1zJG1S6+hnvgstJo:eAI8MboQaJ/bzFpGQ6+

Malware Config

Extracted

Family

xworm

C2

times-cingular.gl.at.ply.gg:34763

Attributes
  • Install_directory

    %AppData%

  • install_file

    cvchost.exe

Extracted

Family

umbral

C2

https://ptb.discord.com/api/webhooks/1280534631719899197/_7_ESHHAWN6Qwt0AhmjGDQjpogj1YTyUsp04Llns_zEZS2n4Urjnv2EJPdmMICGTMI2B

Signatures

  • Detect Umbral payload 2 IoCs
  • Detect Xworm Payload 2 IoCs
  • Umbral

    Umbral stealer is an open-source modular stealer written in C#.

  • Xworm

    Xworm is a remote access trojan written in C#.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, the web browser credential store.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other secrets.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine the installed video card.

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1ca1a71f457d22db79dd70bc2e89042480791cc90e944f12c6c909b11d0c47d3.exe
    "C:\Users\Admin\AppData\Local\Temp\1ca1a71f457d22db79dd70bc2e89042480791cc90e944f12c6c909b11d0c47d3.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2140
    • C:\Users\Admin\AppData\Local\Temp\MincedPon 2.3.exe
      "C:\Users\Admin\AppData\Local\Temp\MincedPon 2.3.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2808
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\MincedPon 2.3.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2628
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'MincedPon 2.3.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3028
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\cvchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2116
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'cvchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2872
    • C:\Users\Admin\AppData\Local\Temp\MincedPon.exe
      "C:\Users\Admin\AppData\Local\Temp\MincedPon.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2712
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\MincedPon.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2100
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2964
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1316
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2936
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" os get Caption
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:780
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" computersystem get totalphysicalmemory
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1644
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        3⤵
        PID:1284
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:2260
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic" path win32_VideoController get name
        3⤵
        • Detects videocard installed
        PID:2472

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Local\Temp\MincedPon 2.3.exe

      Filesize

      63KB

      MD5

      aa19ff49e3ccdcb59051ec8282d22fb6

      SHA1

      96befbcf0769b42e486956260a76423941bd3cbb

      SHA256

      5746b78a291e9a9a28e37debb19ade8d5262c651cddc3b218d9aa6b57bf8cf48

      SHA512

      4b0d39fa6f1c3f2bfabd81171c908e5920a260cc60284acfb58daa47b8aa96745837ebe8d496ba32087ac39cdcc8d82a0368acf93638ba9eb9a38304cad10cb0

    • C:\Users\Admin\AppData\Local\Temp\MincedPon.exe

      Filesize

      229KB

      MD5

      e611fc181db4d5a238907a34ec296e2a

      SHA1

      91cd54dcf69c39fde93b6967a3be52c75953583d

      SHA256

      1ff7775f1b00fbe5d8b0500094ed64201a8404719ed3fc975b9545b37450b141

      SHA512

      d928f494d0431689d409474584299bded23ff91580dd9f2e78fedb3ecd6b3d33b93a1cf2d82e02eae5ea367f06852db8942cd2166c843a609e372ba73aafa024

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

      Filesize

      7KB

      MD5

      c153dbd37a84d6b3d23d04c681638333

      SHA1

      a97ef569eee26c03294886b314437131d5069d8b

      SHA256

      28e0b7d460dde77832f68ea99be96db88b778ac206e48fd3ef33e6b60b45d300

      SHA512

      0db4fc431e85a564d7307e7b4f83f780defa0c8bbcb465900f664cff9dcc411afd67546d6ce31903fb43bb9d2bf5a275ea068cee93cc1927b627d97a8770b942

    • memory/2140-16-0x000007FEF4F00000-0x000007FEF58EC000-memory.dmp

      Filesize

      9.9MB

    • memory/2140-13-0x000007FEF4F00000-0x000007FEF58EC000-memory.dmp

      Filesize

      9.9MB

    • memory/2140-1-0x0000000001160000-0x00000000011C0000-memory.dmp

      Filesize

      384KB

    • memory/2140-0-0x000007FEF4F03000-0x000007FEF4F04000-memory.dmp

      Filesize

      4KB

    • memory/2260-78-0x0000000001FD0000-0x0000000001FD8000-memory.dmp

      Filesize

      32KB

    • memory/2628-21-0x000000001B300000-0x000000001B5E2000-memory.dmp

      Filesize

      2.9MB

    • memory/2628-22-0x0000000002030000-0x0000000002038000-memory.dmp

      Filesize

      32KB

    • memory/2712-12-0x00000000010C0000-0x0000000001100000-memory.dmp

      Filesize

      256KB

    • memory/2808-14-0x0000000000330000-0x0000000000346000-memory.dmp

      Filesize

      88KB

    • memory/2808-15-0x000007FEF4F00000-0x000007FEF58EC000-memory.dmp

      Filesize

      9.9MB

    • memory/2808-69-0x000007FEF4F00000-0x000007FEF58EC000-memory.dmp

      Filesize

      9.9MB

    • memory/2872-45-0x0000000002410000-0x0000000002418000-memory.dmp

      Filesize

      32KB

    • memory/3028-28-0x000000001B420000-0x000000001B702000-memory.dmp

      Filesize

      2.9MB

    • memory/3028-29-0x0000000001EB0000-0x0000000001EB8000-memory.dmp

      Filesize

      32KB