Analysis

  • max time kernel
    21s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    05-10-2024 18:49

General

  • Target

    Bloxtrap.exe

  • Size

    231KB

  • MD5

    30e78c99e6dadf3e214426fad0aa70ad

  • SHA1

    e7c69f6df99f06632a451d633e615f274b5eaed6

  • SHA256

    e347a40fb7e3ef7705992bce042a420c6fd25913aa931e6fd78ad91b6024e0ee

  • SHA512

    7c93c81962a0930821bc972578f1cdd5b0309005d5ef63a52ea28cfd6dab8dac5364b57c5cb9360b3166a724c4c4bbf30d48f78f09b435c7c8b9c8676e8bb859

  • SSDEEP

    6144:8loZM+rIkd8g+EtXHkv/iD4o1me/1+mpusl3ySXLqb8e1mFOi:aoZtL+EP8o1me/1+mpusl3ySXK6

Score
10/10

Malware Config

Signatures

  • Detect Umbral payload 1 IoCs
  • Umbral

    Umbral stealer is an open-source modular stealer written in C#.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of AdjustPrivilegeToken 41 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Bloxtrap.exe
    "C:\Users\Admin\AppData\Local\Temp\Bloxtrap.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2320
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2848
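Detection logic for the behaviour this report records, written as an added example rather than anything from the sandbox or the sample itself: a process running from the user's Temp directory spawning wmic.exe with `csproduct get uuid` (machine-ID collection, the first thing the stealer did after launch), plus a match on the file's SHA256 from the General section. The log lines are constructed to mirror the process tree above (PID 2320 launching PID 2848) with one benign wmic use added as a control; the pipe-delimited field layout, the `USER_TEMP_RE` parent-path heuristic and the rule names are assumptions, not a real Sysmon export format.

```python
import re

# IoC taken from the report's General section (SHA256 of Bloxtrap.exe).
UMBRAL_SHA256 = {
    "e347a40fb7e3ef7705992bce042a420c6fd25913aa931e6fd78ad91b6024e0ee",
}

# Assumed heuristic: parent image lives under a per-user Temp directory,
# as C:\Users\Admin\AppData\Local\Temp\Bloxtrap.exe does in the report.
USER_TEMP_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)

# wmic.exe asked for the SMBIOS product UUID ("csproduct get uuid" above).
WMIC_UUID_RE = re.compile(r"\bcsproduct\b.*\buuid\b", re.IGNORECASE)

# Constructed sample events (not real telemetry). Assumed pipe-delimited layout:
# time|Image|CommandLine|ParentImage|PID|PPID|Hashes
SAMPLE_LOG = """\
2024-10-05 18:49:02|C:\\Users\\Admin\\AppData\\Local\\Temp\\Bloxtrap.exe|"C:\\Users\\Admin\\AppData\\Local\\Temp\\Bloxtrap.exe"|C:\\Windows\\explorer.exe|2320|1508|SHA256=E347A40FB7E3EF7705992BCE042A420C6FD25913AA931E6FD78AD91B6024E0EE
2024-10-05 18:49:03|C:\\Windows\\System32\\Wbem\\wmic.exe|"wmic.exe" csproduct get uuid|C:\\Users\\Admin\\AppData\\Local\\Temp\\Bloxtrap.exe|2848|2320|SHA256=n/a
2024-10-05 18:52:41|C:\\Windows\\System32\\Wbem\\wmic.exe|"wmic.exe" os get caption|C:\\Windows\\System32\\cmd.exe|3104|2996|SHA256=n/a
"""


def parse_events(text):
    """Parse the pipe-delimited export into dicts; SHA256 is lower-cased for matching."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, image, cmdline, parent, pid, ppid, hashes = line.split("|", 6)
        m = re.search(r"SHA256=([0-9a-fA-F]{64})", hashes)
        events.append({
            "time": ts,
            "image": image,
            "cmdline": cmdline,
            "parent": parent,
            "pid": int(pid),
            "ppid": int(ppid),
            "sha256": m.group(1).lower() if m else None,
        })
    return events


def detect(events):
    """Return one hit per (event, rule) that fires, in log order."""
    hits = []
    for ev in events:
        # Rule 1: file hash matches the sample analysed in this report.
        if ev["sha256"] in UMBRAL_SHA256:
            hits.append({"rule": "umbral_sha256_ioc", "pid": ev["pid"], "image": ev["image"]})
        # Rule 2: wmic.exe collecting the machine UUID, launched from a user Temp dir.
        is_wmic = ev["image"].lower().endswith("\\wmic.exe")
        if is_wmic and WMIC_UUID_RE.search(ev["cmdline"]) and USER_TEMP_RE.search(ev["parent"]):
            hits.append({"rule": "wmic_uuid_from_user_temp", "pid": ev["pid"], "image": ev["image"]})
    return hits


def run_sample():
    """Run both rules over the constructed sample log."""
    return detect(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for h in run_sample():
        print(f"{h['rule']}: pid={h['pid']} image={h['image']}")
```

The benign third event (wmic spawned by cmd.exe with a different query) is there to show the parent-path condition doing its job; on real telemetry, relax `USER_TEMP_RE` to cover other user-writable locations only after checking how often wmic is legitimately launched from them in your environment.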

Network

MITRE ATT&CK Matrix


Downloads

  • memory/2320-0-0x000007FEF5493000-0x000007FEF5494000-memory.dmp

    Filesize

    4KB

  • memory/2320-1-0x0000000001070000-0x00000000010B0000-memory.dmp

    Filesize

    256KB

  • memory/2320-2-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp

    Filesize

    9.9MB

  • memory/2320-3-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp

    Filesize

    9.9MB