Overview

overview

10

Static

static

7

nvngx_dlss.dll

windows10-2004-x64

10

Resubmissions

29-10-2024 01:53

241029-ca9fgsscme 10

29-10-2024 01:45

241029-b6rpwazmhj 10

Analysis

  • max time kernel
    1151s
  • max time network
    1134s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-10-2024 01:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    nvngx_dlss.dll

  • Size

    5.8MB

  • MD5

    8de5c0e5b2257874f05b2dbca186dc6a

  • SHA1

    1e76d52f66d37e804a6c0b93e242fcf2a402705c

  • SHA256

    788cf3cb6aaba23ae7735a80b0ac34ea62ccdac8851b94ad0a185137c2b72297

  • SHA512

    75e5724ed2b28e1294a042a05c082346be5a1186f6a8547ba5b9ddd623c5a37872f36c637833133fa88d00e237fffaa619c35976bed558cd66f32b4c153026f5

  • SSDEEP

    98304:Es2V9unkmnmFZZb5U39X0VFCb5cFUH+MRKqzFRShhDzij5IZdaaaU4ksdW80t/5:E9unjnu/beiQMU15UhNej5IsUOdWD15

Score
10/10
umbralevasionstealerthemidatrojan

Malware Config

Signatures

  • Detect Umbral payload 2 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Umbral family
    umbral
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Blocklisted process makes network request 2 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Themida packer 2 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\nvngx_dlss.dll,#1
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Blocklisted process makes network request
    • Checks BIOS information in registry
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:4864
    • C:\Windows\SoftwareDistribution\nvsvc64.exe
      "C:\Windows\SoftwareDistribution\nvsvc64.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2920
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4684

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SoftwareDistribution\nvsvc64.exe
    Filesize

    231KB

    MD5

    db91000fe7eb1d5e6d6ec2282b9df079

    SHA1

    796efefed175006f206fe83ecd0e1a0755347646

    SHA256

    a44fd93c951d382db9062769546c27f46edf147e20b4bbf0ee965a228573c030

    SHA512

    594dd398418b54abc626da9865b5ffff50052e52b9f628dce7409fee5eadc8d9364f28a8d6739f59d6d161cdbb093c2d029692ad981f77a818c5894dafab8e28

    Download Submit

  • memory/2920-21-0x00000193D61B0000-0x00000193D61F0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2920-22-0x00007FF81CA50000-0x00007FF81CC45000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2920-23-0x00007FF81CA50000-0x00007FF81CC45000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2920-25-0x00007FF81CA50000-0x00007FF81CC45000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4864-0-0x0000000180000000-0x0000000180EA8000-memory.dmp

    Filesize

    14.7MB

    Download

  • memory/4864-1-0x00007FF81CAF0000-0x00007FF81CAF2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4864-2-0x0000000180000000-0x0000000180EA8000-memory.dmp

    Filesize

    14.7MB

    Download