Analysis

  • max time kernel
    1375s
  • max time network
    1438s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags
    arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    02-11-2024 18:57

General

  • Target

    Nursultan.exe

  • Size

    18.0MB

  • MD5

    5878d63d3f8a1f0dd1c17785a0be6527

  • SHA1

    a5070c225197ced6dffbd6ac7e07f0684b1494fa

  • SHA256

    30dee505f1e0ed6775e7db746625146df390188525c6829f8e97120c7a1abf1d

  • SHA512

    79c4529ca0e45d9bf803f2b070823bda9ea2d4098bb093074deffb9b2c5e453df19e22acd53490463c073b01e39b536b4fd3b7551d8eba24512dee1d21c4788b

  • SSDEEP

    6144:Q4+P/wHVBnnt/B2hz3GNZUBhndmJJ7tFpY:mCVxz2hz3QUbdmbt

Malware Config

Signatures

  • Detect Umbral payload 2 IoCs
  • Umbral

    Umbral stealer is an open-source modular stealer written in C#.

  • Umbral family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Using powershell.exe command.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
    "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4800
    • C:\Users\Admin\AppData\Local\Temp\Umbral.exe
      "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4072
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:380
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1100
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4740
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4912
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" os get Caption
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3308
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" computersystem get totalphysicalmemory
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:648
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2648
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:740
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic" path win32_VideoController get name
        3⤵
        • Detects videocard installed
        • Suspicious behavior: EnumeratesProcesses
        PID:2440
    • C:\Users\Admin\AppData\Local\Temp\Mintex Recode.exe
      "C:\Users\Admin\AppData\Local\Temp\Mintex Recode.exe"
      2⤵
      • Executes dropped EXE
      PID:4432

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    3KB

    MD5

    020d1cbef5aeb22088c0faff8d76af4e

    SHA1

    93e7f27b8fb57cfea4ae330bedcace1a8ce7c014

    SHA256

    cb283829df7f7ca2f7f8072ed014bebb7d424581e8672a9fa5683f3674726bb0

    SHA512

    1046228ed9d08e5296c02409b5aa460e8280a633f7f2022ec7dc7c1e750522260006844bd5114ec713593bce1d10b8932963a8630e6707e76b45a0cb8c8ff53d

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    33b9cbbd311b1038a2fe77fc34881b9a

    SHA1

    fc4e8920c2d331eae5221e9a447f9f014a4757aa

    SHA256

    ad6678b57a8d0613cf904de72314ef16b5f01a7da506a38d91bc187ca133bdc0

    SHA512

    104a8f99447fbb13589fa9c0e7187329a59ac77725378ecbd74d51ba41c3a501c948002ef06b39301d98d4b42553bc728583b376942311473a65ece0ab519230

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    9d31edea05c7742882bcad5d976646fc

    SHA1

    ce497f89b17783a1d7e12f2676c6bd2cc1e530f8

    SHA256

    d22685ae2cda7eeceb3f6c55d4c1820a6b5e473c4b0595e0560bda8006622075

    SHA512

    780559170eb419b319f0b624b464c69a9019edbb53c55e1a2dbce4d6ec6fed79606e6d10422f76170db1dc7f97eed33b2566f9faa5b0a5f438a82a0126c9a697

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    948B

    MD5

    5e5f62e4181fc5b4bb396ed02e7565a5

    SHA1

    12cdc8d227f80556a1a8cade17749faf0935e726

    SHA256

    a5e104d85df6e578d392b57dfb049e469666257494edeff39a3c7b91e5fe0fb3

    SHA512

    8fa76714e69217f0f4412691b2e5cac85f49fb4bfcb39c2585b17cf4f62468f51f907aacc658d8b187b4eb53aa7ce7e2bd86a9f3ede6a3a4518d6effeda05772

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    8e1fdd1b66d2fee9f6a052524d4ddca5

    SHA1

    0a9d0994559d1be2eecd8b0d6960540ca627bdb6

    SHA256

    4cc7c1b79d1b48582d4dc27ca8c31457b9bf2441deb7914399bb9e6863f18b13

    SHA512

    5a5494b878b08e8515811ab7a3d68780dac7423f5562477d98249a8bedf7ec98567b7cd5d4c6967d6bc63f2d6d9b7da9a65e0eb29d4b955026b469b5b598d1f3

  • C:\Users\Admin\AppData\Local\Temp\Mintex Recode.exe

    Filesize

    231KB

    MD5

    a4f0117e79f95e9a09595ba300e922ff

    SHA1

    957cc40b3457ea7cb4d3e2692c17706b4eb06f73

    SHA256

    595d3473286dcd48b589fda29331113194ef5d983d74b0d243db05e4629e7f62

    SHA512

    d185b39a6473c7f92f54da5a7ec25c48c0dacbac14f3ffa7bf8f2c4d504642bda683d7e073c05f2752a2a2656a1535dec7a28121671fccd23474a156f5de741d

  • C:\Users\Admin\AppData\Local\Temp\Umbral.exe

    Filesize

    231KB

    MD5

    8769f93eee17e857106cab8c172b03a6

    SHA1

    5c4fe6795f45842dea48d484f3103cbfa7281f7e

    SHA256

    765634711effd2a02e13cf9f90def8bd2f8c2da3290691560f728eeaf095e8f3

    SHA512

    b86996d98d7292db73da8df8340e6229b6663774ccbbe53d6673f3078f6775ec510ab7630c064272f9f0def8509245fb994fdbe976d13e3d53cbe656310278e4

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s3fujox3.w0n.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • memory/380-47-0x000002127DBA0000-0x000002127DBC2000-memory.dmp

    Filesize

    136KB

  • memory/4072-35-0x00007FFEABC90000-0x00007FFEAC752000-memory.dmp

    Filesize

    10.8MB

  • memory/4072-89-0x0000018BB0AA0000-0x0000018BB0AAA000-memory.dmp

    Filesize

    40KB

  • memory/4072-64-0x0000018BB0AB0000-0x0000018BB0ACE000-memory.dmp

    Filesize

    120KB

  • memory/4072-30-0x0000018B96630000-0x0000018B96670000-memory.dmp

    Filesize

    256KB

  • memory/4072-62-0x0000018BB0DC0000-0x0000018BB0E36000-memory.dmp

    Filesize

    472KB

  • memory/4072-110-0x00007FFEABC90000-0x00007FFEAC752000-memory.dmp

    Filesize

    10.8MB

  • memory/4072-90-0x0000018BB0D90000-0x0000018BB0DA2000-memory.dmp

    Filesize

    72KB

  • memory/4072-63-0x0000018BB0D40000-0x0000018BB0D90000-memory.dmp

    Filesize

    320KB

  • memory/4432-32-0x0000000000AE0000-0x0000000000B20000-memory.dmp

    Filesize

    256KB

  • memory/4432-46-0x00007FFEABC90000-0x00007FFEAC752000-memory.dmp

    Filesize

    10.8MB

  • memory/4432-34-0x00007FFEABC90000-0x00007FFEAC752000-memory.dmp

    Filesize

    10.8MB

  • memory/4800-0-0x00007FFEABC93000-0x00007FFEABC95000-memory.dmp

    Filesize

    8KB

  • memory/4800-1-0x0000000000B90000-0x0000000000BC6000-memory.dmp

    Filesize

    216KB

  • memory/4800-111-0x00007FFEABC90000-0x00007FFEAC752000-memory.dmp

    Filesize

    10.8MB

  • memory/4800-33-0x00007FFEABC90000-0x00007FFEAC752000-memory.dmp

    Filesize

    10.8MB