Overview

overview

10

Static

static

3

gorebox.exe

windows10-ltsc 2021-x64

10

Resubmissions

01-12-2024 09:35

241201-lkjggsyqhy 10

01-12-2024 09:26

241201-ld8g2ayqdx 10

Analysis

  • max time kernel
    12s
  • max time network
    16s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    01-12-2024 09:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    gorebox.exe

  • Size

    431KB

  • MD5

    4522fc4ba239805a83c7209452595423

  • SHA1

    1a57d4e9a57bc7ef167d01928afeeab07bbd25c5

  • SHA256

    7bef7c9f99847e7c368be124992565c4bcd089948d5b1ca1d1c46911c625a5b1

  • SHA512

    a60cca224cfa06659089682637493f968c7de035b3aabcfb224eda4e50873d0c2198f9797a5acf28b7e92ea71ff246aed616fd8ce56d787679f54b6bfcee31cd

  • SSDEEP

    6144:DahOl8p0yN90QEvNIPbKK6lyO0YYO/2IKuaiTPH2g9mfCImdp2vg0FM:DiKty90tyTK5T0YYdIKoCgkfdmP

Score
10/10
umbraldiscoveryexecutionpersistencespywarestealer

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1312707054921842768/isqncLMa7kda5iILpNOk1bl-iVzctRU9oXMRs4eMThSQUfAbARPXl6CGuwMfCK3fZjSE

Signatures

  • Detect Umbral payload 2 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Umbral family
    umbral
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\gorebox.exe
    "C:\Users\Admin\AppData\Local\Temp\gorebox.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4472
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GoreBox.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GoreBox.exe
      2⤵
      • Executes dropped EXE
      PID:1460
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gorerrrr.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gorerrrr.exe
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1092
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3028
      • C:\Windows\SYSTEM32\attrib.exe
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gorerrrr.exe"
        3⤵
        • Views/modifies file attributes
        PID:4812
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gorerrrr.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3652
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:8
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:1856
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2032
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" os get Caption
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:5092
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" computersystem get totalphysicalmemory
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:3780
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2808
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:2560
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic" path win32_VideoController get name
        3⤵
        • Detects videocard installed
        • Suspicious behavior: EnumeratesProcesses
        PID:1984
      • C:\Windows\SYSTEM32\cmd.exe
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gorerrrr.exe" && pause
        3⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious use of WriteProcessMemory
        PID:2112
        • C:\Windows\system32\PING.EXE
          ping localhost
          4⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Modify Registry

1
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Remote System Discovery

1
T1018

System Information Discovery

1
T1082

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    3KB

    MD5

    3eb3833f769dd890afc295b977eab4b4

    SHA1

    e857649b037939602c72ad003e5d3698695f436f

    SHA256

    c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

    SHA512

    c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    60b3262c3163ee3d466199160b9ed07d

    SHA1

    994ece4ea4e61de0be2fdd580f87e3415f9e1ff6

    SHA256

    e3b30f16d41f94cba2b8a75f35c91ae7418465abfbfe5477ec0551d1952b2fdb

    SHA512

    081d2015cb94477eb0fbc38f44b6d9b4a3204fb3ad0b7d0e146a88ab4ab9a0d475207f1adae03f4a81ccc5beb7568dc8be1249f69e32fe56efd9ee2f6ee3b1af

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    948B

    MD5

    c5863331e1077e9059593bb11af4e3ff

    SHA1

    eded7cd11db222a763960b502afd1ce758816af2

    SHA256

    91f6e903e52e2fd1583b34f7c288bcaba0327e458dfa805e982176962a4ff60a

    SHA512

    d93aa719ce89a25a73652d2163e2bf2a53b8b0579c3ce6f03b1d972aceac684e8cc22477ea7901f6d76b87d405e16621df2a612f5360d2aac63694d3f34a03fa

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    494de073067224860ddfa87f20c1fcd5

    SHA1

    139fe0d6cc741fdbb891b5e0df6e236fcdfdd7de

    SHA256

    5b67e54cbb8566db2c781ed86c2e026bef8e1c6e5b454c42872ffba7782a9579

    SHA512

    2457bb775ad7ce2b62b35f5cddfab1c1e1b16dcba83e38e7b5fb2e205048ffc5d220a29a9b0cfe218800d46fc3888480a0822877cf392aeadcf9287b784a390a

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    71942225419386ac509d153f679d4a68

    SHA1

    b2e1b1cba65e2a0b1b231a5a8b085e5b5294bbb3

    SHA256

    bc4f5ba67c4a53622f5618f2998a6c5c422daeea4a697f393d2a6667c4ab878b

    SHA512

    4195908338bee9870b0bbf29351b218a6e73da4d86073e148e128a0fa0269698ff1af0e1c4bc6b9ac3d2b2c4da23ead5acc6d0eb5c26a6095bf31b4491042912

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GoreBox.exe
    Filesize

    651KB

    MD5

    5b23e32cdf5236587cf71ce4b5f001a6

    SHA1

    f9ab18bb610b5e999320e422f4fffd05ed08209a

    SHA256

    11cfef86247a1725b6ac0ad49bb40217d6758c2fae04041f7aa1b73c68795d72

    SHA512

    82859dc2637ec91af549cb402afafc1a2f09c73b7046eecaf81b366abd7b003f74f12b50b198ed79e49beb56f1117e2b9164d05bd9a650858db80075d39fee42

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gorerrrr.exe
    Filesize

    272KB

    MD5

    e1b7b9efc6568dae97cc07ef9091a202

    SHA1

    ce3b24b39626d18e2f9098deb353519d31e8018d

    SHA256

    19877af49af352c9430fb6fb3fb08aabfc4692c0dcf225cd8d71f8503d01891e

    SHA512

    b79989e692e067953a83346d3fdf6e155b4f96dd27823c220a4e0e77cf599d46ea52fbd458e1b968255226bbd89e99c8e776b90a92663f311dd533e672cf6996

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_z5z3wz4h.5m3.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/1092-9-0x00007FFDA6A93000-0x00007FFDA6A95000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1092-37-0x000001E069ED0000-0x000001E069F46000-memory.dmp

    Filesize

    472KB

    Download

  • memory/1092-38-0x000001E069F50000-0x000001E069FA0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/1092-39-0x000001E069E70000-0x000001E069E8E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1092-10-0x000001E067790000-0x000001E0677DA000-memory.dmp

    Filesize

    296KB

    Download

  • memory/1092-65-0x000001E069EB0000-0x000001E069EC2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1092-64-0x000001E069E60000-0x000001E069E6A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1092-11-0x00007FFDA6A90000-0x00007FFDA7552000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1092-85-0x00007FFDA6A90000-0x00007FFDA7552000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3652-12-0x000001E442090000-0x000001E4420B2000-memory.dmp

    Filesize

    136KB

    Download