Overview

overview

10

Static

static

10

2025-03-25...ck.exe

windows7-x64

10

2025-03-25...ck.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/03/2025, 08:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-03-25_97b25ff717bbbec7863bab2e6a7cf1cb_darkgate_ngrbot_ransomlock.exe

  • Size

    973KB

  • MD5

    97b25ff717bbbec7863bab2e6a7cf1cb

  • SHA1

    45577be5cff8877bdfecaa3e53c9d4f87800a60c

  • SHA256

    a73097a2473040ef00430e3bf37e00253d2a92e83ffa91fd8439d20e22760c6c

  • SHA512

    b1b855185741999e2fb0071d305873f5b21bf6e82e43770cea897d6376602180ecd7691584bf726fdb5b3db1b7b5f2c120566b32cd6d395e9b9b6c0ef7ac51b2

  • SSDEEP

    24576:N5r3iOAYe5xyrXKYZd8nixN/pSUCpM2W1GvgmyeRvJ:ui5xC61GyovJ

Score
10/10
umbraldiscoverypersistencestealer

Malware Config

Signatures

  • Detect Umbral payload 3 IoCs
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Umbral family
    umbral
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-03-25_97b25ff717bbbec7863bab2e6a7cf1cb_darkgate_ngrbot_ransomlock.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-03-25_97b25ff717bbbec7863bab2e6a7cf1cb_darkgate_ngrbot_ransomlock.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3988
    • C:\Users\Admin\AppData\Local\Temp\ûûû.exe
      "C:\Users\Admin\AppData\Local\Temp\ûûû.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2008
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4816
    • C:\Users\Admin\AppData\Local\Temp\dll.exe
      "C:\Users\Admin\AppData\Local\Temp\dll.exe"
      2⤵
      • Executes dropped EXE
      PID:5820
    • C:\Users\Admin\AppData\Local\Temp\Trojan.exe
      "C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      PID:5764
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
      PID:4980

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Trojan.exe
      Filesize

      436KB

      MD5

      9d40061e58fdf0e3c3bfbe8541ec83bd

      SHA1

      06f1f81d6278af3afe79e44120d2604fbe2ec022

      SHA256

      a15c7f4653ded3d0c1639e3409f3f5a583c7e446b71f9b585aff305d02403f6e

      SHA512

      1d132b65d840a1b6012cd33a5011c33ad77d8c8f4d78d149acd041e10ac24e591156d868ceb02147ea33530a284d614e3b4937ba6f5d9e07fac78000828c3603

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\dll.exe
      Filesize

      301KB

      MD5

      ea5800c82ef7b0929307948391709539

      SHA1

      a85be900314791905a77b6f97ce9cb2754ad16ff

      SHA256

      4aeaf773e3d50df877f407d547d9a42d49c2263e414710bdf04c968cd628a502

      SHA512

      b4b77c999c637b7f5204f2c643794532e541577e377e01d42ce5025f6c20408555788619c348a26b8a4974ee978abc105ebed8b89b800627bee31655503fca43

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\ûûû.exe
      Filesize

      227KB

      MD5

      54e5d52122e173e267bae183e51a883a

      SHA1

      61074f26a9dd5aeaea6e208b461196f19392c903

      SHA256

      e4566da9e8ce5469834e93fc6d2ea6558c069ec30c0652b94f423d61719ef876

      SHA512

      5c0a776c33c150a14d1547b6485d616752f32852f1d99b2a614a2413bf91376873d9d53fac9511d7a2e4b14c431278baceaceab8dd547cd7ada96fda40898fe2

      Download Submit

    • memory/2008-19-0x00007FFA87A63000-0x00007FFA87A65000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2008-22-0x000001905B180000-0x000001905B1C0000-memory.dmp

      Filesize

      256KB

      Download

    • memory/3988-33-0x0000000000400000-0x00000000004FB000-memory.dmp

      Filesize

      1004KB

      Download

    • memory/5764-38-0x0000000000400000-0x0000000000474000-memory.dmp

      Filesize

      464KB

      Download

    • memory/5764-39-0x0000000000400000-0x0000000000474000-memory.dmp

      Filesize

      464KB

      Download

    • memory/5820-30-0x00000000003C0000-0x0000000000412000-memory.dmp

      Filesize

      328KB

      Download

    • memory/5820-34-0x00007FFA87A60000-0x00007FFA88521000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/5820-36-0x00007FFA87A60000-0x00007FFA88521000-memory.dmp

      Filesize

      10.8MB

      Download