Overview

overview

10

Static

static

3

NostalgiaPaste.rar

windows7-x64

3

NostalgiaPaste.rar

windows10-2004-x64

7

InjectionLibrary.dll

windows7-x64

1

InjectionLibrary.dll

windows10-2004-x64

1

NostalgiaPaste.exe

windows7-x64

10

NostalgiaPaste.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    11-01-2024 14:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NostalgiaPaste.exe

  • Size

    614KB

  • MD5

    863ccaa8f5615fd603e3df9e08d433c6

  • SHA1

    58e5ac27b4c8ce04b705fbd4fc267c7c96ae8438

  • SHA256

    b502a581b8b5f291508791631fbd40853edc952572eaa214086f6a91694a284a

  • SHA512

    715dccca665ffc88da761fc2ae0a9a01a477c3546b86fc0922ca033b4826f44b42c2c718b1adec2c26e9736e3e81c144ef5f5161706daa3acbabe8b0f952a906

  • SSDEEP

    12288:3l/5a8Yv+Gk+IRvmf8lDATKwRP7NaaWSxpumTFzoLIOnrDjfBlfrkfVNaw9mmrz6:3P9rGbIRuf8lkRP7NaLGNoLbjfBl4NN7

Score
10/10
umbralspywarestealer

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1181984415631556658/BCw2PGM7G2P1INjg20jIb3iks900bskPUiI8iXan-y9H-QjeQliGxPeRcMF8V8-SmGiy

Signatures

  • Detect Umbral payload 3 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Modifies system certificate store 2 TTPs 4 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NostalgiaPaste.exe
    "C:\Users\Admin\AppData\Local\Temp\NostalgiaPaste.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2156
    • C:\Users\Admin\AppData\Local\Temp\nostalgia_authentication.exe
      "C:\Users\Admin\AppData\Local\Temp\nostalgia_authentication.exe"
      2⤵
      • Executes dropped EXE
      • Modifies system certificate store
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2272
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\nostalgia_authentication.exe'
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2568
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2308
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2248
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1928
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic" path win32_VideoController get name
        3⤵
        • Detects videocard installed
        PID:2224
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        3⤵
          PID:2412
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" csproduct get uuid
          3⤵
            PID:2220
          • C:\Windows\System32\Wbem\wmic.exe
            "wmic.exe" computersystem get totalphysicalmemory
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:280
          • C:\Windows\System32\Wbem\wmic.exe
            "wmic.exe" os get Caption
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2424

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1928-56-0x000007FEECE80000-0x000007FEED81D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/1928-54-0x0000000002910000-0x0000000002990000-memory.dmp

        Filesize

        512KB

        Download

      • memory/1928-59-0x0000000002910000-0x0000000002990000-memory.dmp

        Filesize

        512KB

        Download

      • memory/1928-58-0x0000000002910000-0x0000000002990000-memory.dmp

        Filesize

        512KB

        Download

      • memory/1928-55-0x0000000002810000-0x0000000002818000-memory.dmp

        Filesize

        32KB

        Download

      • memory/1928-52-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/1928-53-0x000007FEECE80000-0x000007FEED81D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/1928-61-0x0000000002910000-0x0000000002990000-memory.dmp

        Filesize

        512KB

        Download

      • memory/1928-57-0x0000000002910000-0x0000000002990000-memory.dmp

        Filesize

        512KB

        Download

      • memory/1928-60-0x000007FEECE80000-0x000007FEED81D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2156-31-0x0000000004840000-0x0000000004880000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2156-5-0x0000000004840000-0x0000000004880000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2156-18-0x0000000074E00000-0x00000000754EE000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2156-32-0x0000000004840000-0x0000000004880000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2156-3-0x0000000004840000-0x0000000004880000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2156-4-0x0000000000630000-0x000000000064C000-memory.dmp

        Filesize

        112KB

        Download

      • memory/2156-1-0x0000000074E00000-0x00000000754EE000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2156-0-0x0000000000090000-0x00000000001E0000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/2156-2-0x0000000000600000-0x0000000000601000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2156-6-0x0000000001F90000-0x0000000001FCE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2248-85-0x000007FEECE80000-0x000007FEED81D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2248-89-0x0000000002C20000-0x0000000002CA0000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2248-91-0x000007FEECE80000-0x000007FEED81D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2248-86-0x0000000002C20000-0x0000000002CA0000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2248-90-0x0000000002C20000-0x0000000002CA0000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2248-88-0x0000000002C20000-0x0000000002CA0000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2248-87-0x000007FEECE80000-0x000007FEED81D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2272-33-0x000007FEF5F90000-0x000007FEF697C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2272-14-0x000007FEF5F90000-0x000007FEF697C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2272-111-0x000007FEF5F90000-0x000007FEF697C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2272-13-0x0000000000A50000-0x0000000000A90000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2272-34-0x0000000000530000-0x00000000005B0000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2272-15-0x0000000000530000-0x00000000005B0000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2308-74-0x0000000002900000-0x0000000002980000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2308-75-0x000007FEED820000-0x000007FEEE1BD000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2308-79-0x000007FEED820000-0x000007FEEE1BD000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2308-73-0x000007FEED820000-0x000007FEEE1BD000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2308-76-0x0000000002900000-0x0000000002980000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2308-77-0x0000000002900000-0x0000000002980000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2308-78-0x0000000002900000-0x0000000002980000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2412-107-0x000007FEED820000-0x000007FEEE1BD000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2412-106-0x0000000002CC0000-0x0000000002D40000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2412-100-0x0000000001ED0000-0x0000000001ED8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2412-103-0x000007FEED820000-0x000007FEEE1BD000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2412-104-0x0000000002CC0000-0x0000000002D40000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2412-105-0x0000000002CC0000-0x0000000002D40000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2412-101-0x000007FEED820000-0x000007FEEE1BD000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2412-102-0x0000000002CC0000-0x0000000002D40000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2568-43-0x000007FEED820000-0x000007FEEE1BD000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2568-46-0x000007FEED820000-0x000007FEEE1BD000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2568-41-0x0000000002900000-0x0000000002980000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2568-44-0x0000000002900000-0x0000000002980000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2568-42-0x0000000000500000-0x0000000000508000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2568-39-0x000000001B520000-0x000000001B802000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/2568-40-0x000007FEED820000-0x000007FEEE1BD000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2568-45-0x0000000002900000-0x0000000002980000-memory.dmp

        Filesize

        512KB

        Download