umbral | 419f948e7da8922465cefdda7d2a6b86adf6a6165c8bcf79963e5b2fd8a8f7d5

Analysis

max time kernel
190s
max time network
192s
platform
windows10-1703_x64
resource
win10-20231220-en
resource tags

arch:x64arch:x86image:win10-20231220-enlocale:en-usos:windows10-1703-x64system
submitted
05-02-2024 10:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2222.exe
Size

227KB
MD5

2d609a4bb5b23b1811bf7f18c8d86504
SHA1

b3c21506848edd61dcc21e71ecbba740a9929f5b
SHA256

419f948e7da8922465cefdda7d2a6b86adf6a6165c8bcf79963e5b2fd8a8f7d5
SHA512

a73c96bba173c30e64a6d49a9da26b49fca44828f7d3aaa14d4070d1b55b0d0a891e3ba42565c6e94d4ebf085cbb6742b7f5c6956d1019d8fd4cdf07d13953e0
SSDEEP

6144:+loZMorIkd8g+EtXHkv/iD44Z44KInDAvZMK7bCpHb8e1mp8i:ooZHL+EP84Z44KInDAvZMK7bC9qV

Score

10^/10

umbral spyware stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral2/memory/4504-0-0x0000011F4C720000-0x0000011F4C760000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
8	discord.com
9	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4116	wmic.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2820	powershell.exe
2820	powershell.exe
2820	powershell.exe
1000	powershell.exe
1000	powershell.exe
1000	powershell.exe
1328	powershell.exe
1328	powershell.exe
1328	powershell.exe
308	powershell.exe
308	powershell.exe
308	powershell.exe
4884	powershell.exe
4884	powershell.exe
4884	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4504	2222.exe
Token: SeDebugPrivilege	2820	powershell.exe
Token: SeIncreaseQuotaPrivilege	2820	powershell.exe
Token: SeSecurityPrivilege	2820	powershell.exe
Token: SeTakeOwnershipPrivilege	2820	powershell.exe
Token: SeLoadDriverPrivilege	2820	powershell.exe
Token: SeSystemProfilePrivilege	2820	powershell.exe
Token: SeSystemtimePrivilege	2820	powershell.exe
Token: SeProfSingleProcessPrivilege	2820	powershell.exe
Token: SeIncBasePriorityPrivilege	2820	powershell.exe
Token: SeCreatePagefilePrivilege	2820	powershell.exe
Token: SeBackupPrivilege	2820	powershell.exe
Token: SeRestorePrivilege	2820	powershell.exe
Token: SeShutdownPrivilege	2820	powershell.exe
Token: SeDebugPrivilege	2820	powershell.exe
Token: SeSystemEnvironmentPrivilege	2820	powershell.exe
Token: SeRemoteShutdownPrivilege	2820	powershell.exe
Token: SeUndockPrivilege	2820	powershell.exe
Token: SeManageVolumePrivilege	2820	powershell.exe
Token: 33	2820	powershell.exe
Token: 34	2820	powershell.exe
Token: 35	2820	powershell.exe
Token: 36	2820	powershell.exe
Token: SeDebugPrivilege	1000	powershell.exe
Token: SeDebugPrivilege	1328	powershell.exe
Token: SeDebugPrivilege	308	powershell.exe
Token: SeIncreaseQuotaPrivilege	3416	wmic.exe
Token: SeSecurityPrivilege	3416	wmic.exe
Token: SeTakeOwnershipPrivilege	3416	wmic.exe
Token: SeLoadDriverPrivilege	3416	wmic.exe
Token: SeSystemProfilePrivilege	3416	wmic.exe
Token: SeSystemtimePrivilege	3416	wmic.exe
Token: SeProfSingleProcessPrivilege	3416	wmic.exe
Token: SeIncBasePriorityPrivilege	3416	wmic.exe
Token: SeCreatePagefilePrivilege	3416	wmic.exe
Token: SeBackupPrivilege	3416	wmic.exe
Token: SeRestorePrivilege	3416	wmic.exe
Token: SeShutdownPrivilege	3416	wmic.exe
Token: SeDebugPrivilege	3416	wmic.exe
Token: SeSystemEnvironmentPrivilege	3416	wmic.exe
Token: SeRemoteShutdownPrivilege	3416	wmic.exe
Token: SeUndockPrivilege	3416	wmic.exe
Token: SeManageVolumePrivilege	3416	wmic.exe
Token: 33	3416	wmic.exe
Token: 34	3416	wmic.exe
Token: 35	3416	wmic.exe
Token: 36	3416	wmic.exe
Token: SeIncreaseQuotaPrivilege	3416	wmic.exe
Token: SeSecurityPrivilege	3416	wmic.exe
Token: SeTakeOwnershipPrivilege	3416	wmic.exe
Token: SeLoadDriverPrivilege	3416	wmic.exe
Token: SeSystemProfilePrivilege	3416	wmic.exe
Token: SeSystemtimePrivilege	3416	wmic.exe
Token: SeProfSingleProcessPrivilege	3416	wmic.exe
Token: SeIncBasePriorityPrivilege	3416	wmic.exe
Token: SeCreatePagefilePrivilege	3416	wmic.exe
Token: SeBackupPrivilege	3416	wmic.exe
Token: SeRestorePrivilege	3416	wmic.exe
Token: SeShutdownPrivilege	3416	wmic.exe
Token: SeDebugPrivilege	3416	wmic.exe
Token: SeSystemEnvironmentPrivilege	3416	wmic.exe
Token: SeRemoteShutdownPrivilege	3416	wmic.exe
Token: SeUndockPrivilege	3416	wmic.exe
Token: SeManageVolumePrivilege	3416	wmic.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4504 wrote to memory of 2820	4504	2222.exe	74
PID 4504 wrote to memory of 2820	4504	2222.exe	74
PID 4504 wrote to memory of 1000	4504	2222.exe	77
PID 4504 wrote to memory of 1000	4504	2222.exe	77
PID 4504 wrote to memory of 1328	4504	2222.exe	79
PID 4504 wrote to memory of 1328	4504	2222.exe	79
PID 4504 wrote to memory of 308	4504	2222.exe	82
PID 4504 wrote to memory of 308	4504	2222.exe	82
PID 4504 wrote to memory of 3416	4504	2222.exe	93
PID 4504 wrote to memory of 3416	4504	2222.exe	93
PID 4504 wrote to memory of 3504	4504	2222.exe	86
PID 4504 wrote to memory of 3504	4504	2222.exe	86
PID 4504 wrote to memory of 2328	4504	2222.exe	92
PID 4504 wrote to memory of 2328	4504	2222.exe	92
PID 4504 wrote to memory of 4884	4504	2222.exe	91
PID 4504 wrote to memory of 4884	4504	2222.exe	91
PID 4504 wrote to memory of 4116	4504	2222.exe	90
PID 4504 wrote to memory of 4116	4504	2222.exe	90

C:\Users\Admin\AppData\Local\Temp\2222.exe
"C:\Users\Admin\AppData\Local\Temp\2222.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4504
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\2222.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2820
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1328
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:308
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  PID:3504
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:4116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4884
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:2328
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6610f29d5b8a402fa6cd37a8d1e591e4

SHA1
07f24c2684e1389ae6daf5861d7bf2ba0c5d6d74

SHA256
fdabb39c18dec79bbea3061aecbb88fe8496b11e4d924407c0fc970c5ad75898

SHA512
68f4825e5e0f90eb68f0b4ae0249662aeec32265498ee299677513ef4a874bf3afc1c890f6a1831d32b7b1ed0e30271bdee6cd26ee389a40ee7940671315c7b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
dc39914b91c8c29f4d6a86f5dd2ca8d7

SHA1
2740d091d71dac02fd726678317d23b41abe56dd

SHA256
268e2f30cb266210956d7d33bab2e40be960d73abe4e70f4e72c809dddbc18ef

SHA512
c8e029ac53c8222481db3662c9c407e311d0d8afb65215201c8bbf32e3d887ad25d8ed1921733cb49ea6cdf535fc23146116b41b0d92fda0b066ddf87f05e16b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3a68f76cb0ba41097b6c9c288d365c61

SHA1
9c12facdb22d5960a59d74e094c0ca7acff65929

SHA256
6aaf9e8e97a5b4100517c008f67bdaac0035e843c0e3a66d890639d5e5d48d52

SHA512
76ed38e9eb2cd140740f593a641f34b5890a3eee44a3d7372fef9a68cd76fc8e81e67579aa50cdbccc4689f23de4ddf915340e11b9bd5b74f7d5566f19d23ded

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9d71b28fe48aa1fe6339edc1d83234c7

SHA1
9d12184a5d5c7a4185f3042b2d945d858550c5e0

SHA256
cc368be868f4c45407cdf85a58872fff5951c0613e800f1f2b7ed9994e4a0a95

SHA512
c44f786c66a107930207bcc8fab5b303a816b65c809887bfe53b51704ff2db5632a1136dc95d9f4b5a43409bbea257d42188e3996c6033193853bbe52b8436b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nswc4obf.wsc.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/308-172-0x00007FFFAFD20000-0x00007FFFB070C000-memory.dmp

Filesize
9.9MB

Download
memory/308-169-0x000001D83A880000-0x000001D83A890000-memory.dmp

Filesize
64KB

Download
memory/308-168-0x000001D83A880000-0x000001D83A890000-memory.dmp

Filesize
64KB

Download
memory/308-136-0x00007FFFAFD20000-0x00007FFFB070C000-memory.dmp

Filesize
9.9MB

Download
memory/308-140-0x000001D83A880000-0x000001D83A890000-memory.dmp

Filesize
64KB

Download
memory/308-141-0x000001D83A880000-0x000001D83A890000-memory.dmp

Filesize
64KB

Download
memory/1000-63-0x0000013550C20000-0x0000013550C30000-memory.dmp

Filesize
64KB

Download
memory/1000-60-0x00007FFFAFD20000-0x00007FFFB070C000-memory.dmp

Filesize
9.9MB

Download
memory/1000-62-0x0000013550C20000-0x0000013550C30000-memory.dmp

Filesize
64KB

Download
memory/1000-88-0x0000013550C20000-0x0000013550C30000-memory.dmp

Filesize
64KB

Download
memory/1000-91-0x00007FFFAFD20000-0x00007FFFB070C000-memory.dmp

Filesize
9.9MB

Download
memory/1328-131-0x000001DA9FF10000-0x000001DA9FF20000-memory.dmp

Filesize
64KB

Download
memory/1328-101-0x000001DA9FF10000-0x000001DA9FF20000-memory.dmp

Filesize
64KB

Download
memory/1328-129-0x000001DA9FF10000-0x000001DA9FF20000-memory.dmp

Filesize
64KB

Download
memory/1328-134-0x00007FFFAFD20000-0x00007FFFB070C000-memory.dmp

Filesize
9.9MB

Download
memory/1328-97-0x00007FFFAFD20000-0x00007FFFB070C000-memory.dmp

Filesize
9.9MB

Download
memory/1328-102-0x000001DA9FF10000-0x000001DA9FF20000-memory.dmp

Filesize
64KB

Download
memory/2820-55-0x00007FFFAFD20000-0x00007FFFB070C000-memory.dmp

Filesize
9.9MB

Download
memory/2820-14-0x00000288DA4E0000-0x00000288DA556000-memory.dmp

Filesize
472KB

Download
memory/2820-8-0x00007FFFAFD20000-0x00007FFFB070C000-memory.dmp

Filesize
9.9MB

Download
memory/2820-7-0x00000288C1CB0000-0x00000288C1CD2000-memory.dmp

Filesize
136KB

Download
memory/2820-9-0x00000288C1BF0000-0x00000288C1C00000-memory.dmp

Filesize
64KB

Download
memory/2820-50-0x00000288C1BF0000-0x00000288C1C00000-memory.dmp

Filesize
64KB

Download
memory/2820-11-0x00000288C1BF0000-0x00000288C1C00000-memory.dmp

Filesize
64KB

Download
memory/2820-27-0x00000288C1BF0000-0x00000288C1C00000-memory.dmp

Filesize
64KB

Download
memory/4504-130-0x0000011F66D10000-0x0000011F66D20000-memory.dmp

Filesize
64KB

Download
memory/4504-174-0x0000011F4E390000-0x0000011F4E39A000-memory.dmp

Filesize
40KB

Download
memory/4504-0-0x0000011F4C720000-0x0000011F4C760000-memory.dmp

Filesize
256KB

Download
memory/4504-93-0x0000011F4E3C0000-0x0000011F4E410000-memory.dmp

Filesize
320KB

Download
memory/4504-95-0x0000011F4E370000-0x0000011F4E38E000-memory.dmp

Filesize
120KB

Download
memory/4504-1-0x00007FFFAFD20000-0x00007FFFB070C000-memory.dmp

Filesize
9.9MB

Download
memory/4504-175-0x0000011F4E410000-0x0000011F4E422000-memory.dmp

Filesize
72KB

Download
memory/4504-100-0x00007FFFAFD20000-0x00007FFFB070C000-memory.dmp

Filesize
9.9MB

Download
memory/4504-2-0x0000011F66D10000-0x0000011F66D20000-memory.dmp

Filesize
64KB

Download
memory/4504-210-0x00007FFFAFD20000-0x00007FFFB070C000-memory.dmp

Filesize
9.9MB

Download
memory/4884-183-0x000001DEADE00000-0x000001DEADE10000-memory.dmp

Filesize
64KB

Download
memory/4884-180-0x00007FFFAFD20000-0x00007FFFB070C000-memory.dmp

Filesize
9.9MB

Download
memory/4884-205-0x00007FFFAFD20000-0x00007FFFB070C000-memory.dmp

Filesize
9.9MB

Download
memory/4884-204-0x000001DEADE00000-0x000001DEADE10000-memory.dmp

Filesize
64KB

Download
memory/4884-184-0x000001DEADE00000-0x000001DEADE10000-memory.dmp

Filesize
64KB

Download
memory/4884-211-0x000001DEADE00000-0x000001DEADE10000-memory.dmp

Filesize
64KB

Download