umbral | d646794ea3c663854047a79206ef3dc27f16c01162248a95d8d52927c05f1889

Analysis

max time kernel
202s
max time network
283s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags

arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
submitted
09-02-2024 13:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

guilded_ums.exe
Size

227KB
MD5

adbb1ff2093cd75f5d386ed3071f732a
SHA1

cbec205579e47cfab72873a13f3021b56c111b68
SHA256

d646794ea3c663854047a79206ef3dc27f16c01162248a95d8d52927c05f1889
SHA512

236f6fcda0a5808d63e34bb5c542196212d039bb739ed9c0902a0c899d01bfb47403561d6a9e69668e5e5055a42c46daf46910364d5a74be5c4cca2f84dd24ec
SSDEEP

6144:dloZMxNXg+dOntLnEPfdMXGkVW2U7X8gtoGnnG+Tb8e1mai:/oZxEOn0mGkVW2U7X8gtoGnnGEw

Score

10^/10

umbral spyware stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral1/memory/880-0-0x00000263F02C0000-0x00000263F0300000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	guilded_ums.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	ip-api.com

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5056	wmic.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4148	PING.EXE

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2352	powershell.exe
2352	powershell.exe
2352	powershell.exe
2556	powershell.exe
2556	powershell.exe
2556	powershell.exe
4792	powershell.exe
4792	powershell.exe
4792	powershell.exe
3916	powershell.exe
3916	powershell.exe
3916	powershell.exe
4200	powershell.exe
4200	powershell.exe
4200	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	880	guilded_ums.exe
Token: SeDebugPrivilege	2352	powershell.exe
Token: SeIncreaseQuotaPrivilege	2352	powershell.exe
Token: SeSecurityPrivilege	2352	powershell.exe
Token: SeTakeOwnershipPrivilege	2352	powershell.exe
Token: SeLoadDriverPrivilege	2352	powershell.exe
Token: SeSystemProfilePrivilege	2352	powershell.exe
Token: SeSystemtimePrivilege	2352	powershell.exe
Token: SeProfSingleProcessPrivilege	2352	powershell.exe
Token: SeIncBasePriorityPrivilege	2352	powershell.exe
Token: SeCreatePagefilePrivilege	2352	powershell.exe
Token: SeBackupPrivilege	2352	powershell.exe
Token: SeRestorePrivilege	2352	powershell.exe
Token: SeShutdownPrivilege	2352	powershell.exe
Token: SeDebugPrivilege	2352	powershell.exe
Token: SeSystemEnvironmentPrivilege	2352	powershell.exe
Token: SeRemoteShutdownPrivilege	2352	powershell.exe
Token: SeUndockPrivilege	2352	powershell.exe
Token: SeManageVolumePrivilege	2352	powershell.exe
Token: 33	2352	powershell.exe
Token: 34	2352	powershell.exe
Token: 35	2352	powershell.exe
Token: 36	2352	powershell.exe
Token: SeDebugPrivilege	2556	powershell.exe
Token: SeDebugPrivilege	4792	powershell.exe
Token: SeDebugPrivilege	3916	powershell.exe
Token: SeIncreaseQuotaPrivilege	460	wmic.exe
Token: SeSecurityPrivilege	460	wmic.exe
Token: SeTakeOwnershipPrivilege	460	wmic.exe
Token: SeLoadDriverPrivilege	460	wmic.exe
Token: SeSystemProfilePrivilege	460	wmic.exe
Token: SeSystemtimePrivilege	460	wmic.exe
Token: SeProfSingleProcessPrivilege	460	wmic.exe
Token: SeIncBasePriorityPrivilege	460	wmic.exe
Token: SeCreatePagefilePrivilege	460	wmic.exe
Token: SeBackupPrivilege	460	wmic.exe
Token: SeRestorePrivilege	460	wmic.exe
Token: SeShutdownPrivilege	460	wmic.exe
Token: SeDebugPrivilege	460	wmic.exe
Token: SeSystemEnvironmentPrivilege	460	wmic.exe
Token: SeRemoteShutdownPrivilege	460	wmic.exe
Token: SeUndockPrivilege	460	wmic.exe
Token: SeManageVolumePrivilege	460	wmic.exe
Token: 33	460	wmic.exe
Token: 34	460	wmic.exe
Token: 35	460	wmic.exe
Token: 36	460	wmic.exe
Token: SeIncreaseQuotaPrivilege	460	wmic.exe
Token: SeSecurityPrivilege	460	wmic.exe
Token: SeTakeOwnershipPrivilege	460	wmic.exe
Token: SeLoadDriverPrivilege	460	wmic.exe
Token: SeSystemProfilePrivilege	460	wmic.exe
Token: SeSystemtimePrivilege	460	wmic.exe
Token: SeProfSingleProcessPrivilege	460	wmic.exe
Token: SeIncBasePriorityPrivilege	460	wmic.exe
Token: SeCreatePagefilePrivilege	460	wmic.exe
Token: SeBackupPrivilege	460	wmic.exe
Token: SeRestorePrivilege	460	wmic.exe
Token: SeShutdownPrivilege	460	wmic.exe
Token: SeDebugPrivilege	460	wmic.exe
Token: SeSystemEnvironmentPrivilege	460	wmic.exe
Token: SeRemoteShutdownPrivilege	460	wmic.exe
Token: SeUndockPrivilege	460	wmic.exe
Token: SeManageVolumePrivilege	460	wmic.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 880 wrote to memory of 4760	880	guilded_ums.exe	72
PID 880 wrote to memory of 4760	880	guilded_ums.exe	72
PID 880 wrote to memory of 2352	880	guilded_ums.exe	74
PID 880 wrote to memory of 2352	880	guilded_ums.exe	74
PID 880 wrote to memory of 2556	880	guilded_ums.exe	77
PID 880 wrote to memory of 2556	880	guilded_ums.exe	77
PID 880 wrote to memory of 4792	880	guilded_ums.exe	79
PID 880 wrote to memory of 4792	880	guilded_ums.exe	79
PID 880 wrote to memory of 3916	880	guilded_ums.exe	81
PID 880 wrote to memory of 3916	880	guilded_ums.exe	81
PID 880 wrote to memory of 460	880	guilded_ums.exe	83
PID 880 wrote to memory of 460	880	guilded_ums.exe	83
PID 880 wrote to memory of 452	880	guilded_ums.exe	86
PID 880 wrote to memory of 452	880	guilded_ums.exe	86
PID 880 wrote to memory of 2396	880	guilded_ums.exe	88
PID 880 wrote to memory of 2396	880	guilded_ums.exe	88
PID 880 wrote to memory of 4200	880	guilded_ums.exe	90
PID 880 wrote to memory of 4200	880	guilded_ums.exe	90
PID 880 wrote to memory of 5056	880	guilded_ums.exe	92
PID 880 wrote to memory of 5056	880	guilded_ums.exe	92
PID 880 wrote to memory of 1944	880	guilded_ums.exe	94
PID 880 wrote to memory of 1944	880	guilded_ums.exe	94
PID 1944 wrote to memory of 4148	1944	cmd.exe	96
PID 1944 wrote to memory of 4148	1944	cmd.exe	96

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4760	attrib.exe

C:\Users\Admin\AppData\Local\Temp\guilded_ums.exe
"C:\Users\Admin\AppData\Local\Temp\guilded_ums.exe"
1⤵
- Drops file in Drivers directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:880
- C:\Windows\SYSTEM32\attrib.exe
  "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\guilded_ums.exe"
  2⤵
  - Views/modifies file attributes
  PID:4760
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\guilded_ums.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2352
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2556
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3916
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:460
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  PID:452
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:2396
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4200
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:5056
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\guilded_ums.exe" && pause
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1944
- - C:\Windows\system32\PING.EXE
    ping localhost
    3⤵
    - Runs ping.exe
    PID:4148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ed4db1ca6c9bb5e9f59a6e484803692c

SHA1
88b6e82f9ed50b402d4f1c9ad4f37c91d3d30a2e

SHA256
dd327de5ce239614ed37e96a2894742010eb1891376badcffb65dfc42c5b70c2

SHA512
ca416ac70656a9e699c91e59b841b776ae64b5e560c574f35871cd4e4bfeba3cb053e11a1798d3e4c0a5370306553957877190178ce2fc8a65ca4f1b3fa477fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bf967ed8949076098d2db61d62cc9729

SHA1
d37487b634ec2b7c4c3b98d598c0787993d6c768

SHA256
71cff85cc7aaf1cee8d4102f6cf73ebed8cdccae7a34bad04404885a841e386b

SHA512
a05c50460133cad13cf2f3db70e4aeedd97f1018b6b3a7b5bfa727f8b428f25eded732047c3b116fa6ae0bb3c125ccdf94443d3d572e167d43e86453fa15a371

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4a2bf5c8f0658dba1e790b48ad66def7

SHA1
5839e59e75fb1076dbb7e69c45e04d59be43393d

SHA256
0788d2305812b6739e16a3b03efc25b151413e19c6b5609d57f5056bdfbbf8e7

SHA512
43082683bb8b382c32b2e8e54ec35b3befaafcc694d65c6b72914bd9919073cb741dfafcc86a749a14ca7409254f2d086c725d17d308a4ad4debbb0e640d49ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5efe48fa82e033b10b42754748ab4a16

SHA1
ee1aa09fa38dd7308c7251dd0b7777bb996bbc93

SHA256
4282837ad9f8af6bc7e03e7e82c6df76f842bf2f13151597eada6957ee9577df

SHA512
412d2904c3dfea4a0ba0109e18f4363dc0c0bc49ea8306c2098692cd9a5336ecbc4080538d9109796214d1f111559b057b4449ad60760a49ba4baaa6e8aad749

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_b2whxjkk.rhj.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/880-168-0x00000263F2A70000-0x00000263F2A82000-memory.dmp

Filesize
72KB

Download
memory/880-167-0x00000263F2940000-0x00000263F294A000-memory.dmp

Filesize
40KB

Download
memory/880-203-0x00007FFE88E60000-0x00007FFE8984C000-memory.dmp

Filesize
9.9MB

Download
memory/880-2-0x00000263F2960000-0x00000263F2970000-memory.dmp

Filesize
64KB

Download
memory/880-99-0x00000263F2960000-0x00000263F2970000-memory.dmp

Filesize
64KB

Download
memory/880-0-0x00000263F02C0000-0x00000263F0300000-memory.dmp

Filesize
256KB

Download
memory/880-1-0x00007FFE88E60000-0x00007FFE8984C000-memory.dmp

Filesize
9.9MB

Download
memory/880-93-0x00000263F2920000-0x00000263F293E000-memory.dmp

Filesize
120KB

Download
memory/880-92-0x00000263F2970000-0x00000263F29C0000-memory.dmp

Filesize
320KB

Download
memory/880-85-0x00007FFE88E60000-0x00007FFE8984C000-memory.dmp

Filesize
9.9MB

Download
memory/2352-53-0x00007FFE88E60000-0x00007FFE8984C000-memory.dmp

Filesize
9.9MB

Download
memory/2352-6-0x00007FFE88E60000-0x00007FFE8984C000-memory.dmp

Filesize
9.9MB

Download
memory/2352-49-0x000001D909FB0000-0x000001D909FC0000-memory.dmp

Filesize
64KB

Download
memory/2352-8-0x000001D909FB0000-0x000001D909FC0000-memory.dmp

Filesize
64KB

Download
memory/2352-9-0x000001D909FB0000-0x000001D909FC0000-memory.dmp

Filesize
64KB

Download
memory/2352-26-0x000001D909FB0000-0x000001D909FC0000-memory.dmp

Filesize
64KB

Download
memory/2352-10-0x000001D90A1F0000-0x000001D90A212000-memory.dmp

Filesize
136KB

Download
memory/2352-13-0x000001D922830000-0x000001D9228A6000-memory.dmp

Filesize
472KB

Download
memory/2556-61-0x00000259661D0000-0x00000259661E0000-memory.dmp

Filesize
64KB

Download
memory/2556-86-0x00000259661D0000-0x00000259661E0000-memory.dmp

Filesize
64KB

Download
memory/2556-89-0x00007FFE88E60000-0x00007FFE8984C000-memory.dmp

Filesize
9.9MB

Download
memory/2556-59-0x00000259661D0000-0x00000259661E0000-memory.dmp

Filesize
64KB

Download
memory/2556-58-0x00007FFE88E60000-0x00007FFE8984C000-memory.dmp

Filesize
9.9MB

Download
memory/3916-135-0x00000248C7E30000-0x00000248C7E40000-memory.dmp

Filesize
64KB

Download
memory/3916-134-0x00000248C7E30000-0x00000248C7E40000-memory.dmp

Filesize
64KB

Download
memory/3916-161-0x00000248C7E30000-0x00000248C7E40000-memory.dmp

Filesize
64KB

Download
memory/3916-162-0x00000248C7E30000-0x00000248C7E40000-memory.dmp

Filesize
64KB

Download
memory/3916-165-0x00007FFE88E60000-0x00007FFE8984C000-memory.dmp

Filesize
9.9MB

Download
memory/3916-132-0x00007FFE88E60000-0x00007FFE8984C000-memory.dmp

Filesize
9.9MB

Download
memory/4200-176-0x0000012A50D90000-0x0000012A50DA0000-memory.dmp

Filesize
64KB

Download
memory/4200-198-0x00007FFE88E60000-0x00007FFE8984C000-memory.dmp

Filesize
9.9MB

Download
memory/4200-195-0x0000012A50D90000-0x0000012A50DA0000-memory.dmp

Filesize
64KB

Download
memory/4200-177-0x0000012A50D90000-0x0000012A50DA0000-memory.dmp

Filesize
64KB

Download
memory/4200-174-0x00007FFE88E60000-0x00007FFE8984C000-memory.dmp

Filesize
9.9MB

Download
memory/4792-101-0x000001EF9B780000-0x000001EF9B790000-memory.dmp

Filesize
64KB

Download
memory/4792-124-0x000001EF9B780000-0x000001EF9B790000-memory.dmp

Filesize
64KB

Download
memory/4792-100-0x000001EF9B780000-0x000001EF9B790000-memory.dmp

Filesize
64KB

Download
memory/4792-125-0x000001EF9B780000-0x000001EF9B790000-memory.dmp

Filesize
64KB

Download
memory/4792-128-0x00007FFE88E60000-0x00007FFE8984C000-memory.dmp

Filesize
9.9MB

Download
memory/4792-96-0x00007FFE88E60000-0x00007FFE8984C000-memory.dmp

Filesize
9.9MB

Download