umbral | d646794ea3c663854047a79206ef3dc27f16c01162248a95d8d52927c05f1889

Analysis

max time kernel
192s
max time network
281s
platform
windows10-1703_x64
resource
win10-20231220-en
resource tags

arch:x64arch:x86image:win10-20231220-enlocale:en-usos:windows10-1703-x64system
submitted
09-02-2024 13:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

guilded_ums.exe
Size

227KB
MD5

adbb1ff2093cd75f5d386ed3071f732a
SHA1

cbec205579e47cfab72873a13f3021b56c111b68
SHA256

d646794ea3c663854047a79206ef3dc27f16c01162248a95d8d52927c05f1889
SHA512

236f6fcda0a5808d63e34bb5c542196212d039bb739ed9c0902a0c899d01bfb47403561d6a9e69668e5e5055a42c46daf46910364d5a74be5c4cca2f84dd24ec
SSDEEP

6144:dloZMxNXg+dOntLnEPfdMXGkVW2U7X8gtoGnnG+Tb8e1mai:/oZxEOn0mGkVW2U7X8gtoGnnGEw

Score

10^/10

umbral spyware stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral3/memory/956-0-0x000002080A050000-0x000002080A090000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	guilded_ums.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4716	wmic.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2192	PING.EXE

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2188	powershell.exe
2188	powershell.exe
2188	powershell.exe
4516	powershell.exe
4516	powershell.exe
4516	powershell.exe
4884	powershell.exe
4884	powershell.exe
4884	powershell.exe
4444	powershell.exe
4444	powershell.exe
4444	powershell.exe
2736	powershell.exe
2736	powershell.exe
2736	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	956	guilded_ums.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeIncreaseQuotaPrivilege	2188	powershell.exe
Token: SeSecurityPrivilege	2188	powershell.exe
Token: SeTakeOwnershipPrivilege	2188	powershell.exe
Token: SeLoadDriverPrivilege	2188	powershell.exe
Token: SeSystemProfilePrivilege	2188	powershell.exe
Token: SeSystemtimePrivilege	2188	powershell.exe
Token: SeProfSingleProcessPrivilege	2188	powershell.exe
Token: SeIncBasePriorityPrivilege	2188	powershell.exe
Token: SeCreatePagefilePrivilege	2188	powershell.exe
Token: SeBackupPrivilege	2188	powershell.exe
Token: SeRestorePrivilege	2188	powershell.exe
Token: SeShutdownPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeSystemEnvironmentPrivilege	2188	powershell.exe
Token: SeRemoteShutdownPrivilege	2188	powershell.exe
Token: SeUndockPrivilege	2188	powershell.exe
Token: SeManageVolumePrivilege	2188	powershell.exe
Token: 33	2188	powershell.exe
Token: 34	2188	powershell.exe
Token: 35	2188	powershell.exe
Token: 36	2188	powershell.exe
Token: SeDebugPrivilege	4516	powershell.exe
Token: SeDebugPrivilege	4884	powershell.exe
Token: SeDebugPrivilege	4444	powershell.exe
Token: SeIncreaseQuotaPrivilege	3616	wmic.exe
Token: SeSecurityPrivilege	3616	wmic.exe
Token: SeTakeOwnershipPrivilege	3616	wmic.exe
Token: SeLoadDriverPrivilege	3616	wmic.exe
Token: SeSystemProfilePrivilege	3616	wmic.exe
Token: SeSystemtimePrivilege	3616	wmic.exe
Token: SeProfSingleProcessPrivilege	3616	wmic.exe
Token: SeIncBasePriorityPrivilege	3616	wmic.exe
Token: SeCreatePagefilePrivilege	3616	wmic.exe
Token: SeBackupPrivilege	3616	wmic.exe
Token: SeRestorePrivilege	3616	wmic.exe
Token: SeShutdownPrivilege	3616	wmic.exe
Token: SeDebugPrivilege	3616	wmic.exe
Token: SeSystemEnvironmentPrivilege	3616	wmic.exe
Token: SeRemoteShutdownPrivilege	3616	wmic.exe
Token: SeUndockPrivilege	3616	wmic.exe
Token: SeManageVolumePrivilege	3616	wmic.exe
Token: 33	3616	wmic.exe
Token: 34	3616	wmic.exe
Token: 35	3616	wmic.exe
Token: 36	3616	wmic.exe
Token: SeIncreaseQuotaPrivilege	3616	wmic.exe
Token: SeSecurityPrivilege	3616	wmic.exe
Token: SeTakeOwnershipPrivilege	3616	wmic.exe
Token: SeLoadDriverPrivilege	3616	wmic.exe
Token: SeSystemProfilePrivilege	3616	wmic.exe
Token: SeSystemtimePrivilege	3616	wmic.exe
Token: SeProfSingleProcessPrivilege	3616	wmic.exe
Token: SeIncBasePriorityPrivilege	3616	wmic.exe
Token: SeCreatePagefilePrivilege	3616	wmic.exe
Token: SeBackupPrivilege	3616	wmic.exe
Token: SeRestorePrivilege	3616	wmic.exe
Token: SeShutdownPrivilege	3616	wmic.exe
Token: SeDebugPrivilege	3616	wmic.exe
Token: SeSystemEnvironmentPrivilege	3616	wmic.exe
Token: SeRemoteShutdownPrivilege	3616	wmic.exe
Token: SeUndockPrivilege	3616	wmic.exe
Token: SeManageVolumePrivilege	3616	wmic.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 956 wrote to memory of 5052	956	guilded_ums.exe	74
PID 956 wrote to memory of 5052	956	guilded_ums.exe	74
PID 956 wrote to memory of 2188	956	guilded_ums.exe	76
PID 956 wrote to memory of 2188	956	guilded_ums.exe	76
PID 956 wrote to memory of 4516	956	guilded_ums.exe	79
PID 956 wrote to memory of 4516	956	guilded_ums.exe	79
PID 956 wrote to memory of 4884	956	guilded_ums.exe	81
PID 956 wrote to memory of 4884	956	guilded_ums.exe	81
PID 956 wrote to memory of 4444	956	guilded_ums.exe	84
PID 956 wrote to memory of 4444	956	guilded_ums.exe	84
PID 956 wrote to memory of 3616	956	guilded_ums.exe	85
PID 956 wrote to memory of 3616	956	guilded_ums.exe	85
PID 956 wrote to memory of 3228	956	guilded_ums.exe	88
PID 956 wrote to memory of 3228	956	guilded_ums.exe	88
PID 956 wrote to memory of 200	956	guilded_ums.exe	90
PID 956 wrote to memory of 200	956	guilded_ums.exe	90
PID 956 wrote to memory of 2736	956	guilded_ums.exe	92
PID 956 wrote to memory of 2736	956	guilded_ums.exe	92
PID 956 wrote to memory of 4716	956	guilded_ums.exe	95
PID 956 wrote to memory of 4716	956	guilded_ums.exe	95
PID 956 wrote to memory of 4688	956	guilded_ums.exe	96
PID 956 wrote to memory of 4688	956	guilded_ums.exe	96
PID 4688 wrote to memory of 2192	4688	cmd.exe	98
PID 4688 wrote to memory of 2192	4688	cmd.exe	98

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5052	attrib.exe

C:\Users\Admin\AppData\Local\Temp\guilded_ums.exe
"C:\Users\Admin\AppData\Local\Temp\guilded_ums.exe"
1⤵
- Drops file in Drivers directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:956
- C:\Windows\SYSTEM32\attrib.exe
  "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\guilded_ums.exe"
  2⤵
  - Views/modifies file attributes
  PID:5052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\guilded_ums.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2188
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4516
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4884
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4444
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3616
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  PID:3228
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:200
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2736
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:4716
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\guilded_ums.exe" && pause
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4688
- - C:\Windows\system32\PING.EXE
    ping localhost
    3⤵
    - Runs ping.exe
    PID:2192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f25b729f7579ad56617d0746e5de9c30

SHA1
93825d34826b42270ffe84bcf2648ded370a3ffb

SHA256
c520eee12c9f419f151ed15418581c130b48c1b98f7bc09a431944b8769acea1

SHA512
51036da0379decb82a8c3880bbc64f02d2527d1dc346f481c705807352bf091fa10fde77800785819f7ec391ec0597df95b901a1d0b914c1b8fdaa1edb902f32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3c97618a98df1a037d7afd87bbaa7fba

SHA1
ca9414aba8f42be8554ccf67802b782c453a9a62

SHA256
a6fa666398c8a6b91671b4325562eba3fdc8cb8334bde5f33d032d20cf4ec793

SHA512
a28d4b2613c72ecb961417ffa4aa93435ae3e4d9c220129c6680f56fdc5572418b0c8b5d35ebb185f64a1d2c6b42d1135d4bfb2fec9652d6720ac16542f05db3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
dee2b742476d86c35ad40f2a0f6525ca

SHA1
c2be2f5872375e70537d3b35e40a475098994336

SHA256
5b7cc12d40176c62dbee08e33bf3e0b69753b99314c0603411a92de7688b8228

SHA512
06bdf59dc313780fe7f248dc544db29c67c89489d082c3a52fc8a13381d5310c55a4c850b2f9fcd1838dc6b6c665304dc41349cb04edb8283563b4b0df0834f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e80f7281cd71ea616ddfd7c038f3b30f

SHA1
8ccb611f8e44f9e1d0168ca76238fcc057174506

SHA256
e406a15a6e940295399569fb23c4cb1c490f7f4f6ce072447353055dadac92de

SHA512
da12ccfb1fa14b634074c1969859c3d6f111f4001d4dc34d2f86f88259185f6a159fc4d16e9cbe05037dfaf5a981bd4e83c89c186cac4dafd6499e1626891218

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mqu5d2ws.2a4.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/956-94-0x00007FFB88960000-0x00007FFB8934C000-memory.dmp

Filesize
9.9MB

Download
memory/956-0-0x000002080A050000-0x000002080A090000-memory.dmp

Filesize
256KB

Download
memory/956-170-0x00000208245E0000-0x00000208245F2000-memory.dmp

Filesize
72KB

Download
memory/956-169-0x000002080A4F0000-0x000002080A4FA000-memory.dmp

Filesize
40KB

Download
memory/956-105-0x0000020824660000-0x0000020824670000-memory.dmp

Filesize
64KB

Download
memory/956-2-0x0000020824660000-0x0000020824670000-memory.dmp

Filesize
64KB

Download
memory/956-91-0x0000020824840000-0x000002082485E000-memory.dmp

Filesize
120KB

Download
memory/956-205-0x00007FFB88960000-0x00007FFB8934C000-memory.dmp

Filesize
9.9MB

Download
memory/956-90-0x0000020824610000-0x0000020824660000-memory.dmp

Filesize
320KB

Download
memory/956-1-0x00007FFB88960000-0x00007FFB8934C000-memory.dmp

Filesize
9.9MB

Download
memory/2188-26-0x00000210DB4A0000-0x00000210DB4B0000-memory.dmp

Filesize
64KB

Download
memory/2188-7-0x00000210DB4A0000-0x00000210DB4B0000-memory.dmp

Filesize
64KB

Download
memory/2188-52-0x00007FFB88960000-0x00007FFB8934C000-memory.dmp

Filesize
9.9MB

Download
memory/2188-49-0x00000210DB4A0000-0x00000210DB4B0000-memory.dmp

Filesize
64KB

Download
memory/2188-9-0x00000210DB4A0000-0x00000210DB4B0000-memory.dmp

Filesize
64KB

Download
memory/2188-6-0x00007FFB88960000-0x00007FFB8934C000-memory.dmp

Filesize
9.9MB

Download
memory/2188-10-0x00000210DB3E0000-0x00000210DB402000-memory.dmp

Filesize
136KB

Download
memory/2188-13-0x00000210DB6B0000-0x00000210DB726000-memory.dmp

Filesize
472KB

Download
memory/2736-197-0x000001D6501F0000-0x000001D650200000-memory.dmp

Filesize
64KB

Download
memory/2736-179-0x000001D6501F0000-0x000001D650200000-memory.dmp

Filesize
64KB

Download
memory/2736-200-0x00007FFB88960000-0x00007FFB8934C000-memory.dmp

Filesize
9.9MB

Download
memory/2736-178-0x000001D6501F0000-0x000001D650200000-memory.dmp

Filesize
64KB

Download
memory/2736-176-0x00007FFB88960000-0x00007FFB8934C000-memory.dmp

Filesize
9.9MB

Download
memory/4444-163-0x0000014E12720000-0x0000014E12730000-memory.dmp

Filesize
64KB

Download
memory/4444-137-0x0000014E12720000-0x0000014E12730000-memory.dmp

Filesize
64KB

Download
memory/4444-136-0x0000014E12720000-0x0000014E12730000-memory.dmp

Filesize
64KB

Download
memory/4444-134-0x00007FFB88960000-0x00007FFB8934C000-memory.dmp

Filesize
9.9MB

Download
memory/4444-164-0x0000014E12720000-0x0000014E12730000-memory.dmp

Filesize
64KB

Download
memory/4444-167-0x00007FFB88960000-0x00007FFB8934C000-memory.dmp

Filesize
9.9MB

Download
memory/4516-87-0x00007FFB88960000-0x00007FFB8934C000-memory.dmp

Filesize
9.9MB

Download
memory/4516-58-0x00007FFB88960000-0x00007FFB8934C000-memory.dmp

Filesize
9.9MB

Download
memory/4516-59-0x000001F6EC240000-0x000001F6EC250000-memory.dmp

Filesize
64KB

Download
memory/4516-60-0x000001F6EC240000-0x000001F6EC250000-memory.dmp

Filesize
64KB

Download
memory/4516-84-0x000001F6EC240000-0x000001F6EC250000-memory.dmp

Filesize
64KB

Download
memory/4884-127-0x0000023433C00000-0x0000023433C10000-memory.dmp

Filesize
64KB

Download
memory/4884-96-0x00007FFB88960000-0x00007FFB8934C000-memory.dmp

Filesize
9.9MB

Download
memory/4884-100-0x0000023433C00000-0x0000023433C10000-memory.dmp

Filesize
64KB

Download
memory/4884-106-0x0000023433C00000-0x0000023433C10000-memory.dmp

Filesize
64KB

Download
memory/4884-126-0x0000023433C00000-0x0000023433C10000-memory.dmp

Filesize
64KB

Download
memory/4884-130-0x00007FFB88960000-0x00007FFB8934C000-memory.dmp

Filesize
9.9MB

Download