umbral | d646794ea3c663854047a79206ef3dc27f16c01162248a95d8d52927c05f1889

Analysis

max time kernel
205s
max time network
284s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
09-02-2024 13:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

guilded_ums.exe
Size

227KB
MD5

adbb1ff2093cd75f5d386ed3071f732a
SHA1

cbec205579e47cfab72873a13f3021b56c111b68
SHA256

d646794ea3c663854047a79206ef3dc27f16c01162248a95d8d52927c05f1889
SHA512

236f6fcda0a5808d63e34bb5c542196212d039bb739ed9c0902a0c899d01bfb47403561d6a9e69668e5e5055a42c46daf46910364d5a74be5c4cca2f84dd24ec
SSDEEP

6144:dloZMxNXg+dOntLnEPfdMXGkVW2U7X8gtoGnnG+Tb8e1mai:/oZxEOn0mGkVW2U7X8gtoGnnGEw

Score

10^/10

umbral spyware stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral5/memory/4124-0-0x00000219BF7D0000-0x00000219BF810000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	guilded_ums.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1076	wmic.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
240	PING.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1972	powershell.exe
1972	powershell.exe
3124	powershell.exe
3124	powershell.exe
2260	powershell.exe
2260	powershell.exe
1644	powershell.exe
1644	powershell.exe
6132	powershell.exe
6132	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4124	guilded_ums.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	3124	powershell.exe
Token: SeDebugPrivilege	2260	powershell.exe
Token: SeDebugPrivilege	1644	powershell.exe
Token: SeIncreaseQuotaPrivilege	1576	wmic.exe
Token: SeSecurityPrivilege	1576	wmic.exe
Token: SeTakeOwnershipPrivilege	1576	wmic.exe
Token: SeLoadDriverPrivilege	1576	wmic.exe
Token: SeSystemProfilePrivilege	1576	wmic.exe
Token: SeSystemtimePrivilege	1576	wmic.exe
Token: SeProfSingleProcessPrivilege	1576	wmic.exe
Token: SeIncBasePriorityPrivilege	1576	wmic.exe
Token: SeCreatePagefilePrivilege	1576	wmic.exe
Token: SeBackupPrivilege	1576	wmic.exe
Token: SeRestorePrivilege	1576	wmic.exe
Token: SeShutdownPrivilege	1576	wmic.exe
Token: SeDebugPrivilege	1576	wmic.exe
Token: SeSystemEnvironmentPrivilege	1576	wmic.exe
Token: SeRemoteShutdownPrivilege	1576	wmic.exe
Token: SeUndockPrivilege	1576	wmic.exe
Token: SeManageVolumePrivilege	1576	wmic.exe
Token: 33	1576	wmic.exe
Token: 34	1576	wmic.exe
Token: 35	1576	wmic.exe
Token: 36	1576	wmic.exe
Token: SeIncreaseQuotaPrivilege	1576	wmic.exe
Token: SeSecurityPrivilege	1576	wmic.exe
Token: SeTakeOwnershipPrivilege	1576	wmic.exe
Token: SeLoadDriverPrivilege	1576	wmic.exe
Token: SeSystemProfilePrivilege	1576	wmic.exe
Token: SeSystemtimePrivilege	1576	wmic.exe
Token: SeProfSingleProcessPrivilege	1576	wmic.exe
Token: SeIncBasePriorityPrivilege	1576	wmic.exe
Token: SeCreatePagefilePrivilege	1576	wmic.exe
Token: SeBackupPrivilege	1576	wmic.exe
Token: SeRestorePrivilege	1576	wmic.exe
Token: SeShutdownPrivilege	1576	wmic.exe
Token: SeDebugPrivilege	1576	wmic.exe
Token: SeSystemEnvironmentPrivilege	1576	wmic.exe
Token: SeRemoteShutdownPrivilege	1576	wmic.exe
Token: SeUndockPrivilege	1576	wmic.exe
Token: SeManageVolumePrivilege	1576	wmic.exe
Token: 33	1576	wmic.exe
Token: 34	1576	wmic.exe
Token: 35	1576	wmic.exe
Token: 36	1576	wmic.exe
Token: SeIncreaseQuotaPrivilege	4436	wmic.exe
Token: SeSecurityPrivilege	4436	wmic.exe
Token: SeTakeOwnershipPrivilege	4436	wmic.exe
Token: SeLoadDriverPrivilege	4436	wmic.exe
Token: SeSystemProfilePrivilege	4436	wmic.exe
Token: SeSystemtimePrivilege	4436	wmic.exe
Token: SeProfSingleProcessPrivilege	4436	wmic.exe
Token: SeIncBasePriorityPrivilege	4436	wmic.exe
Token: SeCreatePagefilePrivilege	4436	wmic.exe
Token: SeBackupPrivilege	4436	wmic.exe
Token: SeRestorePrivilege	4436	wmic.exe
Token: SeShutdownPrivilege	4436	wmic.exe
Token: SeDebugPrivilege	4436	wmic.exe
Token: SeSystemEnvironmentPrivilege	4436	wmic.exe
Token: SeRemoteShutdownPrivilege	4436	wmic.exe
Token: SeUndockPrivilege	4436	wmic.exe
Token: SeManageVolumePrivilege	4436	wmic.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 4124 wrote to memory of 5172	4124	guilded_ums.exe	77
PID 4124 wrote to memory of 5172	4124	guilded_ums.exe	77
PID 4124 wrote to memory of 1972	4124	guilded_ums.exe	79
PID 4124 wrote to memory of 1972	4124	guilded_ums.exe	79
PID 4124 wrote to memory of 3124	4124	guilded_ums.exe	82
PID 4124 wrote to memory of 3124	4124	guilded_ums.exe	82
PID 4124 wrote to memory of 2260	4124	guilded_ums.exe	83
PID 4124 wrote to memory of 2260	4124	guilded_ums.exe	83
PID 4124 wrote to memory of 1644	4124	guilded_ums.exe	85
PID 4124 wrote to memory of 1644	4124	guilded_ums.exe	85
PID 4124 wrote to memory of 1576	4124	guilded_ums.exe	88
PID 4124 wrote to memory of 1576	4124	guilded_ums.exe	88
PID 4124 wrote to memory of 4436	4124	guilded_ums.exe	90
PID 4124 wrote to memory of 4436	4124	guilded_ums.exe	90
PID 4124 wrote to memory of 4076	4124	guilded_ums.exe	92
PID 4124 wrote to memory of 4076	4124	guilded_ums.exe	92
PID 4124 wrote to memory of 6132	4124	guilded_ums.exe	94
PID 4124 wrote to memory of 6132	4124	guilded_ums.exe	94
PID 4124 wrote to memory of 1076	4124	guilded_ums.exe	97
PID 4124 wrote to memory of 1076	4124	guilded_ums.exe	97
PID 4124 wrote to memory of 1532	4124	guilded_ums.exe	98
PID 4124 wrote to memory of 1532	4124	guilded_ums.exe	98
PID 1532 wrote to memory of 240	1532	cmd.exe	100
PID 1532 wrote to memory of 240	1532	cmd.exe	100

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5172	attrib.exe

C:\Users\Admin\AppData\Local\Temp\guilded_ums.exe
"C:\Users\Admin\AppData\Local\Temp\guilded_ums.exe"
1⤵
- Drops file in Drivers directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4124
- C:\Windows\SYSTEM32\attrib.exe
  "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\guilded_ums.exe"
  2⤵
  - Views/modifies file attributes
  PID:5172
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\guilded_ums.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3124
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2260
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1644
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1576
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4436
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:4076
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6132
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:1076
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\guilded_ums.exe" && pause
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1532
- - C:\Windows\system32\PING.EXE
    ping localhost
    3⤵
    - Runs ping.exe
    PID:240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f872f6c9232f591431202b641ba1ded

SHA1
a7623c472df4bab5ad67cc09ed7ea4937ee16575

SHA256
ab03f8e51cc9b874fc797646edeb914f38e1ea06fa2e88fabc17f058512877e1

SHA512
d7b5490002bbe77de860fa63c9bcdbdb5df90172ddea776baeb9d142ec06d788636bc3db15eed2180601cf918a528e19150b6e4d7f69a095722515513934917b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
6bddc96a32b9ed8fc70b141ccf4a39b2

SHA1
0f33c0699da40a5eadcec646791cf21cdb0dd7c6

SHA256
cb3853abe77eb0da8a1caccb49e97a573b6f35570722eb759116a645d724c132

SHA512
e41f1597b4129b759e4199db195df1c24e47cc47dc9850fab2d48e44bc3d37dc3658fbfbb62332a0b93c552587d7fab09de1634f605faa2209b8470c2a6eaca6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f29ff8b1e0f396a194a6782749830b8e

SHA1
2f8999b0eb2a20e591cf9a638c9fa84ddf4a1f69

SHA256
5bfd4968395fefaac3941c08fa11e86dfde1072137d9290aee3888f2a5d92d3f

SHA512
0689d665f2a7c9007c5dc4c14a53d5566d315d05d476bee82d64d02d40e3ffddca2b36419c76a8f7b7979958a62a7a93c939d1ed72fa7a844841ed06741b9e19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f483da6a7abf0b23ea65b605a004618a

SHA1
43725925beedb39f56c4438393048e7766aed109

SHA256
ac2bd5ce2758b9d03c87ae6b2641ac97e354d13fb63a559b6d6f905df01249e6

SHA512
8850ed36499ec2599e7368c8a04f64cea27bab49d8de71c8d65733e4c9d4bb86aa30b81e3b4bd7396ef7dba52e484e82fdbb7cfdb4003c44ee2abfb478beca63

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0k3c1k4t.gr5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1644-81-0x00007FF9876D0000-0x00007FF988192000-memory.dmp

Filesize
10.8MB

Download
memory/1644-77-0x0000022B65150000-0x0000022B65160000-memory.dmp

Filesize
64KB

Download
memory/1644-78-0x0000022B65150000-0x0000022B65160000-memory.dmp

Filesize
64KB

Download
memory/1644-76-0x00007FF9876D0000-0x00007FF988192000-memory.dmp

Filesize
10.8MB

Download
memory/1972-18-0x00007FF9876D0000-0x00007FF988192000-memory.dmp

Filesize
10.8MB

Download
memory/1972-13-0x00000168B7F80000-0x00000168B7F90000-memory.dmp

Filesize
64KB

Download
memory/1972-15-0x00000168B7F80000-0x00000168B7F90000-memory.dmp

Filesize
64KB

Download
memory/1972-14-0x00000168B7F80000-0x00000168B7F90000-memory.dmp

Filesize
64KB

Download
memory/1972-10-0x00000168B7F00000-0x00000168B7F22000-memory.dmp

Filesize
136KB

Download
memory/1972-12-0x00007FF9876D0000-0x00007FF988192000-memory.dmp

Filesize
10.8MB

Download
memory/2260-65-0x00000184FEFD0000-0x00000184FEFE0000-memory.dmp

Filesize
64KB

Download
memory/2260-41-0x00007FF9876D0000-0x00007FF988192000-memory.dmp

Filesize
10.8MB

Download
memory/2260-42-0x00000184FEFD0000-0x00000184FEFE0000-memory.dmp

Filesize
64KB

Download
memory/2260-67-0x00007FF9876D0000-0x00007FF988192000-memory.dmp

Filesize
10.8MB

Download
memory/3124-32-0x000001C976E70000-0x000001C976E80000-memory.dmp

Filesize
64KB

Download
memory/3124-35-0x00007FF9876D0000-0x00007FF988192000-memory.dmp

Filesize
10.8MB

Download
memory/3124-20-0x00007FF9876D0000-0x00007FF988192000-memory.dmp

Filesize
10.8MB

Download
memory/3124-22-0x000001C976E70000-0x000001C976E80000-memory.dmp

Filesize
64KB

Download
memory/3124-21-0x000001C976E70000-0x000001C976E80000-memory.dmp

Filesize
64KB

Download
memory/4124-38-0x00000219DA060000-0x00000219DA0D6000-memory.dmp

Filesize
472KB

Download
memory/4124-83-0x00000219C14F0000-0x00000219C14FA000-memory.dmp

Filesize
40KB

Download
memory/4124-40-0x00000219DA0E0000-0x00000219DA0FE000-memory.dmp

Filesize
120KB

Download
memory/4124-39-0x00000219D9FE0000-0x00000219DA030000-memory.dmp

Filesize
320KB

Download
memory/4124-33-0x00007FF9876D0000-0x00007FF988192000-memory.dmp

Filesize
10.8MB

Download
memory/4124-0-0x00000219BF7D0000-0x00000219BF810000-memory.dmp

Filesize
256KB

Download
memory/4124-2-0x00000219BFCA0000-0x00000219BFCB0000-memory.dmp

Filesize
64KB

Download
memory/4124-43-0x00000219BFCA0000-0x00000219BFCB0000-memory.dmp

Filesize
64KB

Download
memory/4124-84-0x00000219C1520000-0x00000219C1532000-memory.dmp

Filesize
72KB

Download
memory/4124-104-0x00007FF9876D0000-0x00007FF988192000-memory.dmp

Filesize
10.8MB

Download
memory/4124-1-0x00007FF9876D0000-0x00007FF988192000-memory.dmp

Filesize
10.8MB

Download
memory/6132-97-0x0000023C1E320000-0x0000023C1E330000-memory.dmp

Filesize
64KB

Download
memory/6132-99-0x00007FF9876D0000-0x00007FF988192000-memory.dmp

Filesize
10.8MB

Download
memory/6132-95-0x00007FF9876D0000-0x00007FF988192000-memory.dmp

Filesize
10.8MB

Download