Overview

overview

10

Static

static

10

loader.exe

windows7-x64

10

loader.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    14-03-2024 21:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    loader.exe

  • Size

    231KB

  • MD5

    c534087d8b0da713f69ff7674465bb17

  • SHA1

    f2ecb66437aa0ec06cce908428b6b891aed74071

  • SHA256

    9bfbe65dc852646119cde7e50ba948d7fae6d80f2bc6483273478f398a726f97

  • SHA512

    f7165e561a0f76b524e3db552e09caf44f3ef5200934e5de45163df386a0d769674148e741107acf5b92aa4b9e34c54cc5582d955da3892dc5986aef51bf4815

  • SSDEEP

    6144:xloZMArIkd8g+EtXHkv/iD434SD34QWRJ6KyvSgR1EPab8e1m0i:DoZHL+EP8oE34QWRJ63vSgR1E+m

Score
10/10
umbralspywarestealer

Malware Config

Signatures

  • Detect Umbral payload 2 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Drops file in Drivers directory 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\loader.exe
    "C:\Users\Admin\AppData\Local\Temp\loader.exe"
    1⤵
    • Drops file in Drivers directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1640
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\loader.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1604
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2700
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1160
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2840
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1640 -s 1880
      2⤵
        PID:1108

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      ed43763bc9d1e273d942c28b4872c558

      SHA1

      8aa12f48474767a5c66296157c0711cd9b8ac8f8

      SHA256

      1a762cf840ce618e4dd6b3c32892f0b7e21951b260f1eeca8234b6a89acd8c9b

      SHA512

      5fd3bfb4fc7acf78976047e98867f87af5967cf20ee4bf6a6b5d9cd4f018c5e33c63a912633afa7ea7fcbaa99c5ec7997a3d1fc4717b657bf672d00682ef0969

      Download Submit

    • memory/1160-50-0x000007FEED5C0000-0x000007FEEDF5D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1160-49-0x0000000002510000-0x0000000002590000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1160-48-0x0000000002510000-0x0000000002590000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1160-47-0x0000000002510000-0x0000000002590000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1160-46-0x000007FEED5C0000-0x000007FEEDF5D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1160-45-0x000007FEED5C0000-0x000007FEEDF5D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1604-13-0x00000000025B0000-0x0000000002630000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1604-12-0x00000000025B0000-0x0000000002630000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1604-9-0x000000001B450000-0x000000001B732000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/1604-15-0x000007FEED5C0000-0x000007FEEDF5D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1604-11-0x0000000002390000-0x0000000002398000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1604-16-0x00000000025B0000-0x0000000002630000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1604-17-0x000007FEED5C0000-0x000007FEEDF5D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1604-10-0x000007FEED5C0000-0x000007FEEDF5D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1604-14-0x00000000025B0000-0x0000000002630000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1640-1-0x000007FEF5370000-0x000007FEF5D5C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/1640-2-0x000000001B180000-0x000000001B200000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1640-3-0x000007FEF5370000-0x000007FEF5D5C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/1640-4-0x000000001B180000-0x000000001B200000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1640-0-0x00000000009A0000-0x00000000009E0000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2700-23-0x000000001B270000-0x000000001B552000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2700-25-0x000007FEECC20000-0x000007FEED5BD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2700-31-0x000007FEECC20000-0x000007FEED5BD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2700-29-0x00000000025B0000-0x0000000002630000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2700-28-0x00000000025B0000-0x0000000002630000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2700-27-0x000007FEECC20000-0x000007FEED5BD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2700-26-0x00000000025B0000-0x0000000002630000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2700-30-0x00000000025B0000-0x0000000002630000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2700-24-0x0000000001DF0000-0x0000000001DF8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2840-56-0x000007FEECC20000-0x000007FEED5BD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2840-57-0x0000000002910000-0x0000000002990000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2840-58-0x000007FEECC20000-0x000007FEED5BD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2840-59-0x0000000002910000-0x0000000002990000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2840-60-0x0000000002910000-0x0000000002990000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2840-61-0x000007FEECC20000-0x000007FEED5BD000-memory.dmp

      Filesize

      9.6MB

      Download