umbral | d62d20e29a48e72a734f508da7e9f846d4ce86c508e1e35f5d6bf1bb79bb0903

Analysis

max time kernel
133s
max time network
124s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
21-03-2024 08:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aqua.exe
Size

229KB
MD5

832b0f69e45599345ea82ccb17b9dc2b
SHA1

095d58cb166db0b4cedfd6a608b486aabe973539
SHA256

d62d20e29a48e72a734f508da7e9f846d4ce86c508e1e35f5d6bf1bb79bb0903
SHA512

5627bfc2cff426cd75981616e263cded8bd1531a2301303199dca1a2836dacc42070767631bc2a766fc2187a81a002fd06c241531277adf4b07a2aead4dbb0ba
SSDEEP

6144:lloZMHrIkd8g+EtXHkv/iD4IXu/cCFdWtj+ctBI4kb8e1maHi:noZIL+EP8IXu/cCFdWtj+ctBIxQ

Score

10^/10

umbral spyware stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral1/memory/4344-0-0x0000023742970000-0x00000237429B0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
28	discord.com
3	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2112	wmic.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
952	powershell.exe
952	powershell.exe
4704	powershell.exe
4704	powershell.exe
1748	powershell.exe
1748	powershell.exe
124	powershell.exe
124	powershell.exe
584	powershell.exe
584	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4344	aqua.exe
Token: SeDebugPrivilege	952	powershell.exe
Token: SeDebugPrivilege	4704	powershell.exe
Token: SeDebugPrivilege	1748	powershell.exe
Token: SeDebugPrivilege	124	powershell.exe
Token: SeIncreaseQuotaPrivilege	4188	wmic.exe
Token: SeSecurityPrivilege	4188	wmic.exe
Token: SeTakeOwnershipPrivilege	4188	wmic.exe
Token: SeLoadDriverPrivilege	4188	wmic.exe
Token: SeSystemProfilePrivilege	4188	wmic.exe
Token: SeSystemtimePrivilege	4188	wmic.exe
Token: SeProfSingleProcessPrivilege	4188	wmic.exe
Token: SeIncBasePriorityPrivilege	4188	wmic.exe
Token: SeCreatePagefilePrivilege	4188	wmic.exe
Token: SeBackupPrivilege	4188	wmic.exe
Token: SeRestorePrivilege	4188	wmic.exe
Token: SeShutdownPrivilege	4188	wmic.exe
Token: SeDebugPrivilege	4188	wmic.exe
Token: SeSystemEnvironmentPrivilege	4188	wmic.exe
Token: SeRemoteShutdownPrivilege	4188	wmic.exe
Token: SeUndockPrivilege	4188	wmic.exe
Token: SeManageVolumePrivilege	4188	wmic.exe
Token: 33	4188	wmic.exe
Token: 34	4188	wmic.exe
Token: 35	4188	wmic.exe
Token: 36	4188	wmic.exe
Token: SeIncreaseQuotaPrivilege	4188	wmic.exe
Token: SeSecurityPrivilege	4188	wmic.exe
Token: SeTakeOwnershipPrivilege	4188	wmic.exe
Token: SeLoadDriverPrivilege	4188	wmic.exe
Token: SeSystemProfilePrivilege	4188	wmic.exe
Token: SeSystemtimePrivilege	4188	wmic.exe
Token: SeProfSingleProcessPrivilege	4188	wmic.exe
Token: SeIncBasePriorityPrivilege	4188	wmic.exe
Token: SeCreatePagefilePrivilege	4188	wmic.exe
Token: SeBackupPrivilege	4188	wmic.exe
Token: SeRestorePrivilege	4188	wmic.exe
Token: SeShutdownPrivilege	4188	wmic.exe
Token: SeDebugPrivilege	4188	wmic.exe
Token: SeSystemEnvironmentPrivilege	4188	wmic.exe
Token: SeRemoteShutdownPrivilege	4188	wmic.exe
Token: SeUndockPrivilege	4188	wmic.exe
Token: SeManageVolumePrivilege	4188	wmic.exe
Token: 33	4188	wmic.exe
Token: 34	4188	wmic.exe
Token: 35	4188	wmic.exe
Token: 36	4188	wmic.exe
Token: SeIncreaseQuotaPrivilege	1000	wmic.exe
Token: SeSecurityPrivilege	1000	wmic.exe
Token: SeTakeOwnershipPrivilege	1000	wmic.exe
Token: SeLoadDriverPrivilege	1000	wmic.exe
Token: SeSystemProfilePrivilege	1000	wmic.exe
Token: SeSystemtimePrivilege	1000	wmic.exe
Token: SeProfSingleProcessPrivilege	1000	wmic.exe
Token: SeIncBasePriorityPrivilege	1000	wmic.exe
Token: SeCreatePagefilePrivilege	1000	wmic.exe
Token: SeBackupPrivilege	1000	wmic.exe
Token: SeRestorePrivilege	1000	wmic.exe
Token: SeShutdownPrivilege	1000	wmic.exe
Token: SeDebugPrivilege	1000	wmic.exe
Token: SeSystemEnvironmentPrivilege	1000	wmic.exe
Token: SeRemoteShutdownPrivilege	1000	wmic.exe
Token: SeUndockPrivilege	1000	wmic.exe
Token: SeManageVolumePrivilege	1000	wmic.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4344 wrote to memory of 952	4344	aqua.exe	80
PID 4344 wrote to memory of 952	4344	aqua.exe	80
PID 4344 wrote to memory of 4704	4344	aqua.exe	82
PID 4344 wrote to memory of 4704	4344	aqua.exe	82
PID 4344 wrote to memory of 1748	4344	aqua.exe	84
PID 4344 wrote to memory of 1748	4344	aqua.exe	84
PID 4344 wrote to memory of 124	4344	aqua.exe	86
PID 4344 wrote to memory of 124	4344	aqua.exe	86
PID 4344 wrote to memory of 4188	4344	aqua.exe	90
PID 4344 wrote to memory of 4188	4344	aqua.exe	90
PID 4344 wrote to memory of 1000	4344	aqua.exe	93
PID 4344 wrote to memory of 1000	4344	aqua.exe	93
PID 4344 wrote to memory of 3836	4344	aqua.exe	95
PID 4344 wrote to memory of 3836	4344	aqua.exe	95
PID 4344 wrote to memory of 584	4344	aqua.exe	97
PID 4344 wrote to memory of 584	4344	aqua.exe	97
PID 4344 wrote to memory of 2112	4344	aqua.exe	99
PID 4344 wrote to memory of 2112	4344	aqua.exe	99

C:\Users\Admin\AppData\Local\Temp\aqua.exe
"C:\Users\Admin\AppData\Local\Temp\aqua.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4344
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\aqua.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:952
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4704
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1748
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:124
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4188
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1000
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:3836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:584
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:2112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c237b9c731fbd910e5e413a26f23fd62

SHA1
5545ff908e45e74a5d9e8b02569f7448d08a1f26

SHA256
8abcef5905198da5872e05d4ea1365f83202455ad2db2b3bbd566e8c985ff1c0

SHA512
c875e380b23c40be495bcefc855aa6ff8139e4433eacc98f76f79fa620429a550625260ca3b4b95ce3bbf36a37e20e0e9277dea35255cf68930b93c13b67be05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d0a4a3b9a52b8fe3b019f6cd0ef3dad6

SHA1
fed70ce7834c3b97edbd078eccda1e5effa527cd

SHA256
21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31

SHA512
1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
6bddc96a32b9ed8fc70b141ccf4a39b2

SHA1
0f33c0699da40a5eadcec646791cf21cdb0dd7c6

SHA256
cb3853abe77eb0da8a1caccb49e97a573b6f35570722eb759116a645d724c132

SHA512
e41f1597b4129b759e4199db195df1c24e47cc47dc9850fab2d48e44bc3d37dc3658fbfbb62332a0b93c552587d7fab09de1634f605faa2209b8470c2a6eaca6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
57083a8e45ebe4fd84c7c0f137ec3e21

SHA1
857b5ea57f7bcf03cadee122106c6e58792a9b84

SHA256
f20102c4dc409cad3cdaf7a330c3a18a730a9d7d902b9fbee2a84186cba93d40

SHA512
4bbc21c07c05ee1f783242f0fb59324d5ff9ae18bdf892f02980d582fed83380888eeba58e1a6a321507cfd5d4fe82a328a0d3482b29633be4e3ebbeac636f87

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rylvsgsk.beq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/124-85-0x0000023B26380000-0x0000023B264CF000-memory.dmp

Filesize
1.3MB

Download
memory/124-72-0x00007FFEE0640000-0x00007FFEE1102000-memory.dmp

Filesize
10.8MB

Download
memory/124-86-0x00007FFEE0640000-0x00007FFEE1102000-memory.dmp

Filesize
10.8MB

Download
memory/124-83-0x0000023B0DC90000-0x0000023B0DCA0000-memory.dmp

Filesize
64KB

Download
memory/124-81-0x0000023B0DC90000-0x0000023B0DCA0000-memory.dmp

Filesize
64KB

Download
memory/584-107-0x00007FFEE0640000-0x00007FFEE1102000-memory.dmp

Filesize
10.8MB

Download
memory/584-106-0x000001EAA5260000-0x000001EAA53AF000-memory.dmp

Filesize
1.3MB

Download
memory/584-101-0x00007FFEE0640000-0x00007FFEE1102000-memory.dmp

Filesize
10.8MB

Download
memory/584-102-0x000001EAA50E0000-0x000001EAA50F0000-memory.dmp

Filesize
64KB

Download
memory/584-103-0x000001EAA50E0000-0x000001EAA50F0000-memory.dmp

Filesize
64KB

Download
memory/584-104-0x000001EAA50E0000-0x000001EAA50F0000-memory.dmp

Filesize
64KB

Download
memory/952-13-0x0000019BFDFA0000-0x0000019BFDFB0000-memory.dmp

Filesize
64KB

Download
memory/952-12-0x00007FFEE0640000-0x00007FFEE1102000-memory.dmp

Filesize
10.8MB

Download
memory/952-15-0x0000019BFDFA0000-0x0000019BFDFB0000-memory.dmp

Filesize
64KB

Download
memory/952-16-0x0000019BFDFA0000-0x0000019BFDFB0000-memory.dmp

Filesize
64KB

Download
memory/952-19-0x0000019BFE650000-0x0000019BFE79F000-memory.dmp

Filesize
1.3MB

Download
memory/952-20-0x00007FFEE0640000-0x00007FFEE1102000-memory.dmp

Filesize
10.8MB

Download
memory/952-11-0x0000019BFE160000-0x0000019BFE182000-memory.dmp

Filesize
136KB

Download
memory/952-14-0x0000019BFDFA0000-0x0000019BFDFB0000-memory.dmp

Filesize
64KB

Download
memory/1748-48-0x00000236D7EC0000-0x00000236D7ED0000-memory.dmp

Filesize
64KB

Download
memory/1748-47-0x00000236D7EC0000-0x00000236D7ED0000-memory.dmp

Filesize
64KB

Download
memory/1748-43-0x00007FFEE0640000-0x00007FFEE1102000-memory.dmp

Filesize
10.8MB

Download
memory/1748-67-0x00000236D7EC0000-0x00000236D7ED0000-memory.dmp

Filesize
64KB

Download
memory/1748-69-0x00000236D7ED0000-0x00000236D801F000-memory.dmp

Filesize
1.3MB

Download
memory/1748-70-0x00007FFEE0640000-0x00007FFEE1102000-memory.dmp

Filesize
10.8MB

Download
memory/4344-0-0x0000023742970000-0x00000237429B0000-memory.dmp

Filesize
256KB

Download
memory/4344-1-0x00007FFEE0640000-0x00007FFEE1102000-memory.dmp

Filesize
10.8MB

Download
memory/4344-2-0x0000023742E70000-0x0000023742E80000-memory.dmp

Filesize
64KB

Download
memory/4344-112-0x00007FFEE0640000-0x00007FFEE1102000-memory.dmp

Filesize
10.8MB

Download
memory/4344-39-0x000002375D140000-0x000002375D1B6000-memory.dmp

Filesize
472KB

Download
memory/4344-71-0x0000023742E70000-0x0000023742E80000-memory.dmp

Filesize
64KB

Download
memory/4344-40-0x000002375D210000-0x000002375D260000-memory.dmp

Filesize
320KB

Download
memory/4344-89-0x000002375D1C0000-0x000002375D1D2000-memory.dmp

Filesize
72KB

Download
memory/4344-88-0x000002375D0E0000-0x000002375D0EA000-memory.dmp

Filesize
40KB

Download
memory/4344-42-0x00007FFEE0640000-0x00007FFEE1102000-memory.dmp

Filesize
10.8MB

Download
memory/4344-41-0x000002375D110000-0x000002375D12E000-memory.dmp

Filesize
120KB

Download
memory/4704-36-0x0000026BA1430000-0x0000026BA157F000-memory.dmp

Filesize
1.3MB

Download
memory/4704-22-0x00007FFEE0640000-0x00007FFEE1102000-memory.dmp

Filesize
10.8MB

Download
memory/4704-23-0x0000026BA1420000-0x0000026BA1430000-memory.dmp

Filesize
64KB

Download
memory/4704-24-0x0000026BA1420000-0x0000026BA1430000-memory.dmp

Filesize
64KB

Download
memory/4704-37-0x00007FFEE0640000-0x00007FFEE1102000-memory.dmp

Filesize
10.8MB

Download
memory/4704-34-0x0000026BA1420000-0x0000026BA1430000-memory.dmp

Filesize
64KB

Download