Analysis
max time kernel: 30s
max time network: 20s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-04-2024 20:12
General
Target: Umbral.exe
Size: 230KB
MD5: da7d94f96e8b7f035020b7721e968ec1
SHA1: a30abe39a9e27e5eb76fb509eb4f9edeb7c36f5e
SHA256: 23d651ed623affcb1b71457c07c4f887a6ac44b04ceef74850292ab38d1b3287
SHA512: 181bf779331cbe6f456a44963004e84d8850e1a61350bae66c4e5001d185740c5fbab44b536e3e055871029db23409db376778488ea1d0098ac89786387bd6e2
SSDEEP: 3072:WP+1vofuiMY9QF1c7ROhOtXrLmBGIgXyPyTuuu5bO4ickEw8eFJMwT0kE/0RQ:lQ9Q4XYuTuuufS8eFJLhE
Malware Config
Signatures

Detect Umbral payload (1 IoC)
resource | yara_rule
behavioral1/memory/1140-0-0x000002C0D43B0000-0x000002C0D43F0000-memory.dmp | family_umbral
Modifies Internet Explorer settings
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{586C6061-FA9B-11EE-AD03-C6A716FA46EC} = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Software\Microsoft\Internet Explorer\GPU | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Software\Microsoft\Internet Explorer\IESettingSync | IEXPLORE.EXE
Suspicious use of FindShellTrayWindow (1 IoC)
pid | Process
1352 | iexplore.exe

Suspicious use of SetWindowsHookEx (6 IoCs)
pid | Process
1352 | iexplore.exe
1352 | iexplore.exe
3192 | IEXPLORE.EXE
3192 | IEXPLORE.EXE
3192 | IEXPLORE.EXE
3192 | IEXPLORE.EXE

Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 1352 wrote to memory of 3192 | 1352 | iexplore.exe | 91
PID 1352 wrote to memory of 3192 | 1352 | iexplore.exe | 91
PID 1352 wrote to memory of 3192 | 1352 | iexplore.exe | 91
Processes

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
  PID: 1140

C:\Program Files\Internet Explorer\iexplore.exe
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\DisconnectConfirm.gif
  PID: 1352
  Signatures:
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (child of PID 1352)
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1352 CREDAT:17410 /prefetch:2
    PID: 3192
    Signatures:
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx