Analysis
-
max time kernel
7s -
max time network
16s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system -
submitted
22-04-2024 13:52
Static task
static1
Behavioral task
behavioral1
Sample
stealer v2.exe
Resource
win10v2004-20240412-en
Behavioral task
behavioral2
Sample
stealer v2.exe
Resource
win7-20240221-en
Behavioral task
behavioral3
Sample
stealer v2.exe
Resource
win10-20240404-en
Behavioral task
behavioral4
Sample
stealer v2.exe
Resource
win10v2004-20240412-en
Behavioral task
behavioral5
Sample
stealer v2.exe
Resource
win11-20240412-en
Errors
General
-
Target
stealer v2.exe
-
Size
678KB
-
MD5
942c8ba962017c3f597a54c44c9f57be
-
SHA1
bc06cee1fc7c218fe0732f6e13c95cb141fd3b2d
-
SHA256
fe9b415107f164c76a286b93f647b0501fb83e4dd7f839ab7fec9639c55084ae
-
SHA512
dee865eca7a6a206c1b197e711494118e6fb696ea3497971ea50222550202eb062d30d49f1814c57d80756fc4cb4c340119a65c895acc9f54f6c1c3820517de8
-
SSDEEP
12288:Riny90J6VGAQWUJFRjynsW+xUid6IeJO70Nv9cpzolz/:RoyJCNJFlysPd6RJOC4zolz/
Malware Config
Extracted
umbral
https://discord.com/api/webhooks/1231373922524598342/SZ4ChwOih600qv0UuiVxKSVU3wzAKLa2uHxdzmR7pdCC3h5QB7aPcVnGRyY3wZSRS0VF
Signatures
-
Detect Umbral payload 1 IoCs
resource yara_rule behavioral1/memory/3988-51-0x000000001B2D0000-0x000000001B310000-memory.dmp family_umbral -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation stealer.exe -
Executes dropped EXE 1 IoCs
pid Process 2320 stealer.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" stealer v2.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 1 IoCs
pid Process 5044 timeout.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4908 powershell.exe 4908 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2320 stealer.exe Token: SeDebugPrivilege 4908 powershell.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2648 wrote to memory of 3008 2648 stealer v2.exe 84 PID 2648 wrote to memory of 3008 2648 stealer v2.exe 84 PID 3008 wrote to memory of 2320 3008 cmd.exe 86 PID 3008 wrote to memory of 2320 3008 cmd.exe 86 PID 2320 wrote to memory of 4908 2320 stealer.exe 97 PID 2320 wrote to memory of 4908 2320 stealer.exe 97
Processes
-
C:\Users\Admin\AppData\Local\Temp\stealer v2.exe"C:\Users\Admin\AppData\Local\Temp\stealer v2.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SYSTEM32\cmd.execmd /c "stealer.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stealer.exestealer.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\task.exe'4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4908
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'task.exe'4⤵PID:3432
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6793.tmp.bat""4⤵PID:4996
-
C:\Windows\system32\timeout.exetimeout 35⤵
- Delays execution with timeout.exe
PID:5044
-
-
-
-
-
C:\Windows\task.exeC:\Windows\task.exe1⤵PID:3988
-
C:\Windows\system32\schtasks.exeschtasks /run /TN Update2⤵PID:4856
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD562623d22bd9e037191765d5083ce16a3
SHA14a07da6872672f715a4780513d95ed8ddeefd259
SHA25695d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010
SHA5129a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992
-
Filesize
671KB
MD5bdb421db1041dff30935a0c368f0316e
SHA115786e4eb3057abaeab7c2ebbb0e758d9d4c2216
SHA256ac14f5357b9e35f8e9fccd2727ae133f34acafbd442cdb6f438a6f7a70861ca2
SHA5120280a8eeb333437c2122b8e47414565bd8492fee285071e612fc09bb82591a56abd5bf4ed1b194f581656ad1f75727b5c51a6ae50f08d7ea7588c36daa9e6b59
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
170B
MD52052f8eb3d55d5a3db3e3ff93149506e
SHA17b5b80e4b565e7dfb2b63fe9769d1895030834a0
SHA256fda5b368fe922464fae79b3a1bb0b7183540d3a204b5ac44a6c4061dd739f222
SHA512629bf082709a75d05357ab2c9b204c915bb2dd38e1ecaf76565c2a4b96427448d8133b9f6210f24c2b271c28216ec52278cf951ce9db54080f6a0525370a8a38