Analysis
max time kernel: 9s
max time network: 10s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 22-04-2024 13:52
Static task: static1
Behavioral task: behavioral1 (sample: stealer v2.exe, resource: win10v2004-20240412-en)
Behavioral task: behavioral2 (sample: stealer v2.exe, resource: win7-20240221-en)
Behavioral task: behavioral3 (sample: stealer v2.exe, resource: win10-20240404-en)
Behavioral task: behavioral4 (sample: stealer v2.exe, resource: win10v2004-20240412-en)
Behavioral task: behavioral5 (sample: stealer v2.exe, resource: win11-20240412-en)
General
Target: stealer v2.exe
Size: 678KB
MD5: 942c8ba962017c3f597a54c44c9f57be
SHA1: bc06cee1fc7c218fe0732f6e13c95cb141fd3b2d
SHA256: fe9b415107f164c76a286b93f647b0501fb83e4dd7f839ab7fec9639c55084ae
SHA512: dee865eca7a6a206c1b197e711494118e6fb696ea3497971ea50222550202eb062d30d49f1814c57d80756fc4cb4c340119a65c895acc9f54f6c1c3820517de8
SSDEEP: 12288:Riny90J6VGAQWUJFRjynsW+xUid6IeJO70Nv9cpzolz/:RoyJCNJFlysPd6RJOC4zolz/
Malware Config
Extracted family: umbral
Discord webhook: https://discord.com/api/webhooks/1231373922524598342/SZ4ChwOih600qv0UuiVxKSVU3wzAKLa2uHxdzmR7pdCC3h5QB7aPcVnGRyY3wZSRS0VF
Signatures
Detect Umbral payload (1 IoC)
  resource: behavioral3/memory/4100-121-0x00000000028A0000-0x00000000028E0000-memory.dmp, yara_rule: family_umbral
Executes dropped EXE (1 IoC)
  pid 4624, process stealer.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (process: stealer v2.exe)
Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 1, ioc: ip-api.com
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Delays execution with timeout.exe (1 IoC)
  pid 384, process timeout.exe
Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid 4632, process powershell.exe
  pid 4632, process powershell.exe
  pid 4632, process powershell.exe
  pid 3588, process powershell.exe
  pid 3588, process powershell.exe
Suspicious use of AdjustPrivilegeToken (24 IoCs)
  Token: SeDebugPrivilege, pid 4624, process stealer.exe
  Token: SeDebugPrivilege, pid 4632, process powershell.exe
  Token: SeIncreaseQuotaPrivilege, pid 4632, process powershell.exe
  Token: SeSecurityPrivilege, pid 4632, process powershell.exe
  Token: SeTakeOwnershipPrivilege, pid 4632, process powershell.exe
  Token: SeLoadDriverPrivilege, pid 4632, process powershell.exe
  Token: SeSystemProfilePrivilege, pid 4632, process powershell.exe
  Token: SeSystemtimePrivilege, pid 4632, process powershell.exe
  Token: SeProfSingleProcessPrivilege, pid 4632, process powershell.exe
  Token: SeIncBasePriorityPrivilege, pid 4632, process powershell.exe
  Token: SeCreatePagefilePrivilege, pid 4632, process powershell.exe
  Token: SeBackupPrivilege, pid 4632, process powershell.exe
  Token: SeRestorePrivilege, pid 4632, process powershell.exe
  Token: SeShutdownPrivilege, pid 4632, process powershell.exe
  Token: SeDebugPrivilege, pid 4632, process powershell.exe
  Token: SeSystemEnvironmentPrivilege, pid 4632, process powershell.exe
  Token: SeRemoteShutdownPrivilege, pid 4632, process powershell.exe
  Token: SeUndockPrivilege, pid 4632, process powershell.exe
  Token: SeManageVolumePrivilege, pid 4632, process powershell.exe
  Token: 33, pid 4632, process powershell.exe
  Token: 34, pid 4632, process powershell.exe
  Token: 35, pid 4632, process powershell.exe
  Token: 36, pid 4632, process powershell.exe
  Token: SeDebugPrivilege, pid 3588, process powershell.exe
Suspicious use of WriteProcessMemory (8 IoCs)
  PID 4404 wrote to memory of 4140 (pid 4404, process stealer v2.exe, procid_target 72)
  PID 4404 wrote to memory of 4140 (pid 4404, process stealer v2.exe, procid_target 72)
  PID 4140 wrote to memory of 4624 (pid 4140, process cmd.exe, procid_target 74)
  PID 4140 wrote to memory of 4624 (pid 4140, process cmd.exe, procid_target 74)
  PID 4624 wrote to memory of 4632 (pid 4624, process stealer.exe, procid_target 75)
  PID 4624 wrote to memory of 4632 (pid 4624, process stealer.exe, procid_target 75)
  PID 4624 wrote to memory of 3588 (pid 4624, process stealer.exe, procid_target 78)
  PID 4624 wrote to memory of 3588 (pid 4624, process stealer.exe, procid_target 78)
Processes
C:\Users\Admin\AppData\Local\Temp\stealer v2.exe (PID 4404)
  command line: "C:\Users\Admin\AppData\Local\Temp\stealer v2.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Windows\SYSTEM32\cmd.exe (PID 4140)
    command line: cmd /c "stealer.exe"
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stealer.exe (PID 4624)
      command line: stealer.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4632)
        command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\task.exe'
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3588)
        command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'task.exe'
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\system32\cmd.exe (PID 1404)
        command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp98F4.tmp.bat""
        C:\Windows\system32\timeout.exe (PID 384)
          command line: timeout 3
          - Delays execution with timeout.exe
C:\Windows\task.exe (PID 4100)
  command line: C:\Windows\task.exe
  C:\Windows\system32\schtasks.exe (PID 4644)
    command line: schtasks /run /TN Update
C:\Windows\System32\svchost.exe (PID 4176)
  command line: C:\Windows\System32\svchost.exe
Network
MITRE ATT&CK Enterprise v15
Downloads