Analysis
-
max time kernel
6s -
max time network
20s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system -
submitted
22-04-2024 13:52
Static task
static1
Behavioral task
behavioral1
Sample
stealer v2.exe
Resource
win10v2004-20240412-en
Behavioral task
behavioral2
Sample
stealer v2.exe
Resource
win7-20240221-en
Behavioral task
behavioral3
Sample
stealer v2.exe
Resource
win10-20240404-en
Behavioral task
behavioral4
Sample
stealer v2.exe
Resource
win10v2004-20240412-en
Behavioral task
behavioral5
Sample
stealer v2.exe
Resource
win11-20240412-en
Errors
General
-
Target
stealer v2.exe
-
Size
678KB
-
MD5
942c8ba962017c3f597a54c44c9f57be
-
SHA1
bc06cee1fc7c218fe0732f6e13c95cb141fd3b2d
-
SHA256
fe9b415107f164c76a286b93f647b0501fb83e4dd7f839ab7fec9639c55084ae
-
SHA512
dee865eca7a6a206c1b197e711494118e6fb696ea3497971ea50222550202eb062d30d49f1814c57d80756fc4cb4c340119a65c895acc9f54f6c1c3820517de8
-
SSDEEP
12288:Riny90J6VGAQWUJFRjynsW+xUid6IeJO70Nv9cpzolz/:RoyJCNJFlysPd6RJOC4zolz/
Malware Config
Extracted
umbral
https://discord.com/api/webhooks/1231373922524598342/SZ4ChwOih600qv0UuiVxKSVU3wzAKLa2uHxdzmR7pdCC3h5QB7aPcVnGRyY3wZSRS0VF
Signatures
-
Detect Umbral payload 1 IoCs
resource yara_rule behavioral4/memory/432-50-0x000000001B1E0000-0x000000001B220000-memory.dmp family_umbral -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation stealer.exe -
Executes dropped EXE 2 IoCs
pid Process 3760 stealer.exe 432 task.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" stealer v2.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 7 ip-api.com -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\task.exe stealer.exe File opened for modification C:\Windows\task.exe stealer.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 1 IoCs
pid Process 3164 timeout.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 2100 powershell.exe 2100 powershell.exe 1180 powershell.exe 1180 powershell.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 3760 stealer.exe Token: SeDebugPrivilege 2100 powershell.exe Token: SeDebugPrivilege 1180 powershell.exe Token: SeDebugPrivilege 432 task.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 3112 wrote to memory of 2692 3112 stealer v2.exe 84 PID 3112 wrote to memory of 2692 3112 stealer v2.exe 84 PID 2692 wrote to memory of 3760 2692 cmd.exe 86 PID 2692 wrote to memory of 3760 2692 cmd.exe 86 PID 3760 wrote to memory of 2100 3760 stealer.exe 88 PID 3760 wrote to memory of 2100 3760 stealer.exe 88 PID 3760 wrote to memory of 1180 3760 stealer.exe 91 PID 3760 wrote to memory of 1180 3760 stealer.exe 91 PID 3760 wrote to memory of 1036 3760 stealer.exe 100 PID 3760 wrote to memory of 1036 3760 stealer.exe 100 PID 1036 wrote to memory of 3164 1036 cmd.exe 102 PID 1036 wrote to memory of 3164 1036 cmd.exe 102 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\stealer v2.exe"C:\Users\Admin\AppData\Local\Temp\stealer v2.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3112 -
C:\Windows\SYSTEM32\cmd.execmd /c "stealer.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stealer.exestealer.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3760 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\task.exe'4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2100
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'task.exe'4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1180
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp44AA.tmp.bat""4⤵
- Suspicious use of WriteProcessMemory
PID:1036 -
C:\Windows\system32\timeout.exetimeout 35⤵
- Delays execution with timeout.exe
PID:3164
-
-
-
-
-
C:\Windows\task.exeC:\Windows\task.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:432 -
C:\Windows\system32\schtasks.exeschtasks /run /TN Update2⤵PID:4120
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD559d97011e091004eaffb9816aa0b9abd
SHA11602a56b01dd4b7c577ca27d3117e4bcc1aa657b
SHA25618f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d
SHA512d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6
-
Filesize
671KB
MD5bdb421db1041dff30935a0c368f0316e
SHA115786e4eb3057abaeab7c2ebbb0e758d9d4c2216
SHA256ac14f5357b9e35f8e9fccd2727ae133f34acafbd442cdb6f438a6f7a70861ca2
SHA5120280a8eeb333437c2122b8e47414565bd8492fee285071e612fc09bb82591a56abd5bf4ed1b194f581656ad1f75727b5c51a6ae50f08d7ea7588c36daa9e6b59
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
170B
MD50956de8e46817a9da34dfd011f1fc60e
SHA12913117332fcfa4a0984a62dbd639ed3f02d0653
SHA2565a07325842c73924433cbf4e7bb413a367f4c4e71e02fab410d2c32402a67b33
SHA51262c78ae9b39e2a1f3f5355eea0d3b7eeeb459159411f4e6644f85c0033b75be7a400342f1b754871c052a30affcebe8ff49e9b348d2742bc4d4c5ba8b4657d5e