Analysis
-
max time kernel
6s -
max time network
9s -
platform
windows11-21h2_x64 -
resource
win11-20240412-en -
resource tags
arch:x64 arch:x86 image:win11-20240412-en locale:en-us os:windows11-21h2-x64 system -
submitted
22-04-2024 13:52
Static task
static1
Behavioral task
behavioral1
Sample
stealer v2.exe
Resource
win10v2004-20240412-en
Behavioral task
behavioral2
Sample
stealer v2.exe
Resource
win7-20240221-en
Behavioral task
behavioral3
Sample
stealer v2.exe
Resource
win10-20240404-en
Behavioral task
behavioral4
Sample
stealer v2.exe
Resource
win10v2004-20240412-en
Behavioral task
behavioral5
Sample
stealer v2.exe
Resource
win11-20240412-en
Errors
General
-
Target
stealer v2.exe
-
Size
678KB
-
MD5
942c8ba962017c3f597a54c44c9f57be
-
SHA1
bc06cee1fc7c218fe0732f6e13c95cb141fd3b2d
-
SHA256
fe9b415107f164c76a286b93f647b0501fb83e4dd7f839ab7fec9639c55084ae
-
SHA512
dee865eca7a6a206c1b197e711494118e6fb696ea3497971ea50222550202eb062d30d49f1814c57d80756fc4cb4c340119a65c895acc9f54f6c1c3820517de8
-
SSDEEP
12288:Riny90J6VGAQWUJFRjynsW+xUid6IeJO70Nv9cpzolz/:RoyJCNJFlysPd6RJOC4zolz/
Malware Config
Extracted
umbral
https://discord.com/api/webhooks/1231373922524598342/SZ4ChwOih600qv0UuiVxKSVU3wzAKLa2uHxdzmR7pdCC3h5QB7aPcVnGRyY3wZSRS0VF
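The extracted Umbral configuration is a single Discord webhook. The extractor below is an added example, not part of this report or of the sandbox, showing how that IoC is pulled out of a memory dump and what else it yields: it scans both plain ASCII and UTF-16LE (the form in which .NET binaries such as Umbral keep string literals), de-duplicates hits, and decodes the webhook ID as a Discord snowflake to recover when the attacker created the webhook. The memory buffer is constructed here from the webhook reported above plus filler; the regex and the snowflake epoch are standard Discord formats, and nothing else is taken from the sample.

```python
import re
from datetime import datetime, timezone

# Discord webhook URL as it appears in Umbral-style stealer configs: numeric snowflake ID, then a token.
WEBHOOK_RE = re.compile(
    rb"https://discord(?:app)?\.com/api/webhooks/(\d{17,20})/([A-Za-z0-9_-]{50,100})"
)
DISCORD_EPOCH_MS = 1_420_070_400_000  # Discord snowflakes count milliseconds from 2015-01-01T00:00:00Z


def snowflake_time(snowflake: int) -> datetime:
    """Creation time encoded in the top 42 bits of a Discord snowflake (webhook, channel and user IDs alike)."""
    return datetime.fromtimestamp(((snowflake >> 22) + DISCORD_EPOCH_MS) / 1000, tz=timezone.utc)


def extract_webhooks(buf: bytes) -> list[dict]:
    """Scan a memory dump or binary for Discord webhook URLs in ASCII and UTF-16LE.

    .NET keeps string literals as UTF-16LE; for ASCII-range text that is one character
    byte followed by one NUL, so taking every second byte (both alignments) turns it
    back into something the ASCII regex matches. Offsets are mapped back to the buffer.
    """
    views = [("ascii", buf, 1, 0), ("utf-16le", buf[0::2], 2, 0), ("utf-16le", buf[1::2], 2, 1)]
    found: dict[tuple, dict] = {}
    for enc, view, stride, base in views:
        for m in WEBHOOK_RE.finditer(view):
            wid, token = m.group(1).decode(), m.group(2).decode()
            hit = found.setdefault((wid, token), {
                "url": m.group(0).decode(),
                "webhook_id": wid,
                "token": token,
                "created_utc": snowflake_time(int(wid)),
                "seen_in": [],
                "offsets": [],
            })
            hit["seen_in"].append(enc)
            hit["offsets"].append(m.start() * stride + base)
    return list(found.values())


# Constructed stand-in for a memory dump: the webhook from this report embedded once as a
# .NET (UTF-16LE) string at an odd offset and once as plain ASCII, surrounded by filler.
REPORTED_URL = ("https://discord.com/api/webhooks/1231373922524598342/"
                "SZ4ChwOih600qv0UuiVxKSVU3wzAKLa2uHxdzmR7pdCC3h5QB7aPcVnGRyY3wZSRS0VF")
SAMPLE_DUMP = (
    b"\x00" * 7 + b"Umbral" + REPORTED_URL.encode("utf-16-le") + b"\x00\x00"
    + b"\x90" * 16 + b"POST " + REPORTED_URL.encode() + b" HTTP/1.1\r\n"
)

if __name__ == "__main__":
    for hook in extract_webhooks(SAMPLE_DUMP):
        print(hook["webhook_id"], hook["created_utc"].isoformat(), hook["seen_in"], hook["offsets"])
```

Run against the real behavioral5 memory dump the same function returns the webhook above; the snowflake timestamp places the webhook's creation two days before the submission date in this report, which is a useful data point when clustering samples that share an operator.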
Signatures
-
Detect Umbral payload 1 IoCs
resource: behavioral5/memory/2604-44-0x000000001B630000-0x000000001B670000-memory.dmp (memory of PID 2604, task.exe)
yara_rule: family_umbral -
Executes dropped EXE 2 IoCs
PID 4932 stealer.exe
PID 2604 task.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (process: stealer v2.exe)
Caveat: a wextract_cleanup0 value pointing rundll32 at advpack.dll,DelNodeRunDLL32 is the standard entry that a Windows IExpress/wextract self-extracting package writes so that its IXP000.TMP extraction folder is deleted at the next logon. It shows that stealer v2.exe is an IExpress wrapper around stealer.exe; the RunOnce key itself is cleanup, not the stealer's persistence. -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow 1: ip-api.com -
Drops file in Windows directory 2 IoCs
File opened for modification: C:\Windows\task.exe (process: stealer.exe)
File created: C:\Windows\task.exe (process: stealer.exe) -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 1 IoCs
pid Process 3704 timeout.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
PID 5032 powershell.exe (2 events)
PID 4484 powershell.exe (2 events) -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Token: SeDebugPrivilege, PID 4932 stealer.exe
Token: SeDebugPrivilege, PID 5032 powershell.exe
Token: SeDebugPrivilege, PID 4484 powershell.exe
Token: SeDebugPrivilege, PID 2604 task.exe -
Suspicious use of WriteProcessMemory 8 IoCs
PID 2336 (stealer v2.exe) wrote to memory of PID 1220, procid_target 78 (2 events)
PID 1220 (cmd.exe) wrote to memory of PID 4932, procid_target 80 (2 events)
PID 4932 (stealer.exe) wrote to memory of PID 5032, procid_target 81 (2 events)
PID 4932 (stealer.exe) wrote to memory of PID 4484, procid_target 83 (2 events)
Every write pairs a parent with the child it has just created (2336 to 1220, 1220 to 4932, 4932 to 5032 and 4484, matching the process tree below), which is what CreateProcess does while setting up a new process. No process writes into an unrelated one, so this signature is not by itself evidence of injection. -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\stealer v2.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\stealer v2.exe"
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2336 -
Level 2: C:\Windows\SYSTEM32\cmd.exe
Command line: cmd /c "stealer.exe"
- Suspicious use of WriteProcessMemory
PID:1220 -
Level 3: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stealer.exe
Command line: stealer.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4932 -
Level 4: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\task.exe'
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5032
-
-
Level 4: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'task.exe'
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4484
-
-
Level 4: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp496D.tmp.bat""
PID:1476
-
Level 5: C:\Windows\system32\timeout.exe
Command line: timeout 3
- Delays execution with timeout.exe
PID:3704
-
-
-
-
-
Level 1: C:\Windows\task.exe
Command line: C:\Windows\task.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2604
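The process tree above carries three behaviours a detection engineer would want to alert on regardless of the hash: PowerShell adding Defender exclusions (Add-MpPreference -ExclusionPath / -ExclusionProcess), a cmd.exe running a tmp????.tmp.bat from %TEMP% that stalls with timeout.exe before the next stage, and a payload launched directly from the Windows directory root. The script below is an added example, not code from the sandbox or from this report: it runs those three rules over process-creation events transcribed from the tree (constructed here in Sysmon Event ID 1 style; task.exe 2604 is shown in the report as a separate root, so it gets ppid 0) and prints each hit with its ancestry chain. The allowlist of binaries that legitimately live in %SystemRoot% is an assumption for illustration and must be baselined per fleet.

```python
import re
from collections import defaultdict

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed process-creation events (Sysmon Event ID 1 style fields) transcribed from the
# process tree in this report. task.exe (2604) appears there as a separate root, hence ppid 0.
EVENTS = [
    {"pid": 2336, "ppid": 0,    "image": r"C:\Users\Admin\AppData\Local\Temp\stealer v2.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\stealer v2.exe"'},
    {"pid": 1220, "ppid": 2336, "image": r"C:\Windows\SYSTEM32\cmd.exe",
     "cmdline": r'cmd /c "stealer.exe"'},
    {"pid": 4932, "ppid": 1220, "image": r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stealer.exe",
     "cmdline": "stealer.exe"},
    {"pid": 5032, "ppid": 4932, "image": PS,
     "cmdline": f'"{PS}" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath \'C:\\Windows\\task.exe\''},
    {"pid": 4484, "ppid": 4932, "image": PS,
     "cmdline": f'"{PS}" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess \'task.exe\''},
    {"pid": 1476, "ppid": 4932, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp496D.tmp.bat""'},
    {"pid": 3704, "ppid": 1476, "image": r"C:\Windows\system32\timeout.exe", "cmdline": "timeout 3"},
    {"pid": 2604, "ppid": 0,    "image": r"C:\Windows\task.exe", "cmdline": r"C:\Windows\task.exe"},
]

# Rule 1: any Defender exclusion added from PowerShell, whichever exclusion type is used.
DEFENDER_EXCLUSION_RE = re.compile(
    r"Add-MpPreference\b.*?-Exclusion(?:Path|Process|Extension|IpAddress)\b", re.I)
# Rule 2: cmd.exe running a %TEMP%\tmpXXXX.tmp.bat (the .NET Path.GetTempFileName() pattern) with a timeout.exe child.
TEMP_TMP_BAT_RE = re.compile(r"\\AppData\\Local\\Temp\\tmp[0-9A-F]{4}\.tmp\.bat\b", re.I)
# Rule 3: an executable sitting directly in %SystemRoot%, not in a subdirectory.
WINDOWS_ROOT_EXE_RE = re.compile(r"^[A-Z]:\\Windows\\[^\\]+\.exe$", re.I)
# Binaries that legitimately sit directly in %SystemRoot%: an illustrative allowlist assumed
# by this example, to be tuned against a clean baseline of the fleet.
WINDOWS_ROOT_ALLOW = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe", "write.exe",
                      "splwow64.exe", "bfsvc.exe", "winhlp32.exe", "helppane.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(events, pid):
    """Image basenames from pid up to its root, the one-line chain an analyst wants in the alert."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def detect(events):
    """Return (rule_name, pid) for every event that trips one of the three rules."""
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    findings = []
    for e in events:
        name = basename(e["image"])
        if name == "powershell.exe" and DEFENDER_EXCLUSION_RE.search(e["cmdline"]):
            findings.append(("defender_exclusion_added", e["pid"]))
        if (name == "cmd.exe" and TEMP_TMP_BAT_RE.search(e["cmdline"])
                and any(basename(c["image"]) == "timeout.exe" for c in children[e["pid"]])):
            findings.append(("delayed_batch_from_temp", e["pid"]))
        if WINDOWS_ROOT_EXE_RE.match(e["image"]) and name not in WINDOWS_ROOT_ALLOW:
            findings.append(("exe_in_windows_root", e["pid"]))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:<26} pid={pid:<5} chain={' <- '.join(ancestry(EVENTS, pid))}")
```

On a live host the effect of the first rule can be confirmed with `Get-MpPreference` (its ExclusionPath and ExclusionProcess properties), and the exclusion for C:\Windows\task.exe removed with `Remove-MpPreference`. The third rule is the noisiest of the three in practice, which is why the allowlist has to come from a baseline rather than from this list.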
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2KB
MD5 627073ee3ca9676911bee35548eff2b8
SHA1 4c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA256 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA512 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb
-
Filesize
944B
MD5 2e8eb51096d6f6781456fef7df731d97
SHA1 ec2aaf851a618fb43c3d040a13a71997c25bda43
SHA256 96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864
SHA512 0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2
-
Filesize
671KB
MD5 bdb421db1041dff30935a0c368f0316e
SHA1 15786e4eb3057abaeab7c2ebbb0e758d9d4c2216
SHA256 ac14f5357b9e35f8e9fccd2727ae133f34acafbd442cdb6f438a6f7a70861ca2
SHA512 0280a8eeb333437c2122b8e47414565bd8492fee285071e612fc09bb82591a56abd5bf4ed1b194f581656ad1f75727b5c51a6ae50f08d7ea7588c36daa9e6b59
-
Filesize
60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
170B
MD5 490408960280e2bb462e23aa5fa7124b
SHA1 8876a6bd76031a249a69deca4855482ae3c922bb
SHA256 53b82bb9788c0c6aa14f08d9fa0ab90624b61f070d62b57d0ec00d33383490d6
SHA512 27120414f90006f5df8d766bd9623b7ee369c60578c98f657c66984662c1131da695695d2bfaf9401ab6819e95268e51a73bedee1514d263e2ecb3f8ed153897