umbral | ce8f179e7e29d4f28f1c5039808e82c198264183166069d8ad567f63275c74a8

Resubmissions

27-04-2024 22:30

240427-2faxjsac8z 10

27-04-2024 22:14

240427-15m3qshf69 10

Analysis

max time kernel
143s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
27-04-2024 22:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

immortal.bin.exe
Size

1.1MB
MD5

9e511d399fbc2bf0c2d45302dc62be61
SHA1

3100c1c0c5f98b1a7bccef0cdcfde6b34e38992b
SHA256

ce8f179e7e29d4f28f1c5039808e82c198264183166069d8ad567f63275c74a8
SHA512

7e4560bd6e76d181b47f44eca0a7195cb905e852ed2a94308cad57576a16c62335256978c73ddac275d736423c5c6a9a4eed648090847ee80e8183be77c04486
SSDEEP

24576:fO29aTBMPYvJnXAvKhO7CMbNdCrty7ARVJ3g6cbhbZxvI:G29adQt3CrtWQcb3xv

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\c4osbxx5.fdk.exe	family_umbral
behavioral2/memory/3852-17-0x00000250FFF10000-0x00000250FFF50000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

immortal.bin.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	immortal.bin.exe

Executes dropped EXE 1 IoCs

Processes:

c4osbxx5.fdk.exe

pid process

3852 c4osbxx5.fdk.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

10 raw.githubusercontent.com
12 raw.githubusercontent.com
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

immortal.bin.exe

pid process

3400 immortal.bin.exe
3400 immortal.bin.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3852	c4osbxx5.fdk.exe

flow	ioc
10	raw.githubusercontent.com
12	raw.githubusercontent.com

pid	process
3400	immortal.bin.exe
3400	immortal.bin.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

Processes:

immortal.bin.exec4osbxx5.fdk.exewmic.exe

description	pid	process
Token: SeDebugPrivilege	3400	immortal.bin.exe
Token: SeDebugPrivilege	3852	c4osbxx5.fdk.exe
Token: SeIncreaseQuotaPrivilege	1148	wmic.exe
Token: SeSecurityPrivilege	1148	wmic.exe
Token: SeTakeOwnershipPrivilege	1148	wmic.exe
Token: SeLoadDriverPrivilege	1148	wmic.exe
Token: SeSystemProfilePrivilege	1148	wmic.exe
Token: SeSystemtimePrivilege	1148	wmic.exe
Token: SeProfSingleProcessPrivilege	1148	wmic.exe
Token: SeIncBasePriorityPrivilege	1148	wmic.exe
Token: SeCreatePagefilePrivilege	1148	wmic.exe
Token: SeBackupPrivilege	1148	wmic.exe
Token: SeRestorePrivilege	1148	wmic.exe
Token: SeShutdownPrivilege	1148	wmic.exe
Token: SeDebugPrivilege	1148	wmic.exe
Token: SeSystemEnvironmentPrivilege	1148	wmic.exe
Token: SeRemoteShutdownPrivilege	1148	wmic.exe
Token: SeUndockPrivilege	1148	wmic.exe
Token: SeManageVolumePrivilege	1148	wmic.exe
Token: 33	1148	wmic.exe
Token: 34	1148	wmic.exe
Token: 35	1148	wmic.exe
Token: 36	1148	wmic.exe
Token: SeIncreaseQuotaPrivilege	1148	wmic.exe
Token: SeSecurityPrivilege	1148	wmic.exe
Token: SeTakeOwnershipPrivilege	1148	wmic.exe
Token: SeLoadDriverPrivilege	1148	wmic.exe
Token: SeSystemProfilePrivilege	1148	wmic.exe
Token: SeSystemtimePrivilege	1148	wmic.exe
Token: SeProfSingleProcessPrivilege	1148	wmic.exe
Token: SeIncBasePriorityPrivilege	1148	wmic.exe
Token: SeCreatePagefilePrivilege	1148	wmic.exe
Token: SeBackupPrivilege	1148	wmic.exe
Token: SeRestorePrivilege	1148	wmic.exe
Token: SeShutdownPrivilege	1148	wmic.exe
Token: SeDebugPrivilege	1148	wmic.exe
Token: SeSystemEnvironmentPrivilege	1148	wmic.exe
Token: SeRemoteShutdownPrivilege	1148	wmic.exe
Token: SeUndockPrivilege	1148	wmic.exe
Token: SeManageVolumePrivilege	1148	wmic.exe
Token: 33	1148	wmic.exe
Token: 34	1148	wmic.exe
Token: 35	1148	wmic.exe
Token: 36	1148	wmic.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

immortal.bin.exe

pid process

3400 immortal.bin.exe

pid	process
3400	immortal.bin.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

immortal.bin.exec4osbxx5.fdk.exe

description	pid	process	target process
PID 3400 wrote to memory of 3852	3400	immortal.bin.exe	c4osbxx5.fdk.exe
PID 3400 wrote to memory of 3852	3400	immortal.bin.exe	c4osbxx5.fdk.exe
PID 3852 wrote to memory of 1148	3852	c4osbxx5.fdk.exe	wmic.exe
PID 3852 wrote to memory of 1148	3852	c4osbxx5.fdk.exe	wmic.exe

C:\Users\Admin\AppData\Local\Temp\immortal.bin.exe
"C:\Users\Admin\AppData\Local\Temp\immortal.bin.exe"
1⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3400

C:\Users\Admin\AppData\Local\Temp\c4osbxx5.fdk.exe
"C:\Users\Admin\AppData\Local\Temp\c4osbxx5.fdk.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3852

C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3688 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
1⤵
PID:4272

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c4osbxx5.fdk.exe
Filesize
227KB

MD5
7f32dcbb00de079c31ff7895ae9c0560

SHA1
e80841a355b8dce9955b9bbba63f02a4ad31a836

SHA256
5658f42d6332d99827d772a710d74e905f822d23e958c86f802973c2cffe850f

SHA512
776cabc7d2442d90655eec0f434c811146b7f569dbace3c8609a582c167af5990ec25d1d7a8eb111744cecbdcd43d37af7d623eb97eb414ad926371083f7aadc

Download Submit
memory/3400-0-0x0000000000170000-0x00000000004DE000-memory.dmp

Filesize
3.4MB

Download
memory/3400-1-0x0000000074750000-0x0000000074F00000-memory.dmp

Filesize
7.7MB

Download
memory/3400-2-0x0000000000170000-0x00000000004DE000-memory.dmp

Filesize
3.4MB

Download
memory/3400-3-0x0000000006090000-0x00000000060A0000-memory.dmp

Filesize
64KB

Download
memory/3400-19-0x0000000000170000-0x00000000004DE000-memory.dmp

Filesize
3.4MB

Download
memory/3400-20-0x0000000074750000-0x0000000074F00000-memory.dmp

Filesize
7.7MB

Download
memory/3852-17-0x00000250FFF10000-0x00000250FFF50000-memory.dmp

Filesize
256KB

Download
memory/3852-21-0x00007FFE89DA0000-0x00007FFE8A861000-memory.dmp

Filesize
10.8MB

Download
memory/3852-22-0x000002509A4E0000-0x000002509A4F0000-memory.dmp

Filesize
64KB

Download
memory/3852-24-0x00007FFE89DA0000-0x00007FFE8A861000-memory.dmp

Filesize
10.8MB

Download