Malware Analysis Report

2024-10-10 10:06

Sample ID 240427-2faxjsac8z
Target immortal.bin.exe
SHA256 ce8f179e7e29d4f28f1c5039808e82c198264183166069d8ad567f63275c74a8
Tags: umbral, stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1, behavioral2, behavioral3, behavioral4 (each: Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10

SHA256: ce8f179e7e29d4f28f1c5039808e82c198264183166069d8ad567f63275c74a8

Threat Level: Known bad

The file immortal.bin.exe was found to be: Known bad. Only one of the four detonations, behavioral2 (win10-20240404-en), reached the payload stage: the sample contacted raw.githubusercontent.com, downloaded a PE, wrote it to %TEMP% as dykelpby.cpq.exe and executed it, and wmic.exe csproduct get uuid was run to fingerprint the host. In the other three runs (win7, win10v2004, win11) the sample called NtSetInformationThread with ThreadHideFromDebugger, contacted github.com and then crashed under WerFault, so no second stage was observed there. The behavioral2 run is therefore the one to take IOCs from.

Malicious Activity Summary

Tags: umbral, stealer

Detect Umbral payload

Umbral

Downloads MZ/PE file

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-27 22:30

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-27 22:30

Reported

2024-04-27 22:36

Platform

win7-20240220-en

Max time kernel

290s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\immortal.bin.exe"

Signatures

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\immortal.bin.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\immortal.bin.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\immortal.bin.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\immortal.bin.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\immortal.bin.exe

"C:\Users\Admin\AppData\Local\Temp\immortal.bin.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 1160

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp

Files

memory/2276-0-0x0000000000BB0000-0x0000000000F1E000-memory.dmp

memory/2276-3-0x0000000000BB0000-0x0000000000F1E000-memory.dmp

memory/2276-2-0x0000000073EA0000-0x000000007458E000-memory.dmp

memory/2276-1-0x0000000000BB0000-0x0000000000F1E000-memory.dmp

memory/2276-4-0x00000000051D0000-0x0000000005210000-memory.dmp

memory/2276-7-0x0000000073EA0000-0x000000007458E000-memory.dmp

memory/2276-8-0x00000000051D0000-0x0000000005210000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-27 22:30

Reported

2024-04-27 22:36

Platform

win10-20240404-en

Max time kernel

195s

Max time network

298s

Command Line

"C:\Users\Admin\AppData\Local\Temp\immortal.bin.exe"

Signatures

Detect Umbral payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Umbral

Tags: stealer, umbral

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dykelpby.cpq.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\immortal.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\immortal.bin.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\immortal.bin.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dykelpby.cpq.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege) N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 (SeTimeZonePrivilege) N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege) N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 (SeDelegateSessionUserImpersonatePrivilege) N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege) N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 (SeTimeZonePrivilege) N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege) N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 (SeDelegateSessionUserImpersonatePrivilege) N/A C:\Windows\System32\Wbem\wmic.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\immortal.bin.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\immortal.bin.exe

"C:\Users\Admin\AppData\Local\Temp\immortal.bin.exe"

C:\Users\Admin\AppData\Local\Temp\dykelpby.cpq.exe

"C:\Users\Admin\AppData\Local\Temp\dykelpby.cpq.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid
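Two of the behavioral2 signatures, Executes dropped EXE and the wmic csproduct get uuid host fingerprint, can be expressed as process-tree checks. The following is an added example, not sandbox output and not code from the Umbral project: it runs both checks over constructed process-creation records modelled on the process list above. PIDs 4296 and 3452 are taken from this run's memory-dump names; the wmic.exe PID (5100), the explorer.exe launcher and every parent/child link are assumptions, since the report lists its processes flat.

```python
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 style)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed records modelled on the behavioral2 process list. PIDs 4296 and 3452
# come from the run's memory-dump names; the wmic.exe PID (5100), the explorer.exe
# launcher and all parent links are assumptions, the report lists processes flat.
SAMPLE_EVENTS = [
    ProcEvent(1234, 1000, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(4296, 1234, r"C:\Users\Admin\AppData\Local\Temp\immortal.bin.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\immortal.bin.exe"'),
    ProcEvent(3452, 4296, r"C:\Users\Admin\AppData\Local\Temp\dykelpby.cpq.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\dykelpby.cpq.exe"'),
    ProcEvent(5100, 3452, r"C:\Windows\System32\Wbem\wmic.exe",
              '"wmic.exe" csproduct get uuid'),
    # Benign control: an administrator reads the SMBIOS UUID from a cmd.exe prompt.
    ProcEvent(6000, 1234, r"C:\Windows\System32\cmd.exe", '"cmd.exe"'),
    ProcEvent(6001, 6000, r"C:\Windows\System32\Wbem\wmic.exe", "wmic csproduct get uuid"),
]

USER_TEMP_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Win32_ComputerSystemProduct.UUID via wmic: the usual one-liner for host/VM fingerprinting.
WMIC_UUID_RE = re.compile(r"\bwmic(?:\.exe)?\b.*\bcsproduct\b.*\bget\b.*\buuid\b", re.IGNORECASE)


def in_user_temp(path: str) -> bool:
    return bool(USER_TEMP_RE.search(path))


def triage(events):
    """Return (rule, pid) findings for two of the report's signatures."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        parent_in_temp = parent is not None and in_user_temp(parent.image)
        # "Executes dropped EXE": a %TEMP% binary starts a different %TEMP% binary.
        if (parent_in_temp and in_user_temp(e.image)
                and ntpath.basename(e.image).lower() != ntpath.basename(parent.image).lower()):
            findings.append(("executes_dropped_exe", e.pid))
        # Host fingerprint: wmic csproduct get uuid, flagged only when the caller lives
        # in %TEMP%; the same command from an interactive shell is routine admin work.
        if (ntpath.basename(e.image).lower() == "wmic.exe"
                and WMIC_UUID_RE.search(e.cmdline) and parent_in_temp):
            findings.append(("wmic_csproduct_uuid_from_temp", e.pid))
    return findings


if __name__ == "__main__":
    for rule, pid in triage(SAMPLE_EVENTS):
        print(f"{rule:<32} pid={pid}")
```

The benign control at the end is the point of the second rule: wmic csproduct get uuid is also what an administrator types to read the SMBIOS UUID, so the rule keys on the caller living in a user's Temp directory rather than on the command line alone.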

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 gstatic.com udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
GB 216.58.201.99:443 gstatic.com tcp
US 8.8.8.8:53 99.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 14.179.89.13.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 134.190.18.2.in-addr.arpa udp

Files

memory/4296-0-0x00000000000B0000-0x000000000041E000-memory.dmp

memory/4296-1-0x00000000000B0000-0x000000000041E000-memory.dmp

memory/4296-2-0x0000000073450000-0x0000000073B3E000-memory.dmp

memory/4296-3-0x00000000055A0000-0x00000000055B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dykelpby.cpq.exe

MD5 7f32dcbb00de079c31ff7895ae9c0560
SHA1 e80841a355b8dce9955b9bbba63f02a4ad31a836
SHA256 5658f42d6332d99827d772a710d74e905f822d23e958c86f802973c2cffe850f
SHA512 776cabc7d2442d90655eec0f434c811146b7f569dbace3c8609a582c167af5990ec25d1d7a8eb111744cecbdcd43d37af7d623eb97eb414ad926371083f7aadc

memory/4296-12-0x00000000000B0000-0x000000000041E000-memory.dmp

memory/3452-11-0x0000016D96F80000-0x0000016D96FC0000-memory.dmp

memory/4296-13-0x0000000073450000-0x0000000073B3E000-memory.dmp

memory/3452-15-0x0000016DB1620000-0x0000016DB1630000-memory.dmp

memory/3452-14-0x00007FFD6FBC0000-0x00007FFD705AC000-memory.dmp

memory/3452-17-0x00007FFD6FBC0000-0x00007FFD705AC000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-27 22:30

Reported

2024-04-27 22:36

Platform

win10v2004-20240419-en

Max time kernel

55s

Max time network

50s

Command Line

"C:\Users\Admin\AppData\Local\Temp\immortal.bin.exe"

Signatures

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\immortal.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\immortal.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\immortal.bin.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\immortal.bin.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\immortal.bin.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\immortal.bin.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\immortal.bin.exe

"C:\Users\Admin\AppData\Local\Temp\immortal.bin.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 2816 -ip 2816

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 1540

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp

Files

memory/2816-0-0x0000000000FB0000-0x000000000131E000-memory.dmp

memory/2816-1-0x0000000000FB0000-0x000000000131E000-memory.dmp

memory/2816-2-0x00000000748A0000-0x0000000075050000-memory.dmp

memory/2816-3-0x00000000062C0000-0x00000000062D0000-memory.dmp

memory/2816-6-0x0000000000FB0000-0x000000000131E000-memory.dmp

memory/2816-7-0x00000000748A0000-0x0000000075050000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-04-27 22:30

Reported

2024-04-27 22:36

Platform

win11-20240419-en

Max time kernel

251s

Max time network

261s

Command Line

"C:\Users\Admin\AppData\Local\Temp\immortal.bin.exe"

Signatures

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\immortal.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\immortal.bin.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\immortal.bin.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\immortal.bin.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\immortal.bin.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\immortal.bin.exe

"C:\Users\Admin\AppData\Local\Temp\immortal.bin.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 3876 -ip 3876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 1572

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
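The Network tables of all four runs mix three kinds of rows: resolver queries to 8.8.8.8:53, reverse (in-addr.arpa) lookups that the guest issues on its own, and the TCP sessions that actually carried the download. The following added example, which is not part of the report, parses the behavioral2 rows (the most complete of the four tables) and separates them: it keeps the TCP sessions as IOCs, converts each PTR name back to the address it asks about, and lists the addresses that were looked up but never connected to. Treating gstatic.com as background traffic of the sandbox image is an assumption of the example, not a finding of the report.

```python
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "country ip port domain proto")

# Rows copied from the behavioral2 Network table of this report.
BEHAVIORAL2_NETWORK = """\
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 gstatic.com udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
GB 216.58.201.99:443 gstatic.com tcp
US 8.8.8.8:53 99.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 14.179.89.13.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 134.190.18.2.in-addr.arpa udp
"""

# Assumption of this example: gstatic.com is reached by the guest image itself
# (connectivity checks), not by the sample, so it is reported apart from the IOCs.
BACKGROUND_DOMAINS = {"gstatic.com"}


def parse_flows(text):
    """Parse 'Country Destination Domain Proto' rows into Flow tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        country, dest, domain, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        flows.append(Flow(country, ip, int(port), domain, proto))
    return flows


def reverse_ptr(name):
    """'215.156.26.20.in-addr.arpa' -> '20.26.156.215' (PTR names store the octets reversed)."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        raise ValueError(f"not a PTR name: {name}")
    octets = name[:-len(suffix)].split(".")
    return str(ipaddress.IPv4Address(".".join(reversed(octets))))


def triage_network(text):
    flows = parse_flows(text)
    sessions = {}        # ip -> (domain, port) for each TCP connection
    ptr_targets = set()  # addresses the guest asked a PTR record for
    for f in flows:
        if f.domain.endswith(".in-addr.arpa"):
            ptr_targets.add(reverse_ptr(f.domain))
        elif f.proto == "tcp":
            sessions[f.ip] = (f.domain, f.port)
        # UDP/53 rows to the resolver carry no IOC of their own: the name they
        # resolve reappears as a TCP session if the sample ever connected to it.
    iocs = sorted((d, ip, p) for ip, (d, p) in sessions.items() if d not in BACKGROUND_DOMAINS)
    background = sorted((d, ip, p) for ip, (d, p) in sessions.items() if d in BACKGROUND_DOMAINS)
    # A PTR lookup alone is not evidence of contact: keep addresses without a
    # session out of the blocklist and list them for a second look instead.
    orphan_ptr = sorted(ptr_targets - set(sessions), key=ipaddress.IPv4Address)
    return {"iocs": iocs, "background": background, "ptr_without_session": orphan_ptr}


if __name__ == "__main__":
    for key, rows in triage_network(BEHAVIORAL2_NETWORK).items():
        print(key)
        for row in rows:
            print("   ", row)
```

On the behavioral2 rows this yields two IOCs, github.com at 20.26.156.215:443 and raw.githubusercontent.com at 185.199.110.133:443, and four reverse-looked-up addresses (2.18.190.134, 13.89.179.14, 52.111.243.30, 87.248.204.0) that the run never opened a session to. Both IOC hosts are shared GitHub infrastructure, so the useful blocklist entry is the specific raw.githubusercontent.com path the sample fetched, not the addresses; the report does not record that path, so it has to come from the PCAP or the memory dumps.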

Files

memory/3876-0-0x0000000000950000-0x0000000000CBE000-memory.dmp

memory/3876-1-0x0000000000950000-0x0000000000CBE000-memory.dmp

memory/3876-2-0x00000000745B0000-0x0000000074D61000-memory.dmp

memory/3876-3-0x0000000005D80000-0x0000000005D90000-memory.dmp

memory/3876-6-0x0000000000950000-0x0000000000CBE000-memory.dmp

memory/3876-7-0x00000000745B0000-0x0000000074D61000-memory.dmp
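Across the four runs, the WerFault command lines in the Processes sections and the memory-dump names in the Files sections together tell which process crashed and what kind of process each one was. The added example below is not report output; it parses both formats from rows copied out of the sections above. The crashing PID is WerFault's -p argument, a dump name encodes pid-sequence-start-end, and an end address above 0xFFFFFFFF identifies a 64-bit process (the converse is only a heuristic).

```python
import re
from collections import defaultdict

# WerFault command lines and memory-dump names copied from this report's four runs
# (one or two dumps per PID are enough to show the point).
RUNS = {
    "behavioral1 win7": (
        [r"C:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 1160"],
        ["memory/2276-0-0x0000000000BB0000-0x0000000000F1E000-memory.dmp",
         "memory/2276-2-0x0000000073EA0000-0x000000007458E000-memory.dmp"]),
    "behavioral2 win10-20240404": (
        [],
        ["memory/4296-0-0x00000000000B0000-0x000000000041E000-memory.dmp",
         "memory/4296-2-0x0000000073450000-0x0000000073B3E000-memory.dmp",
         "memory/3452-11-0x0000016D96F80000-0x0000016D96FC0000-memory.dmp",
         "memory/3452-14-0x00007FFD6FBC0000-0x00007FFD705AC000-memory.dmp"]),
    "behavioral3 win10v2004": (
        [r"C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 2816 -ip 2816",
         r"C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 1540"],
        ["memory/2816-0-0x0000000000FB0000-0x000000000131E000-memory.dmp"]),
    "behavioral4 win11": (
        [r"C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 3876 -ip 3876",
         r"C:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 1572"],
        ["memory/3876-0-0x0000000000950000-0x0000000000CBE000-memory.dmp"]),
}

# "-p <pid>" is the faulting process; "-pss", "-ip" and "-s" are other WerFault
# switches and must not be mistaken for it.
WERFAULT_RE = re.compile(r"\\WerFault\.exe\b.*?\s-p\s+(\d+)", re.IGNORECASE)
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def crashed_pid(cmdline):
    """PID that a WerFault command line was launched for, or None for other commands."""
    m = WERFAULT_RE.search(cmdline)
    return int(m.group(1)) if m else None


def parse_dump(name):
    """'memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp' -> (pid, seq, start, end)."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unexpected dump name: {name}")
    pid, seq, start, end = m.groups()
    return int(pid), int(seq), int(start, 16), int(end, 16)


def summarize(runs):
    """Per run and PID: pointer width, sizes of the dumped regions in sequence
    order, and whether WerFault was launched for that PID."""
    out = {}
    for run, (cmdlines, dumps) in runs.items():
        crashed = {crashed_pid(c) for c in cmdlines} - {None}
        regions = defaultdict(list)
        for d in dumps:
            pid, seq, start, end = parse_dump(d)
            regions[pid].append((seq, start, end))
        out[run] = {}
        for pid, rs in sorted(regions.items()):
            rs.sort()
            out[run][pid] = {
                # A mapping above the 4 GiB line can only belong to a 64-bit process;
                # a 64-bit process may still sit entirely below it, so 32 is a guess.
                "bits": 64 if any(end > 0xFFFFFFFF for _, _, end in rs) else 32,
                "region_sizes": [end - start for _, start, end in rs],
                "crashed": pid in crashed,
            }
    return out


if __name__ == "__main__":
    for run, pids in summarize(RUNS).items():
        print(run)
        for pid, info in pids.items():
            sizes = ", ".join(f"0x{s:X}" for s in info["region_sizes"])
            print(f"  pid {pid}: {info['bits']}-bit, crashed={info['crashed']}, regions {sizes}")
```

Running it shows three things that are easy to miss when reading the sections one run at a time: the sample's first dumped region is 0x36E000 bytes in every run (the same image mapped at a different base each time, which confirms all four runs executed the same binary); the sample itself is 32-bit in every run, consistent with WerFault being launched from SysWOW64; and in behavioral2, the only run without a crash, the dropped dykelpby.cpq.exe (PID 3452) runs as a 64-bit process.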