Analysis

  • max time kernel
    163s
  • max time network
    166s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28-04-2024 23:08

General

  • Target

    https://download.oxy.st/d/wXOh/2/b18d9bd17d358652a7abc06ed4c4f63f

Score
10/10

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1234227911570231390/0z3FMS1OCOm4Dimw1zroCZEdttv5BdfkYDJmjaCIZnKZ5CxWh2wDpajd40DrN9mMEQHM

Signatures

  • Detect Umbral payload 2 IoCs
  • Umbral

    Umbral stealer is an open-source modular stealer written in C#.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 9 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://download.oxy.st/d/wXOh/2/b18d9bd17d358652a7abc06ed4c4f63f
    1⤵
    PID:3232
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=4588 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:1
    1⤵
    PID:1548
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=5720 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:1
    1⤵
    PID:3452
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5872 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:4952
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=3644 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:1
    1⤵
    PID:1040
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=5540 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:1
    1⤵
    PID:3732
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --mojo-platform-channel-handle=3712 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:1
    1⤵
    PID:3052
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5308 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:3480
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --mojo-platform-channel-handle=6224 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:1
    1⤵
    PID:1468
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --mojo-platform-channel-handle=6180 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:1
    1⤵
    PID:3840
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --mojo-platform-channel-handle=5560 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:1
    1⤵
    PID:3700
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --mojo-platform-channel-handle=5704 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:1
    1⤵
    PID:4048
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=6412 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:4404
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --mojo-platform-channel-handle=5560 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:2900
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --mojo-platform-channel-handle=6544 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:1
    1⤵
    PID:3412
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6796 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
    1⤵
    • Drops file in Program Files directory
    PID:2132
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=7200 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:3424
  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Critical Error_4Beta.rar"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2492
    • C:\Users\Admin\AppData\Local\Temp\7zOCB940149\KrampusUI.exe
      "C:\Users\Admin\AppData\Local\Temp\7zOCB940149\KrampusUI.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4636
      • C:\Users\Admin\AppData\Local\Temp\Update.exe
        "C:\Users\Admin\AppData\Local\Temp\Update.exe"
        3⤵
        • Executes dropped EXE
        PID:3316
      • C:\Users\Admin\AppData\Local\Temp\2-step.exe
        "C:\Users\Admin\AppData\Local\Temp\2-step.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4756
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" csproduct get uuid
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:5000
    • C:\Users\Admin\AppData\Local\Temp\7zOCB95F789\KrampusUI.exe
      "C:\Users\Admin\AppData\Local\Temp\7zOCB95F789\KrampusUI.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1764
      • C:\Users\Admin\AppData\Local\Temp\Update.exe
        "C:\Users\Admin\AppData\Local\Temp\Update.exe"
        3⤵
        • Executes dropped EXE
        PID:2952
      • C:\Users\Admin\AppData\Local\Temp\2-step.exe
        "C:\Users\Admin\AppData\Local\Temp\2-step.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2316
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" csproduct get uuid
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1372
    • C:\Users\Admin\AppData\Local\Temp\7zOCB9908C9\KrampusUI.exe
      "C:\Users\Admin\AppData\Local\Temp\7zOCB9908C9\KrampusUI.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:5000
      • C:\Users\Admin\AppData\Local\Temp\Update.exe
        "C:\Users\Admin\AppData\Local\Temp\Update.exe"
        3⤵
        • Executes dropped EXE
        PID:4756
      • C:\Users\Admin\AppData\Local\Temp\2-step.exe
        "C:\Users\Admin\AppData\Local\Temp\2-step.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3056
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" csproduct get uuid
          4⤵
          PID:4344

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\2-step.exe.log
    Filesize: 1KB
    MD5: 8094b248fe3231e48995c2be32aeb08c
    SHA1: 2fe06e000ebec919bf982d033c5d1219c1f916b6
    SHA256: 136c30d964f4abbb5279bdc86d0e00578333782f15f05f0d2d050730dcb7a9bc
    SHA512: bf27a3822008796370e2c506c910a40992b9240606ea1bc19f683b2fee86b81897660ac0cf8e746ca093dae9e408949e2e9002ded75678a69f020d3b0452801f

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\KrampusUI.exe.log
    Filesize: 654B
    MD5: 2ff39f6c7249774be85fd60a8f9a245e
    SHA1: 684ff36b31aedc1e587c8496c02722c6698c1c4e
    SHA256: e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
    SHA512: 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Update.exe.log
    Filesize: 871B
    MD5: 386677f585908a33791517dfc2317f88
    SHA1: 2e6853b4560a9ac8a74cdd5c3124a777bc0d874e
    SHA256: 7caf8779608c167ab6fa570df00c973aff6dee850bb63439770889a68c7cdae0
    SHA512: 876d2269e25a4b2754bdf2c7e3c410050f885d7e6bd8abce41c5fc74ae1f8c549b2266dd1588c750f614063f36c8a8e5008cea610505897d04e4ef5c3adc52d9

  • C:\Users\Admin\AppData\Local\Temp\2-step.exe
    Filesize: 231KB
    MD5: 02c626b54e983d7723706eb9328f41a5
    SHA1: affb6e208919439418f07bcc1991c700b063b33f
    SHA256: 209ca4d12ae3133eb80bc7e5a8fb67a39ed9bb88fb5f6137badddd54eed0e62a
    SHA512: 3d30ccfeae87234099398a1b8050221d81a128ed79a9a183f5fb763b1991af56e27e33f3844ad56d277cbd4f0a8655d9842ea0f563a2aaabff597efea016da60

  • C:\Users\Admin\AppData\Local\Temp\7zOCB940149\KrampusUI.exe
    Filesize: 323KB
    MD5: 3b7d0635ec7df3d5ff0dc1e856889aa1
    SHA1: cdf39ae3484d2522f84e8a6a1920f50d6ad3216e
    SHA256: 5b5dfaa069eaca07dc4a0a4276edbc2c3418d5450addc7c16ca70cead9479131
    SHA512: 34bc4698b3675c06d30597ce578ce92fcf8aa65281d7563121355666f03f788be6c638b843af251d5a340a89c47ffcf573cdf02b450669cec051c85fb8924aaa

  • C:\Users\Admin\AppData\Local\Temp\Update.exe
    Filesize: 454KB
    MD5: cc70b6409bf138ea8196b2ac27c7263e
    SHA1: 6eef6535e01c225240faf18f5718a7ccfff5dc78
    SHA256: 8021b1c265f5863f79cb7cd1789545d8ed38d5a1b75fe235fd86ea0d545e0ac4
    SHA512: 763160a911aa21128772ed3685768c8995b7d94ea27d442b127aba6b4b7efdfa2ea1eadfe4f107cd0af769600fa463922332b2f754268bdb44b20ffde9e6d308

  • memory/3316-37-0x0000000000EF0000-0x0000000000F68000-memory.dmp
    Filesize: 480KB

  • memory/4636-12-0x0000000000C10000-0x0000000000C68000-memory.dmp
    Filesize: 352KB

  • memory/4636-13-0x00007FFE89A50000-0x00007FFE8A511000-memory.dmp
    Filesize: 10.8MB

  • memory/4636-14-0x000000001BA20000-0x000000001BA30000-memory.dmp
    Filesize: 64KB

  • memory/4636-40-0x00007FFE89A50000-0x00007FFE8A511000-memory.dmp
    Filesize: 10.8MB

  • memory/4756-39-0x00000144CA310000-0x00000144CA350000-memory.dmp
    Filesize: 256KB