Analysis
-
max time kernel
138s -
max time network
107s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system -
submitted
06-05-2024 12:00
Behavioral task
behavioral1
Sample
Umbral.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
Umbral.exe
Resource
win10-20240404-en
Behavioral task
behavioral3
Sample
Umbral.exe
Resource
win10v2004-20240419-en
General
-
Target
Umbral.exe
-
Size
232KB
-
MD5
afbe250f9d941daf1fc895e29d0b2821
-
SHA1
9aeaa55efa56702a0c2694ff2de3a5c6df7b03ac
-
SHA256
628d7cd6016b226c4e5e5252b29dc89e42d30ffebfb489e36857079aad591ce6
-
SHA512
177ddc51032af306d32c0826efddfa3be5e68621b440be764fba7ad37fd982fb58d7e902e4eb258fe50bbd236f82457e45e7d12a885c78314b304e72fb0f2c94
-
SSDEEP
6144:tloZMDXU9Zx0kt8X0/PSCsMpwpf3tW+x5R0STTKN0b8e1mKISi:voZnf0kkPQwpf3tW+x5R0STTKm2
Malware Config
Signatures
-
Detect Umbral payload 1 IoCs
resource yara_rule behavioral3/memory/3492-0-0x0000027C430D0000-0x0000027C43110000-memory.dmp family_umbral -
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 4400 powershell.exe -
Drops file in Drivers directory 1 IoCs
description ioc Process File opened for modification C:\Windows\System32\drivers\etc\hosts Umbral.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 6 ip-api.com -
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.
pid Process 5020 wmic.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 2012 PING.EXE -
Suspicious behavior: EnumeratesProcesses 11 IoCs
pid Process 3492 Umbral.exe 4400 powershell.exe 4400 powershell.exe 452 powershell.exe 452 powershell.exe 3324 powershell.exe 3324 powershell.exe 3016 powershell.exe 3016 powershell.exe 4972 powershell.exe 4972 powershell.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 3492 Umbral.exe Token: SeIncreaseQuotaPrivilege 1164 wmic.exe Token: SeSecurityPrivilege 1164 wmic.exe Token: SeTakeOwnershipPrivilege 1164 wmic.exe Token: SeLoadDriverPrivilege 1164 wmic.exe Token: SeSystemProfilePrivilege 1164 wmic.exe Token: SeSystemtimePrivilege 1164 wmic.exe Token: SeProfSingleProcessPrivilege 1164 wmic.exe Token: SeIncBasePriorityPrivilege 1164 wmic.exe Token: SeCreatePagefilePrivilege 1164 wmic.exe Token: SeBackupPrivilege 1164 wmic.exe Token: SeRestorePrivilege 1164 wmic.exe Token: SeShutdownPrivilege 1164 wmic.exe Token: SeDebugPrivilege 1164 wmic.exe Token: SeSystemEnvironmentPrivilege 1164 wmic.exe Token: SeRemoteShutdownPrivilege 1164 wmic.exe Token: SeUndockPrivilege 1164 wmic.exe Token: SeManageVolumePrivilege 1164 wmic.exe Token: 33 1164 wmic.exe Token: 34 1164 wmic.exe Token: 35 1164 wmic.exe Token: 36 1164 wmic.exe Token: SeIncreaseQuotaPrivilege 1164 wmic.exe Token: SeSecurityPrivilege 1164 wmic.exe Token: SeTakeOwnershipPrivilege 1164 wmic.exe Token: SeLoadDriverPrivilege 1164 wmic.exe Token: SeSystemProfilePrivilege 1164 wmic.exe Token: SeSystemtimePrivilege 1164 wmic.exe Token: SeProfSingleProcessPrivilege 1164 wmic.exe Token: SeIncBasePriorityPrivilege 1164 wmic.exe Token: SeCreatePagefilePrivilege 1164 wmic.exe Token: SeBackupPrivilege 1164 wmic.exe Token: SeRestorePrivilege 1164 wmic.exe Token: SeShutdownPrivilege 1164 wmic.exe Token: SeDebugPrivilege 1164 wmic.exe Token: SeSystemEnvironmentPrivilege 1164 wmic.exe Token: SeRemoteShutdownPrivilege 1164 wmic.exe Token: SeUndockPrivilege 1164 wmic.exe Token: SeManageVolumePrivilege 1164 wmic.exe Token: 33 1164 wmic.exe Token: 34 1164 wmic.exe Token: 35 1164 wmic.exe Token: 36 1164 wmic.exe Token: SeDebugPrivilege 4400 powershell.exe Token: SeDebugPrivilege 452 powershell.exe Token: SeDebugPrivilege 3324 powershell.exe Token: SeDebugPrivilege 3016 powershell.exe Token: SeIncreaseQuotaPrivilege 4476 wmic.exe Token: SeSecurityPrivilege 4476 wmic.exe Token: SeTakeOwnershipPrivilege 4476 wmic.exe Token: SeLoadDriverPrivilege 4476 wmic.exe Token: SeSystemProfilePrivilege 4476 wmic.exe Token: SeSystemtimePrivilege 4476 wmic.exe Token: SeProfSingleProcessPrivilege 4476 wmic.exe Token: SeIncBasePriorityPrivilege 4476 wmic.exe Token: SeCreatePagefilePrivilege 4476 wmic.exe Token: SeBackupPrivilege 4476 wmic.exe Token: SeRestorePrivilege 4476 wmic.exe Token: SeShutdownPrivilege 4476 wmic.exe Token: SeDebugPrivilege 4476 wmic.exe Token: SeSystemEnvironmentPrivilege 4476 wmic.exe Token: SeRemoteShutdownPrivilege 4476 wmic.exe Token: SeUndockPrivilege 4476 wmic.exe Token: SeManageVolumePrivilege 4476 wmic.exe -
Suspicious use of WriteProcessMemory 26 IoCs
description pid Process procid_target PID 3492 wrote to memory of 1164 3492 Umbral.exe 85 PID 3492 wrote to memory of 1164 3492 Umbral.exe 85 PID 3492 wrote to memory of 1496 3492 Umbral.exe 90 PID 3492 wrote to memory of 1496 3492 Umbral.exe 90 PID 3492 wrote to memory of 4400 3492 Umbral.exe 92 PID 3492 wrote to memory of 4400 3492 Umbral.exe 92 PID 3492 wrote to memory of 452 3492 Umbral.exe 95 PID 3492 wrote to memory of 452 3492 Umbral.exe 95 PID 3492 wrote to memory of 3324 3492 Umbral.exe 97 PID 3492 wrote to memory of 3324 3492 Umbral.exe 97 PID 3492 wrote to memory of 3016 3492 Umbral.exe 99 PID 3492 wrote to memory of 3016 3492 Umbral.exe 99 PID 3492 wrote to memory of 4476 3492 Umbral.exe 103 PID 3492 wrote to memory of 4476 3492 Umbral.exe 103 PID 3492 wrote to memory of 64 3492 Umbral.exe 105 PID 3492 wrote to memory of 64 3492 Umbral.exe 105 PID 3492 wrote to memory of 1580 3492 Umbral.exe 107 PID 3492 wrote to memory of 1580 3492 Umbral.exe 107 PID 3492 wrote to memory of 4972 3492 Umbral.exe 109 PID 3492 wrote to memory of 4972 3492 Umbral.exe 109 PID 3492 wrote to memory of 5020 3492 Umbral.exe 111 PID 3492 wrote to memory of 5020 3492 Umbral.exe 111 PID 3492 wrote to memory of 4948 3492 Umbral.exe 114 PID 3492 wrote to memory of 4948 3492 Umbral.exe 114 PID 4948 wrote to memory of 2012 4948 cmd.exe 116 PID 4948 wrote to memory of 2012 4948 cmd.exe 116 -
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process 1496 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"1⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3492 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1164
-
-
C:\Windows\SYSTEM32\attrib.exe"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"2⤵
- Views/modifies file attributes
PID:1496
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4400
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 22⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:452
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3324
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3016
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" os get Caption2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4476
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" computersystem get totalphysicalmemory2⤵PID:64
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid2⤵PID:1580
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4972
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic" path win32_VideoController get name2⤵
- Detects videocard installed
PID:5020
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause2⤵
- Suspicious use of WriteProcessMemory
PID:4948 -
C:\Windows\system32\PING.EXEping localhost3⤵
- Runs ping.exe
PID:2012
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD56d42b6da621e8df5674e26b799c8e2aa
SHA1ab3ce1327ea1eeedb987ec823d5e0cb146bafa48
SHA2565ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c
SHA51253faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29
-
Filesize
948B
MD52b566ffd6de9e256d318da539ea226be
SHA15687791670b1391754d5c4d80e520cf7e3edd3db
SHA256c292acf9fdd61c1cc21b4e3139b32b20b878b7094e7b30fc9d255f0bf60059ef
SHA5123d76037af1080d099ef0037d1e49a40c883e452bb2e4d8f528d5f824142189ea92faa03488cadee2b30ec9b3a8283935a8b3c26e10578dd1ebbca9eda3a5ea7c
-
Filesize
1KB
MD5276798eeb29a49dc6e199768bc9c2e71
SHA15fdc8ccb897ac2df7476fbb07517aca5b7a6205b
SHA256cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc
SHA5120d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2
-
Filesize
1KB
MD5ec68f430dd646907595c25a337c6f032
SHA17fc35f368450557543feac46f3ec34cd68581811
SHA25643b31b43ebf535cffbf983420cfc26f0cd0bb8e88b0add85383b458243a36ab5
SHA5121ab54dd427341ca14d580736d2ec06c91abf1e1b45b5ca982f05c43c5a86a7e64684f3c3eb00f31db89f244027b450a0f5a05c9f954032c58a72f138aab05ed3
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82