Analysis
max time kernel: 121s
max time network: 126s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 26-05-2024 17:59
Behavioral task: behavioral1
Sample: Umbral.exe
Resource: win7-20240508-en
General
Target: Umbral.exe
Size: 231KB
MD5: e9e39a33854ca8af45f6048dd49f265b
SHA1: d19011ba34adf3135335aa9839d24e1b5c5dde71
SHA256: e5da8ebc635776269ddceed41b6b6c0860071dafbe121b3fa17e63d01effd26c
SHA512: 703fdc9b9d086329a7273138920904fa0bf3d9917c0db74fcba1853bf1ecd42fd3144725238104e98ebac95f31da5d38551b3f97fb6c72ffdd0c60dbdc4d35cf
SSDEEP: 6144:YOSAnvuqXLUirFMWyW1bYcUNSzNc0jqatc2J8e1mvSTU:vDqyFMWyW1bYcUNSzNc0jqIj2T
Malware Config
Signatures
Detect Umbral payload (1 IoC)
  resource: behavioral1/memory/2204-1-0x0000000000920000-0x0000000000960000-memory.dmp
  yara_rule: family_umbral
Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
  Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid/Process: 2036 powershell.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow 6: discord.com
  flow 7: discord.com
Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 4: ip-api.com
Detects videocard installed (1 TTP, 1 IoC)
  Uses WMIC.exe to determine the videocard installed.
  pid/Process: 1664 wmic.exe
Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid/Process: 2036 powershell.exe, 2908 powershell.exe, 2888 powershell.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token SeDebugPrivilege: 2204 Umbral.exe
  Token SeDebugPrivilege: 2036 powershell.exe
  Token SeDebugPrivilege: 2908 powershell.exe
  1524 wmic.exe, the following 20 tokens adjusted in sequence, the whole sequence twice (40 entries): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  2396 wmic.exe, the same 20 tokens in the same order once, followed by SeIncreaseQuotaPrivilege again (21 entries)
Suspicious use of WriteProcessMemory (21 IoCs)
  description | pid Process | procid_target
  PID 2204 wrote to memory of 2036 | 2204 Umbral.exe | 28 (3 entries)
  PID 2204 wrote to memory of 2908 | 2204 Umbral.exe | 30 (3 entries)
  PID 2204 wrote to memory of 1524 | 2204 Umbral.exe | 32 (3 entries)
  PID 2204 wrote to memory of 2396 | 2204 Umbral.exe | 35 (3 entries)
  PID 2204 wrote to memory of 1748 | 2204 Umbral.exe | 37 (3 entries)
  PID 2204 wrote to memory of 2888 | 2204 Umbral.exe | 39 (3 entries)
  PID 2204 wrote to memory of 1664 | 2204 Umbral.exe | 41 (3 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\Umbral.exe (PID 2204)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2036)
    Command line: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2908)
    Command line: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\Wbem\wmic.exe (PID 1524)
    Command line: "wmic.exe" os get Caption
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\Wbem\wmic.exe (PID 2396)
    Command line: "wmic.exe" computersystem get totalphysicalmemory
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\Wbem\wmic.exe (PID 1748)
    Command line: "wmic.exe" csproduct get uuid

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2888)
    Command line: "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    - Suspicious behavior: EnumeratesProcesses

  C:\Windows\System32\Wbem\wmic.exe (PID 1664)
    Command line: "wmic" path win32_VideoController get name
    - Detects videocard installed

C:\Windows\SysWOW64\DllHost.exe (PID 1676)
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 40d4830f6bb9269550e23b7be4072d10
  SHA1: e9286b6613a76e9c5dc671bb33fa23f616f9f866
  SHA256: 1416aa7b2f0077c8e6fde101665b85fe813f0768ae86dc5ec701fa2347684b3d
  SHA512: d1b170e8fc836830513ec35e5d1c95e885cfab32f6025424b36041d0a997218494b92bb543d8fdb8fbd8d0ffb19d02d52cc460d548d07520d834e037a87d00e5