Analysis

  • max time kernel: 42s
  • max time network: 42s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240508-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 31-05-2024 09:45

General

  • Target: Incognito.zip
  • Size: 7.1MB
  • MD5: 63079240b3eed6b027bb65232fbf7af9
  • SHA1: 1c8057ed47c33c14ab2ac71fa14641521314440f
  • SHA256: 68293945c7f39f2c0236366498465ea4fdabf6c153c9340fa6279de1ce732e1f
  • SHA512: dd06e242c4761cf28e34ae91a5f07636be15f674834d79f138eb03b804969dafa81ea89252915fbb88669f9bb09bd4788b902328c80bc7551d4590f8ced4d428
  • SSDEEP: 196608:Zsxld4g89iK+oEGmWzJi7N4m37u8gjPOng:ZsxlChiPoBmWy4m3Pcn

Malware Config

Extracted

  • Family: umbral
  • C2: https://discord.com/api/webhooks/1245803318895317014/MWwE2bIuC7nD9r88eA3hM6dJFmzWXC8puVXlopPKFnYnezNuslrP3rNwI0e88YuLAhwr

Signatures

  • Detect Umbral payload 2 IoCs
  • Umbral

    Umbral stealer is an open-source modular stealer written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine the installed video card.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Incognito.zip
    1⤵
    PID:4244
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
      PID:3368
      • C:\Program Files\7-Zip\7zG.exe
        "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\Incognito\" -spe -an -ai#7zMap24584:98:7zEvent30873
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:1952
      • C:\Users\Admin\AppData\Local\Temp\Incognito\incognito1\if it doesn't start\Incognito.exe
        "C:\Users\Admin\AppData\Local\Temp\Incognito\incognito1\if it doesn't start\Incognito.exe"
        1⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2952
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" csproduct get uuid
          2⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:932
        • C:\Windows\SYSTEM32\attrib.exe
          "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Incognito\incognito1\if it doesn't start\Incognito.exe"
          2⤵
          • Views/modifies file attributes
          PID:4740
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Incognito\incognito1\if it doesn't start\Incognito.exe'
          2⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4396
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3708
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4376
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2588
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" os get Caption
          2⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3860
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" computersystem get totalphysicalmemory
          2⤵
          PID:3568
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" csproduct get uuid
          2⤵
          PID:3280
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4020
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic" path win32_VideoController get name
          2⤵
          • Detects videocard installed
          PID:1848
        • C:\Windows\SYSTEM32\cmd.exe
          "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Incognito\incognito1\if it doesn't start\Incognito.exe" && pause
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:2140
          • C:\Windows\system32\PING.EXE
            ping localhost
            3⤵
            • Runs ping.exe
            PID:1952

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log (2KB)
    MD5: d85ba6ff808d9e5444a4b369f5bc2730
    SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
    SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
    SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (944B)
    MD5: 59d97011e091004eaffb9816aa0b9abd
    SHA1: 1602a56b01dd4b7c577ca27d3117e4bcc1aa657b
    SHA256: 18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d
    SHA512: d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (948B)
    MD5: 5824a6037c081fda5d46de274b6e2799
    SHA1: 526367a09300cbde430e8fb44e41cbe7a0937aac
    SHA256: 4d610d9cd32a20279c7133a726ff61820d6930e5aa18253ee1422f3a6f54953f
    SHA512: a109b150f730cda78d5bee106bd232f9dca7500dfb7899c6919de2bd542e345ca271aa11809a24ea0a27dca158067ab3a2d5688ac0a2325185143245f1665582

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (1KB)
    MD5: 276798eeb29a49dc6e199768bc9c2e71
    SHA1: 5fdc8ccb897ac2df7476fbb07517aca5b7a6205b
    SHA256: cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc
    SHA512: 0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (1KB)
    MD5: 0b7b86c78503d141d03085ec198d29fc
    SHA1: 58cd7d5aabf4dc6709ffa95f10d37f5863d21b7a
    SHA256: 08c7ee9773c57a061a00010f11ae7c6d64a63fc0076d14d8a438fc96aee8b561
    SHA512: a99e6426695de6e076738f25b4b2ab206bd03893af91e290d4ab32e95afbaf1dbeb0fbe4a4d1a2e564e4a95a169452ceb3117a88936057658fd38382b93eb0f2

  • C:\Users\Admin\AppData\Local\Temp\Incognito\incognito1\if it doesn't start\Incognito.exe (231KB)
    MD5: 37034982dc566783fd574fb3e2c60a2a
    SHA1: 8f697451b5894b2d6c79fd7a52c6e58a48e28f74
    SHA256: d9bd2f789078851ad54d6be09e73f8d1d707484adc45f1010fcf43a6bce88fe4
    SHA512: 7429d21f96158b7fa385685fde010fdb505b1aec84d1b0e0ff042377f8266afb8d656e0349727d41a904dd3a4f548bf9905b18a7c7ce319d3cce406ec76f1418

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kiuazkho.2wu.ps1 (60B)
    MD5: d17fe0a3f47be24a6453e9ef58c94641
    SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • memory/2952-36-0x00000184DE5C0000-0x00000184DE610000-memory.dmp (320KB)
  • memory/2952-37-0x00000184DE480000-0x00000184DE49E000-memory.dmp (120KB)
  • memory/2952-35-0x00000184DE640000-0x00000184DE6B6000-memory.dmp (472KB)
  • memory/2952-73-0x00000184DE620000-0x00000184DE62A000-memory.dmp (40KB)
  • memory/2952-74-0x00000184DE800000-0x00000184DE812000-memory.dmp (72KB)
  • memory/2952-8-0x00000184C3EE0000-0x00000184C3F20000-memory.dmp (256KB)
  • memory/4396-14-0x000001C54EBD0000-0x000001C54EBF2000-memory.dmp (136KB)