Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
  • submitted
    02-06-2024 01:23

General

  • Target

    loader.exe

  • Size

    365KB

  • MD5

    cbd720ad4f7be1c099ec22f56ee61dd6

  • SHA1

    9989030c7ea1756e1834c464688d418e773919fc

  • SHA256

    20be105c4a33ebf77ef4db7e8b6ebbb39b156fe1dd16473a7255903f33b76846

  • SHA512

    2ad87fdf5046be22eec58fe71326ab0bcc2a2ca019e1b5519ec1ecbdfbb83731a254c7f400ca48cacb9917da6c85d41a913aa0f8f5b21408a3f2d1e8895e9740

  • SSDEEP

    6144:UsLqdufVUNDa4loZM3fsXtioRkts/cnnK6cMlibJksyVtGXTOMdRYspb8e1m+Fii:PFUNDamoZ1tlRk83MlibJksyVtGXTOMX

Malware Config

Extracted

Family

umbral

C2

https://discordapp.com/api/webhooks/1246463015998586960/d4v_qESsKe8s7VticwxHvyytkOUO321t7x3oNxoyCNYQuwczEVfPUDFWHLnPpAM4tNJ_

Signatures

  • Detect Umbral payload 2 IoCs
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 5 IoCs
  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 32 IoCs
  • Suspicious use of SendNotifyMessage 32 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\loader.exe
    "C:\Users\Admin\AppData\Local\Temp\loader.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1732
    • \??\c:\users\admin\appdata\local\temp\loader.exe 
      c:\users\admin\appdata\local\temp\loader.exe 
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1980
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2880
      • C:\Windows\system32\attrib.exe
        "attrib.exe" +h +s "c:\users\admin\appdata\local\temp\loader.exe "
        3⤵
        • Views/modifies file attributes
        PID:2544
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Add-MpPreference -ExclusionPath 'c:\users\admin\appdata\local\temp\loader.exe '
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2780
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2952
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2688
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1008
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" os get Caption
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:840
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" computersystem get totalphysicalmemory
        3⤵
          PID:688
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" csproduct get uuid
          3⤵
            PID:1432
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
            3⤵
              PID:444
            • C:\Windows\System32\Wbem\wmic.exe
              "wmic" path win32_VideoController get name
              3⤵
              • Detects videocard installed
              PID:748
            • C:\Windows\system32\cmd.exe
              "cmd.exe" /c ping localhost && del /F /A h "c:\users\admin\appdata\local\temp\loader.exe " && pause
              3⤵
                PID:920
                • C:\Windows\system32\PING.EXE
                  ping localhost
                  4⤵
                  • Runs ping.exe
                  PID:860
            • C:\Windows\Resources\Themes\icsys.icn.exe
              C:\Windows\Resources\Themes\icsys.icn.exe
              2⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in Windows directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:1508
              • \??\c:\windows\resources\themes\explorer.exe
                c:\windows\resources\themes\explorer.exe
                3⤵
                • Modifies visiblity of hidden/system files in Explorer
                • Executes dropped EXE
                • Loads dropped DLL
                • Adds Run key to start application
                • Drops file in System32 directory
                • Drops file in Windows directory
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:1360
                • \??\c:\windows\resources\spoolsv.exe
                  c:\windows\resources\spoolsv.exe SE
                  4⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Drops file in Windows directory
                  • Suspicious use of SetWindowsHookEx
                  • Suspicious use of WriteProcessMemory
                  PID:2028
                  • \??\c:\windows\resources\svchost.exe
                    c:\windows\resources\svchost.exe
                    5⤵
                    • Modifies visiblity of hidden/system files in Explorer
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Adds Run key to start application
                    • Drops file in System32 directory
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious behavior: GetForegroundWindowSpam
                    • Suspicious use of SetWindowsHookEx
                    • Suspicious use of WriteProcessMemory
                    PID:2180
                    • \??\c:\windows\resources\spoolsv.exe
                      c:\windows\resources\spoolsv.exe PR
                      6⤵
                      • Executes dropped EXE
                      • Suspicious use of SetWindowsHookEx
                      PID:2852
                    • C:\Windows\SysWOW64\schtasks.exe
                      schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:25 /f
                      6⤵
                      • Creates scheduled task(s)
                      PID:568
                    • C:\Windows\SysWOW64\schtasks.exe
                      schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:26 /f
                      6⤵
                      • Creates scheduled task(s)
                      PID:2864
                    • C:\Windows\SysWOW64\schtasks.exe
                      schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:27 /f
                      6⤵
                      • Creates scheduled task(s)
                      PID:2460
                • C:\Windows\Explorer.exe
                  C:\Windows\Explorer.exe
                  4⤵
                    PID:764
            • C:\Windows\system32\taskmgr.exe
              "C:\Windows\system32\taskmgr.exe" /4
              1⤵
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              PID:2904

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

              Filesize

              7KB

              MD5

              96a54d676e2baa2553ade3750cec02f4

              SHA1

              69753b28186e40362ff98d4647a847e77ab6d697

              SHA256

              43bafa793385ea82f193391a7fd9475963fe8522a4e78d4716e54af06f7b5c09

              SHA512

              f5fc6d98335546e836677dc919c9f6ff403a480ab83dc3c437ad0f60fef66a25e6e5f2dc1f67a475e2e1989cfeabbaf3e0921322585db6b11fe62ec13b7ac0d4

            • C:\Windows\Resources\Themes\explorer.exe

              Filesize

              135KB

              MD5

              afba798122a15e6aae67a6bdaf8e2e7e

              SHA1

              81735fd8afb767c6045e06788281dd9bc3085a59

              SHA256

              a70b1ab1b6ea33dba6c3c3b09ef85b73724a5ba0b13474704d0190747188d868

              SHA512

              9c34b3dc629395af94012ee50f1005ddbc4d169028f24593e6b1ef72a481ff906c5c91c1c961d7ee242597762f509cc43ab04e8c0f02649313a173b8e68629d1

            • \Users\Admin\AppData\Local\Temp\loader.exe 

              Filesize

              230KB

              MD5

              d23ca81d16873706f5e26fbac64eaee9

              SHA1

              c49585cbcc6e5286fba1c7a3fe582ea0e38ed5ee

              SHA256

              007ae5e7086ce92765cb6f3877663b04146f14deba2edb9582d90d4451b443d7

              SHA512

              4a7d4be3f7a1e27e9c925b57a5e53754f8f39ebabf479e041f620ef5271a7154fe57a407ff59f859f02f149bb60925e2f4e2c9c49f415fd42e780c7ea23922d4

            • \Windows\Resources\Themes\icsys.icn.exe

              Filesize

              135KB

              MD5

              b6c6d532091f6de047c1a68a4b69bf10

              SHA1

              01439b14f2158014ef0255092f4c11a136483889

              SHA256

              39931e1f612c4cc3ddef588ce4a1d1c1543e85cf16959eb738ed39eb0b2b1a11

              SHA512

              b652116e7a2ebe98cb8e43d024542fdb5c8daccf85dde4c00738eedd55d7a1195155ed4b4ea26fd8e91ce1bbef54c9cd224cd4606b2028168e82c0c2de45798d

            • \Windows\Resources\spoolsv.exe

              Filesize

              135KB

              MD5

              edeb7cad4dbe346275bf15847a7f1e17

              SHA1

              40693dcb7121547f2fd538249949e5643117c0e4

              SHA256

              57d0a4608d50845fadc0b78fa7b9268a334bf76ac55a17874ba2bda0cf874d45

              SHA512

              be8cc6b127a5672949f3086b88496d5eef76b709bbb7dd919b55efe234f1fe6a93c5f0013d9415e4ddb1c5dd524d1c03df9f87888456ac2f8471c0ea1c04d5ab

            • \Windows\Resources\svchost.exe

              Filesize

              135KB

              MD5

              206311e7229da01362389b3ec534aa21

              SHA1

              adb9c05b7ca1a0a3f87f1c21d8b74d029db3eb17

              SHA256

              caf34ea25cf7a68c3bc5dfb0235d27db0622c1a34dce85e85a931566f63c2455

              SHA512

              55f522b8edd6f517e8401ec0cdd18f44f96c4ab3225c9d3625b46cf3a6050875e6107b632ed93a472468c4d881a7895206b3afc86d82f0dcc693a7c4c5112f62

            • memory/444-104-0x0000000001E90000-0x0000000001E98000-memory.dmp

              Filesize

              32KB

            • memory/1508-97-0x0000000000400000-0x000000000041F000-memory.dmp

              Filesize

              124KB

            • memory/1732-46-0x00000000002F0000-0x000000000030F000-memory.dmp

              Filesize

              124KB

            • memory/1732-98-0x0000000000400000-0x000000000041F000-memory.dmp

              Filesize

              124KB

            • memory/1732-0-0x0000000000400000-0x000000000041F000-memory.dmp

              Filesize

              124KB

            • memory/1980-88-0x000007FEF60C0000-0x000007FEF6AAC000-memory.dmp

              Filesize

              9.9MB

            • memory/1980-12-0x000007FEF60C0000-0x000007FEF6AAC000-memory.dmp

              Filesize

              9.9MB

            • memory/1980-108-0x000007FEF60C0000-0x000007FEF6AAC000-memory.dmp

              Filesize

              9.9MB

            • memory/1980-10-0x000007FEF60C3000-0x000007FEF60C4000-memory.dmp

              Filesize

              4KB

            • memory/1980-11-0x0000000001360000-0x00000000013A0000-memory.dmp

              Filesize

              256KB

            • memory/1980-80-0x000007FEF60C3000-0x000007FEF60C4000-memory.dmp

              Filesize

              4KB

            • memory/2028-81-0x00000000002D0000-0x00000000002EF000-memory.dmp

              Filesize

              124KB

            • memory/2028-96-0x0000000000400000-0x000000000041F000-memory.dmp

              Filesize

              124KB

            • memory/2180-90-0x0000000000400000-0x000000000041F000-memory.dmp

              Filesize

              124KB

            • memory/2780-17-0x000000001B4C0000-0x000000001B7A2000-memory.dmp

              Filesize

              2.9MB

            • memory/2780-18-0x0000000002890000-0x0000000002898000-memory.dmp

              Filesize

              32KB

            • memory/2852-95-0x0000000000400000-0x000000000041F000-memory.dmp

              Filesize

              124KB

            • memory/2904-109-0x0000000140000000-0x00000001405E8000-memory.dmp

              Filesize

              5.9MB

            • memory/2904-110-0x0000000140000000-0x00000001405E8000-memory.dmp

              Filesize

              5.9MB

            • memory/2952-25-0x0000000002240000-0x0000000002248000-memory.dmp

              Filesize

              32KB

            • memory/2952-24-0x000000001B630000-0x000000001B912000-memory.dmp

              Filesize

              2.9MB