Analysis

  • max time kernel
    150s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    02-06-2024 01:22

General

  • Target

    loader.exe

  • Size

    365KB

  • MD5

    cbd720ad4f7be1c099ec22f56ee61dd6

  • SHA1

    9989030c7ea1756e1834c464688d418e773919fc

  • SHA256

    20be105c4a33ebf77ef4db7e8b6ebbb39b156fe1dd16473a7255903f33b76846

  • SHA512

    2ad87fdf5046be22eec58fe71326ab0bcc2a2ca019e1b5519ec1ecbdfbb83731a254c7f400ca48cacb9917da6c85d41a913aa0f8f5b21408a3f2d1e8895e9740

  • SSDEEP

    6144:UsLqdufVUNDa4loZM3fsXtioRkts/cnnK6cMlibJksyVtGXTOMdRYspb8e1m+Fii:PFUNDamoZ1tlRk83MlibJksyVtGXTOMX

Malware Config

Extracted

Family

umbral

C2

https://discordapp.com/api/webhooks/1246463015998586960/d4v_qESsKe8s7VticwxHvyytkOUO321t7x3oNxoyCNYQuwczEVfPUDFWHLnPpAM4tNJ_

Signatures

  • Detect Umbral payload 2 IoCs
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 5 IoCs
  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\loader.exe
    "C:\Users\Admin\AppData\Local\Temp\loader.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2412
    • \??\c:\users\admin\appdata\local\temp\loader.exe 
      c:\users\admin\appdata\local\temp\loader.exe 
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2420
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2696
      • C:\Windows\system32\attrib.exe
        "attrib.exe" +h +s "c:\users\admin\appdata\local\temp\loader.exe "
        3⤵
        • Views/modifies file attributes
        PID:2788
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Add-MpPreference -ExclusionPath 'c:\users\admin\appdata\local\temp\loader.exe '
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2264
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2500
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1904
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2956
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" os get Caption
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2076
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" computersystem get totalphysicalmemory
        3⤵
          PID:1484
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" csproduct get uuid
          3⤵
            PID:632
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
            3⤵
              PID:1740
            • C:\Windows\System32\Wbem\wmic.exe
              "wmic" path win32_VideoController get name
              3⤵
              • Detects videocard installed
              PID:1088
            • C:\Windows\system32\cmd.exe
              "cmd.exe" /c ping localhost && del /F /A h "c:\users\admin\appdata\local\temp\loader.exe " && pause
              3⤵
                PID:896
                • C:\Windows\system32\PING.EXE
                  ping localhost
                  4⤵
                  • Runs ping.exe
                  PID:2148
            • C:\Windows\Resources\Themes\icsys.icn.exe
              C:\Windows\Resources\Themes\icsys.icn.exe
              2⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in Windows directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:2236
              • \??\c:\windows\resources\themes\explorer.exe
                c:\windows\resources\themes\explorer.exe
                3⤵
                • Modifies visiblity of hidden/system files in Explorer
                • Executes dropped EXE
                • Loads dropped DLL
                • Adds Run key to start application
                • Drops file in System32 directory
                • Drops file in Windows directory
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:1600
                • \??\c:\windows\resources\spoolsv.exe
                  c:\windows\resources\spoolsv.exe SE
                  4⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Drops file in Windows directory
                  • Suspicious use of SetWindowsHookEx
                  • Suspicious use of WriteProcessMemory
                  PID:2432
                  • \??\c:\windows\resources\svchost.exe
                    c:\windows\resources\svchost.exe
                    5⤵
                    • Modifies visiblity of hidden/system files in Explorer
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Adds Run key to start application
                    • Drops file in System32 directory
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious behavior: GetForegroundWindowSpam
                    • Suspicious use of SetWindowsHookEx
                    • Suspicious use of WriteProcessMemory
                    PID:840
                    • \??\c:\windows\resources\spoolsv.exe
                      c:\windows\resources\spoolsv.exe PR
                      6⤵
                      • Executes dropped EXE
                      • Suspicious use of SetWindowsHookEx
                      PID:1800
                    • C:\Windows\SysWOW64\schtasks.exe
                      schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:25 /f
                      6⤵
                      • Creates scheduled task(s)
                      PID:1172
                    • C:\Windows\SysWOW64\schtasks.exe
                      schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:26 /f
                      6⤵
                      • Creates scheduled task(s)
                      PID:604
                    • C:\Windows\SysWOW64\schtasks.exe
                      schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:27 /f
                      6⤵
                      • Creates scheduled task(s)
                      PID:2932
                • C:\Windows\Explorer.exe
                  C:\Windows\Explorer.exe
                  4⤵
                    PID:2588

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\loader.exe 

              Filesize

              230KB

              MD5

              d23ca81d16873706f5e26fbac64eaee9

              SHA1

              c49585cbcc6e5286fba1c7a3fe582ea0e38ed5ee

              SHA256

              007ae5e7086ce92765cb6f3877663b04146f14deba2edb9582d90d4451b443d7

              SHA512

              4a7d4be3f7a1e27e9c925b57a5e53754f8f39ebabf479e041f620ef5271a7154fe57a407ff59f859f02f149bb60925e2f4e2c9c49f415fd42e780c7ea23922d4

            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HBCYEX4WMJ3PD0O91IYT.temp

              Filesize

              7KB

              MD5

              d9788b07146c954acd0efdbae53e440b

              SHA1

              8619d934a83ab9799853cd2637fe332562b12ed2

              SHA256

              f5713b1c4257441ade2d0d4ae48837b789c478b6bf62fc868ba6075c7a5156af

              SHA512

              e886edaf83ebbda94ebc606492ad845916ff99825c6e3776455317558cb657ea84a1d399f1184f8126c86dde8ebc66266b4a2c381cc714035171a9af022fbbfc

            • C:\Windows\Resources\Themes\explorer.exe

              Filesize

              135KB

              MD5

              1905292586e7ae7531079e89c140e930

              SHA1

              04ab85a09795edadb72eda9d7bac49560aa11ac5

              SHA256

              f74a57c28678a69528bceebe893b8e8a8cb69168d221e5d0efe8cd0b17a6c6d5

              SHA512

              5ef17f274c6dd764b2084a399a5b04df2cf5ffeb6ca329606b1f98f453a16d40e105f7bae01d2c1fb33a50624e7965b0fc55c5b0df861ee549aaf7403b63e5fa

            • C:\Windows\Resources\Themes\icsys.icn.exe

              Filesize

              135KB

              MD5

              b6c6d532091f6de047c1a68a4b69bf10

              SHA1

              01439b14f2158014ef0255092f4c11a136483889

              SHA256

              39931e1f612c4cc3ddef588ce4a1d1c1543e85cf16959eb738ed39eb0b2b1a11

              SHA512

              b652116e7a2ebe98cb8e43d024542fdb5c8daccf85dde4c00738eedd55d7a1195155ed4b4ea26fd8e91ce1bbef54c9cd224cd4606b2028168e82c0c2de45798d

            • C:\Windows\Resources\spoolsv.exe

              Filesize

              135KB

              MD5

              546e236ea4de2b39579ff0f6c02e6f95

              SHA1

              c9139eeb9d830cb926773b0cb44287133b1eeb34

              SHA256

              2f1c7411962af8b528886ea4067f77aa6f2a4a25f5829c2888bb0d09a78a0b87

              SHA512

              e69a0ede110fb731146c27f43e20bc14e494dfa2154b00c0b310201fba755029633620ed75f663a6f5f58863d38c65855ed56984d5eeb6bbd9815d7ef5eefb91

            • C:\Windows\Resources\svchost.exe

              Filesize

              135KB

              MD5

              2bed3603d534ed5d7d0f356e9d2cb855

              SHA1

              84960e6e77db59cd06f4203a66dc40d7f93de61d

              SHA256

              949d06348a5179530f55ac50a3ceb3f78fb70516e10597252b324cda7e9c6548

              SHA512

              1afce3d003594a4f23a4f8ecda89675d4dabc565023db7735fbf9b81fcc6fa5ff5547eff0a0cb474fb9b233d147c3b00da106f3b3432301c048aa652de597f3b

            • memory/1600-73-0x0000000000330000-0x000000000034F000-memory.dmp

              Filesize

              124KB

            • memory/1740-105-0x000000001B760000-0x000000001BA42000-memory.dmp

              Filesize

              2.9MB

            • memory/1740-106-0x0000000001D20000-0x0000000001D28000-memory.dmp

              Filesize

              32KB

            • memory/1800-96-0x0000000000400000-0x000000000041F000-memory.dmp

              Filesize

              124KB

            • memory/2236-99-0x0000000000400000-0x000000000041F000-memory.dmp

              Filesize

              124KB

            • memory/2236-61-0x00000000003C0000-0x00000000003DF000-memory.dmp

              Filesize

              124KB

            • memory/2264-18-0x00000000003B0000-0x00000000003B8000-memory.dmp

              Filesize

              32KB

            • memory/2264-17-0x000000001B850000-0x000000001BB32000-memory.dmp

              Filesize

              2.9MB

            • memory/2412-0-0x0000000000400000-0x000000000041F000-memory.dmp

              Filesize

              124KB

            • memory/2412-49-0x0000000000360000-0x000000000037F000-memory.dmp

              Filesize

              124KB

            • memory/2412-98-0x0000000000400000-0x000000000041F000-memory.dmp

              Filesize

              124KB

            • memory/2420-12-0x000007FEF5FB0000-0x000007FEF699C000-memory.dmp

              Filesize

              9.9MB

            • memory/2420-11-0x0000000001020000-0x0000000001060000-memory.dmp

              Filesize

              256KB

            • memory/2420-10-0x000007FEF5FB3000-0x000007FEF5FB4000-memory.dmp

              Filesize

              4KB

            • memory/2420-110-0x000007FEF5FB0000-0x000007FEF699C000-memory.dmp

              Filesize

              9.9MB

            • memory/2432-86-0x00000000002F0000-0x000000000030F000-memory.dmp

              Filesize

              124KB

            • memory/2432-97-0x0000000000400000-0x000000000041F000-memory.dmp

              Filesize

              124KB

            • memory/2432-77-0x0000000000400000-0x000000000041F000-memory.dmp

              Filesize

              124KB

            • memory/2500-24-0x000000001B630000-0x000000001B912000-memory.dmp

              Filesize

              2.9MB

            • memory/2500-25-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

              Filesize

              32KB