Analysis
- max time kernel: 118s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 05-06-2024 01:52

Behavioral task: behavioral1
- Sample: Umbral.exe
- Resource: win7-20240508-en

General
- Target: Umbral.exe
- Size: 227KB
- MD5: 53681862212e052e3c6b3e9ca9594428
- SHA1: f89c700368b19d182062f673f9b51199e08c47cc
- SHA256: 2576a8b91992cead33bc30b306852a6fbaa559fff89a534537495abe76aca3a2
- SHA512: 2f9649751aeeabd4e59b7e172937518bb6867ce99eee00687243d6218edbdbc5d573a5cea36416131a3787360d215d557f91c75f480d30ce3d6bbd1152e81fa8
- SSDEEP: 6144:+loZM9rIkd8g+EtXHkv/iD4M6Q2nLxCqV0QhTuOLQjb8e1mui:ooZOL+EP8M6Q2nLxCqV0QhTuOLKY
Malware Config
Signatures
- Detect Umbral payload (1 IoC)
  resource: behavioral1/memory/2968-1-0x00000000012E0000-0x0000000001320000-memory.dmp; yara_rule: family_umbral
- Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid 3000, Process powershell.exe
- Drops file in Drivers directory (1 IoC)
  description: File opened for modification; ioc: C:\Windows\System32\drivers\etc\hosts; Process: Umbral.exe
- Deletes itself (1 IoC)
  pid 2272, Process cmd.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow 6, ioc discord.com; flow 7, ioc discord.com
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 4, ioc ip-api.com
- Detects videocard installed (1 TTP, 1 IoC)
  Uses WMIC.exe to determine videocard installed.
  pid 1284, Process wmic.exe
- Runs ping.exe (1 TTP, 1 IoC)
  pid 2256, Process PING.EXE
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pids 3000, 3024, 2524, 1296, 308; Process powershell.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Suspicious use of WriteProcessMemory (36 IoCs)
- Views/modifies file attributes (1 TTP, 1 IoC)
  pid 2356, Process attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Umbral.exe (depth 1, PID 2968)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
  Signatures: Drops file in Drivers directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\attrib.exe (depth 2, PID 2356)
    Command line: "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
    Signatures: Views/modifies file attributes
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID 3000)
    Command line: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID 3024)
    Command line: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID 2524)
    Command line: "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID 1296)
    Command line: "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\Wbem\wmic.exe (depth 2, PID 2184)
    Command line: "wmic.exe" os get Caption
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\Wbem\wmic.exe (depth 2, PID 2012)
    Command line: "wmic.exe" computersystem get totalphysicalmemory
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\Wbem\wmic.exe (depth 2, PID 1936)
    Command line: "wmic.exe" csproduct get uuid
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID 308)
    Command line: "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Windows\System32\Wbem\wmic.exe (depth 2, PID 1284)
    Command line: "wmic" path win32_VideoController get name
    Signatures: Detects videocard installed
  - C:\Windows\system32\cmd.exe (depth 2, PID 2272)
    Command line: "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
    Signatures: Deletes itself; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\PING.EXE (depth 3, PID 2256)
      Command line: ping localhost
      Signatures: Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 4f7255d09668512f5f9662ec37640cb5
  SHA1: 537dec1806be166705699e24f35d3c57daccd86e
  SHA256: 6360da0784b3c9f9ccc6a119f6e575ce5e4eae33d53a0c0a24f281ed62bc2e98
  SHA512: 73e97950cb1d3e0e07860c4556e75512f39e028800cea53f06ee5916c674086b89ca8d889e99f2eddf74ee2459e3883752bb80edc7302aa27958d469da004aa3