Analysis
max time kernel: 134s
max time network: 136s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 05-06-2024 08:17
General
Target: Umbral.exe
Size: 227KB
MD5: 53681862212e052e3c6b3e9ca9594428
SHA1: f89c700368b19d182062f673f9b51199e08c47cc
SHA256: 2576a8b91992cead33bc30b306852a6fbaa559fff89a534537495abe76aca3a2
SHA512: 2f9649751aeeabd4e59b7e172937518bb6867ce99eee00687243d6218edbdbc5d573a5cea36416131a3787360d215d557f91c75f480d30ce3d6bbd1152e81fa8
SSDEEP: 6144:+loZM9rIkd8g+EtXHkv/iD4M6Q2nLxCqV0QhTuOLQjb8e1mui:ooZOL+EP8M6Q2nLxCqV0QhTuOLKY
Malware Config
Signatures
Detect Umbral payload (1 IoC)
  resource: yara_rule
  behavioral1/memory/2324-0-0x000002B448460000-0x000002B4484A0000-memory.dmp  family_umbral

Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  pid 1948  powershell.exe

Drops file in Drivers directory (1 IoC)
  File opened for modification: C:\Windows\System32\drivers\etc\hosts  (Umbral.exe)

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow 7  discord.com
  flow 8  discord.com

Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 5  ip-api.com

Detects videocard installed (1 TTP, 1 IoC)
  Uses WMIC.exe to determine the videocard installed.
  pid 216  wmic.exe

Runs ping.exe (1 TTP, 1 IoC)
  pid 4960  PING.EXE

Suspicious behavior: EnumeratesProcesses (15 IoCs)
  pid 1948 powershell.exe (3x), 4208 powershell.exe (3x), 3156 powershell.exe (3x), 3292 powershell.exe (3x), 4984 powershell.exe (3x)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  2324 Umbral.exe: SeDebugPrivilege
  1948 powershell.exe: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  4208 powershell.exe: SeDebugPrivilege
  3156 powershell.exe: SeDebugPrivilege
  3292 powershell.exe: SeDebugPrivilege
  1392 wmic.exe (first pass): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  1392 wmic.exe (second pass): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege

Suspicious use of WriteProcessMemory (24 IoCs; each write is logged twice)
  source pid  source process  target pid  procid_target
  2324        Umbral.exe      596         73
  2324        Umbral.exe      1948        75
  2324        Umbral.exe      4208        78
  2324        Umbral.exe      3156        80
  2324        Umbral.exe      3292        82
  2324        Umbral.exe      1392        84
  2324        Umbral.exe      4480        87
  2324        Umbral.exe      5104        89
  2324        Umbral.exe      4984        91
  2324        Umbral.exe      216         93
  2324        Umbral.exe      3008        95
  3008        cmd.exe         4960        97

Views/modifies file attributes (1 TTP, 1 IoC)
  pid 596  attrib.exe
Processes
(indentation shows the parent/child relationship; the command line as executed follows each image path)

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
  "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
  PID: 2324
  - Drops file in Drivers directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
    PID: 596
    - Views/modifies file attributes

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
    PID: 1948
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    PID: 4208
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    Note: the interpreter invoked here is Windows PowerShell 5.1, in which "&&" is not a valid statement separator; the whole command line therefore fails to parse and none of these Set-MpPreference changes are applied. The Add-MpPreference exclusion in PID 1948 is a separate process and is unaffected.

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    PID: 3156
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    PID: 3292
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    Note: "HKLN:" is reproduced as executed; PowerShell has no HKLN: drive (the HKLM: drive is presumably intended), so this lookup cannot succeed.

  C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    PID: 1392
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    PID: 4480

  C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    PID: 5104

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    PID: 4984
    - Suspicious behavior: EnumeratesProcesses

  C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    PID: 216
    - Detects videocard installed

  C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
    PID: 3008
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\PING.EXE
      ping localhost
      PID: 4960
      - Runs ping.exe
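The process tree above is a compact catalogue of the stealer's host-side tradecraft: hide the dropped binary (attrib +h +s on its own path), add a Defender exclusion for it, attempt to switch Defender protections off, read the Roblox session cookie from the registry, fingerprint the host with wmic/registry queries, and finally self-delete through "cmd /c ping ... && del". The following detection logic is an added example, not part of the sandbox report or of the sample: it runs those checks over a batch of process-creation events. The event records are constructed here to mirror the tree on the page (PIDs, images and command lines copied from it); the field names follow Sysmon Event ID 1 (ProcessId, ParentProcessId, Image, CommandLine) but the records are hand-built, not exported from Sysmon. The parent PID of Umbral.exe (1000) and the benign control event (PIDs 6000/7000) are assumptions.

```python
"""Detect the Umbral-style behaviours seen in the process tree over Sysmon-like events.

Added example; the records below are constructed from the sandbox report, not exported
from a real host. Parent PID 1000 and the benign control (6000/7000) are assumptions.
"""
import re
from collections import defaultdict

EVENTS = [
    {"ProcessId": 2324, "ParentProcessId": 1000,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\Umbral.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"'},
    {"ProcessId": 596, "ParentProcessId": 2324, "Image": r"C:\Windows\SYSTEM32\attrib.exe",
     "CommandLine": r'"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"'},
    {"ProcessId": 1948, "ParentProcessId": 2324,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"powershell.exe" Add-MpPreference -ExclusionPath '
                    r"'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'"},
    {"ProcessId": 4208, "ParentProcessId": 2324,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": '"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true '
                    '-DisableIOAVProtection $true -DisableRealtimeMonitoring $true '
                    '-DisableScriptScanning $true -EnableControlledFolderAccess Disabled '
                    '-EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled '
                    '-SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2'},
    {"ProcessId": 3156, "ParentProcessId": 2324,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY'},
    {"ProcessId": 1392, "ParentProcessId": 2324, "Image": r"C:\Windows\System32\Wbem\wmic.exe",
     "CommandLine": '"wmic.exe" os get Caption'},
    {"ProcessId": 4480, "ParentProcessId": 2324, "Image": r"C:\Windows\System32\Wbem\wmic.exe",
     "CommandLine": '"wmic.exe" computersystem get totalphysicalmemory'},
    {"ProcessId": 5104, "ParentProcessId": 2324, "Image": r"C:\Windows\System32\Wbem\wmic.exe",
     "CommandLine": '"wmic.exe" csproduct get uuid'},
    {"ProcessId": 4984, "ParentProcessId": 2324,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"powershell.exe" Get-ItemPropertyValue -Path '
                    r"'HKLM:System\CurrentControlSet\Control\Session Manager\Environment'"
                    r" -Name PROCESSOR_IDENTIFIER"},
    {"ProcessId": 216, "ParentProcessId": 2324, "Image": r"C:\Windows\System32\Wbem\wmic.exe",
     "CommandLine": '"wmic" path win32_VideoController get name'},
    {"ProcessId": 3008, "ParentProcessId": 2324, "Image": r"C:\Windows\SYSTEM32\cmd.exe",
     "CommandLine": r'"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause'},
    # Benign control (assumed): an administrator merely reading Defender preferences.
    {"ProcessId": 7000, "ParentProcessId": 6000,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": '"powershell.exe" Get-MpPreference'},
]

DEFENDER_EXCLUDE = re.compile(r"Add-MpPreference\b.*-Exclusion(Path|Process|Extension)\b", re.I)
DEFENDER_DISABLE = re.compile(
    r"Set-MpPreference\b.*(-Disable\w+\s+\$true|-MAPSReporting\s+Disabled"
    r"|-SubmitSamplesConsent\s+(NeverSend|2)\b|-EnableControlledFolderAccess\s+Disabled)", re.I)
ROBLOX_COOKIE = re.compile(r"\.ROBLOSECURITY\b", re.I)
FINGERPRINT = re.compile(r"\b(csproduct\s+get\s+uuid|os\s+get\s+caption|totalphysicalmemory"
                         r"|win32_videocontroller|PROCESSOR_IDENTIFIER)\b", re.I)
ATTRIB_HIDE = re.compile(r'"?attrib(\.exe)?"?\s+(?=.*\+h)(?=.*\+s)', re.I)
PING_THEN_DEL = re.compile(r"\bping\b.*&&\s*del\b", re.I)
WIN_EXE_PATH = re.compile(r'[A-Za-z]:\\[^"]+?\.exe', re.I)


def _exe_after(cmd, pos):
    """First drive-letter .exe path at or after offset pos, lowercased (None if absent)."""
    m = WIN_EXE_PATH.search(cmd, pos)
    return m.group(0).lower() if m else None


def analyze(events):
    """Return (technique, pid, detail) findings for one batch of process-creation events."""
    by_pid = {e["ProcessId"]: e for e in events}
    findings = []
    queries_by_parent = defaultdict(set)
    for e in events:
        cmd, pid = e["CommandLine"], e["ProcessId"]
        parent = by_pid.get(e["ParentProcessId"])
        parent_image = parent["Image"].lower() if parent else None
        if DEFENDER_EXCLUDE.search(cmd):
            findings.append(("defender_exclusion", pid, cmd))
        if DEFENDER_DISABLE.search(cmd):
            findings.append(("defender_disable", pid, cmd))
        if ROBLOX_COOKIE.search(cmd):
            findings.append(("roblox_cookie_read", pid, cmd))
        # attrib +h +s and ping-then-del only matter when aimed at the parent's own binary.
        m = ATTRIB_HIDE.match(cmd)
        if m and parent_image and _exe_after(cmd, m.end()) == parent_image:
            findings.append(("hide_own_binary", pid, parent_image))
        m = PING_THEN_DEL.search(cmd)
        if m and parent_image and _exe_after(cmd, m.end()) == parent_image:
            findings.append(("self_delete_of_parent", pid, parent_image))
        m = FINGERPRINT.search(cmd)
        if m and parent:
            queries_by_parent[parent["ProcessId"]].add(m.group(1).lower())
    # Three or more distinct OS/hardware queries spawned by one parent: a fingerprinting burst.
    for ppid, queries in queries_by_parent.items():
        if len(queries) >= 3:
            findings.append(("hardware_fingerprinting", ppid, sorted(queries)))
    return findings


def techniques(events):
    """Distinct technique labels, sorted, for quick triage."""
    return sorted({t for t, _, _ in analyze(events)})


if __name__ == "__main__":
    for technique, pid, detail in analyze(EVENTS):
        print(f"{technique:24} pid={pid:<5} {detail}")
```

The two file-targeted checks compare the path named in the child's command line with the parent's own image, which is what separates this pattern from an administrator running attrib or del by hand; the fingerprinting check is keyed on the parent so that the individual wmic invocations, each harmless alone, are scored together. The Defender pattern matches the Set-MpPreference line even though, as noted in the tree, Windows PowerShell 5.1 rejects it at parse time: the attempt is still the signal worth alerting on.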
Network
MITRE ATT&CK Enterprise v15
Downloads
(six files downloaded during the run; the report records them by size and hash only)

File 1 (3KB)
  MD5:    ad5cd538ca58cb28ede39c108acb5785
  SHA1:   1ae910026f3dbe90ed025e9e96ead2b5399be877
  SHA256: c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
  SHA512: c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

File 2 (1KB)
  MD5:    e9d2d14e856c8107b2da1b4d54acd802
  SHA1:   9ab68c3abee490d1418df8ecd42d57237232672d
  SHA256: 4169e453fa3078623937db4268da606deb7104803ca0d1133295992ef3107e87
  SHA512: 0312972ed4f1870f4219601c62eed1c59379360da6c8e2f0cbcd0dfd327967276b71170bc1631f18d7da651fcc6cb66fa5039f6301f1d36382bbb36b8877440a

File 3 (1KB)
  MD5:    e93982ac2d28c20d1351d3619ddff71e
  SHA1:   3e47c26610e24fb2a9363b116a3be7ab34f25d67
  SHA256: 13a73d7b8b6d2a7c5bbaf6a36f5e3c81262931fe52b83192ec571b343bafb7a6
  SHA512: a8aed4d03dc31e049240de7603626487ede298d240b2f617f4d0df11c69e8c1e8a393e93432b322af964b64524f9d967dd89bb95a572fdd8f9c7e0381883c0bf

File 4 (1KB)
  MD5:    d26e61b05e1a82bc1ed5078b6f020fbb
  SHA1:   5a7b374a664e5975e3aacab00e30fb499bbc5dd8
  SHA256: 7788aceab7325c7eaeb0c7c6ef1def257f8ffe731874f9b9d3247590528b6011
  SHA512: 75bfdbfc5e79404951e82448f68cb14b70091ba5abf4119029c826b403ca30d0612d3ab8cdb8190f1c8269ccd5cea27e17736b123990c96557d1cbb61f1a5f1c

File 5 (1KB)
  MD5:    134c6647f636b28e090bd423336912d4
  SHA1:   915be716734666c659e322c22807210f280b2bcb
  SHA256: 83b9a01b608f85103c8b6c060582770cbc034218b2c50d434d0d2f3f2d5ba487
  SHA512: d1c809f3e395f0e87de07c5567e3bc16520a9662b304a562944cdb020bfffe21c7e39f48b7719e509f3348e45d6604d0c6046f445409673b4db773d9e157b88e

File 6 (1B)
  MD5:    c4ca4238a0b923820dcc509a6f75849b
  SHA1:   356a192b7913b04c54574d18c28d46e6395428ab
  SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
  SHA512: 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
  (these are the well-known digests of the single ASCII character "1", i.e. a one-byte response body)