Analysis

  • max time kernel
    134s
  • max time network
    136s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    05-06-2024 08:17

General

  • Target

    Umbral.exe

  • Size

    227KB

  • MD5

    53681862212e052e3c6b3e9ca9594428

  • SHA1

    f89c700368b19d182062f673f9b51199e08c47cc

  • SHA256

    2576a8b91992cead33bc30b306852a6fbaa559fff89a534537495abe76aca3a2

  • SHA512

    2f9649751aeeabd4e59b7e172937518bb6867ce99eee00687243d6218edbdbc5d573a5cea36416131a3787360d215d557f91c75f480d30ce3d6bbd1152e81fa8

  • SSDEEP

    6144:+loZM9rIkd8g+EtXHkv/iD4M6Q2nLxCqV0QhTuOLQjb8e1mui:ooZOL+EP8M6Q2nLxCqV0QhTuOLKY

Malware Config

Signatures

  • Detect Umbral payload 1 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Drops file in Drivers directory 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Umbral.exe
    "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
    1⤵
    • Drops file in Drivers directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2324
    • C:\Windows\SYSTEM32\attrib.exe
      "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
      2⤵
      • Views/modifies file attributes
      PID:596
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1948
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4208
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3156
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3292
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1392
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      2⤵
        PID:4480
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        2⤵
          PID:5104
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4984
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic" path win32_VideoController get name
          2⤵
          • Detects videocard installed
          PID:216
        • C:\Windows\SYSTEM32\cmd.exe
          "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:3008
          • C:\Windows\system32\PING.EXE
            ping localhost
            3⤵
            • Runs ping.exe
            PID:4960

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

        Filesize

        3KB

        MD5

        ad5cd538ca58cb28ede39c108acb5785

        SHA1

        1ae910026f3dbe90ed025e9e96ead2b5399be877

        SHA256

        c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

        SHA512

        c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        1KB

        MD5

        e9d2d14e856c8107b2da1b4d54acd802

        SHA1

        9ab68c3abee490d1418df8ecd42d57237232672d

        SHA256

        4169e453fa3078623937db4268da606deb7104803ca0d1133295992ef3107e87

        SHA512

        0312972ed4f1870f4219601c62eed1c59379360da6c8e2f0cbcd0dfd327967276b71170bc1631f18d7da651fcc6cb66fa5039f6301f1d36382bbb36b8877440a

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        1KB

        MD5

        e93982ac2d28c20d1351d3619ddff71e

        SHA1

        3e47c26610e24fb2a9363b116a3be7ab34f25d67

        SHA256

        13a73d7b8b6d2a7c5bbaf6a36f5e3c81262931fe52b83192ec571b343bafb7a6

        SHA512

        a8aed4d03dc31e049240de7603626487ede298d240b2f617f4d0df11c69e8c1e8a393e93432b322af964b64524f9d967dd89bb95a572fdd8f9c7e0381883c0bf

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        1KB

        MD5

        d26e61b05e1a82bc1ed5078b6f020fbb

        SHA1

        5a7b374a664e5975e3aacab00e30fb499bbc5dd8

        SHA256

        7788aceab7325c7eaeb0c7c6ef1def257f8ffe731874f9b9d3247590528b6011

        SHA512

        75bfdbfc5e79404951e82448f68cb14b70091ba5abf4119029c826b403ca30d0612d3ab8cdb8190f1c8269ccd5cea27e17736b123990c96557d1cbb61f1a5f1c

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        1KB

        MD5

        134c6647f636b28e090bd423336912d4

        SHA1

        915be716734666c659e322c22807210f280b2bcb

        SHA256

        83b9a01b608f85103c8b6c060582770cbc034218b2c50d434d0d2f3f2d5ba487

        SHA512

        d1c809f3e395f0e87de07c5567e3bc16520a9662b304a562944cdb020bfffe21c7e39f48b7719e509f3348e45d6604d0c6046f445409673b4db773d9e157b88e

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xfhc2tes.45u.ps1

        Filesize

        1B

        MD5

        c4ca4238a0b923820dcc509a6f75849b

        SHA1

        356a192b7913b04c54574d18c28d46e6395428ab

        SHA256

        6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

        SHA512

        4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

      • memory/1948-50-0x00007FFF7A120000-0x00007FFF7AB0C000-memory.dmp

        Filesize

        9.9MB

      • memory/1948-7-0x00007FFF7A120000-0x00007FFF7AB0C000-memory.dmp

        Filesize

        9.9MB

      • memory/1948-10-0x00007FFF7A120000-0x00007FFF7AB0C000-memory.dmp

        Filesize

        9.9MB

      • memory/1948-43-0x00007FFF7A120000-0x00007FFF7AB0C000-memory.dmp

        Filesize

        9.9MB

      • memory/1948-13-0x000002537CF70000-0x000002537CFE6000-memory.dmp

        Filesize

        472KB

      • memory/1948-54-0x00007FFF7A120000-0x00007FFF7AB0C000-memory.dmp

        Filesize

        9.9MB

      • memory/1948-9-0x00007FFF7A120000-0x00007FFF7AB0C000-memory.dmp

        Filesize

        9.9MB

      • memory/1948-8-0x000002537CC90000-0x000002537CCB2000-memory.dmp

        Filesize

        136KB

      • memory/2324-87-0x000002B462A10000-0x000002B462A60000-memory.dmp

        Filesize

        320KB

      • memory/2324-88-0x000002B44A2D0000-0x000002B44A2EE000-memory.dmp

        Filesize

        120KB

      • memory/2324-0-0x000002B448460000-0x000002B4484A0000-memory.dmp

        Filesize

        256KB

      • memory/2324-2-0x00007FFF7A120000-0x00007FFF7AB0C000-memory.dmp

        Filesize

        9.9MB

      • memory/2324-155-0x000002B44A310000-0x000002B44A322000-memory.dmp

        Filesize

        72KB

      • memory/2324-154-0x000002B4488F0000-0x000002B4488FA000-memory.dmp

        Filesize

        40KB

      • memory/2324-1-0x00007FFF7A123000-0x00007FFF7A124000-memory.dmp

        Filesize

        4KB

      • memory/2324-185-0x00007FFF7A120000-0x00007FFF7AB0C000-memory.dmp

        Filesize

        9.9MB