umbral | 1ce288b4eace5690b66c6681e77f4f75d1c5fda07eab5a410ffe38271d515909

General

Target

FIXER-2.3.exe
Size

678KB
MD5

c4a81b5b47dab29d88805f75c95035a0
SHA1

092fcb36a736198e19530c96991d9bcb0354fa75
SHA256

1ce288b4eace5690b66c6681e77f4f75d1c5fda07eab5a410ffe38271d515909
SHA512

eb98f91df470f6f52ad8db2d44da3a090b63d4067e371ca8df1b5e54e7623123d6ba7df779b27cf6298d7778b415e9569f29c62ef6276f8d666134ff4aa7006e
SSDEEP

6144:u4zMHU2N3RSUDqnopqonzuv4NIAyxuQiOfFs3OJ18xNz+KgbqUypit:u44RuS78onzuv4NIAAuQkOzu

Score

10^/10

umbral execution spyware stealer

Malware Config

Signatures

Detect Umbral payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Umbral.exe	family_umbral
behavioral2/memory/4248-13-0x000001FC899C0000-0x000001FC89A00000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

4132 powershell.exe
Drops file in Drivers directory 1 IoCs

Processes:

Umbral.exe

description ioc process

File opened for modification C:\Windows\System32\drivers\etc\hosts Umbral.exe
Executes dropped EXE 1 IoCs

Processes:

Umbral.exe

pid process

4248 Umbral.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

wmic.exe

pid process

572 wmic.exe

pid	process
4132	powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe

flow	ioc
1	ip-api.com

pid	process
572	wmic.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

Umbral.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4248	Umbral.exe
4132	powershell.exe
4132	powershell.exe
1636	powershell.exe
1636	powershell.exe
2644	powershell.exe
2644	powershell.exe
3268	powershell.exe
3268	powershell.exe
2948	powershell.exe
2948	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Umbral.exewmic.exepowershell.exepowershell.exepowershell.exepowershell.exewmic.exe

description	pid	process
Token: SeDebugPrivilege	4248	Umbral.exe
Token: SeIncreaseQuotaPrivilege	4596	wmic.exe
Token: SeSecurityPrivilege	4596	wmic.exe
Token: SeTakeOwnershipPrivilege	4596	wmic.exe
Token: SeLoadDriverPrivilege	4596	wmic.exe
Token: SeSystemProfilePrivilege	4596	wmic.exe
Token: SeSystemtimePrivilege	4596	wmic.exe
Token: SeProfSingleProcessPrivilege	4596	wmic.exe
Token: SeIncBasePriorityPrivilege	4596	wmic.exe
Token: SeCreatePagefilePrivilege	4596	wmic.exe
Token: SeBackupPrivilege	4596	wmic.exe
Token: SeRestorePrivilege	4596	wmic.exe
Token: SeShutdownPrivilege	4596	wmic.exe
Token: SeDebugPrivilege	4596	wmic.exe
Token: SeSystemEnvironmentPrivilege	4596	wmic.exe
Token: SeRemoteShutdownPrivilege	4596	wmic.exe
Token: SeUndockPrivilege	4596	wmic.exe
Token: SeManageVolumePrivilege	4596	wmic.exe
Token: 33	4596	wmic.exe
Token: 34	4596	wmic.exe
Token: 35	4596	wmic.exe
Token: 36	4596	wmic.exe
Token: SeIncreaseQuotaPrivilege	4596	wmic.exe
Token: SeSecurityPrivilege	4596	wmic.exe
Token: SeTakeOwnershipPrivilege	4596	wmic.exe
Token: SeLoadDriverPrivilege	4596	wmic.exe
Token: SeSystemProfilePrivilege	4596	wmic.exe
Token: SeSystemtimePrivilege	4596	wmic.exe
Token: SeProfSingleProcessPrivilege	4596	wmic.exe
Token: SeIncBasePriorityPrivilege	4596	wmic.exe
Token: SeCreatePagefilePrivilege	4596	wmic.exe
Token: SeBackupPrivilege	4596	wmic.exe
Token: SeRestorePrivilege	4596	wmic.exe
Token: SeShutdownPrivilege	4596	wmic.exe
Token: SeDebugPrivilege	4596	wmic.exe
Token: SeSystemEnvironmentPrivilege	4596	wmic.exe
Token: SeRemoteShutdownPrivilege	4596	wmic.exe
Token: SeUndockPrivilege	4596	wmic.exe
Token: SeManageVolumePrivilege	4596	wmic.exe
Token: 33	4596	wmic.exe
Token: 34	4596	wmic.exe
Token: 35	4596	wmic.exe
Token: 36	4596	wmic.exe
Token: SeDebugPrivilege	4132	powershell.exe
Token: SeDebugPrivilege	1636	powershell.exe
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeDebugPrivilege	3268	powershell.exe
Token: SeIncreaseQuotaPrivilege	3988	wmic.exe
Token: SeSecurityPrivilege	3988	wmic.exe
Token: SeTakeOwnershipPrivilege	3988	wmic.exe
Token: SeLoadDriverPrivilege	3988	wmic.exe
Token: SeSystemProfilePrivilege	3988	wmic.exe
Token: SeSystemtimePrivilege	3988	wmic.exe
Token: SeProfSingleProcessPrivilege	3988	wmic.exe
Token: SeIncBasePriorityPrivilege	3988	wmic.exe
Token: SeCreatePagefilePrivilege	3988	wmic.exe
Token: SeBackupPrivilege	3988	wmic.exe
Token: SeRestorePrivilege	3988	wmic.exe
Token: SeShutdownPrivilege	3988	wmic.exe
Token: SeDebugPrivilege	3988	wmic.exe
Token: SeSystemEnvironmentPrivilege	3988	wmic.exe
Token: SeRemoteShutdownPrivilege	3988	wmic.exe
Token: SeUndockPrivilege	3988	wmic.exe
Token: SeManageVolumePrivilege	3988	wmic.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

FIXER-2.3.exeUmbral.exe

description	pid	process	target process
PID 3440 wrote to memory of 4248	3440	FIXER-2.3.exe	Umbral.exe
PID 3440 wrote to memory of 4248	3440	FIXER-2.3.exe	Umbral.exe
PID 3440 wrote to memory of 2684	3440	FIXER-2.3.exe	cmd.exe
PID 3440 wrote to memory of 2684	3440	FIXER-2.3.exe	cmd.exe
PID 3440 wrote to memory of 2684	3440	FIXER-2.3.exe	cmd.exe
PID 4248 wrote to memory of 4596	4248	Umbral.exe	wmic.exe
PID 4248 wrote to memory of 4596	4248	Umbral.exe	wmic.exe
PID 4248 wrote to memory of 4132	4248	Umbral.exe	powershell.exe
PID 4248 wrote to memory of 4132	4248	Umbral.exe	powershell.exe
PID 4248 wrote to memory of 1636	4248	Umbral.exe	powershell.exe
PID 4248 wrote to memory of 1636	4248	Umbral.exe	powershell.exe
PID 4248 wrote to memory of 2644	4248	Umbral.exe	powershell.exe
PID 4248 wrote to memory of 2644	4248	Umbral.exe	powershell.exe
PID 4248 wrote to memory of 3268	4248	Umbral.exe	powershell.exe
PID 4248 wrote to memory of 3268	4248	Umbral.exe	powershell.exe
PID 4248 wrote to memory of 3988	4248	Umbral.exe	wmic.exe
PID 4248 wrote to memory of 3988	4248	Umbral.exe	wmic.exe
PID 4248 wrote to memory of 1576	4248	Umbral.exe	wmic.exe
PID 4248 wrote to memory of 1576	4248	Umbral.exe	wmic.exe
PID 4248 wrote to memory of 3480	4248	Umbral.exe	wmic.exe
PID 4248 wrote to memory of 3480	4248	Umbral.exe	wmic.exe
PID 4248 wrote to memory of 2948	4248	Umbral.exe	powershell.exe
PID 4248 wrote to memory of 2948	4248	Umbral.exe	powershell.exe
PID 4248 wrote to memory of 572	4248	Umbral.exe	wmic.exe
PID 4248 wrote to memory of 572	4248	Umbral.exe	wmic.exe

C:\Users\Admin\AppData\Local\Temp\FIXER-2.3.exe
"C:\Users\Admin\AppData\Local\Temp\FIXER-2.3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3440
- C:\Users\Admin\AppData\Local\Temp\Umbral.exe
  "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4248
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4596
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4132
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1636
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2644
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3268
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3988
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:1576
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:3480
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2948
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:572
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bum.bat" "
  2⤵
  PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1a9fa92a4f2e2ec9e244d43a6a4f8fb9

SHA1
9910190edfaccece1dfcc1d92e357772f5dae8f7

SHA256
0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

SHA512
5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
4f5f260adddac5f80eb2d1c0784a2e24

SHA1
8719894ff1664202f9e228c55f94d62dcaf12cce

SHA256
7b41d9c769cb20c7ad73e7afa44f964fd7fe66be45d2b0a2ef438dc985433202

SHA512
aa4a23298fda2e7bd6168bcb25b4a215616bccf73705e3566b6b576bf33bb9336682ace3354643332c940c5ee02eef59682a77447ba2f94e97ae0b4722ef0ba7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
57083a8e45ebe4fd84c7c0f137ec3e21

SHA1
857b5ea57f7bcf03cadee122106c6e58792a9b84

SHA256
f20102c4dc409cad3cdaf7a330c3a18a730a9d7d902b9fbee2a84186cba93d40

SHA512
4bbc21c07c05ee1f783242f0fb59324d5ff9ae18bdf892f02980d582fed83380888eeba58e1a6a321507cfd5d4fe82a328a0d3482b29633be4e3ebbeac636f87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
59b93900cda86b5663a4d2111ef0e44e

SHA1
249a631f4e755865a38a382850ccdcfe3a323908

SHA256
364187cce435ad25306a6879c58c88adf58150b705402666e609c170edd47c86

SHA512
005e069dfd2dd0026a2e4742646117eed8e48ff9c76e216978ef22d7b9bc50b83266b869712cd943095b083e04fe8c13e9c73f14a9c13f1e1ae714090dbd7594

Download Submit
C:\Users\Admin\AppData\Local\Temp\Umbral.exe

Filesize
231KB

MD5
4726eb272b00df9ffd0274d16aa7c8ae

SHA1
a3c98c19fd956d61f32e0fe214f855e4ac810904

SHA256
7b5df9094a3d6133b309f01585bb2391b4e5e4c7d91737e25399e73053b219ad

SHA512
bd8acb0ab507ac015cb213ec5baed52f60b7144c25e5b32828e8406a7a7264a708708a6149e09e80d83664eadda7381a440305e607c6511e101b51da2f2a110b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_olo22ymh.uhs.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bum.bat

Filesize
442KB

MD5
12e75cc92bd7f9350f40745437a75e0f

SHA1
4deead6e14afc6df1afd88e91fd7caa1acf37294

SHA256
0f8ebc8ff32f92408a8d383cceb1e1bc2dc0f0dfe1cffbfe808d82303c98f759

SHA512
c43fdde607adaea7f2d8949dac5db7143553f8ef498f2801180c7cdcd31353dcd80af42ce65677305432bf8e5a59bf0f728b9cb4a69a14bca0e529342f03070d

Download Submit
memory/4132-26-0x0000019043BB0000-0x0000019043BD2000-memory.dmp

Filesize
136KB

Download
memory/4248-42-0x000001FCA4210000-0x000001FCA4286000-memory.dmp

Filesize
472KB

Download
memory/4248-43-0x000001FC8B9F0000-0x000001FC8BA40000-memory.dmp

Filesize
320KB

Download
memory/4248-44-0x000001FC8B7F0000-0x000001FC8B80E000-memory.dmp

Filesize
120KB

Download
memory/4248-12-0x00007FFED5A23000-0x00007FFED5A25000-memory.dmp

Filesize
8KB

Download
memory/4248-13-0x000001FC899C0000-0x000001FC89A00000-memory.dmp

Filesize
256KB

Download
memory/4248-78-0x000001FC8B810000-0x000001FC8B81A000-memory.dmp

Filesize
40KB

Download
memory/4248-79-0x000001FC8B9A0000-0x000001FC8B9B2000-memory.dmp

Filesize
72KB

Download
memory/4248-17-0x00007FFED5A20000-0x00007FFED64E2000-memory.dmp

Filesize
10.8MB

Download
memory/4248-96-0x00007FFED5A20000-0x00007FFED64E2000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads