Analysis

  • max time kernel
    1565s
  • max time network
    1567s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    07-06-2024 19:22

General

  • Target

    TEST.exe

  • Size

    229KB

  • MD5

    9dc985d83754309760ae45747d8081c2

  • SHA1

    b60e1c39ee8da20c5bdf1df501fab12fd45eaf50

  • SHA256

    f3fdf0137c30af49a71a174e204795a0b96ef2a8a0a53fda4add34574f79005b

  • SHA512

    d0908c5e493bd83cd58e73b715c9318cb6032bb388d7c6ffbdc75b4bb813e594153a57e2ecebbe0a2d1aa0513312be16886b08ad8b91fc590217838057a730cf

  • SSDEEP

    6144:tloZM+rIkd8g+EtXHkv/iD4hYBSGELnsmd42X3WVzb8e1mzi:voZtL+EP8hYBSGELnsmd42X3WtB

Malware Config

Signatures

  • Detect Umbral payload 1 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Drops file in Drivers directory 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\TEST.exe
    "C:\Users\Admin\AppData\Local\Temp\TEST.exe"
    1⤵
    • Drops file in Drivers directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2952
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\TEST.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1736
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1284
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2484
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3004
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2988
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1748
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      2⤵
        PID:2424
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2772
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic" path win32_VideoController get name
        2⤵
        • Detects videocard installed
        PID:2828

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3DGZQ2Y6PYIYSZ92PJIC.temp

      Filesize

      7KB

      MD5

      d96f8f282a204615d3e05e1ea32c6b54

      SHA1

      502838561e7452c4fd62320b7e48954670b2f247

      SHA256

      ca8c5d9dd9d54c688e7b3fc6e8a79710ded88fe2eb7e3098b32c562fde7c2969

      SHA512

      a99b96fc32d52d8bfae92706e4dc2e691401d9aff805520f7a3d05d87947f8f4322c0ab2cd100c31fd5827eff55da34b3983a7b83c3bc5f57551df386b910507

    • memory/1284-21-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

      Filesize

      2.9MB

    • memory/1284-22-0x0000000001E20000-0x0000000001E28000-memory.dmp

      Filesize

      32KB

    • memory/1736-8-0x000000001B800000-0x000000001BAE2000-memory.dmp

      Filesize

      2.9MB

    • memory/1736-14-0x000007FEEDDD0000-0x000007FEEE76D000-memory.dmp

      Filesize

      9.6MB

    • memory/1736-9-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

      Filesize

      32KB

    • memory/1736-10-0x000007FEEDDD0000-0x000007FEEE76D000-memory.dmp

      Filesize

      9.6MB

    • memory/1736-11-0x000007FEEDDD0000-0x000007FEEE76D000-memory.dmp

      Filesize

      9.6MB

    • memory/1736-12-0x000007FEEDDD0000-0x000007FEEE76D000-memory.dmp

      Filesize

      9.6MB

    • memory/1736-13-0x000007FEEDDD0000-0x000007FEEE76D000-memory.dmp

      Filesize

      9.6MB

    • memory/1736-7-0x000007FEEE08E000-0x000007FEEE08F000-memory.dmp

      Filesize

      4KB

    • memory/1736-15-0x000007FEEDDD0000-0x000007FEEE76D000-memory.dmp

      Filesize

      9.6MB

    • memory/2772-46-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

      Filesize

      2.9MB

    • memory/2952-0-0x000007FEF5CB3000-0x000007FEF5CB4000-memory.dmp

      Filesize

      4KB

    • memory/2952-2-0x000007FEF5CB0000-0x000007FEF669C000-memory.dmp

      Filesize

      9.9MB

    • memory/2952-1-0x0000000000BA0000-0x0000000000BE0000-memory.dmp

      Filesize

      256KB

    • memory/2952-49-0x000007FEF5CB0000-0x000007FEF669C000-memory.dmp

      Filesize

      9.9MB