Overview

overview

10

Static

static

10

Roblox Player .exe

windows7-x64

10

Analysis

  • max time kernel
    761s
  • max time network
    760s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    22-06-2024 06:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Roblox Player .exe

  • Size

    231KB

  • MD5

    1d709b2e5422c136f062b0bdb9a78cc4

  • SHA1

    bd191bca3ebcca8c555980765b7803a332970942

  • SHA256

    513d5b3d2483934b6bc89539cac383aa5a04cdd6355c582db452b276453f48e9

  • SHA512

    f2796b21545150263269bc23323897f65219e7a51b25f91f1d42c5f6b1120cf5363a6dc269f4dd688224b168f4d40cbab90d66de12129220dad9d9881c2a982e

  • SSDEEP

    6144:1loZMVhmJcoHwtuvAXT2CyRtImt6YXzQCsp8aLLyxkb8e1m5rrZA:XoZ1rHwG9Rymt6YXzQhp8aLLyCara

Score
10/10
umbralstealer

Malware Config

Signatures

  • Detect Umbral payload 1 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 36 IoCs
  • Suspicious use of SendNotifyMessage 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Roblox Player .exe
    "C:\Users\Admin\AppData\Local\Temp\Roblox Player .exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1656
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2328
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\New Text Document.txt
    1⤵
      PID:856
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
      1⤵
        PID:3024
      • C:\Windows\system32\AUDIODG.EXE
        C:\Windows\system32\AUDIODG.EXE 0x514
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1252

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1656-0-0x000007FEF5753000-0x000007FEF5754000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1656-1-0x0000000001330000-0x0000000001370000-memory.dmp

        Filesize

        256KB

        Download

      • memory/1656-2-0x000007FEF5750000-0x000007FEF613C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/1656-3-0x000007FEF5753000-0x000007FEF5754000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1656-4-0x000007FEF5750000-0x000007FEF613C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2328-5-0x0000000140000000-0x00000001405E8000-memory.dmp

        Filesize

        5.9MB

        Download

      • memory/2328-6-0x0000000140000000-0x00000001405E8000-memory.dmp

        Filesize

        5.9MB

        Download