umbral | 2083f10b11097d67563cd88af575bd6aeb4d07fb0b016666058fd6c2072297db

General

Target

2083f10b11097d67563cd88af575bd6aeb4d07fb0b016666058fd6c2072297db.exe
Size

106KB
MD5

b06c811554508247282dc00b7a82b0ef
SHA1

1574070e54ae15a93b8a9ecd4a40a98cfb2f1a71
SHA256

2083f10b11097d67563cd88af575bd6aeb4d07fb0b016666058fd6c2072297db
SHA512

f9f1f1c75ac472e4167ecba2811eae3b66c7023bd9257c310e2469be8b796010cb0657244640e2525f46464cee894bef87d284fb02b5ee3439d3f23ab45a8c6e
SSDEEP

3072:GmqRL49gVu4HLM2daP8NJYHttq9iZLSHdUvynNe9nLsZ:GbeIM4/JY7q9SLS9Eynw9nL

Score

10^/10

umbral bootkit persistence stealer

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1188379475021410374/Ssj5Ns9zjIl8_hao3wt15snRVqwtBYjDt8QLCtqPC4z6ltGHrqIRWciPemKhTAJ3Ea_2

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000a000000012280-6.dat	family_umbral
behavioral1/memory/2524-15-0x00000000003B0000-0x00000000003F0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF 1 IoCs

resource	yara_rule
behavioral1/memory/2400-1-0x0000000000C70000-0x0000000000C90000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD

Detects executables Discord URL observed in first stage droppers 2 IoCs

resource	yara_rule
behavioral1/files/0x000a000000012280-6.dat	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/2524-15-0x00000000003B0000-0x00000000003F0000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL

Detects executables attemping to enumerate video devices using WMI 2 IoCs

resource	yara_rule
behavioral1/files/0x000a000000012280-6.dat	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
behavioral1/memory/2524-15-0x00000000003B0000-0x00000000003F0000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice

Detects executables containing possible sandbox analysis VM names 2 IoCs

resource	yara_rule
behavioral1/files/0x000a000000012280-6.dat	INDICATOR_SUSPICIOUS_EXE_SandboxComputerNames
behavioral1/memory/2524-15-0x00000000003B0000-0x00000000003F0000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxComputerNames

Detects executables containing possible sandbox analysis VM usernames 2 IoCs

resource	yara_rule
behavioral1/files/0x000a000000012280-6.dat	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2524-15-0x00000000003B0000-0x00000000003F0000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames

Detects executables containing possible sandbox system UUIDs 2 IoCs

resource	yara_rule
behavioral1/files/0x000a000000012280-6.dat	INDICATOR_SUSPICIOUS_EXE_SandboxSystemUUIDs
behavioral1/memory/2524-15-0x00000000003B0000-0x00000000003F0000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxSystemUUIDs

Deletes itself 1 IoCs

pid	Process
2812	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2524	MBR.exe
2572	MasonMBR.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\MBR = "C:\\Users\\Admin\\AppData\\Roaming\\MBR.exe"	2083f10b11097d67563cd88af575bd6aeb4d07fb0b016666058fd6c2072297db.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\MasonMBR = "C:\\Users\\Admin\\AppData\\Roaming\\MasonMBR.exe"	2083f10b11097d67563cd88af575bd6aeb4d07fb0b016666058fd6c2072297db.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MasonMBR.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2728	timeout.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2524	MBR.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 2524	2400	2083f10b11097d67563cd88af575bd6aeb4d07fb0b016666058fd6c2072297db.exe	28
PID 2400 wrote to memory of 2524	2400	2083f10b11097d67563cd88af575bd6aeb4d07fb0b016666058fd6c2072297db.exe	28
PID 2400 wrote to memory of 2524	2400	2083f10b11097d67563cd88af575bd6aeb4d07fb0b016666058fd6c2072297db.exe	28
PID 2400 wrote to memory of 2572	2400	2083f10b11097d67563cd88af575bd6aeb4d07fb0b016666058fd6c2072297db.exe	29
PID 2400 wrote to memory of 2572	2400	2083f10b11097d67563cd88af575bd6aeb4d07fb0b016666058fd6c2072297db.exe	29
PID 2400 wrote to memory of 2572	2400	2083f10b11097d67563cd88af575bd6aeb4d07fb0b016666058fd6c2072297db.exe	29
PID 2400 wrote to memory of 2812	2400	2083f10b11097d67563cd88af575bd6aeb4d07fb0b016666058fd6c2072297db.exe	30
PID 2400 wrote to memory of 2812	2400	2083f10b11097d67563cd88af575bd6aeb4d07fb0b016666058fd6c2072297db.exe	30
PID 2400 wrote to memory of 2812	2400	2083f10b11097d67563cd88af575bd6aeb4d07fb0b016666058fd6c2072297db.exe	30
PID 2812 wrote to memory of 2728	2812	cmd.exe	32
PID 2812 wrote to memory of 2728	2812	cmd.exe	32
PID 2812 wrote to memory of 2728	2812	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\2083f10b11097d67563cd88af575bd6aeb4d07fb0b016666058fd6c2072297db.exe
"C:\Users\Admin\AppData\Local\Temp\2083f10b11097d67563cd88af575bd6aeb4d07fb0b016666058fd6c2072297db.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Users\Admin\AppData\Roaming\MBR.exe
  "C:\Users\Admin\AppData\Roaming\MBR.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2524
- C:\Users\Admin\AppData\Roaming\MasonMBR.exe
  "C:\Users\Admin\AppData\Roaming\MasonMBR.exe"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  PID:2572
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp2FF6.tmp.bat""
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp2FF6.tmp.bat

Filesize
216B

MD5
4203f0c20f30efad1f63b60f9dd76552

SHA1
e880a462d62796c2252363a90e1f78a43878168d

SHA256
951dbdf1a3579368fd4ed5e670d17b6311f3ea1e0d052687435e3a6dc11331e4

SHA512
9e0d038762e498278f4dd2634f1d5b41dc5f43a4fa14f64e7ef3e00d28d4cae9dd05b12a3a4411f080b6e4ebef1ca85b3a54ce1ba080e767ea7858c1f8bd6ea7

Download Submit
C:\Users\Admin\AppData\Roaming\MBR.exe

Filesize
229KB

MD5
9a1f6daccf2852fa1f2ec50491ab56d4

SHA1
6ed12627343e7c617eee33b47b233065b89bd3a3

SHA256
5adb0dfcd3a329385f1c631c443b6438d33a5679bf7384a4252895c04ccc9c70

SHA512
9de85657f9a62bcb6768477da7cba74007e3366611f3b384710f68e8be2a69e8c0862e48412aa7d3e5c3ecab2e79faea14993fee42b771f10629b6625c90b87c

Download Submit
C:\Users\Admin\AppData\Roaming\MasonMBR.exe

Filesize
9KB

MD5
c2349cd4a8504c81b8b586a1180300d7

SHA1
d8e79516e0624dfc57440927fb6ddb0db8d2f1d6

SHA256
d1d1cf219e5da72d91b2371df9d5952106a67dd4d7dddbf5f6da254aa7e7070e

SHA512
5ec457bf5709ce42b87742d0305b72a887ce1abda2fed10378c3312d8b2a5a6c1b87e433faafe94f561da1d47a036ffa35d3e416f0a09ccba25129b7f954992e

Download Submit
memory/2400-0-0x000007FEF60B3000-0x000007FEF60B4000-memory.dmp

Filesize
4KB

Download
memory/2400-1-0x0000000000C70000-0x0000000000C90000-memory.dmp

Filesize
128KB

Download
memory/2400-24-0x000007FEF60B0000-0x000007FEF6A9C000-memory.dmp

Filesize
9.9MB

Download
memory/2400-25-0x000007FEF60B0000-0x000007FEF6A9C000-memory.dmp

Filesize
9.9MB

Download
memory/2524-15-0x00000000003B0000-0x00000000003F0000-memory.dmp

Filesize
256KB

Download
memory/2572-14-0x0000000001020000-0x0000000001028000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads