Malware Analysis Report

2024-10-10 10:00

Sample ID 240622-x258csvfrm
Target 2083f10b11097d67563cd88af575bd6aeb4d07fb0b016666058fd6c2072297db
SHA256 2083f10b11097d67563cd88af575bd6aeb4d07fb0b016666058fd6c2072297db
Tags
umbral bootkit persistence stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2083f10b11097d67563cd88af575bd6aeb4d07fb0b016666058fd6c2072297db

Threat Level: Known bad

The file 2083f10b11097d67563cd88af575bd6aeb4d07fb0b016666058fd6c2072297db was found to be: Known bad.

Malicious Activity Summary

umbral bootkit persistence stealer

Umbral

Detect Umbral payload

Detects Windows executables bypassing UAC using CMSTP utility, command line and INF

Detects executables containing a Discord URL observed in first stage droppers

Detects Windows executables bypassing UAC using CMSTP utility, command line and INF

Detects executables containing possible sandbox analysis VM usernames

Detects executables containing possible sandbox system UUIDs

Detects executables containing possible sandbox analysis VM names

Detects executables attempting to enumerate video devices using WMI

Checks computer location settings

Deletes itself

Executes dropped EXE

Writes to the Master Boot Record (MBR)

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Delays execution with timeout.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-22 19:21

Signatures

Detects Windows executables bypassing UAC using CMSTP utility, command line and INF

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-22 19:21

Reported

2024-06-22 19:24

Platform

win7-20240508-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2083f10b11097d67563cd88af575bd6aeb4d07fb0b016666058fd6c2072297db.exe"

Signatures

Detect Umbral payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Umbral

stealer umbral

Detects Windows executables bypassing UAC using CMSTP utility, command line and INF

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables containing a Discord URL observed in first stage droppers

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables attempting to enumerate video devices using WMI

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables containing possible sandbox analysis VM names

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables containing possible sandbox analysis VM usernames

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables containing possible sandbox system UUIDs

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\MBR.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\MasonMBR.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\MBR = "C:\\Users\\Admin\\AppData\\Roaming\\MBR.exe" C:\Users\Admin\AppData\Local\Temp\2083f10b11097d67563cd88af575bd6aeb4d07fb0b016666058fd6c2072297db.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\MasonMBR = "C:\\Users\\Admin\\AppData\\Roaming\\MasonMBR.exe" C:\Users\Admin\AppData\Local\Temp\2083f10b11097d67563cd88af575bd6aeb4d07fb0b016666058fd6c2072297db.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Roaming\MasonMBR.exe N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\MBR.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2400 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2083f10b11097d67563cd88af575bd6aeb4d07fb0b016666058fd6c2072297db.exe C:\Users\Admin\AppData\Roaming\MBR.exe
PID 2400 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2083f10b11097d67563cd88af575bd6aeb4d07fb0b016666058fd6c2072297db.exe C:\Users\Admin\AppData\Roaming\MBR.exe
PID 2400 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2083f10b11097d67563cd88af575bd6aeb4d07fb0b016666058fd6c2072297db.exe C:\Users\Admin\AppData\Roaming\MBR.exe
PID 2400 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\2083f10b11097d67563cd88af575bd6aeb4d07fb0b016666058fd6c2072297db.exe C:\Users\Admin\AppData\Roaming\MasonMBR.exe
PID 2400 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\2083f10b11097d67563cd88af575bd6aeb4d07fb0b016666058fd6c2072297db.exe C:\Users\Admin\AppData\Roaming\MasonMBR.exe
PID 2400 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\2083f10b11097d67563cd88af575bd6aeb4d07fb0b016666058fd6c2072297db.exe C:\Users\Admin\AppData\Roaming\MasonMBR.exe
PID 2400 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2083f10b11097d67563cd88af575bd6aeb4d07fb0b016666058fd6c2072297db.exe C:\Windows\system32\cmd.exe
PID 2400 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2083f10b11097d67563cd88af575bd6aeb4d07fb0b016666058fd6c2072297db.exe C:\Windows\system32\cmd.exe
PID 2400 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2083f10b11097d67563cd88af575bd6aeb4d07fb0b016666058fd6c2072297db.exe C:\Windows\system32\cmd.exe
PID 2812 wrote to memory of 2728 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2812 wrote to memory of 2728 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2812 wrote to memory of 2728 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2083f10b11097d67563cd88af575bd6aeb4d07fb0b016666058fd6c2072297db.exe

"C:\Users\Admin\AppData\Local\Temp\2083f10b11097d67563cd88af575bd6aeb4d07fb0b016666058fd6c2072297db.exe"

C:\Users\Admin\AppData\Roaming\MBR.exe

"C:\Users\Admin\AppData\Roaming\MBR.exe"

C:\Users\Admin\AppData\Roaming\MasonMBR.exe

"C:\Users\Admin\AppData\Roaming\MasonMBR.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp2FF6.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

Network

Country Destination Domain Proto
US 8.8.8.8:53 gstatic.com udp
US 8.8.8.8:53 gstatic.com udp

Files

memory/2400-0-0x000007FEF60B3000-0x000007FEF60B4000-memory.dmp

memory/2400-1-0x0000000000C70000-0x0000000000C90000-memory.dmp

C:\Users\Admin\AppData\Roaming\MBR.exe

MD5 9a1f6daccf2852fa1f2ec50491ab56d4
SHA1 6ed12627343e7c617eee33b47b233065b89bd3a3
SHA256 5adb0dfcd3a329385f1c631c443b6438d33a5679bf7384a4252895c04ccc9c70
SHA512 9de85657f9a62bcb6768477da7cba74007e3366611f3b384710f68e8be2a69e8c0862e48412aa7d3e5c3ecab2e79faea14993fee42b771f10629b6625c90b87c

C:\Users\Admin\AppData\Roaming\MasonMBR.exe

MD5 c2349cd4a8504c81b8b586a1180300d7
SHA1 d8e79516e0624dfc57440927fb6ddb0db8d2f1d6
SHA256 d1d1cf219e5da72d91b2371df9d5952106a67dd4d7dddbf5f6da254aa7e7070e
SHA512 5ec457bf5709ce42b87742d0305b72a887ce1abda2fed10378c3312d8b2a5a6c1b87e433faafe94f561da1d47a036ffa35d3e416f0a09ccba25129b7f954992e

memory/2524-15-0x00000000003B0000-0x00000000003F0000-memory.dmp

memory/2572-14-0x0000000001020000-0x0000000001028000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp2FF6.tmp.bat

MD5 4203f0c20f30efad1f63b60f9dd76552
SHA1 e880a462d62796c2252363a90e1f78a43878168d
SHA256 951dbdf1a3579368fd4ed5e670d17b6311f3ea1e0d052687435e3a6dc11331e4
SHA512 9e0d038762e498278f4dd2634f1d5b41dc5f43a4fa14f64e7ef3e00d28d4cae9dd05b12a3a4411f080b6e4ebef1ca85b3a54ce1ba080e767ea7858c1f8bd6ea7

memory/2400-24-0x000007FEF60B0000-0x000007FEF6A9C000-memory.dmp

memory/2400-25-0x000007FEF60B0000-0x000007FEF6A9C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-22 19:21

Reported

2024-06-22 19:24

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2083f10b11097d67563cd88af575bd6aeb4d07fb0b016666058fd6c2072297db.exe"

Signatures

Detect Umbral payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Umbral

stealer umbral

Detects Windows executables bypassing UAC using CMSTP utility, command line and INF

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables containing a Discord URL observed in first stage droppers

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables attempting to enumerate video devices using WMI

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables containing possible sandbox analysis VM names

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables containing possible sandbox analysis VM usernames

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables containing possible sandbox system UUIDs

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2083f10b11097d67563cd88af575bd6aeb4d07fb0b016666058fd6c2072297db.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\MBR.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\MasonMBR.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MBR = "C:\\Users\\Admin\\AppData\\Roaming\\MBR.exe" C:\Users\Admin\AppData\Local\Temp\2083f10b11097d67563cd88af575bd6aeb4d07fb0b016666058fd6c2072297db.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MasonMBR = "C:\\Users\\Admin\\AppData\\Roaming\\MasonMBR.exe" C:\Users\Admin\AppData\Local\Temp\2083f10b11097d67563cd88af575bd6aeb4d07fb0b016666058fd6c2072297db.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Roaming\MasonMBR.exe N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\MBR.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2083f10b11097d67563cd88af575bd6aeb4d07fb0b016666058fd6c2072297db.exe

"C:\Users\Admin\AppData\Local\Temp\2083f10b11097d67563cd88af575bd6aeb4d07fb0b016666058fd6c2072297db.exe"

C:\Users\Admin\AppData\Roaming\MBR.exe

"C:\Users\Admin\AppData\Roaming\MBR.exe"

C:\Users\Admin\AppData\Roaming\MasonMBR.exe

"C:\Users\Admin\AppData\Roaming\MasonMBR.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp52F2.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

Network

Country Destination Domain Proto
US 8.8.8.8:53 gstatic.com udp
US 8.8.8.8:53 gstatic.com udp
US 8.8.8.8:53 gstatic.com udp

Files

memory/4228-0-0x00007FFFEFE53000-0x00007FFFEFE55000-memory.dmp

memory/4228-1-0x0000000000520000-0x0000000000540000-memory.dmp

memory/4228-4-0x00007FFFEFE50000-0x00007FFFF0911000-memory.dmp

C:\Users\Admin\AppData\Roaming\MBR.exe

MD5 9a1f6daccf2852fa1f2ec50491ab56d4
SHA1 6ed12627343e7c617eee33b47b233065b89bd3a3
SHA256 5adb0dfcd3a329385f1c631c443b6438d33a5679bf7384a4252895c04ccc9c70
SHA512 9de85657f9a62bcb6768477da7cba74007e3366611f3b384710f68e8be2a69e8c0862e48412aa7d3e5c3ecab2e79faea14993fee42b771f10629b6625c90b87c

C:\Users\Admin\AppData\Roaming\MasonMBR.exe

MD5 c2349cd4a8504c81b8b586a1180300d7
SHA1 d8e79516e0624dfc57440927fb6ddb0db8d2f1d6
SHA256 d1d1cf219e5da72d91b2371df9d5952106a67dd4d7dddbf5f6da254aa7e7070e
SHA512 5ec457bf5709ce42b87742d0305b72a887ce1abda2fed10378c3312d8b2a5a6c1b87e433faafe94f561da1d47a036ffa35d3e416f0a09ccba25129b7f954992e

memory/5040-24-0x000001E20C200000-0x000001E20C240000-memory.dmp

memory/2860-32-0x0000013F4BC40000-0x0000013F4BC48000-memory.dmp

memory/5040-31-0x00007FFFEFE50000-0x00007FFFF0911000-memory.dmp

memory/4228-34-0x00007FFFEFE50000-0x00007FFFF0911000-memory.dmp

memory/2860-35-0x00007FFFEFE50000-0x00007FFFF0911000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp52F2.tmp.bat

MD5 4cc283c0b194388d6494a3a8483aca63
SHA1 d8711491be0708fe076e517ad6b92f6f01912938
SHA256 4c3757ad641d9d4ff1c74ec2550e3560172b7b83f3058e6eb070de2a3a58101e
SHA512 dc95c055d9ee3bfcfd4b2aa858124752ada5611368b0a88991085fc76b5f1117900aa332e066c081e5eb94f9047dcc339f4bbb0b95ae07d70eb6fcfb2a0ec35d

memory/5040-37-0x00007FFFEFE50000-0x00007FFFF0911000-memory.dmp

memory/2860-38-0x00007FFFEFE50000-0x00007FFFF0911000-memory.dmp