Overview

overview

10

Static

static

10

Umbral.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    149s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240709-en
  • resource tags

    arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    25-07-2024 02:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Umbral.exe

  • Size

    231KB

  • MD5

    967320916645d064c55bbb046526df05

  • SHA1

    c1a16294e93796b74ec339f4824ca52ed8168bc1

  • SHA256

    95898a7768f940dafb72443fae1572a25a631acb5e7481e0940939f4016db636

  • SHA512

    f9284986eb87df0995311c97a7983988d927379b9403ee01a8db65482a1f457f73b5ae3eb916b42fb4e0bb0496ae52454146d69098b9141dd507f8a82dbd3bdd

  • SSDEEP

    6144:RloZM3rIkd8g+EtXHkv/iD4VVnRLxCqVhQhTuOLzRMb8e1mvii:joZIL+EP8VVnRLxCqVhQhTuOL283

Score
10/10
umbralexecutionstealer

Malware Config

Signatures

  • Detect Umbral payload 1 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Umbral.exe
    "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4652
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3164
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2904
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3364
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1592
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      2⤵
        PID:1772
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:2768
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic" path win32_VideoController get name
        2⤵
        • Detects videocard installed
        PID:1496

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      627073ee3ca9676911bee35548eff2b8

      SHA1

      4c4b68c65e2cab9864b51167d710aa29ebdcff2e

      SHA256

      85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

      SHA512

      3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      1a9fa92a4f2e2ec9e244d43a6a4f8fb9

      SHA1

      9910190edfaccece1dfcc1d92e357772f5dae8f7

      SHA256

      0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

      SHA512

      5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      948B

      MD5

      6bddc96a32b9ed8fc70b141ccf4a39b2

      SHA1

      0f33c0699da40a5eadcec646791cf21cdb0dd7c6

      SHA256

      cb3853abe77eb0da8a1caccb49e97a573b6f35570722eb759116a645d724c132

      SHA512

      e41f1597b4129b759e4199db195df1c24e47cc47dc9850fab2d48e44bc3d37dc3658fbfbb62332a0b93c552587d7fab09de1634f605faa2209b8470c2a6eaca6

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u54t1g0t.m1z.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • memory/3164-15-0x00007FF950550000-0x00007FF951012000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3164-11-0x000001CAF6F30000-0x000001CAF6F52000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3164-13-0x00007FF950550000-0x00007FF951012000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3164-14-0x00007FF950550000-0x00007FF951012000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3164-12-0x00007FF950550000-0x00007FF951012000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3164-18-0x00007FF950550000-0x00007FF951012000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4652-2-0x00007FF950550000-0x00007FF951012000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4652-0-0x00007FF950553000-0x00007FF950555000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4652-31-0x00000155CBDF0000-0x00000155CBE02000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4652-30-0x00000155CBDB0000-0x00000155CBDBA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4652-33-0x00000155CBE90000-0x00000155CBF06000-memory.dmp

      Filesize

      472KB

      Download

    • memory/4652-34-0x00000155CBE10000-0x00000155CBE2E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4652-1-0x00000155B1610000-0x00000155B1650000-memory.dmp

      Filesize

      256KB

      Download

    • memory/4652-46-0x00007FF950550000-0x00007FF951012000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4652-49-0x00007FF950550000-0x00007FF951012000-memory.dmp

      Filesize

      10.8MB

      Download