umbral | 91a8f24b813ec8f33e1222a9996cdfe5c4c0dd56cb922a113a87953878b065a9

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
30-07-2024 03:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GeforceChair0.22.exe
Size

231KB
MD5

4889fe4c6bc9c53e9e53983517727fa8
SHA1

3964bac164a7cdc3a0cddd46f8d3aab5e568b515
SHA256

91a8f24b813ec8f33e1222a9996cdfe5c4c0dd56cb922a113a87953878b065a9
SHA512

f44368d7406db49db31b13f578e968a053e100d49cd2dbf05dabe3a4f3e9412e8fd2ce6ac0c363f34091f5e7af78769ca0cc1b6020f7e8e9a313813a575c7100
SSDEEP

6144:BloZM0rIkd8g+EtXHkv/iD4i/QClL8e1m+cOi:zoZDL+EP8IpHE

Score

10^/10

umbral credential_access execution spyware stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral1/memory/2516-1-0x00000000009D0000-0x0000000000A10000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2792	powershell.exe
2756	powershell.exe
2816	powershell.exe
1688	powershell.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
9	discord.com
10	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ip-api.com

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2876	wmic.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2516	GeforceChair0.22.exe
2792	powershell.exe
2756	powershell.exe
2816	powershell.exe
3016	powershell.exe
1688	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2516	GeforceChair0.22.exe
Token: SeIncreaseQuotaPrivilege	1680	wmic.exe
Token: SeSecurityPrivilege	1680	wmic.exe
Token: SeTakeOwnershipPrivilege	1680	wmic.exe
Token: SeLoadDriverPrivilege	1680	wmic.exe
Token: SeSystemProfilePrivilege	1680	wmic.exe
Token: SeSystemtimePrivilege	1680	wmic.exe
Token: SeProfSingleProcessPrivilege	1680	wmic.exe
Token: SeIncBasePriorityPrivilege	1680	wmic.exe
Token: SeCreatePagefilePrivilege	1680	wmic.exe
Token: SeBackupPrivilege	1680	wmic.exe
Token: SeRestorePrivilege	1680	wmic.exe
Token: SeShutdownPrivilege	1680	wmic.exe
Token: SeDebugPrivilege	1680	wmic.exe
Token: SeSystemEnvironmentPrivilege	1680	wmic.exe
Token: SeRemoteShutdownPrivilege	1680	wmic.exe
Token: SeUndockPrivilege	1680	wmic.exe
Token: SeManageVolumePrivilege	1680	wmic.exe
Token: 33	1680	wmic.exe
Token: 34	1680	wmic.exe
Token: 35	1680	wmic.exe
Token: SeIncreaseQuotaPrivilege	1680	wmic.exe
Token: SeSecurityPrivilege	1680	wmic.exe
Token: SeTakeOwnershipPrivilege	1680	wmic.exe
Token: SeLoadDriverPrivilege	1680	wmic.exe
Token: SeSystemProfilePrivilege	1680	wmic.exe
Token: SeSystemtimePrivilege	1680	wmic.exe
Token: SeProfSingleProcessPrivilege	1680	wmic.exe
Token: SeIncBasePriorityPrivilege	1680	wmic.exe
Token: SeCreatePagefilePrivilege	1680	wmic.exe
Token: SeBackupPrivilege	1680	wmic.exe
Token: SeRestorePrivilege	1680	wmic.exe
Token: SeShutdownPrivilege	1680	wmic.exe
Token: SeDebugPrivilege	1680	wmic.exe
Token: SeSystemEnvironmentPrivilege	1680	wmic.exe
Token: SeRemoteShutdownPrivilege	1680	wmic.exe
Token: SeUndockPrivilege	1680	wmic.exe
Token: SeManageVolumePrivilege	1680	wmic.exe
Token: 33	1680	wmic.exe
Token: 34	1680	wmic.exe
Token: 35	1680	wmic.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeDebugPrivilege	2816	powershell.exe
Token: SeDebugPrivilege	3016	powershell.exe
Token: SeIncreaseQuotaPrivilege	1972	wmic.exe
Token: SeSecurityPrivilege	1972	wmic.exe
Token: SeTakeOwnershipPrivilege	1972	wmic.exe
Token: SeLoadDriverPrivilege	1972	wmic.exe
Token: SeSystemProfilePrivilege	1972	wmic.exe
Token: SeSystemtimePrivilege	1972	wmic.exe
Token: SeProfSingleProcessPrivilege	1972	wmic.exe
Token: SeIncBasePriorityPrivilege	1972	wmic.exe
Token: SeCreatePagefilePrivilege	1972	wmic.exe
Token: SeBackupPrivilege	1972	wmic.exe
Token: SeRestorePrivilege	1972	wmic.exe
Token: SeShutdownPrivilege	1972	wmic.exe
Token: SeDebugPrivilege	1972	wmic.exe
Token: SeSystemEnvironmentPrivilege	1972	wmic.exe
Token: SeRemoteShutdownPrivilege	1972	wmic.exe
Token: SeUndockPrivilege	1972	wmic.exe
Token: SeManageVolumePrivilege	1972	wmic.exe
Token: 33	1972	wmic.exe
Token: 34	1972	wmic.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2516 wrote to memory of 1680	2516	GeforceChair0.22.exe	30
PID 2516 wrote to memory of 1680	2516	GeforceChair0.22.exe	30
PID 2516 wrote to memory of 1680	2516	GeforceChair0.22.exe	30
PID 2516 wrote to memory of 2792	2516	GeforceChair0.22.exe	33
PID 2516 wrote to memory of 2792	2516	GeforceChair0.22.exe	33
PID 2516 wrote to memory of 2792	2516	GeforceChair0.22.exe	33
PID 2516 wrote to memory of 2756	2516	GeforceChair0.22.exe	35
PID 2516 wrote to memory of 2756	2516	GeforceChair0.22.exe	35
PID 2516 wrote to memory of 2756	2516	GeforceChair0.22.exe	35
PID 2516 wrote to memory of 2816	2516	GeforceChair0.22.exe	37
PID 2516 wrote to memory of 2816	2516	GeforceChair0.22.exe	37
PID 2516 wrote to memory of 2816	2516	GeforceChair0.22.exe	37
PID 2516 wrote to memory of 3016	2516	GeforceChair0.22.exe	39
PID 2516 wrote to memory of 3016	2516	GeforceChair0.22.exe	39
PID 2516 wrote to memory of 3016	2516	GeforceChair0.22.exe	39
PID 2516 wrote to memory of 1972	2516	GeforceChair0.22.exe	41
PID 2516 wrote to memory of 1972	2516	GeforceChair0.22.exe	41
PID 2516 wrote to memory of 1972	2516	GeforceChair0.22.exe	41
PID 2516 wrote to memory of 1560	2516	GeforceChair0.22.exe	43
PID 2516 wrote to memory of 1560	2516	GeforceChair0.22.exe	43
PID 2516 wrote to memory of 1560	2516	GeforceChair0.22.exe	43
PID 2516 wrote to memory of 1232	2516	GeforceChair0.22.exe	45
PID 2516 wrote to memory of 1232	2516	GeforceChair0.22.exe	45
PID 2516 wrote to memory of 1232	2516	GeforceChair0.22.exe	45
PID 2516 wrote to memory of 1688	2516	GeforceChair0.22.exe	47
PID 2516 wrote to memory of 1688	2516	GeforceChair0.22.exe	47
PID 2516 wrote to memory of 1688	2516	GeforceChair0.22.exe	47
PID 2516 wrote to memory of 2876	2516	GeforceChair0.22.exe	49
PID 2516 wrote to memory of 2876	2516	GeforceChair0.22.exe	49
PID 2516 wrote to memory of 2876	2516	GeforceChair0.22.exe	49

C:\Users\Admin\AppData\Local\Temp\GeforceChair0.22.exe
"C:\Users\Admin\AppData\Local\Temp\GeforceChair0.22.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\GeforceChair0.22.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2756
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2816
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3016
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1972
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  PID:1560
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:1232
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1688
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
fb7d0a55f64aa75ace444ee79be9e041

SHA1
9874bca05da36e0bb4c5b55adbc3279963f48294

SHA256
90c03cea0ec5ed16cceeb3f2e4f12e16fc460a64c3d9ef5129a9869e252991de

SHA512
8f0abeff017a5a768efe1be9e52c357292b75fc78798c4542fdcc026d47137148c42246dc8e6664bb1367146ba637d80da7c7d45cb22c964b372ed7e2d966f17

Download Submit
memory/1688-43-0x0000000002220000-0x0000000002228000-memory.dmp

Filesize
32KB

Download
memory/2516-0-0x000007FEF5413000-0x000007FEF5414000-memory.dmp

Filesize
4KB

Download
memory/2516-1-0x00000000009D0000-0x0000000000A10000-memory.dmp

Filesize
256KB

Download
memory/2516-2-0x000007FEF5410000-0x000007FEF5DFC000-memory.dmp

Filesize
9.9MB

Download
memory/2516-47-0x000007FEF5410000-0x000007FEF5DFC000-memory.dmp

Filesize
9.9MB

Download
memory/2756-14-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/2756-15-0x0000000002890000-0x0000000002898000-memory.dmp

Filesize
32KB

Download
memory/2792-7-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

Filesize
2.9MB

Download
memory/2792-8-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download