Analysis
Max time kernel: 119s
Max time network: 120s
Platform: windows7_x64
Resource: win7-20240705-en
Resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
Submitted: 05-08-2024 15:26

Behavioral task: behavioral1
Sample: Umbral.exe
Resource: win7-20240705-en
General
Target: Umbral.exe
Size: 231KB
MD5: 37040bc6e02b555d9062631211678bc9
SHA1: cb2f4548ce9bd51ce42301ffa74130d9c6098ad5
SHA256: 3294164d79836fe3765e57e50dd0ac898164ccc049f097fb2deb2725478aa583
SHA512: e5db52931152bef14e1dda82288a1f4265d79c4c4ad08f143994b2b60b2b530dfbcdcb1468bd70e5799a55b2a4f02565249e0d41944032bbd43a296757d9754c
SSDEEP: 6144:RloZM+rIkd8g+EtXHkv/iD4FxEe9rI8jB67NokR4cb8e1mtqpui:joZtL+EP8FxEe9rI8jB67NokRxuqR
Malware Config
Signatures

Detect Umbral payload (1 IoC)
  resource: behavioral1/memory/3040-1-0x0000000000DD0000-0x0000000000E10000-memory.dmp
  yara_rule: family_umbral

Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
  Malicious access to, or copy of, a web browser credential store.

Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
  Runs PowerShell to modify Windows Defender settings and add exclusions for file extensions, paths, and processes.
  pid / Process: 2972 powershell.exe; 2608 powershell.exe; 1468 powershell.exe; 1556 powershell.exe

Drops file in Drivers directory (1 IoC)
  description / ioc / Process: File opened for modification; C:\Windows\System32\drivers\etc\hosts; Umbral.exe

Deletes itself (1 IoC)
  pid / Process: 1092 cmd.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow / ioc: 10 discord.com; 11 discord.com

Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow / ioc: 7 ip-api.com

System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 2 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  pid / Process: 1092 cmd.exe; 1668 PING.EXE

Detects videocard installed (1 TTP, 1 IoC)
  Uses WMIC.exe to determine the installed video card.
  pid / Process: 1508 wmic.exe

Runs ping.exe (1 TTP, 1 IoC)
  pid / Process: 1668 PING.EXE

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid / Process: 3040 Umbral.exe; 2972 powershell.exe; 2608 powershell.exe; 1468 powershell.exe; 1992 powershell.exe; 1556 powershell.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of WriteProcessMemory (39 IoCs)
Views/modifies file attributes (1 TTP, 1 IoC)
  pid / Process: 2376 attrib.exe
Processes

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
  PID: 3040
  - Drops file in Drivers directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\Wbem\wmic.exe
    Command line: "wmic.exe" csproduct get uuid
    PID: 2508
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\attrib.exe
    Command line: "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
    PID: 2376
    - Views/modifies file attributes

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
    PID: 2972
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    PID: 2608
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    PID: 1468
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    PID: 1992
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\Wbem\wmic.exe
    Command line: "wmic.exe" os get Caption
    PID: 2164
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\Wbem\wmic.exe
    Command line: "wmic.exe" computersystem get totalphysicalmemory
    PID: 1872

  C:\Windows\System32\Wbem\wmic.exe
    Command line: "wmic.exe" csproduct get uuid
    PID: 2212

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    PID: 1556
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses

  C:\Windows\System32\Wbem\wmic.exe
    Command line: "wmic" path win32_VideoController get name
    PID: 1508
    - Detects videocard installed

  C:\Windows\system32\cmd.exe
    Command line: "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
    PID: 1092
    - Deletes itself
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\PING.EXE
      Command line: ping localhost
      PID: 1668
      - System Network Configuration Discovery: Internet Connection Discovery
      - Runs ping.exe
Network

Remote address: 8.8.8.8:53
  Request: gstatic.com IN A
  Response: gstatic.com IN A 172.217.23.195

Remote address: 8.8.8.8:53
  Request: gstatic.com IN A

Remote address: 172.217.23.195:443
  Request:
    GET /generate_204 HTTP/1.1
    Host: gstatic.com
    Connection: Keep-Alive
  Response:
    HTTP/1.1 204 No Content
    Cross-Origin-Resource-Policy: cross-origin
    Date: Mon, 05 Aug 2024 15:27:10 GMT
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000

Remote address: 172.217.23.195:443
  Request:
    GET /generate_204 HTTP/1.1
    Host: gstatic.com
    Connection: Keep-Alive
  Response:
    HTTP/1.1 204 No Content
    Cross-Origin-Resource-Policy: cross-origin
    Date: Mon, 05 Aug 2024 15:28:08 GMT
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000

Remote address: 8.8.8.8:53
  Request: ip-api.com IN A
  Response: ip-api.com IN A 208.95.112.1

Remote address: 208.95.112.1:80
  Request:
    GET /line/?fields=hosting HTTP/1.1
    Host: ip-api.com
    Connection: Keep-Alive
  Response:
    HTTP/1.1 200 OK
    Content-Type: text/plain; charset=utf-8
    Content-Length: 6
    Access-Control-Allow-Origin: *
    X-Ttl: 42
    X-Rl: 41

Remote address: 208.95.112.1:80
  Request:
    GET /json/?fields=225545 HTTP/1.1
    Host: ip-api.com
  Response:
    HTTP/1.1 200 OK
    Content-Type: application/json; charset=utf-8
    Content-Length: 161
    Access-Control-Allow-Origin: *
    X-Ttl: 60
    X-Rl: 44

Remote address: 8.8.8.8:53
  Request: discord.com IN A
  Response: discord.com IN A 162.159.138.232; discord.com IN A 162.159.135.232; discord.com IN A 162.159.137.232; discord.com IN A 162.159.136.232; discord.com IN A 162.159.128.233

Remote address: 8.8.8.8:53
  Request: discord.com IN A

Remote address: 8.8.8.8:53
  Request: discord.com IN A

1.5kB 4.9kB 16 11
  HTTP Request: GET https://gstatic.com/generate_204
  HTTP Response: 204

621 B 572 B 7 5
  HTTP Request: GET https://gstatic.com/generate_204
  HTTP Response: 204

310 B 267 B 5 2
  HTTP Request: GET http://ip-api.com/line/?fields=hosting
  HTTP Response: 200

285 B 510 B 5 4
  HTTP Request: GET http://ip-api.com/json/?fields=225545
  HTTP Response: 200

345 B 219 B 5 5

114 B 73 B 2 1
  DNS Request: gstatic.com
  DNS Request: gstatic.com
  DNS Response: 172.217.23.195

56 B 72 B 1 1
  DNS Request: ip-api.com
  DNS Response: 208.95.112.1

171 B 137 B 3 1
  DNS Request: discord.com
  DNS Request: discord.com
  DNS Request: discord.com
  DNS Response: 162.159.138.232, 162.159.135.232, 162.159.137.232, 162.159.136.232, 162.159.128.233
MITRE ATT&CK Enterprise v15
Credential Access
  Credentials from Password Stores (1)
  Credentials from Web Browsers (1)
  Unsecured Credentials (1)
  Credentials In Files (1)
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: fbe2b67bb3b86013da8d8cf2e9fe89bc
  SHA1: d8de7ccc68024d275b24e2e3dd9aa52e77dde66f
  SHA256: b5d6db00f75712561c86da22a18ddcbfbc2a07ed13826c2fd04e53b582604a45
  SHA512: f4d96bec2ff4ad0dad70249f36a7e43547fd2dd360bc75ae83268e07b9dfa81c38ca9f23580c7692f0aad48f8c5e70652a2a23d21ea7adf919e2d950f08aa2df