Analysis
-
max time kernel
91s -
max time network
93s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system -
submitted
05-08-2024 16:04
General
-
Target
Umbral.exe
-
Size
496KB
-
MD5
2989b8a064354c5fa729d713b84df30e
-
SHA1
a8f8065b500258e7b768c59f9c6f57932d4bcfa1
-
SHA256
bbdd54660f7cfee0d7ec0d5afa51900142c029ae48e71f8d4f834cac00b1761b
-
SHA512
0d5b22d39dff8030755bb120c598aec238549100fb53c40468be7f6adb036867bf464fc9c71b204824f7042faa18cbb90ab199ce450844371b42b79c22fb3e94
-
SSDEEP
12288:VoZtL+EP8jNMGxfEY3tmfh8ItWCw8ZOG:jI85MGxfEY3tmfh8ItDwaO
Malware Config
Signatures
-
Detect Umbral payload 1 IoCs
resource yara_rule behavioral1/memory/2840-0-0x0000023515DB0000-0x0000023515E32000-memory.dmp family_umbral -
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 3836 powershell.exe 1568 powershell.exe 2736 powershell.exe 1444 powershell.exe -
Drops file in Drivers directory 1 IoCs
description ioc Process File opened for modification C:\Windows\System32\drivers\etc\hosts Umbral.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 5 discord.com 1 discord.com -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 1 ip-api.com -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 1076 cmd.exe 4848 PING.EXE -
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.
pid Process 4616 wmic.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 4848 PING.EXE -
Suspicious behavior: EnumeratesProcesses 11 IoCs
pid Process 2840 Umbral.exe 3836 powershell.exe 3836 powershell.exe 1568 powershell.exe 1568 powershell.exe 2736 powershell.exe 2736 powershell.exe 1028 powershell.exe 1028 powershell.exe 1444 powershell.exe 1444 powershell.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 2840 Umbral.exe Token: SeIncreaseQuotaPrivilege 1404 wmic.exe Token: SeSecurityPrivilege 1404 wmic.exe Token: SeTakeOwnershipPrivilege 1404 wmic.exe Token: SeLoadDriverPrivilege 1404 wmic.exe Token: SeSystemProfilePrivilege 1404 wmic.exe Token: SeSystemtimePrivilege 1404 wmic.exe Token: SeProfSingleProcessPrivilege 1404 wmic.exe Token: SeIncBasePriorityPrivilege 1404 wmic.exe Token: SeCreatePagefilePrivilege 1404 wmic.exe Token: SeBackupPrivilege 1404 wmic.exe Token: SeRestorePrivilege 1404 wmic.exe Token: SeShutdownPrivilege 1404 wmic.exe Token: SeDebugPrivilege 1404 wmic.exe Token: SeSystemEnvironmentPrivilege 1404 wmic.exe Token: SeRemoteShutdownPrivilege 1404 wmic.exe Token: SeUndockPrivilege 1404 wmic.exe Token: SeManageVolumePrivilege 1404 wmic.exe Token: 33 1404 wmic.exe Token: 34 1404 wmic.exe Token: 35 1404 wmic.exe Token: 36 1404 wmic.exe Token: SeIncreaseQuotaPrivilege 1404 wmic.exe Token: SeSecurityPrivilege 1404 wmic.exe Token: SeTakeOwnershipPrivilege 1404 wmic.exe Token: SeLoadDriverPrivilege 1404 wmic.exe Token: SeSystemProfilePrivilege 1404 wmic.exe Token: SeSystemtimePrivilege 1404 wmic.exe Token: SeProfSingleProcessPrivilege 1404 wmic.exe Token: SeIncBasePriorityPrivilege 1404 wmic.exe Token: SeCreatePagefilePrivilege 1404 wmic.exe Token: SeBackupPrivilege 1404 wmic.exe Token: SeRestorePrivilege 1404 wmic.exe Token: SeShutdownPrivilege 1404 wmic.exe Token: SeDebugPrivilege 1404 wmic.exe Token: SeSystemEnvironmentPrivilege 1404 wmic.exe Token: SeRemoteShutdownPrivilege 1404 wmic.exe Token: SeUndockPrivilege 1404 wmic.exe Token: SeManageVolumePrivilege 1404 wmic.exe Token: 33 1404 wmic.exe Token: 34 1404 wmic.exe Token: 35 1404 wmic.exe Token: 36 1404 wmic.exe Token: SeDebugPrivilege 3836 powershell.exe Token: SeDebugPrivilege 1568 powershell.exe Token: SeDebugPrivilege 2736 powershell.exe Token: SeDebugPrivilege 1028 powershell.exe Token: SeIncreaseQuotaPrivilege 3544 wmic.exe Token: SeSecurityPrivilege 3544 wmic.exe Token: SeTakeOwnershipPrivilege 3544 wmic.exe Token: SeLoadDriverPrivilege 3544 wmic.exe Token: SeSystemProfilePrivilege 3544 wmic.exe Token: SeSystemtimePrivilege 3544 wmic.exe Token: SeProfSingleProcessPrivilege 3544 wmic.exe Token: SeIncBasePriorityPrivilege 3544 wmic.exe Token: SeCreatePagefilePrivilege 3544 wmic.exe Token: SeBackupPrivilege 3544 wmic.exe Token: SeRestorePrivilege 3544 wmic.exe Token: SeShutdownPrivilege 3544 wmic.exe Token: SeDebugPrivilege 3544 wmic.exe Token: SeSystemEnvironmentPrivilege 3544 wmic.exe Token: SeRemoteShutdownPrivilege 3544 wmic.exe Token: SeUndockPrivilege 3544 wmic.exe Token: SeManageVolumePrivilege 3544 wmic.exe -
Suspicious use of WriteProcessMemory 26 IoCs
description pid Process procid_target PID 2840 wrote to memory of 1404 2840 Umbral.exe 82 PID 2840 wrote to memory of 1404 2840 Umbral.exe 82 PID 2840 wrote to memory of 228 2840 Umbral.exe 85 PID 2840 wrote to memory of 228 2840 Umbral.exe 85 PID 2840 wrote to memory of 3836 2840 Umbral.exe 87 PID 2840 wrote to memory of 3836 2840 Umbral.exe 87 PID 2840 wrote to memory of 1568 2840 Umbral.exe 89 PID 2840 wrote to memory of 1568 2840 Umbral.exe 89 PID 2840 wrote to memory of 2736 2840 Umbral.exe 91 PID 2840 wrote to memory of 2736 2840 Umbral.exe 91 PID 2840 wrote to memory of 1028 2840 Umbral.exe 93 PID 2840 wrote to memory of 1028 2840 Umbral.exe 93 PID 2840 wrote to memory of 3544 2840 Umbral.exe 95 PID 2840 wrote to memory of 3544 2840 Umbral.exe 95 PID 2840 wrote to memory of 2432 2840 Umbral.exe 97 PID 2840 wrote to memory of 2432 2840 Umbral.exe 97 PID 2840 wrote to memory of 2584 2840 Umbral.exe 99 PID 2840 wrote to memory of 2584 2840 Umbral.exe 99 PID 2840 wrote to memory of 1444 2840 Umbral.exe 101 PID 2840 wrote to memory of 1444 2840 Umbral.exe 101 PID 2840 wrote to memory of 4616 2840 Umbral.exe 103 PID 2840 wrote to memory of 4616 2840 Umbral.exe 103 PID 2840 wrote to memory of 1076 2840 Umbral.exe 105 PID 2840 wrote to memory of 1076 2840 Umbral.exe 105 PID 1076 wrote to memory of 4848 1076 cmd.exe 107 PID 1076 wrote to memory of 4848 1076 cmd.exe 107 -
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process 228 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"1⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1404
-
-
C:\Windows\SYSTEM32\attrib.exe"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"2⤵
- Views/modifies file attributes
PID:228
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3836
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 22⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1568
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2736
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1028
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" os get Caption2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3544
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" computersystem get totalphysicalmemory2⤵PID:2432
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid2⤵PID:2584
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1444
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic" path win32_VideoController get name2⤵
- Detects videocard installed
PID:4616
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause2⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:1076 -
C:\Windows\system32\PING.EXEping localhost3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4848
-
-
Network
-
Remote address:8.8.8.8:53Requestgstatic.comIN AResponsegstatic.comIN A172.217.23.195
-
Remote address:8.8.8.8:53Request8.8.8.8.in-addr.arpaIN PTRResponse8.8.8.8.in-addr.arpaIN PTRdnsgoogle
-
Remote address:8.8.8.8:53Requestip-api.comIN AResponseip-api.comIN A208.95.112.1
-
Remote address:8.8.8.8:53Request195.23.217.172.in-addr.arpaIN PTRResponse195.23.217.172.in-addr.arpaIN PTRams16s37-in-f31e100net195.23.217.172.in-addr.arpaIN PTRprg03s05-in-f3�H195.23.217.172.in-addr.arpaIN PTRprg03s05-in-f195�H
-
Remote address:8.8.8.8:53Request1.112.95.208.in-addr.arpaIN PTRResponse1.112.95.208.in-addr.arpaIN PTRip-apicom
-
Remote address:8.8.8.8:53Requestdiscord.comIN AResponsediscord.comIN A162.159.136.232discord.comIN A162.159.137.232discord.comIN A162.159.128.233discord.comIN A162.159.138.232discord.comIN A162.159.135.232
-
Remote address:8.8.8.8:53Request232.136.159.162.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestnexusrules.officeapps.live.comIN AResponsenexusrules.officeapps.live.comIN CNAMEprod.nexusrules.live.com.akadns.netprod.nexusrules.live.com.akadns.netIN A52.111.229.43
-
Remote address:8.8.8.8:53Request43.229.111.52.in-addr.arpaIN PTRResponse
-
Remote address:208.95.112.1:80RequestGET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8
Content-Length: 6
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
-
Remote address:208.95.112.1:80RequestGET /json/?fields=225545 HTTP/1.1
Host: ip-api.com
ResponseHTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 161
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
-
803 B 5.2kB 8 8
-
310 B 267 B 5 2
HTTP Request
GET http://ip-api.com/line/?fields=hostingHTTP Response
200 -
285 B 470 B 5 3
HTTP Request
GET http://ip-api.com/json/?fields=225545HTTP Response
200 -
519.1kB 13.0kB 385 140
-
602 B 1.1kB 9 9
DNS Request
gstatic.com
DNS Response
172.217.23.195
DNS Request
8.8.8.8.in-addr.arpa
DNS Request
ip-api.com
DNS Response
208.95.112.1
DNS Request
195.23.217.172.in-addr.arpa
DNS Request
1.112.95.208.in-addr.arpa
DNS Request
discord.com
DNS Response
162.159.136.232162.159.137.232162.159.128.233162.159.138.232162.159.135.232
DNS Request
232.136.159.162.in-addr.arpa
DNS Request
nexusrules.officeapps.live.com
DNS Response
52.111.229.43
DNS Request
43.229.111.52.in-addr.arpa
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5627073ee3ca9676911bee35548eff2b8
SHA14c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA25685b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA5123c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb
-
Filesize
944B
MD51a9fa92a4f2e2ec9e244d43a6a4f8fb9
SHA19910190edfaccece1dfcc1d92e357772f5dae8f7
SHA2560ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888
SHA5125d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64
-
Filesize
948B
MD56aa2fca4712a213a6961a9b42cedaadb
SHA181da2cba9f21527a1ee07596d0a5a8c11c27ec84
SHA256818ba8689d5e1508fbd0f1183ec4cd7b920236975243b5c8a7c69ae1ce06a6b8
SHA51269f5a0fe0a020f027bcf16e30735e2e7983b4ba89360304ff05a2bb6c375b186730f575e0ba2fde6c5f3d95d256ec70a42cca62bcfa0e9c7a263b207c9c183e8
-
Filesize
1KB
MD57332074ae2b01262736b6fbd9e100dac
SHA122f992165065107cc9417fa4117240d84414a13c
SHA256baea84fda6c1f13090b8cbd91c920848946f10ce155ef31a1df4cd453ee7e4aa
SHA5124ae6f0e012c31ac1fc2ff4a8877ce2b4667c45b6e651de798318a39a2b6fd39a6f72dffa8b0b89b7a045a27d724d195656faa25a9fec79b22f37ddebb5d22da2
-
Filesize
1KB
MD5e8ad350bb24c7ab38efd0ef0553239c7
SHA1887c19e4c11de19854458e26a1ed05b67a75bf29
SHA2565cf85b38cbbf1a064a4f8001a0ec031993d44e46b8e65d713785c84916cb8ffd
SHA51274fef147e98b8b576712c212174a7793deb619d54c7ac7956e38ed4e09202f0c93ae4ec9e89cd4d0ac79c481d30c5c3fc5a3d042537c74d7bffda1f8453aef6e
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82