umbral | 28fba0bec489228d8e5533f0ab8356127c257e15576a82c60b1216420ac01571

Analysis

max time kernel
16s
max time network
16s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
06-08-2024 02:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

updated executor.exe
Size

1.8MB
MD5

f2a8b9e47973209ed9e9efef4ae2394b
SHA1

3f16e6ba00dda08e079be4474e362266b761ec45
SHA256

28fba0bec489228d8e5533f0ab8356127c257e15576a82c60b1216420ac01571
SHA512

43713790091013c1b8c55607e36b08086e59e142369354303747034ac04557faec1a84482042103739bfdc54e0bcaae22515ca5e79afeee5bfbd835297efd39d
SSDEEP

49152:kDjlabwz9YAoWpu/4ke0AaOTzwoKZpKCfRO2E:0qwy7Wpce0AaOT3CfUj

Score

10^/10

umbral credential_access discovery execution spyware stealer

Malware Config

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00060000000194e3-46.dat	family_umbral
behavioral1/memory/2800-54-0x0000000000D70000-0x0000000000DB0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2040	powershell.exe
2900	powershell.exe
2160	powershell.exe
2308	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	executor+Z.exe

Executes dropped EXE 1 IoCs

pid	Process
2800	executor+Z.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
8	discord.com
7	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1108	cmd.exe
1464	PING.EXE

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2292	wmic.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	updated executor.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1464	PING.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2800	executor+Z.exe
2308	powershell.exe
2040	powershell.exe
2900	powershell.exe
1704	powershell.exe
2160	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2800	executor+Z.exe
Token: SeIncreaseQuotaPrivilege	2428	wmic.exe
Token: SeSecurityPrivilege	2428	wmic.exe
Token: SeTakeOwnershipPrivilege	2428	wmic.exe
Token: SeLoadDriverPrivilege	2428	wmic.exe
Token: SeSystemProfilePrivilege	2428	wmic.exe
Token: SeSystemtimePrivilege	2428	wmic.exe
Token: SeProfSingleProcessPrivilege	2428	wmic.exe
Token: SeIncBasePriorityPrivilege	2428	wmic.exe
Token: SeCreatePagefilePrivilege	2428	wmic.exe
Token: SeBackupPrivilege	2428	wmic.exe
Token: SeRestorePrivilege	2428	wmic.exe
Token: SeShutdownPrivilege	2428	wmic.exe
Token: SeDebugPrivilege	2428	wmic.exe
Token: SeSystemEnvironmentPrivilege	2428	wmic.exe
Token: SeRemoteShutdownPrivilege	2428	wmic.exe
Token: SeUndockPrivilege	2428	wmic.exe
Token: SeManageVolumePrivilege	2428	wmic.exe
Token: 33	2428	wmic.exe
Token: 34	2428	wmic.exe
Token: 35	2428	wmic.exe
Token: SeIncreaseQuotaPrivilege	2428	wmic.exe
Token: SeSecurityPrivilege	2428	wmic.exe
Token: SeTakeOwnershipPrivilege	2428	wmic.exe
Token: SeLoadDriverPrivilege	2428	wmic.exe
Token: SeSystemProfilePrivilege	2428	wmic.exe
Token: SeSystemtimePrivilege	2428	wmic.exe
Token: SeProfSingleProcessPrivilege	2428	wmic.exe
Token: SeIncBasePriorityPrivilege	2428	wmic.exe
Token: SeCreatePagefilePrivilege	2428	wmic.exe
Token: SeBackupPrivilege	2428	wmic.exe
Token: SeRestorePrivilege	2428	wmic.exe
Token: SeShutdownPrivilege	2428	wmic.exe
Token: SeDebugPrivilege	2428	wmic.exe
Token: SeSystemEnvironmentPrivilege	2428	wmic.exe
Token: SeRemoteShutdownPrivilege	2428	wmic.exe
Token: SeUndockPrivilege	2428	wmic.exe
Token: SeManageVolumePrivilege	2428	wmic.exe
Token: 33	2428	wmic.exe
Token: 34	2428	wmic.exe
Token: 35	2428	wmic.exe
Token: SeDebugPrivilege	2308	powershell.exe
Token: SeDebugPrivilege	2040	powershell.exe
Token: SeDebugPrivilege	2900	powershell.exe
Token: SeDebugPrivilege	1704	powershell.exe
Token: SeIncreaseQuotaPrivilege	2968	wmic.exe
Token: SeSecurityPrivilege	2968	wmic.exe
Token: SeTakeOwnershipPrivilege	2968	wmic.exe
Token: SeLoadDriverPrivilege	2968	wmic.exe
Token: SeSystemProfilePrivilege	2968	wmic.exe
Token: SeSystemtimePrivilege	2968	wmic.exe
Token: SeProfSingleProcessPrivilege	2968	wmic.exe
Token: SeIncBasePriorityPrivilege	2968	wmic.exe
Token: SeCreatePagefilePrivilege	2968	wmic.exe
Token: SeBackupPrivilege	2968	wmic.exe
Token: SeRestorePrivilege	2968	wmic.exe
Token: SeShutdownPrivilege	2968	wmic.exe
Token: SeDebugPrivilege	2968	wmic.exe
Token: SeSystemEnvironmentPrivilege	2968	wmic.exe
Token: SeRemoteShutdownPrivilege	2968	wmic.exe
Token: SeUndockPrivilege	2968	wmic.exe
Token: SeManageVolumePrivilege	2968	wmic.exe
Token: 33	2968	wmic.exe
Token: 34	2968	wmic.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2532	updated executor.exe
2532	updated executor.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 2800	2532	updated executor.exe	29
PID 2532 wrote to memory of 2800	2532	updated executor.exe	29
PID 2532 wrote to memory of 2800	2532	updated executor.exe	29
PID 2800 wrote to memory of 2428	2800	executor+Z.exe	30
PID 2800 wrote to memory of 2428	2800	executor+Z.exe	30
PID 2800 wrote to memory of 2428	2800	executor+Z.exe	30
PID 2800 wrote to memory of 2460	2800	executor+Z.exe	33
PID 2800 wrote to memory of 2460	2800	executor+Z.exe	33
PID 2800 wrote to memory of 2460	2800	executor+Z.exe	33
PID 2800 wrote to memory of 2308	2800	executor+Z.exe	35
PID 2800 wrote to memory of 2308	2800	executor+Z.exe	35
PID 2800 wrote to memory of 2308	2800	executor+Z.exe	35
PID 2800 wrote to memory of 2040	2800	executor+Z.exe	37
PID 2800 wrote to memory of 2040	2800	executor+Z.exe	37
PID 2800 wrote to memory of 2040	2800	executor+Z.exe	37
PID 2800 wrote to memory of 2900	2800	executor+Z.exe	39
PID 2800 wrote to memory of 2900	2800	executor+Z.exe	39
PID 2800 wrote to memory of 2900	2800	executor+Z.exe	39
PID 2800 wrote to memory of 1704	2800	executor+Z.exe	41
PID 2800 wrote to memory of 1704	2800	executor+Z.exe	41
PID 2800 wrote to memory of 1704	2800	executor+Z.exe	41
PID 2800 wrote to memory of 2968	2800	executor+Z.exe	43
PID 2800 wrote to memory of 2968	2800	executor+Z.exe	43
PID 2800 wrote to memory of 2968	2800	executor+Z.exe	43
PID 2800 wrote to memory of 2384	2800	executor+Z.exe	45
PID 2800 wrote to memory of 2384	2800	executor+Z.exe	45
PID 2800 wrote to memory of 2384	2800	executor+Z.exe	45
PID 2800 wrote to memory of 2392	2800	executor+Z.exe	47
PID 2800 wrote to memory of 2392	2800	executor+Z.exe	47
PID 2800 wrote to memory of 2392	2800	executor+Z.exe	47
PID 2800 wrote to memory of 2160	2800	executor+Z.exe	49
PID 2800 wrote to memory of 2160	2800	executor+Z.exe	49
PID 2800 wrote to memory of 2160	2800	executor+Z.exe	49
PID 2800 wrote to memory of 2292	2800	executor+Z.exe	51
PID 2800 wrote to memory of 2292	2800	executor+Z.exe	51
PID 2800 wrote to memory of 2292	2800	executor+Z.exe	51
PID 2800 wrote to memory of 1108	2800	executor+Z.exe	53
PID 2800 wrote to memory of 1108	2800	executor+Z.exe	53
PID 2800 wrote to memory of 1108	2800	executor+Z.exe	53
PID 1108 wrote to memory of 1464	1108	cmd.exe	55
PID 1108 wrote to memory of 1464	1108	cmd.exe	55
PID 1108 wrote to memory of 1464	1108	cmd.exe	55

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2460	attrib.exe

C:\Users\Admin\AppData\Local\Temp\updated executor.exe
"C:\Users\Admin\AppData\Local\Temp\updated executor.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Users\Admin\AppData\Local\Temp\executor+Z.exe
  "C:\Users\Admin\AppData\Local\Temp\executor+Z.exe" Executor.exe
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2428
- - C:\Windows\system32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\executor+Z.exe"
    3⤵
    - Views/modifies file attributes
    PID:2460
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\executor+Z.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2308
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2040
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2900
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1704
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2968
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:2384
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:2392
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2160
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:2292
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\executor+Z.exe" && pause
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:1108
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\executor+Z.exe

Filesize
231KB

MD5
e5fe1871688f8786189ec49cc8124520

SHA1
e2de4a187d3cc99969e888819f6cf2bf5c78e90d

SHA256
750db35c728176edd361bee975326a5b1a270a835be7b272c68175f55d247029

SHA512
095f4398d1af600565bf8e29fc8bf0acbbff1a3729a3b4f531f597342afeed375f248ab5c4b3e589e41fb5305702fbc07b42df9b3320502c9abe3ba4d8a7f30c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TBHKW03KNHF0PUJX0MC3.temp

Filesize
7KB

MD5
700fda5cbd05cb0cd9150415a316a835

SHA1
7b47a9d11d3633c6aaa2fb7c9c28c0c2ce52658c

SHA256
3d4b2c84cc09881ef8d40f08bc80874903d709d6e0df4c4805bc7d979aa8e4e4

SHA512
04d9748ecb0cd58c5f5704817b9931ca1cf626603f7002be88210ec079ddc081a8cad3df996b3f268c0e1772e3564242e11ea0d667d876acbeaa594470c0d9ac

Download Submit
memory/2040-67-0x0000000001EA0000-0x0000000001EA8000-memory.dmp

Filesize
32KB

Download
memory/2040-66-0x000000001B720000-0x000000001BA02000-memory.dmp

Filesize
2.9MB

Download
memory/2160-94-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download
memory/2308-60-0x0000000001F00000-0x0000000001F08000-memory.dmp

Filesize
32KB

Download
memory/2308-59-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download
memory/2800-53-0x000007FEF4863000-0x000007FEF4864000-memory.dmp

Filesize
4KB

Download
memory/2800-54-0x0000000000D70000-0x0000000000DB0000-memory.dmp

Filesize
256KB

Download