umbral | 988e18df0a992354434f712880cc3fc7b2037392736138be3b8758bd889065fb

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-08-2024 13:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Cheat.exe
Size

229KB
MD5

57b52820e80bbf21cb91858308b64a43
SHA1

681de078a2bab05ff51d6b211a6136cd0a4cf5c5
SHA256

cad17c73e90686eee88e8e73039d69d0969a544a20d324cb30efe4849bf22be2
SHA512

981daa6346b6887d92fc77e865a9de661ebdf5216cca2c05a2817b28833a02a07ae5c64d181990dd0d86971e740a44e709b058a50cbef146066e00bce6628454
SSDEEP

6144:tloZMcrIkd8g+EtXHkv/iD49XVt8il92+De8NhoMi2b8e1m4ohi:voZrL+EP89XVt8il92+De8NhoQG4

Score

10^/10

umbral credential_access discovery execution spyware stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral2/memory/3308-0-0x000001AC70410000-0x000001AC70450000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3908	powershell.exe
1644	powershell.exe
4592	powershell.exe
2620	powershell.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
22	discord.com
23	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1440	cmd.exe
4388	PING.EXE

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1616	wmic.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4388	PING.EXE

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
3308	Cheat.exe
2620	powershell.exe
2620	powershell.exe
3908	powershell.exe
3908	powershell.exe
1644	powershell.exe
1644	powershell.exe
3996	powershell.exe
3996	powershell.exe
4592	powershell.exe
4592	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3308	Cheat.exe
Token: SeIncreaseQuotaPrivilege	612	wmic.exe
Token: SeSecurityPrivilege	612	wmic.exe
Token: SeTakeOwnershipPrivilege	612	wmic.exe
Token: SeLoadDriverPrivilege	612	wmic.exe
Token: SeSystemProfilePrivilege	612	wmic.exe
Token: SeSystemtimePrivilege	612	wmic.exe
Token: SeProfSingleProcessPrivilege	612	wmic.exe
Token: SeIncBasePriorityPrivilege	612	wmic.exe
Token: SeCreatePagefilePrivilege	612	wmic.exe
Token: SeBackupPrivilege	612	wmic.exe
Token: SeRestorePrivilege	612	wmic.exe
Token: SeShutdownPrivilege	612	wmic.exe
Token: SeDebugPrivilege	612	wmic.exe
Token: SeSystemEnvironmentPrivilege	612	wmic.exe
Token: SeRemoteShutdownPrivilege	612	wmic.exe
Token: SeUndockPrivilege	612	wmic.exe
Token: SeManageVolumePrivilege	612	wmic.exe
Token: 33	612	wmic.exe
Token: 34	612	wmic.exe
Token: 35	612	wmic.exe
Token: 36	612	wmic.exe
Token: SeIncreaseQuotaPrivilege	612	wmic.exe
Token: SeSecurityPrivilege	612	wmic.exe
Token: SeTakeOwnershipPrivilege	612	wmic.exe
Token: SeLoadDriverPrivilege	612	wmic.exe
Token: SeSystemProfilePrivilege	612	wmic.exe
Token: SeSystemtimePrivilege	612	wmic.exe
Token: SeProfSingleProcessPrivilege	612	wmic.exe
Token: SeIncBasePriorityPrivilege	612	wmic.exe
Token: SeCreatePagefilePrivilege	612	wmic.exe
Token: SeBackupPrivilege	612	wmic.exe
Token: SeRestorePrivilege	612	wmic.exe
Token: SeShutdownPrivilege	612	wmic.exe
Token: SeDebugPrivilege	612	wmic.exe
Token: SeSystemEnvironmentPrivilege	612	wmic.exe
Token: SeRemoteShutdownPrivilege	612	wmic.exe
Token: SeUndockPrivilege	612	wmic.exe
Token: SeManageVolumePrivilege	612	wmic.exe
Token: 33	612	wmic.exe
Token: 34	612	wmic.exe
Token: 35	612	wmic.exe
Token: 36	612	wmic.exe
Token: SeDebugPrivilege	2620	powershell.exe
Token: SeDebugPrivilege	3908	powershell.exe
Token: SeDebugPrivilege	1644	powershell.exe
Token: SeDebugPrivilege	3996	powershell.exe
Token: SeIncreaseQuotaPrivilege	3216	wmic.exe
Token: SeSecurityPrivilege	3216	wmic.exe
Token: SeTakeOwnershipPrivilege	3216	wmic.exe
Token: SeLoadDriverPrivilege	3216	wmic.exe
Token: SeSystemProfilePrivilege	3216	wmic.exe
Token: SeSystemtimePrivilege	3216	wmic.exe
Token: SeProfSingleProcessPrivilege	3216	wmic.exe
Token: SeIncBasePriorityPrivilege	3216	wmic.exe
Token: SeCreatePagefilePrivilege	3216	wmic.exe
Token: SeBackupPrivilege	3216	wmic.exe
Token: SeRestorePrivilege	3216	wmic.exe
Token: SeShutdownPrivilege	3216	wmic.exe
Token: SeDebugPrivilege	3216	wmic.exe
Token: SeSystemEnvironmentPrivilege	3216	wmic.exe
Token: SeRemoteShutdownPrivilege	3216	wmic.exe
Token: SeUndockPrivilege	3216	wmic.exe
Token: SeManageVolumePrivilege	3216	wmic.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 3308 wrote to memory of 612	3308	Cheat.exe	86
PID 3308 wrote to memory of 612	3308	Cheat.exe	86
PID 3308 wrote to memory of 3788	3308	Cheat.exe	89
PID 3308 wrote to memory of 3788	3308	Cheat.exe	89
PID 3308 wrote to memory of 2620	3308	Cheat.exe	91
PID 3308 wrote to memory of 2620	3308	Cheat.exe	91
PID 3308 wrote to memory of 3908	3308	Cheat.exe	93
PID 3308 wrote to memory of 3908	3308	Cheat.exe	93
PID 3308 wrote to memory of 1644	3308	Cheat.exe	95
PID 3308 wrote to memory of 1644	3308	Cheat.exe	95
PID 3308 wrote to memory of 3996	3308	Cheat.exe	97
PID 3308 wrote to memory of 3996	3308	Cheat.exe	97
PID 3308 wrote to memory of 3216	3308	Cheat.exe	99
PID 3308 wrote to memory of 3216	3308	Cheat.exe	99
PID 3308 wrote to memory of 3424	3308	Cheat.exe	101
PID 3308 wrote to memory of 3424	3308	Cheat.exe	101
PID 3308 wrote to memory of 1576	3308	Cheat.exe	103
PID 3308 wrote to memory of 1576	3308	Cheat.exe	103
PID 3308 wrote to memory of 4592	3308	Cheat.exe	105
PID 3308 wrote to memory of 4592	3308	Cheat.exe	105
PID 3308 wrote to memory of 1616	3308	Cheat.exe	107
PID 3308 wrote to memory of 1616	3308	Cheat.exe	107
PID 3308 wrote to memory of 1440	3308	Cheat.exe	109
PID 3308 wrote to memory of 1440	3308	Cheat.exe	109
PID 1440 wrote to memory of 4388	1440	cmd.exe	111
PID 1440 wrote to memory of 4388	1440	cmd.exe	111

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3788	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Cheat.exe
"C:\Users\Admin\AppData\Local\Temp\Cheat.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3308
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:612
- C:\Windows\SYSTEM32\attrib.exe
  "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Cheat.exe"
  2⤵
  - Views/modifies file attributes
  PID:3788
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Cheat.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3908
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1644
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3996
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3216
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  PID:3424
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:1576
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4592
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:1616
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Cheat.exe" && pause
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:1440
- - C:\Windows\system32\PING.EXE
    ping localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
440cb38dbee06645cc8b74d51f6e5f71

SHA1
d7e61da91dc4502e9ae83281b88c1e48584edb7c

SHA256
8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe

SHA512
3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
380007fbdf9fef355db2afd71fce9cd1

SHA1
e98802ef10fac8ef96a3210930784c317ca76fa0

SHA256
6353a11014d2c1495ac7a5efef195d06d8e8b30a163c437263361deb5a28de03

SHA512
9790c6b4c16ed4f4e6cddf492d01a6b4963e20bde6ddf40017db20ffc672b0cfaea2ad6aebcb51e8e459682974be0d024b35546aad840051a1e9fe2d3e565bd5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
5824a6037c081fda5d46de274b6e2799

SHA1
526367a09300cbde430e8fb44e41cbe7a0937aac

SHA256
4d610d9cd32a20279c7133a726ff61820d6930e5aa18253ee1422f3a6f54953f

SHA512
a109b150f730cda78d5bee106bd232f9dca7500dfb7899c6919de2bd542e345ca271aa11809a24ea0a27dca158067ab3a2d5688ac0a2325185143245f1665582

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
602563204cbd00339b5803891409024e

SHA1
669f54b26b741406bfee8618b6752f0171a9849d

SHA256
581e7879060c671fb37e4a58b6f2bbf20418c4afc63e9fe167ba15595cd61f8b

SHA512
b4b18e401fe74724e9ccf4d7bb10a84db40c480bbc8fd0e007edb2225c9edb69f0abce7b5f0d34c524d4e968e32ec53b9816a8442bae713de25a70d1ff5d7d1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_b0t0s1zp.uuz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2620-4-0x00007FFCD1570000-0x00007FFCD2031000-memory.dmp

Filesize
10.8MB

Download
memory/2620-10-0x000002B868580000-0x000002B8685A2000-memory.dmp

Filesize
136KB

Download
memory/2620-15-0x00007FFCD1570000-0x00007FFCD2031000-memory.dmp

Filesize
10.8MB

Download
memory/2620-18-0x00007FFCD1570000-0x00007FFCD2031000-memory.dmp

Filesize
10.8MB

Download
memory/2620-3-0x00007FFCD1570000-0x00007FFCD2031000-memory.dmp

Filesize
10.8MB

Download
memory/3308-32-0x000001AC72B10000-0x000001AC72B60000-memory.dmp

Filesize
320KB

Download
memory/3308-31-0x000001AC72B90000-0x000001AC72C06000-memory.dmp

Filesize
472KB

Download
memory/3308-33-0x000001AC729C0000-0x000001AC729DE000-memory.dmp

Filesize
120KB

Download
memory/3308-1-0x00007FFCD1573000-0x00007FFCD1575000-memory.dmp

Filesize
8KB

Download
memory/3308-0-0x000001AC70410000-0x000001AC70450000-memory.dmp

Filesize
256KB

Download
memory/3308-69-0x000001AC729F0000-0x000001AC729FA000-memory.dmp

Filesize
40KB

Download
memory/3308-70-0x000001AC72D10000-0x000001AC72D22000-memory.dmp

Filesize
72KB

Download
memory/3308-2-0x00007FFCD1570000-0x00007FFCD2031000-memory.dmp

Filesize
10.8MB

Download
memory/3308-88-0x00007FFCD1570000-0x00007FFCD2031000-memory.dmp

Filesize
10.8MB

Download