umbral | 1e94a2848737d3fe8046f4dabcfe94c250be5085802edce428e4dd271f459a19

Analysis

max time kernel
134s
max time network
135s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
09-08-2024 17:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Nowatermarks.exe
Size

229KB
MD5

79d545d3f6a46db17e8dadba1bf623ae
SHA1

f289247a7620ff890ac3d5c87c13445c83b2a02d
SHA256

1e94a2848737d3fe8046f4dabcfe94c250be5085802edce428e4dd271f459a19
SHA512

bd14dec25736a52f79f8b9e4aede9981ffca9ff78e2dbca875802eff7525495a17c506c69b74b572c5e18aca2c7df05b11adaa1160a65f9e2df1f4e8b5b1f447
SSDEEP

6144:lloZMrrIkd8g+EtXHkv/iD4ITZHR/k4XSG/BcoNTo6lm8e1mCKi:noZcL+EP8QZHR/k4XSG/BcoNVSHv

Score

10^/10

umbral credential_access discovery execution spyware stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral1/memory/3368-1-0x000001700C770000-0x000001700C7B0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2612	powershell.exe
3520	powershell.exe
1048	powershell.exe
3168	powershell.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	discord.com
7	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2172	cmd.exe
652	PING.EXE

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3192	wmic.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
652	PING.EXE

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
3168	powershell.exe
3168	powershell.exe
3168	powershell.exe
3520	powershell.exe
3520	powershell.exe
3520	powershell.exe
1048	powershell.exe
1048	powershell.exe
1048	powershell.exe
1000	powershell.exe
1000	powershell.exe
1000	powershell.exe
2612	powershell.exe
2612	powershell.exe
2612	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3368	Nowatermarks.exe
Token: SeDebugPrivilege	3168	powershell.exe
Token: SeIncreaseQuotaPrivilege	3168	powershell.exe
Token: SeSecurityPrivilege	3168	powershell.exe
Token: SeTakeOwnershipPrivilege	3168	powershell.exe
Token: SeLoadDriverPrivilege	3168	powershell.exe
Token: SeSystemProfilePrivilege	3168	powershell.exe
Token: SeSystemtimePrivilege	3168	powershell.exe
Token: SeProfSingleProcessPrivilege	3168	powershell.exe
Token: SeIncBasePriorityPrivilege	3168	powershell.exe
Token: SeCreatePagefilePrivilege	3168	powershell.exe
Token: SeBackupPrivilege	3168	powershell.exe
Token: SeRestorePrivilege	3168	powershell.exe
Token: SeShutdownPrivilege	3168	powershell.exe
Token: SeDebugPrivilege	3168	powershell.exe
Token: SeSystemEnvironmentPrivilege	3168	powershell.exe
Token: SeRemoteShutdownPrivilege	3168	powershell.exe
Token: SeUndockPrivilege	3168	powershell.exe
Token: SeManageVolumePrivilege	3168	powershell.exe
Token: 33	3168	powershell.exe
Token: 34	3168	powershell.exe
Token: 35	3168	powershell.exe
Token: 36	3168	powershell.exe
Token: SeDebugPrivilege	3520	powershell.exe
Token: SeDebugPrivilege	1048	powershell.exe
Token: SeDebugPrivilege	1000	powershell.exe
Token: SeIncreaseQuotaPrivilege	4452	wmic.exe
Token: SeSecurityPrivilege	4452	wmic.exe
Token: SeTakeOwnershipPrivilege	4452	wmic.exe
Token: SeLoadDriverPrivilege	4452	wmic.exe
Token: SeSystemProfilePrivilege	4452	wmic.exe
Token: SeSystemtimePrivilege	4452	wmic.exe
Token: SeProfSingleProcessPrivilege	4452	wmic.exe
Token: SeIncBasePriorityPrivilege	4452	wmic.exe
Token: SeCreatePagefilePrivilege	4452	wmic.exe
Token: SeBackupPrivilege	4452	wmic.exe
Token: SeRestorePrivilege	4452	wmic.exe
Token: SeShutdownPrivilege	4452	wmic.exe
Token: SeDebugPrivilege	4452	wmic.exe
Token: SeSystemEnvironmentPrivilege	4452	wmic.exe
Token: SeRemoteShutdownPrivilege	4452	wmic.exe
Token: SeUndockPrivilege	4452	wmic.exe
Token: SeManageVolumePrivilege	4452	wmic.exe
Token: 33	4452	wmic.exe
Token: 34	4452	wmic.exe
Token: 35	4452	wmic.exe
Token: 36	4452	wmic.exe
Token: SeIncreaseQuotaPrivilege	4452	wmic.exe
Token: SeSecurityPrivilege	4452	wmic.exe
Token: SeTakeOwnershipPrivilege	4452	wmic.exe
Token: SeLoadDriverPrivilege	4452	wmic.exe
Token: SeSystemProfilePrivilege	4452	wmic.exe
Token: SeSystemtimePrivilege	4452	wmic.exe
Token: SeProfSingleProcessPrivilege	4452	wmic.exe
Token: SeIncBasePriorityPrivilege	4452	wmic.exe
Token: SeCreatePagefilePrivilege	4452	wmic.exe
Token: SeBackupPrivilege	4452	wmic.exe
Token: SeRestorePrivilege	4452	wmic.exe
Token: SeShutdownPrivilege	4452	wmic.exe
Token: SeDebugPrivilege	4452	wmic.exe
Token: SeSystemEnvironmentPrivilege	4452	wmic.exe
Token: SeRemoteShutdownPrivilege	4452	wmic.exe
Token: SeUndockPrivilege	4452	wmic.exe
Token: SeManageVolumePrivilege	4452	wmic.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3368 wrote to memory of 3032	3368	Nowatermarks.exe	73
PID 3368 wrote to memory of 3032	3368	Nowatermarks.exe	73
PID 3368 wrote to memory of 3168	3368	Nowatermarks.exe	75
PID 3368 wrote to memory of 3168	3368	Nowatermarks.exe	75
PID 3368 wrote to memory of 3520	3368	Nowatermarks.exe	78
PID 3368 wrote to memory of 3520	3368	Nowatermarks.exe	78
PID 3368 wrote to memory of 1048	3368	Nowatermarks.exe	80
PID 3368 wrote to memory of 1048	3368	Nowatermarks.exe	80
PID 3368 wrote to memory of 1000	3368	Nowatermarks.exe	82
PID 3368 wrote to memory of 1000	3368	Nowatermarks.exe	82
PID 3368 wrote to memory of 4452	3368	Nowatermarks.exe	84
PID 3368 wrote to memory of 4452	3368	Nowatermarks.exe	84
PID 3368 wrote to memory of 524	3368	Nowatermarks.exe	87
PID 3368 wrote to memory of 524	3368	Nowatermarks.exe	87
PID 3368 wrote to memory of 2144	3368	Nowatermarks.exe	89
PID 3368 wrote to memory of 2144	3368	Nowatermarks.exe	89
PID 3368 wrote to memory of 2612	3368	Nowatermarks.exe	91
PID 3368 wrote to memory of 2612	3368	Nowatermarks.exe	91
PID 3368 wrote to memory of 3192	3368	Nowatermarks.exe	93
PID 3368 wrote to memory of 3192	3368	Nowatermarks.exe	93
PID 3368 wrote to memory of 2172	3368	Nowatermarks.exe	95
PID 3368 wrote to memory of 2172	3368	Nowatermarks.exe	95
PID 2172 wrote to memory of 652	2172	cmd.exe	97
PID 2172 wrote to memory of 652	2172	cmd.exe	97

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3032	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Nowatermarks.exe
"C:\Users\Admin\AppData\Local\Temp\Nowatermarks.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3368
- C:\Windows\SYSTEM32\attrib.exe
  "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Nowatermarks.exe"
  2⤵
  - Views/modifies file attributes
  PID:3032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nowatermarks.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3168
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3520
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1048
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1000
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4452
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  PID:524
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:2144
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2612
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:3192
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Nowatermarks.exe" && pause
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Windows\system32\PING.EXE
    ping localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
226c5d3ce2511e67e82dd048c5de323a

SHA1
1025bb6b6ea280b67972a36d68d8c8e358f890a4

SHA256
876e1448668ba33af526fc0d1703f6d25d1e557be290862f29c8d640bcd1ffd2

SHA512
5aaf65385f70c32d8273ba2480c2cf8e18f3b0e3c06c99a81faa632fda4e5f93706068c5647cf12cae0f14a81338d3aa1f34ce3cdec3ad3b9fa285eef224c776

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d1ee4de5bacffa0ba071906fe7508e97

SHA1
30b8b12735ea3aee1cfbf7a701e4741ff06ba2c9

SHA256
6f37f98ac6627063dcef402f165aac78c0fb83bb141e803e3eeb8eea99245c36

SHA512
c0e85336a7c399ca67923004405e145cfaa16579407765919af7115a8840c72ba67d1943f8181916366313e2e4105b28029c8d53e1af16315310fff7b1224765

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fd3a8e3ccae2deffde7225f70a42e798

SHA1
f529a8ddd5921cbba263a9c16078fb8b490c6c2c

SHA256
3a03993a68659fcde8670d72599ce1b9cb6667953ef7f3a08930aaeb6602807a

SHA512
dfa3158f3dae7790cbb31b6ed4ad8d831be20cde7d6e48fe1cf4feedab3c4a24253d76fbc3729f79829f846eac29c95151d3ff27706abad6bbdb0264eb814b39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e0079dd6b7573fdfeb15f414854be413

SHA1
92c572a7a85afbdb2e10cb4923c962721414b2a9

SHA256
e310e6a9113eea5efe08877d04f1fb86616b65d543c6408c8b50098591c3d0b3

SHA512
894c6116face7275464a09fa8de276af0b70e285eb710e86ce6375945e4a39b77a5a31303507b21a1a27210861fdef193f9811414ae3f5f2a269e6648667aff5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yv0wvkw2.gys.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/3168-49-0x00007FF954660000-0x00007FF95504C000-memory.dmp

Filesize
9.9MB

Download
memory/3168-8-0x0000016CC8210000-0x0000016CC8232000-memory.dmp

Filesize
136KB

Download
memory/3168-10-0x00007FF954660000-0x00007FF95504C000-memory.dmp

Filesize
9.9MB

Download
memory/3168-42-0x00007FF954660000-0x00007FF95504C000-memory.dmp

Filesize
9.9MB

Download
memory/3168-13-0x0000016CC83C0000-0x0000016CC8436000-memory.dmp

Filesize
472KB

Download
memory/3168-53-0x00007FF954660000-0x00007FF95504C000-memory.dmp

Filesize
9.9MB

Download
memory/3168-9-0x00007FF954660000-0x00007FF95504C000-memory.dmp

Filesize
9.9MB

Download
memory/3168-7-0x00007FF954660000-0x00007FF95504C000-memory.dmp

Filesize
9.9MB

Download
memory/3368-84-0x0000017026EE0000-0x0000017026F30000-memory.dmp

Filesize
320KB

Download
memory/3368-85-0x0000017026C00000-0x0000017026C1E000-memory.dmp

Filesize
120KB

Download
memory/3368-0-0x00007FF954663000-0x00007FF954664000-memory.dmp

Filesize
4KB

Download
memory/3368-2-0x00007FF954660000-0x00007FF95504C000-memory.dmp

Filesize
9.9MB

Download
memory/3368-150-0x0000017026BD0000-0x0000017026BE2000-memory.dmp

Filesize
72KB

Download
memory/3368-149-0x0000017026BA0000-0x0000017026BAA000-memory.dmp

Filesize
40KB

Download
memory/3368-1-0x000001700C770000-0x000001700C7B0000-memory.dmp

Filesize
256KB

Download
memory/3368-180-0x00007FF954660000-0x00007FF95504C000-memory.dmp

Filesize
9.9MB

Download