Overview

overview

10

Static

static

3

cbe01fe464...0N.exe

windows7-x64

10

cbe01fe464...0N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    22-08-2024 22:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cbe01fe4646cb0bf553e56fab6049ea0N.exe

  • Size

    332KB

  • MD5

    cbe01fe4646cb0bf553e56fab6049ea0

  • SHA1

    74323c61e5e6af54a185db9055a63b58164a0875

  • SHA256

    084d8dae75296d5278702a13359c8869ea6919de5e0f3e939d0e786771238614

  • SHA512

    231f36ca6f9904dee27d8bd663f2210686f1b999341bf5da4aa6726785cbfa78df9af9ca2095cc918682ec215e92509beb34ea294b88eeabfa74f263ec801bc3

  • SSDEEP

    6144:tqS31vVrANegm9Wv3IOm+I3Wy6VlWd40pKr/zZ5wBJqsycOPAahF:4S7PWvSR3WTVl50wrN5wDq//A

Score
10/10
umbralcredential_accessdiscoveryexecutionspywarestealer

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1270503478661218436/lYjczFpScyBiK0vTfbrRGM7w5iZQZYGn5ZBMz2hf0cegpXKTgRn6umRYCB_UZguXyf4o

Signatures

  • Detect Umbral payload 2 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Using powershell.exe command.

    execution
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\cbe01fe4646cb0bf553e56fab6049ea0N.exe
    "C:\Users\Admin\AppData\Local\Temp\cbe01fe4646cb0bf553e56fab6049ea0N.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2416
    • C:\Users\Admin\AppData\Local\Temp\Umbral.exe
      "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2560
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2748
      • C:\Windows\system32\attrib.exe
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        3⤵
        • Views/modifies file attributes
        PID:2268
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1676
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1796
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2248
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1040
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" os get Caption
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:328
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" computersystem get totalphysicalmemory
        3⤵
          PID:1752
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" csproduct get uuid
          3⤵
            PID:1664
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            PID:572
          • C:\Windows\System32\Wbem\wmic.exe
            "wmic" path win32_VideoController get name
            3⤵
            • Detects videocard installed
            PID:2348
          • C:\Windows\system32\cmd.exe
            "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
            3⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Suspicious use of WriteProcessMemory
            PID:1948
            • C:\Windows\system32\PING.EXE
              ping localhost
              4⤵
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:992
        • C:\Users\Admin\AppData\Local\Temp\svchost.exe
          "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
          2⤵
          • Executes dropped EXE
          PID:1644

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        Filesize

        231KB

        MD5

        a733fa354827ee6841d92540f7031823

        SHA1

        12d0420484d4aee5945633298824003c1715815a

        SHA256

        9da608bc82962c952329648689186ab278007ec0895ce14d136dd0cc48eddc34

        SHA512

        ce699c379824cf4134cc134b9d803fe6cd7b2e3ab9a79af8ddd8f95713ffe67f96ab2fd04310f4700715bf9db2d1a8a0699bf916f6405fdcf6c66789e9764832

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        Filesize

        479KB

        MD5

        dd6cec99223a8139819a04b08a53ef6a

        SHA1

        7941a00b799f614af2d212322304ed3c403cdc6b

        SHA256

        8f541cf02aa94b2d9a9f6c8ef1cd88ed56211394ec209d12a48b3507846ef65d

        SHA512

        d18b8d4ca61c35678ef220f90e09d2a3dea36beb46b76aaf63605c521ffcc34d77e3c1a7ad323f749edf4b0749da3eaf80b7b3ea50af5eeaae5d96ba3cb3aff7

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\23Q7FHT4F3A95VTU20UE.temp
        Filesize

        7KB

        MD5

        da2c17c79c881f64f251c90efc68d398

        SHA1

        6306d0b0085881fb9a2ab5069098f428c9b31df7

        SHA256

        06f22ed88a35b6d84a6bdc8290fb52f1d130aee946192fc6303ba97d7cf936a6

        SHA512

        c05d74393c9847ed6db094a59c80726e56e415c6fbf0ac121ca0c6c8938e0b1e55b9ca50934abf905bf012b65d6ef764998af1b1a6b815d13ff87ab30ba327cb

        Download Submit

      • memory/1644-14-0x0000000000FD0000-0x000000000104E000-memory.dmp

        Filesize

        504KB

        Download

      • memory/1676-22-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/1676-23-0x00000000028D0000-0x00000000028D8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/1796-29-0x000000001B620000-0x000000001B902000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/1796-30-0x0000000002710000-0x0000000002718000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2416-16-0x000007FEF5C90000-0x000007FEF667C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2416-0-0x000007FEF5C93000-0x000007FEF5C94000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2416-7-0x000007FEF5C90000-0x000007FEF667C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2416-1-0x0000000000AF0000-0x0000000000B4A000-memory.dmp

        Filesize

        360KB

        Download

      • memory/2560-17-0x000007FEF5C90000-0x000007FEF667C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2560-11-0x0000000000C40000-0x0000000000C80000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2560-15-0x000007FEF5C90000-0x000007FEF667C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2560-62-0x000007FEF5C90000-0x000007FEF667C000-memory.dmp

        Filesize

        9.9MB

        Download