Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    03-09-2024 13:05

General

  • Target

    umbralstealer.exe

  • Size

    229KB

  • MD5

    83b81dda82a62350b52ee97a12d3163a

  • SHA1

    3e7c9d5eda676771071fa77ce8f357b0c32673fa

  • SHA256

    b8e51135b2e0a124ac1103a9c4a6f2353d289ffe99611d990c291ae356950ecf

  • SHA512

    e0d0d47479b19287dbb731b0025c458623fa17e77d506756a7e90289abf0c04faa5e655bd2f521ead68d3c8530cb4ecaf1cb1c48e1fe2e03759affe8c0c4ca04

  • SSDEEP

    6144:lloZM9fsXtioRkts/cnnK6cMlxDKxX8il927De8NhoREb8e1muoi:noZXtlRk83MlxDKxX8il927De8NhoOJ

Malware Config

Signatures

  • Detect Umbral payload 1 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Drops file in Drivers directory 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\umbralstealer.exe
    "C:\Users\Admin\AppData\Local\Temp\umbralstealer.exe"
    1⤵
    • Drops file in Drivers directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2568
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\umbralstealer.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2388
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2860
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2656
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2692
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1700
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1252
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      2⤵
        PID:696
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:2912
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic" path win32_VideoController get name
        2⤵
        • Detects videocard installed
        PID:1280

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GEZAWL7SZN5Y6TDGD3FR.temp

      Filesize

      7KB

      MD5

      8981a3e6b9ced7539ff73bd8be410bc3

      SHA1

      62dfcd37bf9fbc863d24d3ad4df434d89841a553

      SHA256

      beca44435b6cfae210f24a147e7467f13de4826d969fb1ddfe7897f6cc10da8b

      SHA512

      7d83044c04ad9ef97ebe640c0a490154c08bb3c208d33208df15b3b13cad4b451176e3401cc5df3eb99815e6a8c52f99479e3052814b4ef39bdd0602162da3b7

    • memory/2388-7-0x000007FEED76E000-0x000007FEED76F000-memory.dmp

      Filesize

      4KB

    • memory/2388-8-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

      Filesize

      2.9MB

    • memory/2388-9-0x0000000002240000-0x0000000002248000-memory.dmp

      Filesize

      32KB

    • memory/2388-10-0x0000000002CF4000-0x0000000002CF7000-memory.dmp

      Filesize

      12KB

    • memory/2388-12-0x000007FEED4B0000-0x000007FEEDE4D000-memory.dmp

      Filesize

      9.6MB

    • memory/2388-11-0x0000000002CFB000-0x0000000002D62000-memory.dmp

      Filesize

      412KB

    • memory/2388-52-0x000007FEED4B0000-0x000007FEEDE4D000-memory.dmp

      Filesize

      9.6MB

    • memory/2568-0-0x000007FEF5433000-0x000007FEF5434000-memory.dmp

      Filesize

      4KB

    • memory/2568-2-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

      Filesize

      9.9MB

    • memory/2568-1-0x0000000000070000-0x00000000000B0000-memory.dmp

      Filesize

      256KB

    • memory/2568-51-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

      Filesize

      9.9MB

    • memory/2860-18-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

      Filesize

      2.9MB

    • memory/2860-19-0x0000000001D80000-0x0000000001D88000-memory.dmp

      Filesize

      32KB