Overview

overview

10

Static

static

7

4bb8a2bcc0...0N.exe

windows7-x64

10

4bb8a2bcc0...0N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    09-09-2024 21:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4bb8a2bcc007cc041fe3c03c25453920N.exe

  • Size

    3.5MB

  • MD5

    4bb8a2bcc007cc041fe3c03c25453920

  • SHA1

    e922394a6f90243985b305efb9e4caed04483d40

  • SHA256

    9b90f637ef1988d0b812882cc1455f1ca87b8eef2017d92ec438734b02eebe36

  • SHA512

    40cc3a02511bd4b899824aeb70867218220f7797e100daf625b364f899ec3c58d8c129fe0b17c445683e0968beb5abc25262707fa074f9ef85b26da31cb7cddd

  • SSDEEP

    49152:k9bxPRDP0fHuNSeZUZzWHehOQ1750lGurq4bx67oICjhTLCUA/bIHvWdW9dX8dvz:m5Rjb1Zc/hOQkvq407ozFmAeW9Wvz

Score
10/10
umbralcredential_accessdiscoveryevasionexecutionspywarestealerthemidatrojan

Malware Config

Extracted

Family

umbral

C2

https://os1.olympus-entertainment.com

Signatures

  • Detect Umbral payload 3 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops file in Drivers directory 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 3 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4bb8a2bcc007cc041fe3c03c25453920N.exe
    "C:\Users\Admin\AppData\Local\Temp\4bb8a2bcc007cc041fe3c03c25453920N.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Drops file in Drivers directory
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:304
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\4bb8a2bcc007cc041fe3c03c25453920N.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2880
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2336
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2676
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2916
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      "wmic.exe" os get Caption
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2972
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:1188
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2988
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2644
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      "wmic" path win32_VideoController get name
      2⤵
      • System Location Discovery: System Language Discovery
      • Detects videocard installed
      PID:2088

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    41c38b3da4d1379d77dc7fba19a7e4bc

    SHA1

    b98cc5ed367953acfa042febb079e60c20918afe

    SHA256

    92772e81cd6ba4b58bcf34fd3c03c0d80fa6682d84a6453af4b52a639a8570eb

    SHA512

    3e5a602ff788bbe48345eaf3dbeb3fa0246d6f8d787e1f8e7e8ae091e5124f3c0f92445f0dcf77b410d84df58a6113a4d462413f8ce80800d7f5e387094efa11

    Download Submit

  • memory/304-13-0x00000000754B0000-0x00000000755C0000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/304-1-0x00000000754C4000-0x00000000754C5000-memory.dmp

    Filesize

    4KB

    Download

  • memory/304-2-0x00000000754B0000-0x00000000755C0000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/304-9-0x00000000754B0000-0x00000000755C0000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/304-8-0x00000000754B0000-0x00000000755C0000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/304-22-0x00000000754B0000-0x00000000755C0000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/304-11-0x00000000754B0000-0x00000000755C0000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/304-20-0x00000000754B0000-0x00000000755C0000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/304-19-0x00000000754B0000-0x00000000755C0000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/304-18-0x00000000754B0000-0x00000000755C0000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/304-17-0x00000000754B0000-0x00000000755C0000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/304-16-0x00000000754B0000-0x00000000755C0000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/304-15-0x00000000754B0000-0x00000000755C0000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/304-14-0x00000000754B0000-0x00000000755C0000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/304-73-0x0000000000400000-0x0000000000D50000-memory.dmp

    Filesize

    9.3MB

    Download

  • memory/304-4-0x00000000754B0000-0x00000000755C0000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/304-21-0x00000000754B0000-0x00000000755C0000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/304-10-0x00000000754B0000-0x00000000755C0000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/304-7-0x00000000754B0000-0x00000000755C0000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/304-6-0x00000000754B0000-0x00000000755C0000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/304-5-0x00000000754B0000-0x00000000755C0000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/304-24-0x00000000754B0000-0x00000000755C0000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/304-25-0x0000000000400000-0x0000000000D50000-memory.dmp

    Filesize

    9.3MB

    Download

  • memory/304-26-0x0000000000400000-0x0000000000D50000-memory.dmp

    Filesize

    9.3MB

    Download

  • memory/304-31-0x00000000754C4000-0x00000000754C5000-memory.dmp

    Filesize

    4KB

    Download

  • memory/304-0-0x0000000000400000-0x0000000000D50000-memory.dmp

    Filesize

    9.3MB

    Download

  • memory/304-29-0x0000000000400000-0x0000000000D50000-memory.dmp

    Filesize

    9.3MB

    Download

  • memory/304-72-0x00000000754B0000-0x00000000755C0000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/304-3-0x00000000754B0000-0x00000000755C0000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/304-12-0x00000000754B0000-0x00000000755C0000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2880-32-0x00000000754B0000-0x00000000755C0000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2880-30-0x00000000754B0000-0x00000000755C0000-memory.dmp

    Filesize

    1.1MB

    Download