Analysis

  • max time kernel
    95s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18-09-2024 07:05

General

  • Target

    everything.exe

  • Size

    231KB

  • MD5

    c230d0ffbb5ba00f2bc8a3e51c831d30

  • SHA1

    ba14e05c5b2f9bd82895598e4e037971cb88cb75

  • SHA256

    cf7b9914e5b25efd7b449a9426d8d2cb570440da613b0bf7b258b425d2c6a7a0

  • SHA512

    d4930c2f78d55037819d276e4321d43b759fb063834fd6b0e494730bad35f6815c2665106a3a976e8902b58b058a09ab3d6369c56dcc16aebfa487dbf66ef318

  • SSDEEP

    6144:RloZMArIkd8g+EtXHkv/iD4av2h3tW+xdkt/qqfsCb8e1mKi:joZHL+EP8av2h3tW+xdkt/qqfPI

Malware Config

Signatures

  • Detect Umbral payload 1 IoCs
  • Umbral

    Umbral stealer is an open-source modular stealer written in C#.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Drops file in Drivers directory 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar secrets.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine the installed video card.

  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\everything.exe
    "C:\Users\Admin\AppData\Local\Temp\everything.exe"
    1⤵
    • Drops file in Drivers directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1500
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\everything.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3500
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2172
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1124
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2976
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2488
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3480
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      2⤵
      PID:4304
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:2280
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic" path win32_VideoController get name
      2⤵
      • Detects videocard installed
      PID:4240

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

      Filesize

      2KB

      MD5

      71fa55c67a762ba70e40011153e19b3c

      SHA1

      a36d2bb4802a8ec7db1a68de5f0c3d6007987492

      SHA256

      b8be6896ca89d3ebe9ee8a94e3407483f4750badaf7fa33526817cfc926dc291

      SHA512

      32760af7c05e20fec8cbddf56c2df544a69335f930f1d313cd1fdceaa90ed2afe81e54ac1b6770097d6f5ca5f30955f95970171a453579aa19239a17aaefe47f

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      944B

      MD5

      432507558b904755313d5b27a3dc271a

      SHA1

      c5f1e5c3a723f83080c38f987b289e6b08eafd70

      SHA256

      d037ed26ad6876ecaa84eaddff658fc90fa5c2e3a83822f140e11c30b6f61a07

      SHA512

      7ee8989467bd7216417600ac44244fea7249061a515396ae5860cad37b1e0167a28387b02d6e2e1dbd140e9e51fee98c6f36aa0ad559137204923374de1f5d1f

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      948B

      MD5

      17d8127be94d3c1b6fcc9a4ed585003e

      SHA1

      789874fcc7c778c723f3e89822d8cc8750c6c4c8

      SHA256

      ea357ad1f95863b3618d31e5b0f90495331f64de2b784d9e185b48668c937a7b

      SHA512

      bb18b6d07d82227f5cfbe3eb460df79ec892c560ad2964dcd4782aa26336ae15059843bf46a739bdd4a4daa58057f99102531a756a1cf434ce6449b3cd35a98e

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      548dd08570d121a65e82abb7171cae1c

      SHA1

      1a1b5084b3a78f3acd0d811cc79dbcac121217ab

      SHA256

      cdf17b8532ebcebac3cfe23954a30aa32edd268d040da79c82687e4ccb044adc

      SHA512

      37b98b09178b51eec9599af90d027d2f1028202efc1633047e16e41f1a95610984af5620baac07db085ccfcb96942aafffad17aa1f44f63233e83869dc9f697b

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      208ef39582a181fb8c043a14d824206d

      SHA1

      d0fabc499994dc11b403fef0ca1e66d831ea478e

      SHA256

      b66b9feb94f0bf97089404fd46920776ef78a80103f65ef08eb7c847d696c210

      SHA512

      5ed74b727aa712c1b9501a7ec734c82ba20d30e6c127f531b8fde9051f25882fde187ca90cfe2bb9ceb4347d41d64d76a1b098a995293fe5ca7aaa0312044ae5

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mdkxnd5n.3cf.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • memory/1500-71-0x000001AEF60F0000-0x000001AEF60FA000-memory.dmp

      Filesize

      40KB

    • memory/1500-35-0x000001AEDD9D0000-0x000001AEDD9EE000-memory.dmp

      Filesize

      120KB

    • memory/1500-90-0x00007FF9837D0000-0x00007FF984291000-memory.dmp

      Filesize

      10.8MB

    • memory/1500-72-0x000001AEF6120000-0x000001AEF6132000-memory.dmp

      Filesize

      72KB

    • memory/1500-2-0x00007FF9837D0000-0x00007FF984291000-memory.dmp

      Filesize

      10.8MB

    • memory/1500-33-0x000001AEF6140000-0x000001AEF61B6000-memory.dmp

      Filesize

      472KB

    • memory/1500-34-0x000001AEF6320000-0x000001AEF6370000-memory.dmp

      Filesize

      320KB

    • memory/1500-0-0x00007FF9837D3000-0x00007FF9837D5000-memory.dmp

      Filesize

      8KB

    • memory/1500-1-0x000001AEDBB40000-0x000001AEDBB80000-memory.dmp

      Filesize

      256KB

    • memory/3500-15-0x00007FF9837D0000-0x00007FF984291000-memory.dmp

      Filesize

      10.8MB

    • memory/3500-14-0x00007FF9837D0000-0x00007FF984291000-memory.dmp

      Filesize

      10.8MB

    • memory/3500-12-0x000001A1727C0000-0x000001A1727E2000-memory.dmp

      Filesize

      136KB

    • memory/3500-13-0x00007FF9837D0000-0x00007FF984291000-memory.dmp

      Filesize

      10.8MB

    • memory/3500-18-0x00007FF9837D0000-0x00007FF984291000-memory.dmp

      Filesize

      10.8MB