Overview

overview

10

Static

static

10

botCreator.exe

windows7-x64

10

botCreator.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    58s
  • max time network
    55s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-09-2024 15:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    botCreator.exe

  • Size

    488KB

  • MD5

    668d42a2877f3c06ca17a413325174d4

  • SHA1

    697e43404eb5e6a36f529cdd96321956ac809b3e

  • SHA256

    4c19159d4f39a778bc189a23249cbb1f3985e8203dea388aaffb0493c64d7763

  • SHA512

    b475b3e505d76e99f0d3de5214633749cfb62b724a71797440a383ddc08c6e8b82ca9dfa411a2c8c8cec7e5aa10c24d9d8b8dea31fb20d2b58e73de1f43962ed

  • SSDEEP

    12288:WoZ1tlRk83MlrfFwiAfboTxUyzzq4HRPVgk9dRv/:f5r3YFwiAfboTxUyzzq4xPVP

Score
10/10
umbraldiscoverystealer

Malware Config

Signatures

  • Detect Umbral payload 1 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\botCreator.exe
    "C:\Users\Admin\AppData\Local\Temp\botCreator.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1844
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3516
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4156,i,9445584274764997943,12714240264001792460,262144 --variations-seed-version --mojo-platform-channel-handle=4032 /prefetch:8
    1⤵
      PID:4636
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      1⤵
        PID:5044
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --field-trial-handle=5092,i,9445584274764997943,12714240264001792460,262144 --variations-seed-version --mojo-platform-channel-handle=4016 /prefetch:1
        1⤵
          PID:2360
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --field-trial-handle=4652,i,9445584274764997943,12714240264001792460,262144 --variations-seed-version --mojo-platform-channel-handle=3820 /prefetch:1
          1⤵
            PID:3028
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --field-trial-handle=5284,i,9445584274764997943,12714240264001792460,262144 --variations-seed-version --mojo-platform-channel-handle=5376 /prefetch:1
            1⤵
              PID:3292
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=5512,i,9445584274764997943,12714240264001792460,262144 --variations-seed-version --mojo-platform-channel-handle=5524 /prefetch:8
              1⤵
                PID:4296
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=5532,i,9445584274764997943,12714240264001792460,262144 --variations-seed-version --mojo-platform-channel-handle=5672 /prefetch:8
                1⤵
                  PID:2232
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=6040,i,9445584274764997943,12714240264001792460,262144 --variations-seed-version --mojo-platform-channel-handle=6020 /prefetch:1
                  1⤵
                    PID:2936
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=5556,i,9445584274764997943,12714240264001792460,262144 --variations-seed-version --mojo-platform-channel-handle=6092 /prefetch:1
                    1⤵
                      PID:5000
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
                      1⤵
                      • Enumerates system info in registry
                      • Modifies data under HKEY_USERS
                      • Modifies registry class
                      • Suspicious use of WriteProcessMemory
                      PID:3864
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=127.0.6533.89 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=127.0.2651.86 --initial-client-data=0x238,0x23c,0x240,0x234,0x25c,0x7ffe9823d198,0x7ffe9823d1a4,0x7ffe9823d1b0
                        2⤵
                          PID:656
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2320,i,13171512771088853267,1235402282355803579,262144 --variations-seed-version --mojo-platform-channel-handle=2312 /prefetch:2
                          2⤵
                            PID:1956
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=1972,i,13171512771088853267,1235402282355803579,262144 --variations-seed-version --mojo-platform-channel-handle=2348 /prefetch:3
                            2⤵
                              PID:456
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --field-trial-handle=2452,i,13171512771088853267,1235402282355803579,262144 --variations-seed-version --mojo-platform-channel-handle=2464 /prefetch:8
                              2⤵
                                PID:2388
                              • C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=4492,i,13171512771088853267,1235402282355803579,262144 --variations-seed-version --mojo-platform-channel-handle=4516 /prefetch:8
                                2⤵
                                  PID:2396
                                • C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=4492,i,13171512771088853267,1235402282355803579,262144 --variations-seed-version --mojo-platform-channel-handle=4516 /prefetch:8
                                  2⤵
                                    PID:2640
                                • C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\elevation_service.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\elevation_service.exe"
                                  1⤵
                                    PID:1152

                                  Network

                                  MITRE ATT&CK Enterprise v15

                                  Replay Monitor

                                  Loading Replay Monitor...

                                  Downloads

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json
                                    Filesize

                                    2B

                                    MD5

                                    99914b932bd37a50b983c5e7c90ae93b

                                    SHA1

                                    bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

                                    SHA256

                                    44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

                                    SHA512

                                    27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports
                                    Filesize

                                    2B

                                    MD5

                                    d751713988987e9331980363e24189ce

                                    SHA1

                                    97d170e1550eee4afc0af065b78cda302a97674c

                                    SHA256

                                    4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                                    SHA512

                                    b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries
                                    Filesize

                                    40B

                                    MD5

                                    20d4b8fa017a12a108c87f540836e250

                                    SHA1

                                    1ac617fac131262b6d3ce1f52f5907e31d5f6f00

                                    SHA256

                                    6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

                                    SHA512

                                    507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
                                    Filesize

                                    30KB

                                    MD5

                                    7446ea74d4a16c619c8036e00fbe2831

                                    SHA1

                                    c1750a1901f2fa4823c210cbb53e65a5bcaacb4e

                                    SHA256

                                    1f9e91bdbf9753e145ec2c645485cb16d505c252ac1467a05724f3c6ed5bfc11

                                    SHA512

                                    51cb06c6a4ae3278612e2ba93834dc57af522fd5b04bc32d515283fb390849ec1cb7a94867224e255b32bc08c2b08da79c7a395404fb6d9abc08af5e767726cf

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\c98c9ac4-95b6-48fa-9344-817e921de2c6.tmp
                                    Filesize

                                    11KB

                                    MD5

                                    d2046537913711354254be5edece4ed0

                                    SHA1

                                    a4b03ebc549199b94ebda927593364a801cd68c2

                                    SHA256

                                    3350ddcbeeba120b111a6591f5ebfd9b5c6a472183d59714393133c24217ee16

                                    SHA512

                                    20e997d594aef9d7c506c1eef6d6926f887ba1585c0cce483a7f0a32b9ca931426db1ec2a1ffe26bae2c3fe175e62b2e4d24d0a3e15f1edd361b0887ffc52007

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                    Filesize

                                    60KB

                                    MD5

                                    e37e905614bc992d5a5b970539cbdae1

                                    SHA1

                                    aadaa0a0bf173b29ad13df7350d4e0e0cf3d18e4

                                    SHA256

                                    4c25cd138000bdd49d14bc8a1ab256ece23082ed492510d3fced9138e6851f05

                                    SHA512

                                    9b7a51fa567731521eea3fdfa23795531a787ba9d4faffe89ed6d99dbaf7f0c0cd0a96b16dbf9f69661ff5a706ae122fbefbf4165fdb7b27dbe82da40251b4f4

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                    Filesize

                                    64KB

                                    MD5

                                    c538706fb77d045bafea1c05c9b04483

                                    SHA1

                                    40776507fd4acf517223a3a327c8df64c2194570

                                    SHA256

                                    c4b8e0e139b9c6e08b48c61a1cc2c1d5ca8b76534c93744ffcbeaab73b7a14cc

                                    SHA512

                                    b073330d5047e2c4554a7fa6be7ed0f338e085ba5168c914168ad3ad0648e22a8f0f8179ad34b6607f222db16fb168d135295ad846a1d5a038548dcb46e65af1

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                    Filesize

                                    60KB

                                    MD5

                                    282c398445f8b78a08f6d82bcf0bea44

                                    SHA1

                                    383d4596d4e04640cc1e1e76159ab02af1d6a39e

                                    SHA256

                                    15a354c1627e7a035914163c803e5de6f8cd6c551575d707dd83be0fdba4f614

                                    SHA512

                                    f658e9dd49c1b8150881c2b8b1037ccb6ba745948888facc96d4877cb08d096f0ffab0ca73f1d1ac5d059eabd1ac443c907fc2984934aa2d3b02de3d4683137c

                                    Download Submit

                                  • memory/1844-1-0x0000024423E00000-0x0000024423E80000-memory.dmp

                                    Filesize

                                    512KB

                                    Download

                                  • memory/1844-5-0x00007FFEA0390000-0x00007FFEA0E51000-memory.dmp

                                    Filesize

                                    10.8MB

                                    Download

                                  • memory/1844-4-0x000002443E430000-0x000002443E532000-memory.dmp

                                    Filesize

                                    1.0MB

                                    Download

                                  • memory/1844-2-0x00007FFEA0390000-0x00007FFEA0E51000-memory.dmp

                                    Filesize

                                    10.8MB

                                    Download

                                  • memory/1844-0-0x00007FFEA0393000-0x00007FFEA0395000-memory.dmp

                                    Filesize

                                    8KB

                                    Download