Overview

overview

10

Static

static

10

GeoLocate ...id.exe

windows7-x64

10

GeoLocate ...id.exe

windows10-2004-x64

10

GeoLocate ...te.exe

windows7-x64

3

GeoLocate ...te.exe

windows10-2004-x64

3

GeoLocate ...on.dll

windows7-x64

1

GeoLocate ...on.dll

windows10-2004-x64

1

GeoLocate ...rt.bat

windows7-x64

10

GeoLocate ...rt.bat

windows10-2004-x64

10

Analysis

  • max time kernel
    96s
  • max time network
    103s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-10-2024 21:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    GeoLocate (1)/GeoLocate/Start.bat

  • Size

    65B

  • MD5

    35fe1bc3ce269544b91a4f9d224627c6

  • SHA1

    6c84b83ed36f95b805687e5c500e44faf0d144db

  • SHA256

    6ed72f86689c84cc2f2680a99d47dd92a4dc9941ff483530814148a587e729c7

  • SHA512

    aa72112556953f27f84e1b97de54574776a5043e924caf0935fac3db4c0c6a13db4a85467f7df0755667860b591ae50252358e72374a766a93a18ecfb3ec1403

Score
10/10
umbraldiscoverystealer

Malware Config

Signatures

  • Detect Umbral payload 1 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\GeoLocate (1)\GeoLocate\Start.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4192
    • C:\Users\Admin\AppData\Local\Temp\GeoLocate (1)\GeoLocate\Src\GeoLocate.exe
      Src/GeoLocate.exe
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4984
    • C:\Users\Admin\AppData\Local\Temp\GeoLocate (1)\GeoLocate\Src\Files\skid.exe
      Src/Files/skid.exe
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3436
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1364

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3436-0-0x00007FFFC1C23000-0x00007FFFC1C25000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3436-1-0x0000029BD5B00000-0x0000029BD5B40000-memory.dmp

    Filesize

    256KB

    Download

  • memory/3436-2-0x00007FFFC1C20000-0x00007FFFC26E1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3436-7-0x00007FFFC1C20000-0x00007FFFC26E1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4984-4-0x00000000007B0000-0x00000000007B8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4984-3-0x000000007526E000-0x000000007526F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4984-5-0x0000000005050000-0x0000000005102000-memory.dmp

    Filesize

    712KB

    Download