umbral | d1c9cf26181befbb8e3c53ea3b2aac37afd12d06ff9e53d42438c67a79b134c4

General

Target

SolaraFixer.7z
Size

70KB
MD5

b77e6245add9f2cb38fb2bf2a310e83c
SHA1

223c9b6e76776310a1e74e398060342263eb46ea
SHA256

d1c9cf26181befbb8e3c53ea3b2aac37afd12d06ff9e53d42438c67a79b134c4
SHA512

2e9d6545f06ef6014f6f640db3fb9bbd5d698afdec45399774fe0cd8410bd51f60961c0b04b1393975d3e08fa62de1ba2bf3de226b9724dce27dc1418b88877d
SSDEEP

1536:uRChivU97J63OL+V+8GFJj+ODdCxI1Tu7HU7rXYvePzYQ:uIis97IESHKyI1TsHUNbYQ

Score

10^/10

umbral stealer

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1299461719801991309/vrYuMDjs_n5vFmzGOfz4kp_hTyDr2VE1-rjZ8OaF0rcFRYvfnqe3C0qr56jzGH43IeT7

Signatures

Detect Umbral payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\SolaraFixer.exe	family_umbral
behavioral1/memory/3256-5-0x000001BAF12C0000-0x000001BAF1300000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral
Executes dropped EXE 3 IoCs

Processes:

SolaraFixer.exeSolaraFixer.exeSolaraFixer.exe

pid process

3256 SolaraFixer.exe
560 SolaraFixer.exe
2896 SolaraFixer.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ip-api.com

pid	process
3256	SolaraFixer.exe
560	SolaraFixer.exe
2896	SolaraFixer.exe

flow	ioc
2	ip-api.com

Modifies registry class 2 IoCs

Processes:

7zFM.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid process

3012 7zFM.exe

pid	process
3012	7zFM.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

7zFM.exeSolaraFixer.exewmic.exesvchost.exeSolaraFixer.exewmic.exe

description	pid	process
Token: SeRestorePrivilege	3012	7zFM.exe
Token: 35	3012	7zFM.exe
Token: SeSecurityPrivilege	3012	7zFM.exe
Token: SeSecurityPrivilege	3012	7zFM.exe
Token: SeDebugPrivilege	3256	SolaraFixer.exe
Token: SeIncreaseQuotaPrivilege	2220	wmic.exe
Token: SeSecurityPrivilege	2220	wmic.exe
Token: SeTakeOwnershipPrivilege	2220	wmic.exe
Token: SeLoadDriverPrivilege	2220	wmic.exe
Token: SeSystemProfilePrivilege	2220	wmic.exe
Token: SeSystemtimePrivilege	2220	wmic.exe
Token: SeProfSingleProcessPrivilege	2220	wmic.exe
Token: SeIncBasePriorityPrivilege	2220	wmic.exe
Token: SeCreatePagefilePrivilege	2220	wmic.exe
Token: SeBackupPrivilege	2220	wmic.exe
Token: SeRestorePrivilege	2220	wmic.exe
Token: SeShutdownPrivilege	2220	wmic.exe
Token: SeDebugPrivilege	2220	wmic.exe
Token: SeSystemEnvironmentPrivilege	2220	wmic.exe
Token: SeRemoteShutdownPrivilege	2220	wmic.exe
Token: SeUndockPrivilege	2220	wmic.exe
Token: SeManageVolumePrivilege	2220	wmic.exe
Token: 33	2220	wmic.exe
Token: 34	2220	wmic.exe
Token: 35	2220	wmic.exe
Token: 36	2220	wmic.exe
Token: SeIncreaseQuotaPrivilege	2220	wmic.exe
Token: SeSecurityPrivilege	2220	wmic.exe
Token: SeTakeOwnershipPrivilege	2220	wmic.exe
Token: SeLoadDriverPrivilege	2220	wmic.exe
Token: SeSystemProfilePrivilege	2220	wmic.exe
Token: SeSystemtimePrivilege	2220	wmic.exe
Token: SeProfSingleProcessPrivilege	2220	wmic.exe
Token: SeIncBasePriorityPrivilege	2220	wmic.exe
Token: SeCreatePagefilePrivilege	2220	wmic.exe
Token: SeBackupPrivilege	2220	wmic.exe
Token: SeRestorePrivilege	2220	wmic.exe
Token: SeShutdownPrivilege	2220	wmic.exe
Token: SeDebugPrivilege	2220	wmic.exe
Token: SeSystemEnvironmentPrivilege	2220	wmic.exe
Token: SeRemoteShutdownPrivilege	2220	wmic.exe
Token: SeUndockPrivilege	2220	wmic.exe
Token: SeManageVolumePrivilege	2220	wmic.exe
Token: 33	2220	wmic.exe
Token: 34	2220	wmic.exe
Token: 35	2220	wmic.exe
Token: 36	2220	wmic.exe
Token: SeBackupPrivilege	4432	svchost.exe
Token: SeRestorePrivilege	4432	svchost.exe
Token: SeSecurityPrivilege	4432	svchost.exe
Token: SeTakeOwnershipPrivilege	4432	svchost.exe
Token: 35	4432	svchost.exe
Token: SeDebugPrivilege	560	SolaraFixer.exe
Token: SeIncreaseQuotaPrivilege	3612	wmic.exe
Token: SeSecurityPrivilege	3612	wmic.exe
Token: SeTakeOwnershipPrivilege	3612	wmic.exe
Token: SeLoadDriverPrivilege	3612	wmic.exe
Token: SeSystemProfilePrivilege	3612	wmic.exe
Token: SeSystemtimePrivilege	3612	wmic.exe
Token: SeProfSingleProcessPrivilege	3612	wmic.exe
Token: SeIncBasePriorityPrivilege	3612	wmic.exe
Token: SeCreatePagefilePrivilege	3612	wmic.exe
Token: SeBackupPrivilege	3612	wmic.exe
Token: SeRestorePrivilege	3612	wmic.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

7zFM.exe

pid process

3012 7zFM.exe
3012 7zFM.exe
3012 7zFM.exe

pid	process
3012	7zFM.exe
3012	7zFM.exe
3012	7zFM.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

SolaraFixer.exeSolaraFixer.exeSolaraFixer.exe

description	pid	process	target process
PID 3256 wrote to memory of 2220	3256	SolaraFixer.exe	wmic.exe
PID 3256 wrote to memory of 2220	3256	SolaraFixer.exe	wmic.exe
PID 560 wrote to memory of 3612	560	SolaraFixer.exe	wmic.exe
PID 560 wrote to memory of 3612	560	SolaraFixer.exe	wmic.exe
PID 2896 wrote to memory of 2652	2896	SolaraFixer.exe	wmic.exe
PID 2896 wrote to memory of 2652	2896	SolaraFixer.exe	wmic.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\SolaraFixer.7z"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3012

C:\Users\Admin\Desktop\SolaraFixer.exe
"C:\Users\Admin\Desktop\SolaraFixer.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3256
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2220

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4432

C:\Users\Admin\Desktop\SolaraFixer.exe
"C:\Users\Admin\Desktop\SolaraFixer.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:560
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3612

C:\Users\Admin\Desktop\SolaraFixer.exe
"C:\Users\Admin\Desktop\SolaraFixer.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:2652

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SolaraFixer.exe.log

Filesize
1KB

MD5
02df789e3c730b309fc4d9abce5d729b

SHA1
4f9da0f0d4cadacfd0f68fb1f7ee73a66dcf1b4e

SHA256
4afabcd1723096359d90c8f32df7a6a44cd866e89d5b37c89280bfeab61d7321

SHA512
7ac0dd7e3a3e483d07409da793dd2b0915d4369fe41fe743acd82de9aa77b9fa7ea5cd60498034f3fa0674d93d184c9128375d8f7f0796fddecff3845fca8587

Download Submit
C:\Users\Admin\Desktop\SolaraFixer.exe

Filesize
231KB

MD5
8bef46b57ddddec3d0d140f6f8d4b68e

SHA1
549b51f7d1106f186de8d3594d55dcac22a6f8fc

SHA256
360d3cef3d330c1930e318277939ab1c7db6c969f23be5d385b93f5faef3b4d2

SHA512
5e9442c00355f5aea64b787658e7b390e5f53d1709bb4ce951db3e363b91fde46cd70d2262ddd9d06c1e21a72a2728821065d87c213ce86020a620ba468458f7

Download Submit
memory/3256-4-0x00007FFC14FC3000-0x00007FFC14FC5000-memory.dmp

Filesize
8KB

Download
memory/3256-5-0x000001BAF12C0000-0x000001BAF1300000-memory.dmp

Filesize
256KB

Download
memory/3256-6-0x00007FFC14FC0000-0x00007FFC15A82000-memory.dmp

Filesize
10.8MB

Download
memory/3256-8-0x00007FFC14FC0000-0x00007FFC15A82000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads