umbral | 01e0a6ee3525d712d3d56b708914bbe5910cc2cdc3970f82d4afbac413f6142e

Analysis

max time kernel
31s
max time network
34s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
30-10-2024 08:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WindowstDriverAutoUpdater_X64.exe
Size

2.5MB
MD5

6f4f8578849ae9ac04f1038f12bc6ba5
SHA1

abac0aa5afca58e47d26139ebb3b50a64b62890c
SHA256

01e0a6ee3525d712d3d56b708914bbe5910cc2cdc3970f82d4afbac413f6142e
SHA512

9bc144713f3179cc3fbcf7531d54d77c714449b5dad1e7c9ab069a5fc14a38e360cc3c93b70018873c2da0221ddad6af3caebb8d1905e322a40d3c9693e1d25e
SSDEEP

49152:gdyk9hBIBRCpIfYU697Dmz9R6YZBbxPFii8QrPL4mgekYllV:gb9hBIBopzUsDcnBtFii8QT0mxlb

Score

10^/10

umbral discovery stealer

Malware Config

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00290000000450bd-8.dat	family_umbral
behavioral1/memory/1560-20-0x00000283CCEC0000-0x00000283CCF00000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	WindowstDriverAutoUpdater_X64.exe

Executes dropped EXE 1 IoCs

pid	Process
1560	drvupd.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
13	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WindowstDriverAutoUpdater_X64.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4816	wmic.exe
4816	wmic.exe
4816	wmic.exe
4816	wmic.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	1560	drvupd.exe
Token: SeIncreaseQuotaPrivilege	4816	wmic.exe
Token: SeSecurityPrivilege	4816	wmic.exe
Token: SeTakeOwnershipPrivilege	4816	wmic.exe
Token: SeLoadDriverPrivilege	4816	wmic.exe
Token: SeSystemProfilePrivilege	4816	wmic.exe
Token: SeSystemtimePrivilege	4816	wmic.exe
Token: SeProfSingleProcessPrivilege	4816	wmic.exe
Token: SeIncBasePriorityPrivilege	4816	wmic.exe
Token: SeCreatePagefilePrivilege	4816	wmic.exe
Token: SeBackupPrivilege	4816	wmic.exe
Token: SeRestorePrivilege	4816	wmic.exe
Token: SeShutdownPrivilege	4816	wmic.exe
Token: SeDebugPrivilege	4816	wmic.exe
Token: SeSystemEnvironmentPrivilege	4816	wmic.exe
Token: SeRemoteShutdownPrivilege	4816	wmic.exe
Token: SeUndockPrivilege	4816	wmic.exe
Token: SeManageVolumePrivilege	4816	wmic.exe
Token: 33	4816	wmic.exe
Token: 34	4816	wmic.exe
Token: 35	4816	wmic.exe
Token: 36	4816	wmic.exe
Token: SeIncreaseQuotaPrivilege	4816	wmic.exe
Token: SeSecurityPrivilege	4816	wmic.exe
Token: SeTakeOwnershipPrivilege	4816	wmic.exe
Token: SeLoadDriverPrivilege	4816	wmic.exe
Token: SeSystemProfilePrivilege	4816	wmic.exe
Token: SeSystemtimePrivilege	4816	wmic.exe
Token: SeProfSingleProcessPrivilege	4816	wmic.exe
Token: SeIncBasePriorityPrivilege	4816	wmic.exe
Token: SeCreatePagefilePrivilege	4816	wmic.exe
Token: SeBackupPrivilege	4816	wmic.exe
Token: SeRestorePrivilege	4816	wmic.exe
Token: SeShutdownPrivilege	4816	wmic.exe
Token: SeDebugPrivilege	4816	wmic.exe
Token: SeSystemEnvironmentPrivilege	4816	wmic.exe
Token: SeRemoteShutdownPrivilege	4816	wmic.exe
Token: SeUndockPrivilege	4816	wmic.exe
Token: SeManageVolumePrivilege	4816	wmic.exe
Token: 33	4816	wmic.exe
Token: 34	4816	wmic.exe
Token: 35	4816	wmic.exe
Token: 36	4816	wmic.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 240 wrote to memory of 1560	240	WindowstDriverAutoUpdater_X64.exe	82
PID 240 wrote to memory of 1560	240	WindowstDriverAutoUpdater_X64.exe	82
PID 1560 wrote to memory of 4816	1560	drvupd.exe	84
PID 1560 wrote to memory of 4816	1560	drvupd.exe	84

C:\Users\Admin\AppData\Local\Temp\WindowstDriverAutoUpdater_X64.exe
"C:\Users\Admin\AppData\Local\Temp\WindowstDriverAutoUpdater_X64.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:240
- C:\Users\Admin\AppData\Local\Temp\drvupd.exe
  "C:\Users\Admin\AppData\Local\Temp\drvupd.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1560
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\drvupd.exe

Filesize
227KB

MD5
d44c6d90bebf57892cbbf1c417f664eb

SHA1
3cac780927c51b475de8331355b634c368d4b622

SHA256
0eb0112e21bea31101f9c05eb4e737989e539dec83c96773bb0c22e48e81dae3

SHA512
f38d2f13b31b81c60791a7938ec7869cd09123dc01c3c4e88d380666072109ec64389951a433f3802534316f767daad9768aa01b6003ebc3b14928720302dbd6

Download Submit
memory/1560-19-0x00007FF8A9713000-0x00007FF8A9715000-memory.dmp

Filesize
8KB

Download
memory/1560-20-0x00000283CCEC0000-0x00000283CCF00000-memory.dmp

Filesize
256KB

Download
memory/1560-21-0x00007FF8A9710000-0x00007FF8AA1D2000-memory.dmp

Filesize
10.8MB

Download
memory/1560-23-0x00007FF8A9710000-0x00007FF8AA1D2000-memory.dmp

Filesize
10.8MB

Download