umbral | e22bde6d04787794012e7e12ceaf1cf8fdf145f81551d90febf6a4f9c5d4e029

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-11-2024 20:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GTAGLoader.exe
Size

229KB
MD5

18cb3d1a221a079d9b499f2eec3a3e64
SHA1

5fb17f7e655b5cb79be1099c8ea550ac1f5ace1f
SHA256

e22bde6d04787794012e7e12ceaf1cf8fdf145f81551d90febf6a4f9c5d4e029
SHA512

ca4fdb1e0bbf0d63667d5faa71f691efa4f1a629ca391665d0c361ce84876fc2fd0962b3a2c8bb8735e09931cc4401f912dece4e43f325fa8fe56b5c24630b03
SSDEEP

6144:lloZM9rIkd8g+EtXHkv/iD4uNKIkqNlO+LWU1pAOqb8e1mSi:noZOL+EP8uNKIkqNlO+LWU1pAxQ

Score

10^/10

umbral discovery execution spyware stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1992-1-0x00000000009D0000-0x0000000000A10000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

3036 powershell.exe
2920 powershell.exe
2556 powershell.exe
1672 powershell.exe
Drops file in Drivers directory 1 IoCs

Processes:

GTAGLoader.exe

description ioc process

File opened for modification C:\Windows\System32\drivers\etc\hosts GTAGLoader.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2460 cmd.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

8 discord.com
9 discord.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 ip-api.com
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

cmd.exePING.EXE

pid process

2460 cmd.exe
2148 PING.EXE
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

wmic.exe

pid process

2296 wmic.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2148 PING.EXE
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

3036 powershell.exe
2920 powershell.exe
2556 powershell.exe
2300 powershell.exe
1672 powershell.exe

pid	process
3036	powershell.exe
2920	powershell.exe
2556	powershell.exe
1672	powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	GTAGLoader.exe

pid	process
2460	cmd.exe

flow	ioc
8	discord.com
9	discord.com

flow	ioc
6	ip-api.com

pid	process
2460	cmd.exe
2148	PING.EXE

pid	process
2296	wmic.exe

pid	process
2148	PING.EXE

pid	process
3036	powershell.exe
2920	powershell.exe
2556	powershell.exe
2300	powershell.exe
1672	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

GTAGLoader.exepowershell.exepowershell.exepowershell.exepowershell.exewmic.exewmic.exe

description	pid	process
Token: SeDebugPrivilege	1992	GTAGLoader.exe
Token: SeDebugPrivilege	3036	powershell.exe
Token: SeDebugPrivilege	2920	powershell.exe
Token: SeDebugPrivilege	2556	powershell.exe
Token: SeDebugPrivilege	2300	powershell.exe
Token: SeIncreaseQuotaPrivilege	2952	wmic.exe
Token: SeSecurityPrivilege	2952	wmic.exe
Token: SeTakeOwnershipPrivilege	2952	wmic.exe
Token: SeLoadDriverPrivilege	2952	wmic.exe
Token: SeSystemProfilePrivilege	2952	wmic.exe
Token: SeSystemtimePrivilege	2952	wmic.exe
Token: SeProfSingleProcessPrivilege	2952	wmic.exe
Token: SeIncBasePriorityPrivilege	2952	wmic.exe
Token: SeCreatePagefilePrivilege	2952	wmic.exe
Token: SeBackupPrivilege	2952	wmic.exe
Token: SeRestorePrivilege	2952	wmic.exe
Token: SeShutdownPrivilege	2952	wmic.exe
Token: SeDebugPrivilege	2952	wmic.exe
Token: SeSystemEnvironmentPrivilege	2952	wmic.exe
Token: SeRemoteShutdownPrivilege	2952	wmic.exe
Token: SeUndockPrivilege	2952	wmic.exe
Token: SeManageVolumePrivilege	2952	wmic.exe
Token: 33	2952	wmic.exe
Token: 34	2952	wmic.exe
Token: 35	2952	wmic.exe
Token: SeIncreaseQuotaPrivilege	2952	wmic.exe
Token: SeSecurityPrivilege	2952	wmic.exe
Token: SeTakeOwnershipPrivilege	2952	wmic.exe
Token: SeLoadDriverPrivilege	2952	wmic.exe
Token: SeSystemProfilePrivilege	2952	wmic.exe
Token: SeSystemtimePrivilege	2952	wmic.exe
Token: SeProfSingleProcessPrivilege	2952	wmic.exe
Token: SeIncBasePriorityPrivilege	2952	wmic.exe
Token: SeCreatePagefilePrivilege	2952	wmic.exe
Token: SeBackupPrivilege	2952	wmic.exe
Token: SeRestorePrivilege	2952	wmic.exe
Token: SeShutdownPrivilege	2952	wmic.exe
Token: SeDebugPrivilege	2952	wmic.exe
Token: SeSystemEnvironmentPrivilege	2952	wmic.exe
Token: SeRemoteShutdownPrivilege	2952	wmic.exe
Token: SeUndockPrivilege	2952	wmic.exe
Token: SeManageVolumePrivilege	2952	wmic.exe
Token: 33	2952	wmic.exe
Token: 34	2952	wmic.exe
Token: 35	2952	wmic.exe
Token: SeIncreaseQuotaPrivilege	396	wmic.exe
Token: SeSecurityPrivilege	396	wmic.exe
Token: SeTakeOwnershipPrivilege	396	wmic.exe
Token: SeLoadDriverPrivilege	396	wmic.exe
Token: SeSystemProfilePrivilege	396	wmic.exe
Token: SeSystemtimePrivilege	396	wmic.exe
Token: SeProfSingleProcessPrivilege	396	wmic.exe
Token: SeIncBasePriorityPrivilege	396	wmic.exe
Token: SeCreatePagefilePrivilege	396	wmic.exe
Token: SeBackupPrivilege	396	wmic.exe
Token: SeRestorePrivilege	396	wmic.exe
Token: SeShutdownPrivilege	396	wmic.exe
Token: SeDebugPrivilege	396	wmic.exe
Token: SeSystemEnvironmentPrivilege	396	wmic.exe
Token: SeRemoteShutdownPrivilege	396	wmic.exe
Token: SeUndockPrivilege	396	wmic.exe
Token: SeManageVolumePrivilege	396	wmic.exe
Token: 33	396	wmic.exe
Token: 34	396	wmic.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

GTAGLoader.execmd.exe

description	pid	process	target process
PID 1992 wrote to memory of 2836	1992	GTAGLoader.exe	attrib.exe
PID 1992 wrote to memory of 2836	1992	GTAGLoader.exe	attrib.exe
PID 1992 wrote to memory of 2836	1992	GTAGLoader.exe	attrib.exe
PID 1992 wrote to memory of 3036	1992	GTAGLoader.exe	powershell.exe
PID 1992 wrote to memory of 3036	1992	GTAGLoader.exe	powershell.exe
PID 1992 wrote to memory of 3036	1992	GTAGLoader.exe	powershell.exe
PID 1992 wrote to memory of 2920	1992	GTAGLoader.exe	powershell.exe
PID 1992 wrote to memory of 2920	1992	GTAGLoader.exe	powershell.exe
PID 1992 wrote to memory of 2920	1992	GTAGLoader.exe	powershell.exe
PID 1992 wrote to memory of 2556	1992	GTAGLoader.exe	powershell.exe
PID 1992 wrote to memory of 2556	1992	GTAGLoader.exe	powershell.exe
PID 1992 wrote to memory of 2556	1992	GTAGLoader.exe	powershell.exe
PID 1992 wrote to memory of 2300	1992	GTAGLoader.exe	powershell.exe
PID 1992 wrote to memory of 2300	1992	GTAGLoader.exe	powershell.exe
PID 1992 wrote to memory of 2300	1992	GTAGLoader.exe	powershell.exe
PID 1992 wrote to memory of 2952	1992	GTAGLoader.exe	wmic.exe
PID 1992 wrote to memory of 2952	1992	GTAGLoader.exe	wmic.exe
PID 1992 wrote to memory of 2952	1992	GTAGLoader.exe	wmic.exe
PID 1992 wrote to memory of 396	1992	GTAGLoader.exe	wmic.exe
PID 1992 wrote to memory of 396	1992	GTAGLoader.exe	wmic.exe
PID 1992 wrote to memory of 396	1992	GTAGLoader.exe	wmic.exe
PID 1992 wrote to memory of 1980	1992	GTAGLoader.exe	wmic.exe
PID 1992 wrote to memory of 1980	1992	GTAGLoader.exe	wmic.exe
PID 1992 wrote to memory of 1980	1992	GTAGLoader.exe	wmic.exe
PID 1992 wrote to memory of 1672	1992	GTAGLoader.exe	powershell.exe
PID 1992 wrote to memory of 1672	1992	GTAGLoader.exe	powershell.exe
PID 1992 wrote to memory of 1672	1992	GTAGLoader.exe	powershell.exe
PID 1992 wrote to memory of 2296	1992	GTAGLoader.exe	wmic.exe
PID 1992 wrote to memory of 2296	1992	GTAGLoader.exe	wmic.exe
PID 1992 wrote to memory of 2296	1992	GTAGLoader.exe	wmic.exe
PID 1992 wrote to memory of 2460	1992	GTAGLoader.exe	cmd.exe
PID 1992 wrote to memory of 2460	1992	GTAGLoader.exe	cmd.exe
PID 1992 wrote to memory of 2460	1992	GTAGLoader.exe	cmd.exe
PID 2460 wrote to memory of 2148	2460	cmd.exe	PING.EXE
PID 2460 wrote to memory of 2148	2460	cmd.exe	PING.EXE
PID 2460 wrote to memory of 2148	2460	cmd.exe	PING.EXE

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

2836 attrib.exe

pid	process
2836	attrib.exe

C:\Users\Admin\AppData\Local\Temp\GTAGLoader.exe
"C:\Users\Admin\AppData\Local\Temp\GTAGLoader.exe"
1⤵
- Drops file in Drivers directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Windows\system32\attrib.exe
  "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\GTAGLoader.exe"
  2⤵
  - Views/modifies file attributes
  PID:2836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\GTAGLoader.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2556
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2300
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2952
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:396
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:1980
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1672
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:2296
- C:\Windows\system32\cmd.exe
  "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\GTAGLoader.exe" && pause
  2⤵
  - Deletes itself
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Windows\system32\PING.EXE
    ping localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
146a82ebf1e4fabc69e2f2e163ed8e77

SHA1
bda0eb899c9925fbaed59b13126dc36a2e004bf9

SHA256
03c7c5379155ac4b198263b253fdc9463b6711623d0d3d844aa85d390c5dc3e2

SHA512
5b79acf8b57fc2dc2de855b540a1fb7fab18db55e7bcdfd4d1a90626bec94cb6a651ad2eea198c3cab7d371dfd0fdb9aeec4de25131858225acb6a501a85e400

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1992-1-0x00000000009D0000-0x0000000000A10000-memory.dmp

Filesize
256KB

Download
memory/1992-2-0x000007FEF57F0000-0x000007FEF61DC000-memory.dmp

Filesize
9.9MB

Download
memory/1992-55-0x000007FEF57F0000-0x000007FEF61DC000-memory.dmp

Filesize
9.9MB

Download
memory/1992-0-0x000007FEF57F3000-0x000007FEF57F4000-memory.dmp

Filesize
4KB

Download
memory/1992-46-0x000007FEF57F0000-0x000007FEF61DC000-memory.dmp

Filesize
9.9MB

Download
memory/1992-45-0x000007FEF57F3000-0x000007FEF57F4000-memory.dmp

Filesize
4KB

Download
memory/2920-22-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/2920-21-0x000000001B7B0000-0x000000001BA92000-memory.dmp

Filesize
2.9MB

Download
memory/3036-8-0x000000001B4E0000-0x000000001B7C2000-memory.dmp

Filesize
2.9MB

Download
memory/3036-15-0x000007FEED730000-0x000007FEEE0CD000-memory.dmp

Filesize
9.6MB

Download
memory/3036-14-0x000007FEED730000-0x000007FEEE0CD000-memory.dmp

Filesize
9.6MB

Download
memory/3036-13-0x000007FEED730000-0x000007FEEE0CD000-memory.dmp

Filesize
9.6MB

Download
memory/3036-12-0x000007FEED730000-0x000007FEEE0CD000-memory.dmp

Filesize
9.6MB

Download
memory/3036-11-0x000007FEED730000-0x000007FEEE0CD000-memory.dmp

Filesize
9.6MB

Download
memory/3036-9-0x000007FEED730000-0x000007FEEE0CD000-memory.dmp

Filesize
9.6MB

Download
memory/3036-10-0x0000000002990000-0x0000000002998000-memory.dmp

Filesize
32KB

Download
memory/3036-7-0x000007FEED9EE000-0x000007FEED9EF000-memory.dmp

Filesize
4KB

Download