Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    02-11-2024 20:48

General

  • Target

    GTAGLoader.exe

  • Size

    229KB

  • MD5

    18cb3d1a221a079d9b499f2eec3a3e64

  • SHA1

    5fb17f7e655b5cb79be1099c8ea550ac1f5ace1f

  • SHA256

    e22bde6d04787794012e7e12ceaf1cf8fdf145f81551d90febf6a4f9c5d4e029

  • SHA512

    ca4fdb1e0bbf0d63667d5faa71f691efa4f1a629ca391665d0c361ce84876fc2fd0962b3a2c8bb8735e09931cc4401f912dece4e43f325fa8fe56b5c24630b03

  • SSDEEP

    6144:lloZM9rIkd8g+EtXHkv/iD4uNKIkqNlO+LWU1pAOqb8e1mSi:noZOL+EP8uNKIkqNlO+LWU1pAxQ

Malware Config

Signatures

  • Detect Umbral payload 1 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

  • Umbral family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Drops file in Drivers directory 1 IoCs
  • Deletes itself 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\GTAGLoader.exe
    "C:\Users\Admin\AppData\Local\Temp\GTAGLoader.exe"
    1⤵
    • Drops file in Drivers directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1992
    • C:\Windows\system32\attrib.exe
      "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\GTAGLoader.exe"
      2⤵
      • Views/modifies file attributes
      PID:2836
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\GTAGLoader.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3036
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2920
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2556
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2300
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2952
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:396
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      2⤵
        PID:1980
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:1672
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic" path win32_VideoController get name
        2⤵
        • Detects videocard installed
        PID:2296
      • C:\Windows\system32\cmd.exe
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\GTAGLoader.exe" && pause
        2⤵
        • Deletes itself
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious use of WriteProcessMemory
        PID:2460
        • C:\Windows\system32\PING.EXE
          ping localhost
          3⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2148

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

      Filesize

      7KB

      MD5

      146a82ebf1e4fabc69e2f2e163ed8e77

      SHA1

      bda0eb899c9925fbaed59b13126dc36a2e004bf9

      SHA256

      03c7c5379155ac4b198263b253fdc9463b6711623d0d3d844aa85d390c5dc3e2

      SHA512

      5b79acf8b57fc2dc2de855b540a1fb7fab18db55e7bcdfd4d1a90626bec94cb6a651ad2eea198c3cab7d371dfd0fdb9aeec4de25131858225acb6a501a85e400

    • memory/1992-1-0x00000000009D0000-0x0000000000A10000-memory.dmp

      Filesize

      256KB

    • memory/1992-2-0x000007FEF57F0000-0x000007FEF61DC000-memory.dmp

      Filesize

      9.9MB

    • memory/1992-55-0x000007FEF57F0000-0x000007FEF61DC000-memory.dmp

      Filesize

      9.9MB

    • memory/1992-0-0x000007FEF57F3000-0x000007FEF57F4000-memory.dmp

      Filesize

      4KB

    • memory/1992-46-0x000007FEF57F0000-0x000007FEF61DC000-memory.dmp

      Filesize

      9.9MB

    • memory/1992-45-0x000007FEF57F3000-0x000007FEF57F4000-memory.dmp

      Filesize

      4KB

    • memory/2920-22-0x0000000001F40000-0x0000000001F48000-memory.dmp

      Filesize

      32KB

    • memory/2920-21-0x000000001B7B0000-0x000000001BA92000-memory.dmp

      Filesize

      2.9MB

    • memory/3036-8-0x000000001B4E0000-0x000000001B7C2000-memory.dmp

      Filesize

      2.9MB

    • memory/3036-15-0x000007FEED730000-0x000007FEEE0CD000-memory.dmp

      Filesize

      9.6MB

    • memory/3036-14-0x000007FEED730000-0x000007FEEE0CD000-memory.dmp

      Filesize

      9.6MB

    • memory/3036-13-0x000007FEED730000-0x000007FEEE0CD000-memory.dmp

      Filesize

      9.6MB

    • memory/3036-12-0x000007FEED730000-0x000007FEEE0CD000-memory.dmp

      Filesize

      9.6MB

    • memory/3036-11-0x000007FEED730000-0x000007FEEE0CD000-memory.dmp

      Filesize

      9.6MB

    • memory/3036-9-0x000007FEED730000-0x000007FEEE0CD000-memory.dmp

      Filesize

      9.6MB

    • memory/3036-10-0x0000000002990000-0x0000000002998000-memory.dmp

      Filesize

      32KB

    • memory/3036-7-0x000007FEED9EE000-0x000007FEED9EF000-memory.dmp

      Filesize

      4KB