Overview

overview

10

Static

static

10

selfbott.exe

windows7-x64

10

selfbott.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    30-11-2024 13:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    selfbott.exe

  • Size

    227KB

  • MD5

    e8bf31ef50755a97e720a2272bc2d982

  • SHA1

    7d99287c32962fcb643916817a1f97dde5eeb13b

  • SHA256

    864825be054e1dd6ff62defe866c25c03961ef221975f386fe5385c8de6f8ce6

  • SHA512

    27cf74d9f73677f449cc9bd80d3edaa99b12d8a225e067237caa616aaf85012925a13da3eb6512fbf762e0dc765f85fb76dc5fffe9eff9f7a3aab4733cd35d94

  • SSDEEP

    6144:eloZM9rIkd8g+EtXHkv/iD49gXDR/k4XKG/BcoNgdb8e1m9i:IoZOL+EP89gXDR/k4XKG/BcoNAH

Score
10/10
umbraldiscoveryexecutionspywarestealer

Malware Config

Signatures

  • Detect Umbral payload 1 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Umbral family
    umbral
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Using powershell.exe command.

    execution
  • Drops file in Drivers directory 1 IoCs
  • Deletes itself 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\selfbott.exe
    "C:\Users\Admin\AppData\Local\Temp\selfbott.exe"
    1⤵
    • Drops file in Drivers directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2072
    • C:\Windows\system32\attrib.exe
      "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\selfbott.exe"
      2⤵
      • Views/modifies file attributes
      PID:2268
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\selfbott.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2488
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2248
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2844
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2452
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2816
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1340
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      2⤵
        PID:668
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:1744
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic" path win32_VideoController get name
        2⤵
        • Detects videocard installed
        PID:1772
      • C:\Windows\system32\cmd.exe
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\selfbott.exe" && pause
        2⤵
        • Deletes itself
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious use of WriteProcessMemory
        PID:1960
        • C:\Windows\system32\PING.EXE
          ping localhost
          3⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2260

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      dbec8d69e3bdaf738d20b10032cd6d4d

      SHA1

      a4af1d14861b32e7019ff77f47b512526b49417c

      SHA256

      5630c11a6c6f350dd37ebd0e5828a9346b227949e5e827b4add66ee5e364a8ce

      SHA512

      be5d34e5d9da8731bb41e0132f56c1220c8b5388a433658539fa18c94747bd12c6023e1b8a7774fcbfa973f0541f49006042f1f012444c1044c42f6af44b9cd6

      Download Submit

    • memory/2072-1-0x0000000001120000-0x0000000001160000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2072-2-0x000007FEF5A00000-0x000007FEF63EC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2072-53-0x000007FEF5A00000-0x000007FEF63EC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2072-0-0x000007FEF5A03000-0x000007FEF5A04000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2248-22-0x0000000002810000-0x0000000002818000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2248-21-0x000000001B530000-0x000000001B812000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2488-9-0x000007FEED7E0000-0x000007FEEE17D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2488-13-0x000007FEED7E0000-0x000007FEEE17D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2488-14-0x000007FEED7E0000-0x000007FEEE17D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2488-15-0x000007FEED7E0000-0x000007FEEE17D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2488-10-0x00000000026E0000-0x00000000026E8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2488-11-0x000007FEED7E0000-0x000007FEEE17D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2488-12-0x000007FEED7E0000-0x000007FEEE17D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2488-8-0x000000001B540000-0x000000001B822000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2488-7-0x000007FEEDA9E000-0x000007FEEDA9F000-memory.dmp

      Filesize

      4KB

      Download