umbral | b605c1dc4ebfc6fa7b93c1c37833114e37cc150f6ea3d1c19696116b44231558

Analysis

max time kernel
16s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03/12/2024, 21:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b605c1dc4ebfc6fa7b93c1c37833114e37cc150f6ea3d1c19696116b44231558.exe
Size

502KB
MD5

3eeeb1f49079f046982efdbb06982a44
SHA1

fedc3f54f621cd91d88677371386c7c6c26743c1
SHA256

b605c1dc4ebfc6fa7b93c1c37833114e37cc150f6ea3d1c19696116b44231558
SHA512

829a085c012b8dbcd6c215a48b371b41171b75f3943aaac2dec50c7912f6b85d072eeaf5c6ebb997666dfec0cf3c038f249eb5c0dd516bc7a4c771384d6fee91
SSDEEP

12288:PyveQB/fTHIGaPkKEYzURNAwbAg3/iBsNC3v6R/ZL:PuDXTIGaPhEYzUzA0cBf3CNp

Score

10^/10

umbral execution spyware stealer

Malware Config

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x001000000001866e-4.dat	family_umbral
behavioral1/memory/2548-12-0x0000000001190000-0x00000000011D4000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2392	powershell.exe
2120	powershell.exe
1068	powershell.exe
2132	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Nursultan Release.exe

Executes dropped EXE 1 IoCs

pid	Process
2548	Nursultan Release.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
9	discord.com
10	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1280	wmic.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2548	Nursultan Release.exe
2392	powershell.exe
2120	powershell.exe
1068	powershell.exe
2948	powershell.exe
2132	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2548	Nursultan Release.exe
Token: SeIncreaseQuotaPrivilege	2544	wmic.exe
Token: SeSecurityPrivilege	2544	wmic.exe
Token: SeTakeOwnershipPrivilege	2544	wmic.exe
Token: SeLoadDriverPrivilege	2544	wmic.exe
Token: SeSystemProfilePrivilege	2544	wmic.exe
Token: SeSystemtimePrivilege	2544	wmic.exe
Token: SeProfSingleProcessPrivilege	2544	wmic.exe
Token: SeIncBasePriorityPrivilege	2544	wmic.exe
Token: SeCreatePagefilePrivilege	2544	wmic.exe
Token: SeBackupPrivilege	2544	wmic.exe
Token: SeRestorePrivilege	2544	wmic.exe
Token: SeShutdownPrivilege	2544	wmic.exe
Token: SeDebugPrivilege	2544	wmic.exe
Token: SeSystemEnvironmentPrivilege	2544	wmic.exe
Token: SeRemoteShutdownPrivilege	2544	wmic.exe
Token: SeUndockPrivilege	2544	wmic.exe
Token: SeManageVolumePrivilege	2544	wmic.exe
Token: 33	2544	wmic.exe
Token: 34	2544	wmic.exe
Token: 35	2544	wmic.exe
Token: SeIncreaseQuotaPrivilege	2544	wmic.exe
Token: SeSecurityPrivilege	2544	wmic.exe
Token: SeTakeOwnershipPrivilege	2544	wmic.exe
Token: SeLoadDriverPrivilege	2544	wmic.exe
Token: SeSystemProfilePrivilege	2544	wmic.exe
Token: SeSystemtimePrivilege	2544	wmic.exe
Token: SeProfSingleProcessPrivilege	2544	wmic.exe
Token: SeIncBasePriorityPrivilege	2544	wmic.exe
Token: SeCreatePagefilePrivilege	2544	wmic.exe
Token: SeBackupPrivilege	2544	wmic.exe
Token: SeRestorePrivilege	2544	wmic.exe
Token: SeShutdownPrivilege	2544	wmic.exe
Token: SeDebugPrivilege	2544	wmic.exe
Token: SeSystemEnvironmentPrivilege	2544	wmic.exe
Token: SeRemoteShutdownPrivilege	2544	wmic.exe
Token: SeUndockPrivilege	2544	wmic.exe
Token: SeManageVolumePrivilege	2544	wmic.exe
Token: 33	2544	wmic.exe
Token: 34	2544	wmic.exe
Token: 35	2544	wmic.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	2120	powershell.exe
Token: SeDebugPrivilege	1068	powershell.exe
Token: SeDebugPrivilege	2948	powershell.exe
Token: SeIncreaseQuotaPrivilege	1328	wmic.exe
Token: SeSecurityPrivilege	1328	wmic.exe
Token: SeTakeOwnershipPrivilege	1328	wmic.exe
Token: SeLoadDriverPrivilege	1328	wmic.exe
Token: SeSystemProfilePrivilege	1328	wmic.exe
Token: SeSystemtimePrivilege	1328	wmic.exe
Token: SeProfSingleProcessPrivilege	1328	wmic.exe
Token: SeIncBasePriorityPrivilege	1328	wmic.exe
Token: SeCreatePagefilePrivilege	1328	wmic.exe
Token: SeBackupPrivilege	1328	wmic.exe
Token: SeRestorePrivilege	1328	wmic.exe
Token: SeShutdownPrivilege	1328	wmic.exe
Token: SeDebugPrivilege	1328	wmic.exe
Token: SeSystemEnvironmentPrivilege	1328	wmic.exe
Token: SeRemoteShutdownPrivilege	1328	wmic.exe
Token: SeUndockPrivilege	1328	wmic.exe
Token: SeManageVolumePrivilege	1328	wmic.exe
Token: 33	1328	wmic.exe
Token: 34	1328	wmic.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 2548	2644	b605c1dc4ebfc6fa7b93c1c37833114e37cc150f6ea3d1c19696116b44231558.exe	30
PID 2644 wrote to memory of 2548	2644	b605c1dc4ebfc6fa7b93c1c37833114e37cc150f6ea3d1c19696116b44231558.exe	30
PID 2644 wrote to memory of 2548	2644	b605c1dc4ebfc6fa7b93c1c37833114e37cc150f6ea3d1c19696116b44231558.exe	30
PID 2548 wrote to memory of 2544	2548	Nursultan Release.exe	31
PID 2548 wrote to memory of 2544	2548	Nursultan Release.exe	31
PID 2548 wrote to memory of 2544	2548	Nursultan Release.exe	31
PID 2548 wrote to memory of 2392	2548	Nursultan Release.exe	34
PID 2548 wrote to memory of 2392	2548	Nursultan Release.exe	34
PID 2548 wrote to memory of 2392	2548	Nursultan Release.exe	34
PID 2548 wrote to memory of 2120	2548	Nursultan Release.exe	36
PID 2548 wrote to memory of 2120	2548	Nursultan Release.exe	36
PID 2548 wrote to memory of 2120	2548	Nursultan Release.exe	36
PID 2548 wrote to memory of 1068	2548	Nursultan Release.exe	38
PID 2548 wrote to memory of 1068	2548	Nursultan Release.exe	38
PID 2548 wrote to memory of 1068	2548	Nursultan Release.exe	38
PID 2548 wrote to memory of 2948	2548	Nursultan Release.exe	40
PID 2548 wrote to memory of 2948	2548	Nursultan Release.exe	40
PID 2548 wrote to memory of 2948	2548	Nursultan Release.exe	40
PID 2548 wrote to memory of 1328	2548	Nursultan Release.exe	42
PID 2548 wrote to memory of 1328	2548	Nursultan Release.exe	42
PID 2548 wrote to memory of 1328	2548	Nursultan Release.exe	42
PID 2548 wrote to memory of 592	2548	Nursultan Release.exe	44
PID 2548 wrote to memory of 592	2548	Nursultan Release.exe	44
PID 2548 wrote to memory of 592	2548	Nursultan Release.exe	44
PID 2548 wrote to memory of 2308	2548	Nursultan Release.exe	46
PID 2548 wrote to memory of 2308	2548	Nursultan Release.exe	46
PID 2548 wrote to memory of 2308	2548	Nursultan Release.exe	46
PID 2548 wrote to memory of 2132	2548	Nursultan Release.exe	48
PID 2548 wrote to memory of 2132	2548	Nursultan Release.exe	48
PID 2548 wrote to memory of 2132	2548	Nursultan Release.exe	48
PID 2548 wrote to memory of 1280	2548	Nursultan Release.exe	50
PID 2548 wrote to memory of 1280	2548	Nursultan Release.exe	50
PID 2548 wrote to memory of 1280	2548	Nursultan Release.exe	50

C:\Users\Admin\AppData\Local\Temp\b605c1dc4ebfc6fa7b93c1c37833114e37cc150f6ea3d1c19696116b44231558.exe
"C:\Users\Admin\AppData\Local\Temp\b605c1dc4ebfc6fa7b93c1c37833114e37cc150f6ea3d1c19696116b44231558.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nursultan Release.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nursultan Release.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2544
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nursultan Release.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2392
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2120
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1068
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2948
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1328
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:592
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:2308
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2132
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nursultan Release.exe

Filesize
246KB

MD5
99b33e9bb4fb78746843fda390f94316

SHA1
dc37eb3c93711038d85cfc8fd0327668b1b7c78f

SHA256
5a73c5b79ca140f97de95c714e0570df2a64cc9c94eead78eb7878fc37542f48

SHA512
6c14e5dcc3b3a688da5aa36b9bdfa5ff51e18cd6543c83e5029bc077d7039b14e3c63cc48981f63b2593a586c006dcae044a4e68b6782c9fd4a0e5f5abf4bfde

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
bceb901da552596e79273971eb315865

SHA1
7e835511f9182591fdf4b82ee732917fa81dfc78

SHA256
ab4f4cdec1ef7154c4383d698b9b77d65f3b6e324ffc99f5c89f49cb1d7872cd

SHA512
fb7dd5392f12afeedc7d7fb74b5cfa47c2d1dd1f8f9d64209ba550d7b8e3900a1a8a471c66ef3093c8a2c98ced3374652ff18cd4baf87547592443d2e5b18b9f

Download Submit
memory/2120-25-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/2120-26-0x00000000026F0000-0x00000000026F8000-memory.dmp

Filesize
32KB

Download
memory/2132-54-0x00000000004F0000-0x00000000004F8000-memory.dmp

Filesize
32KB

Download
memory/2392-18-0x000000001B440000-0x000000001B722000-memory.dmp

Filesize
2.9MB

Download
memory/2392-19-0x0000000002970000-0x0000000002978000-memory.dmp

Filesize
32KB

Download
memory/2548-11-0x000007FEF6233000-0x000007FEF6234000-memory.dmp

Filesize
4KB

Download
memory/2548-12-0x0000000001190000-0x00000000011D4000-memory.dmp

Filesize
272KB

Download
memory/2548-13-0x000007FEF6230000-0x000007FEF6C1C000-memory.dmp

Filesize
9.9MB

Download
memory/2548-58-0x000007FEF6230000-0x000007FEF6C1C000-memory.dmp

Filesize
9.9MB

Download