Analysis
max time kernel: 117s
max time network: 120s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 22-12-2024 12:57
Behavioral task: behavioral1
Sample: Umbral.exe
Resource: win7-20241010-en
General
Target: Umbral.exe
Size: 229KB
MD5: 6f99ad653049306925da44b34fd12011
SHA1: df5d265397a6895efa77bed1478e79784cba7954
SHA256: e14be40bad2e07456140fee37d8ca380811886c1c89b0b6e21e8b0f2a33ed663
SHA512: 89c9c171f1684cab8bd55b971cd69b9370f49d7da743f848b99d68523b89e2810ab033c4f26d539240d185186f72549bfb422b9c65cd7cf5c00f781693b569b8
SSDEEP: 6144:FloZM+rIkd8g+EtXHkv/iD4YD5JR/k4XRG/BcoN2Nb8e1mFi:HoZtL+EP8YD5JR/k4XRG/BcoNW/
Malware Config
Signatures
Detect Umbral payload (1 IoC)
resource: behavioral1/memory/2252-1-0x0000000001060000-0x00000000010A0000-memory.dmp; yara_rule: family_umbral
Umbral family
Command and Scripting Interpreter: PowerShell (1 TTP, 3 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid / Process:
- 2604 powershell.exe
- 2448 powershell.exe
- 2460 powershell.exe
Drops file in Drivers directory (1 IoC)
description / ioc / Process: File opened for modification; C:\Windows\System32\drivers\etc\hosts; Umbral.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow / ioc: 6; ip-api.com
Suspicious behavior: EnumeratesProcesses (5 IoCs)
pid / Process:
- 2252 Umbral.exe
- 2604 powershell.exe
- 2448 powershell.exe
- 2460 powershell.exe
- 2964 powershell.exe
Suspicious use of AdjustPrivilegeToken (45 IoCs)
description / pid / Process:
- Token: SeDebugPrivilege; 2252 Umbral.exe
- 2932 wmic.exe, 20 entries in this order: Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
- 2932 wmic.exe: the same 20 token entries recorded a second time in the same order
- Token: SeDebugPrivilege; 2604 powershell.exe
- Token: SeDebugPrivilege; 2448 powershell.exe
- Token: SeDebugPrivilege; 2460 powershell.exe
- Token: SeDebugPrivilege; 2964 powershell.exe
Suspicious use of WriteProcessMemory (18 IoCs)
description / pid / Process / procid_target (each entry is recorded three times):
- PID 2252 wrote to memory of 2932; 2252 Umbral.exe; 30
- PID 2252 wrote to memory of 2656; 2252 Umbral.exe; 33
- PID 2252 wrote to memory of 2604; 2252 Umbral.exe; 35
- PID 2252 wrote to memory of 2448; 2252 Umbral.exe; 37
- PID 2252 wrote to memory of 2460; 2252 Umbral.exe; 39
- PID 2252 wrote to memory of 2964; 2252 Umbral.exe; 41
Views/modifies file attributes (1 TTP, 1 IoC)
pid / Process: 2656 attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Umbral.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
  - Drops file in Drivers directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2252
  - C:\Windows\System32\Wbem\wmic.exe (depth 2)
    Command line: "wmic.exe" csproduct get uuid
    - Suspicious use of AdjustPrivilegeToken
    PID: 2932
  - C:\Windows\system32\attrib.exe (depth 2)
    Command line: "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
    - Views/modifies file attributes
    PID: 2656
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2604
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2448
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2460
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2964
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YXT2RFSPLGW2RQFWR83L.temp
  Filesize: 7KB
  MD5: ecd1faa8e1db9dd936ad1903b5a49003
  SHA1: 9862df9f23e35bad161e9354588fea0f0a59ba34
  SHA256: e6880a34b0aee8ad43c50fa7d6060a93a5bc277870df1aed84cbcfa54790e519
  SHA512: 36e1927df7db269fefd0380613c8bce9c5961872289f7e3c03f59da9e0932ae5ad74f242a573c5ffcdd7338bec524a0c7df4b863a80d8d1e28475ebf4fb13ad4