umbral | 46a67cdc899f61ccb6324d187d56b389f720d72beb02594fd60fdc4a8ca62ab4

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
30-12-2024 23:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Fizzy Loader.exe
Size

229KB
MD5

b56af795f8b7edc6f35a9e905921ed0e
SHA1

c82cb0088bc9c93fd9a491ad278f410d44265a4d
SHA256

46a67cdc899f61ccb6324d187d56b389f720d72beb02594fd60fdc4a8ca62ab4
SHA512

c35b429e243845337903fa5cc6853c6921514b2fcd84e7788607aa47414be9b2101c8b87acd1766666daa7fc0cdd2b7a5be19ac5754db8f12c3e262ea792f9c6
SSDEEP

6144:dloZM+rIkd8g+EtXHkv/iD4M7+QWRJ6RvSgR1E9/gF8e1mfIi:/oZtL+EP8M7+QWRJ6RvSgR1Ecqx

Score

10^/10

umbral discovery execution spyware stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral1/memory/2848-1-0x0000000000340000-0x0000000000380000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3016	powershell.exe
2580	powershell.exe
2928	powershell.exe
580	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Fizzy Loader.exe

Deletes itself 1 IoCs

pid	Process
444	cmd.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
9	discord.com
10	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ip-api.com

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
444	cmd.exe
2132	PING.EXE

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2176	wmic.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2132	PING.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2848	Fizzy Loader.exe
3016	powershell.exe
2580	powershell.exe
2928	powershell.exe
2292	powershell.exe
580	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2848	Fizzy Loader.exe
Token: SeIncreaseQuotaPrivilege	2744	wmic.exe
Token: SeSecurityPrivilege	2744	wmic.exe
Token: SeTakeOwnershipPrivilege	2744	wmic.exe
Token: SeLoadDriverPrivilege	2744	wmic.exe
Token: SeSystemProfilePrivilege	2744	wmic.exe
Token: SeSystemtimePrivilege	2744	wmic.exe
Token: SeProfSingleProcessPrivilege	2744	wmic.exe
Token: SeIncBasePriorityPrivilege	2744	wmic.exe
Token: SeCreatePagefilePrivilege	2744	wmic.exe
Token: SeBackupPrivilege	2744	wmic.exe
Token: SeRestorePrivilege	2744	wmic.exe
Token: SeShutdownPrivilege	2744	wmic.exe
Token: SeDebugPrivilege	2744	wmic.exe
Token: SeSystemEnvironmentPrivilege	2744	wmic.exe
Token: SeRemoteShutdownPrivilege	2744	wmic.exe
Token: SeUndockPrivilege	2744	wmic.exe
Token: SeManageVolumePrivilege	2744	wmic.exe
Token: 33	2744	wmic.exe
Token: 34	2744	wmic.exe
Token: 35	2744	wmic.exe
Token: SeIncreaseQuotaPrivilege	2744	wmic.exe
Token: SeSecurityPrivilege	2744	wmic.exe
Token: SeTakeOwnershipPrivilege	2744	wmic.exe
Token: SeLoadDriverPrivilege	2744	wmic.exe
Token: SeSystemProfilePrivilege	2744	wmic.exe
Token: SeSystemtimePrivilege	2744	wmic.exe
Token: SeProfSingleProcessPrivilege	2744	wmic.exe
Token: SeIncBasePriorityPrivilege	2744	wmic.exe
Token: SeCreatePagefilePrivilege	2744	wmic.exe
Token: SeBackupPrivilege	2744	wmic.exe
Token: SeRestorePrivilege	2744	wmic.exe
Token: SeShutdownPrivilege	2744	wmic.exe
Token: SeDebugPrivilege	2744	wmic.exe
Token: SeSystemEnvironmentPrivilege	2744	wmic.exe
Token: SeRemoteShutdownPrivilege	2744	wmic.exe
Token: SeUndockPrivilege	2744	wmic.exe
Token: SeManageVolumePrivilege	2744	wmic.exe
Token: 33	2744	wmic.exe
Token: 34	2744	wmic.exe
Token: 35	2744	wmic.exe
Token: SeDebugPrivilege	3016	powershell.exe
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	2292	powershell.exe
Token: SeIncreaseQuotaPrivilege	2824	wmic.exe
Token: SeSecurityPrivilege	2824	wmic.exe
Token: SeTakeOwnershipPrivilege	2824	wmic.exe
Token: SeLoadDriverPrivilege	2824	wmic.exe
Token: SeSystemProfilePrivilege	2824	wmic.exe
Token: SeSystemtimePrivilege	2824	wmic.exe
Token: SeProfSingleProcessPrivilege	2824	wmic.exe
Token: SeIncBasePriorityPrivilege	2824	wmic.exe
Token: SeCreatePagefilePrivilege	2824	wmic.exe
Token: SeBackupPrivilege	2824	wmic.exe
Token: SeRestorePrivilege	2824	wmic.exe
Token: SeShutdownPrivilege	2824	wmic.exe
Token: SeDebugPrivilege	2824	wmic.exe
Token: SeSystemEnvironmentPrivilege	2824	wmic.exe
Token: SeRemoteShutdownPrivilege	2824	wmic.exe
Token: SeUndockPrivilege	2824	wmic.exe
Token: SeManageVolumePrivilege	2824	wmic.exe
Token: 33	2824	wmic.exe
Token: 34	2824	wmic.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 2744	2848	Fizzy Loader.exe	31
PID 2848 wrote to memory of 2744	2848	Fizzy Loader.exe	31
PID 2848 wrote to memory of 2744	2848	Fizzy Loader.exe	31
PID 2848 wrote to memory of 1352	2848	Fizzy Loader.exe	34
PID 2848 wrote to memory of 1352	2848	Fizzy Loader.exe	34
PID 2848 wrote to memory of 1352	2848	Fizzy Loader.exe	34
PID 2848 wrote to memory of 3016	2848	Fizzy Loader.exe	36
PID 2848 wrote to memory of 3016	2848	Fizzy Loader.exe	36
PID 2848 wrote to memory of 3016	2848	Fizzy Loader.exe	36
PID 2848 wrote to memory of 2580	2848	Fizzy Loader.exe	38
PID 2848 wrote to memory of 2580	2848	Fizzy Loader.exe	38
PID 2848 wrote to memory of 2580	2848	Fizzy Loader.exe	38
PID 2848 wrote to memory of 2928	2848	Fizzy Loader.exe	40
PID 2848 wrote to memory of 2928	2848	Fizzy Loader.exe	40
PID 2848 wrote to memory of 2928	2848	Fizzy Loader.exe	40
PID 2848 wrote to memory of 2292	2848	Fizzy Loader.exe	42
PID 2848 wrote to memory of 2292	2848	Fizzy Loader.exe	42
PID 2848 wrote to memory of 2292	2848	Fizzy Loader.exe	42
PID 2848 wrote to memory of 2824	2848	Fizzy Loader.exe	44
PID 2848 wrote to memory of 2824	2848	Fizzy Loader.exe	44
PID 2848 wrote to memory of 2824	2848	Fizzy Loader.exe	44
PID 2848 wrote to memory of 1872	2848	Fizzy Loader.exe	46
PID 2848 wrote to memory of 1872	2848	Fizzy Loader.exe	46
PID 2848 wrote to memory of 1872	2848	Fizzy Loader.exe	46
PID 2848 wrote to memory of 804	2848	Fizzy Loader.exe	48
PID 2848 wrote to memory of 804	2848	Fizzy Loader.exe	48
PID 2848 wrote to memory of 804	2848	Fizzy Loader.exe	48
PID 2848 wrote to memory of 580	2848	Fizzy Loader.exe	50
PID 2848 wrote to memory of 580	2848	Fizzy Loader.exe	50
PID 2848 wrote to memory of 580	2848	Fizzy Loader.exe	50
PID 2848 wrote to memory of 2176	2848	Fizzy Loader.exe	52
PID 2848 wrote to memory of 2176	2848	Fizzy Loader.exe	52
PID 2848 wrote to memory of 2176	2848	Fizzy Loader.exe	52
PID 2848 wrote to memory of 444	2848	Fizzy Loader.exe	54
PID 2848 wrote to memory of 444	2848	Fizzy Loader.exe	54
PID 2848 wrote to memory of 444	2848	Fizzy Loader.exe	54
PID 444 wrote to memory of 2132	444	cmd.exe	56
PID 444 wrote to memory of 2132	444	cmd.exe	56
PID 444 wrote to memory of 2132	444	cmd.exe	56

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1352	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Fizzy Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Fizzy Loader.exe"
1⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2744
- C:\Windows\system32\attrib.exe
  "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Fizzy Loader.exe"
  2⤵
  - Views/modifies file attributes
  PID:1352
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Fizzy Loader.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2292
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2824
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  PID:1872
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:804
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:580
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:2176
- C:\Windows\system32\cmd.exe
  "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Fizzy Loader.exe" && pause
  2⤵
  - Deletes itself
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:444
- - C:\Windows\system32\PING.EXE
    ping localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
309cf55a4f98bcc22b51c580ddc20ede

SHA1
24d26641cb40149d51ea6ba462805e6b29798a63

SHA256
b6a79ce288650805e465dffaba6fc62de3dcb2cb81e88e3b7f23233998df43a7

SHA512
698087c1436a4c2a8353a1a8a10eb3675e119a1a46d50b19e87a2089616ebf0838ace0f38c11a314897852cf554f837cb3a95d05cc47abe720c8b765f827f746

Download Submit
memory/580-43-0x00000000022D0000-0x00000000022D8000-memory.dmp

Filesize
32KB

Download
memory/2580-14-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

Filesize
2.9MB

Download
memory/2580-15-0x0000000001FF0000-0x0000000001FF8000-memory.dmp

Filesize
32KB

Download
memory/2848-0-0x000007FEF5D23000-0x000007FEF5D24000-memory.dmp

Filesize
4KB

Download
memory/2848-1-0x0000000000340000-0x0000000000380000-memory.dmp

Filesize
256KB

Download
memory/2848-2-0x000007FEF5D20000-0x000007FEF670C000-memory.dmp

Filesize
9.9MB

Download
memory/2848-47-0x000007FEF5D20000-0x000007FEF670C000-memory.dmp

Filesize
9.9MB

Download
memory/3016-7-0x000000001B4E0000-0x000000001B7C2000-memory.dmp

Filesize
2.9MB

Download
memory/3016-8-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download