umbral | 417635e7890c0ff3c569ccb3800a31a44b141e0754f0266cf48d44bb87959c4f

General

Target

NEW_JJSploit.zip
Size

4.9MB
MD5

5931eed0dcd54b44fead39ef0979eed2
SHA1

1e91995d967e65ad7e65b2565c7d9b0b395e16d5
SHA256

417635e7890c0ff3c569ccb3800a31a44b141e0754f0266cf48d44bb87959c4f
SHA512

9d1ac9d42a7eba2403e6e9b8ad40124e2a60a9f60af863eadf3254af12e8decaba0cd0080a3ec9d0360171d99b778a70784268423bc618f508eb4c06a3df162c
SSDEEP

98304:LesIvGlw5VQg5fTaXfE9qKwJioYYB400Bt4xO86T82xmWv:LjI+lw5PeXM9n6t0BaOh82xms

Score

10^/10

Malware Config

Signatures

Detect Umbral payload 4 IoCs

resource	yara_rule
behavioral1/files/0x0028000000046182-44.dat	family_umbral
behavioral1/memory/4100-60-0x0000000000400000-0x0000000001887000-memory.dmp	family_umbral
behavioral1/memory/3108-76-0x0000000000400000-0x0000000001887000-memory.dmp	family_umbral
behavioral1/memory/5044-92-0x0000000000400000-0x0000000001887000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	JJSploitt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	JJSploitt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	JJSploitt.exe

Executes dropped EXE 6 IoCs

pid	Process
4100	JJSploitt.exe
4288	JJSploit.exe
3108	JJSploitt.exe
324	JJSploit.exe
5044	JJSploitt.exe
4308	JJSploit.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JJSploitt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JJSploitt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JJSploitt.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	1820	7zFM.exe
Token: 35	1820	7zFM.exe
Token: SeSecurityPrivilege	1820	7zFM.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
1820	7zFM.exe
1820	7zFM.exe
4288	JJSploit.exe
324	JJSploit.exe
4308	JJSploit.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4100 wrote to memory of 4288	4100	JJSploitt.exe	93
PID 4100 wrote to memory of 4288	4100	JJSploitt.exe	93
PID 3108 wrote to memory of 324	3108	JJSploitt.exe	95
PID 3108 wrote to memory of 324	3108	JJSploitt.exe	95
PID 5044 wrote to memory of 4308	5044	JJSploitt.exe	97
PID 5044 wrote to memory of 4308	5044	JJSploitt.exe	97

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\NEW_JJSploit.zip"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1820

C:\Users\Admin\Desktop\JJSploitt.exe
"C:\Users\Admin\Desktop\JJSploitt.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4100
- C:\Users\Admin\AppData\Local\Temp\JJSploit.exe
  "C:\Users\Admin\AppData\Local\Temp\JJSploit.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  PID:4288

C:\Users\Admin\Desktop\JJSploitt.exe
"C:\Users\Admin\Desktop\JJSploitt.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3108
- C:\Users\Admin\AppData\Local\Temp\JJSploit.exe
  "C:\Users\Admin\AppData\Local\Temp\JJSploit.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  PID:324

C:\Users\Admin\Desktop\JJSploitt.exe
"C:\Users\Admin\Desktop\JJSploitt.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5044
- C:\Users\Admin\AppData\Local\Temp\JJSploit.exe
  "C:\Users\Admin\AppData\Local\Temp\JJSploit.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  PID:4308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\JJSploit.exe

Filesize
10.2MB

MD5
f9765d4273a57fbb90cab8b829e571b2

SHA1
8a425d81b9d9991f8e11b6fbce0cf5eeb0db8469

SHA256
8d0ba9f46379e110b137dddc8a6f9f97a07288435521babfb22fb8fe170f2e23

SHA512
e0bb36d54fca40423f0aa42437e8bd1e85b9c73acb2e2ac57592785cf86f8ed2bb920ca6665399c361ffdd0934dc25b01afd666ed81e7a3c378ce836164a47ca

Download Submit
C:\Users\Admin\Desktop\JJSploitt.exe

Filesize
20.5MB

MD5
9bab8cca27bc38710928913d66493600

SHA1
198c29c00fc52bd423cc169ac86bbeeec7baf655

SHA256
8235677bf7cbbf7eb7a7150b5e4c68536516a356d264fd2b4f66bb2adcfa0839

SHA512
75888db0e8ba0bfa06afe9312b887d46ea62473765174583a39e157dec535ab74e9a0081f1c7d124dcfe0a55cd39a728b6acec50eb5f420cbca58ba2a66d6ee9

Download Submit
memory/3108-76-0x0000000000400000-0x0000000001887000-memory.dmp

Filesize
20.5MB

Download
memory/4100-60-0x0000000000400000-0x0000000001887000-memory.dmp

Filesize
20.5MB

Download
memory/5044-92-0x0000000000400000-0x0000000001887000-memory.dmp

Filesize
20.5MB

Download

Analysis

Sharing