General
  Target: Dick.exe
  Size: 154KB
  Sample: 250214-y9jvrsylat
  MD5: 839c119a032699dd494b3dc91251fa77
  SHA1: d1323d39fd577d5bf3adb2e093043923b018a8c9
  SHA256: f1942d7cf8876e6a8a56db8fabc90082c9798933bdd02e8c07e28ecc80ddb8bb
  SHA512: f134f9f8159324d2a6ea82dcef861b4c3f7c218182373297054fb915b084734b923b34081a6b98c4507d79341b8adf76ca0cee1ea20657b686c1252c78cae618
  SSDEEP: 3072:1ahKyd2n31n5GWp1icKAArDZz4N9GhbkrNEk1lT:1ahO/p0yN90QE6
Static task: static1
Behavioral task: behavioral1
  Sample: Dick.exe
  Resource: win10v2004-20250207-en
Malware Config
Targets
  Target: Dick.exe (154KB; MD5, SHA1, SHA256, SHA512 and SSDEEP as listed under General)
  - Detect Umbral payload
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - UAC bypass
  - Umbral family
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  - Downloads MZ/PE file
  - Executes dropped EXE
  - Adds Run key to start application
  - Looks up external IP address via web service
    Uses a legitimate IP lookup service to find the infected system's external IP.
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
  Privilege Escalation
    Abuse Elevation Control Mechanism (1)
      Bypass User Account Control (1)
    Boot or Logon Autostart Execution (1)
      Registry Run Keys / Startup Folder (1)
  Defense Evasion
    Abuse Elevation Control Mechanism (1)
      Bypass User Account Control (1)
    Impair Defenses (1)
      Disable or Modify Tools (1)
    Modify Registry (2)