umbral | e8051ca4e2624241ecf48c61e9bfd61e9d1f6cf6fb4cda85eba361edf853b289

General

Target

Umbral.exe
Size

229KB
MD5

a1d134ca35650fc8eb5029168dc77cf2
SHA1

2d7d11e799d0fd81c6809e214fc0319fe0a3ae1b
SHA256

e8051ca4e2624241ecf48c61e9bfd61e9d1f6cf6fb4cda85eba361edf853b289
SHA512

b4a027c3d286cab99b588fafb82f372ff9e244b657e8909e6454cb23d690ceef8cbb687174fa9877f1cff0f2543cf680ebf175670eb653845749671905f01c4c
SSDEEP

6144:lloZMArIkd8g+EtXHkv/iD4leoRDJ6idZIJbGmTDPb8e1mVi:noZHL+EP8leoRDJ6idZIJbGmTv/

Score

10^/10

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral2/memory/2756-0-0x0000023D15C70000-0x0000023D15CB0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4924	wmic.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2756	Umbral.exe

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2756
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
  2⤵
  PID:3312
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  PID:4608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  PID:4972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  PID:796
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  PID:3836
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  PID:2676
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:4624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  PID:2860
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:4924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8db9c39f7c3d1b4a53b68c2d16e7c044

SHA1
e719df2fe37682d5ebd4b1e4a1ea45f502dc716b

SHA256
0c4ed7f771336125f93ed80646d8de8dce62652e8ac6f68e204dcfd1f521cec6

SHA512
3a919a6cd6b32d88277941fda9baf84c9c75bbafc5d4fde89d45b6688547e3042bfeba94845be3aae7b2a00ad3d24c7561b48f335292ec47485fb16f6a8fb7f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
04dba2e0763acb9b83dcb94ca0f4c2bd

SHA1
626394aea6be984d4817a88a591fea246bf4a362

SHA256
6590267fae391a722c4b8c759c88d9e694daac163148aad7e69faebe045b75e5

SHA512
1f0dff8f0a7d51ba949d994a6194eeb6d376da60769c0ea99d13c39242327a6bb5d4241b890ff0d29b17e39243b4ba1d9aa00ca952c54bbf13ea2abd95d1eb12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d3235ed022a42ec4338123ab87144afa

SHA1
5058608bc0deb720a585a2304a8f7cf63a50a315

SHA256
10663f5a1cb0afe5578f61ebaae2aafb363544e47b48521f9c23be9e6e431b27

SHA512
236761b7c68feca8bd62cba90cff0b25fac5613837aaa5d29ae823ace8b06a2057553cf7e72b11ccc59b6c289e471ca1bbac1a880aef5e2868875371a17c1abf

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_t4pbwpwj.lvf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/796-84-0x00007FFD02CA0000-0x00007FFD03761000-memory.dmp

Filesize
10.8MB

Download
memory/796-80-0x0000017AF4630000-0x0000017AF4640000-memory.dmp

Filesize
64KB

Download
memory/796-81-0x0000017AF4630000-0x0000017AF4640000-memory.dmp

Filesize
64KB

Download
memory/796-82-0x0000017AF4630000-0x0000017AF4640000-memory.dmp

Filesize
64KB

Download
memory/796-78-0x00007FFD02CA0000-0x00007FFD03761000-memory.dmp

Filesize
10.8MB

Download
memory/2756-0-0x0000023D15C70000-0x0000023D15CB0000-memory.dmp

Filesize
256KB

Download
memory/2756-40-0x0000023D17A80000-0x0000023D17AD0000-memory.dmp

Filesize
320KB

Download
memory/2756-110-0x00007FFD02CA0000-0x00007FFD03761000-memory.dmp

Filesize
10.8MB

Download
memory/2756-34-0x00007FFD02CA0000-0x00007FFD03761000-memory.dmp

Filesize
10.8MB

Download
memory/2756-1-0x00007FFD02CA0000-0x00007FFD03761000-memory.dmp

Filesize
10.8MB

Download
memory/2756-86-0x0000023D17A60000-0x0000023D17A6A000-memory.dmp

Filesize
40KB

Download
memory/2756-39-0x0000023D303F0000-0x0000023D30466000-memory.dmp

Filesize
472KB

Download
memory/2756-2-0x0000023D178E0000-0x0000023D178F0000-memory.dmp

Filesize
64KB

Download
memory/2756-41-0x0000023D178F0000-0x0000023D1790E000-memory.dmp

Filesize
120KB

Download
memory/2756-87-0x0000023D30590000-0x0000023D305A2000-memory.dmp

Filesize
72KB

Download
memory/2756-43-0x0000023D178E0000-0x0000023D178F0000-memory.dmp

Filesize
64KB

Download
memory/2860-101-0x0000027BF9620000-0x0000027BF9630000-memory.dmp

Filesize
64KB

Download
memory/2860-99-0x00007FFD02CA0000-0x00007FFD03761000-memory.dmp

Filesize
10.8MB

Download
memory/2860-103-0x0000027BF9620000-0x0000027BF9630000-memory.dmp

Filesize
64KB

Download
memory/2860-105-0x00007FFD02CA0000-0x00007FFD03761000-memory.dmp

Filesize
10.8MB

Download
memory/2860-102-0x0000027BF9620000-0x0000027BF9630000-memory.dmp

Filesize
64KB

Download
memory/3312-9-0x00007FFD02CA0000-0x00007FFD03761000-memory.dmp

Filesize
10.8MB

Download
memory/3312-15-0x00000231077A0000-0x00000231077B0000-memory.dmp

Filesize
64KB

Download
memory/3312-10-0x00000231077A0000-0x00000231077B0000-memory.dmp

Filesize
64KB

Download
memory/3312-16-0x00000231077A0000-0x00000231077B0000-memory.dmp

Filesize
64KB

Download
memory/3312-19-0x00007FFD02CA0000-0x00007FFD03761000-memory.dmp

Filesize
10.8MB

Download
memory/3312-3-0x0000023120630000-0x0000023120652000-memory.dmp

Filesize
136KB

Download
memory/4608-36-0x00007FFD02CA0000-0x00007FFD03761000-memory.dmp

Filesize
10.8MB

Download
memory/4608-31-0x000001A358690000-0x000001A3586A0000-memory.dmp

Filesize
64KB

Download
memory/4608-33-0x000001A358690000-0x000001A3586A0000-memory.dmp

Filesize
64KB

Download
memory/4608-26-0x00007FFD02CA0000-0x00007FFD03761000-memory.dmp

Filesize
10.8MB

Download
memory/4972-68-0x00007FFD02CA0000-0x00007FFD03761000-memory.dmp

Filesize
10.8MB

Download
memory/4972-44-0x000002D6E1050000-0x000002D6E1060000-memory.dmp

Filesize
64KB

Download
memory/4972-42-0x00007FFD02CA0000-0x00007FFD03761000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing