umbral | 22c914a74fb920ee0124c81be75da93a49ab86d044b3ea6dee2ca6d090c47429

Analysis

max time kernel
74s
max time network
89s
platform
windows10-2004_x64
resource
win10v2004-20231130-es
resource tags

arch:x64arch:x86image:win10v2004-20231130-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
12-12-2023 02:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RC7/RC7.exe
Size

160KB
MD5

40e89aaf41d4ebda079572167d4665e7
SHA1

c14a019a862aa3f595da7d15cc993f4f894d10a5
SHA256

95388dfe045e7e976186c3ab0286ed8aa77bdb299c867f8c3e46f23ff7624a4d
SHA512

035996ef789c0dc972265ec04652d01e1a530e61d4dfdd3fadc6e502a46b054e2b88fd5347d63deba491924b67c466996208f33f9a5019eb60923445551ce554
SSDEEP

3072:Vjt4sK0uoEz8jh6oKyIPw+lV59i/XvGO0EFA0K+ymEN4NI:VjysKJ8cNP779Wvwc19yx

Score

10^/10

umbral xworm rat stealer trojan

Malware Config

Extracted

Family

xworm

owner-cc.gl.at.ply.gg:32281

Attributes

install_file
USB.exe

Extracted

Family

umbral

https://discord.com/api/webhooks/1179573880306806895/9PPafRuKqunRXMBgRp7lwh-lO7PV6gpu6bih39np__mk8ZAghkJ95dBDKUvofe3l-iRe

Signatures

Detect Umbral payload 4 IoCs

resource	yara_rule
behavioral2/memory/524-26-0x0000029856A70000-0x0000029856AB0000-memory.dmp	family_umbral
behavioral2/files/0x00080000000231e3-23.dat	family_umbral
behavioral2/files/0x00080000000231e3-24.dat	family_umbral
behavioral2/files/0x00080000000231e3-18.dat	family_umbral

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000c000000023137-13.dat	family_xworm
behavioral2/memory/1328-28-0x00000000002D0000-0x00000000002E6000-memory.dmp	family_xworm

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3936660601-1848837011-2142350499-1000\Control Panel\International\Geo\Nation	RC7.exe

Executes dropped EXE 2 IoCs

pid	Process
1328	XClient.exe
524	Umbral1.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	524	Umbral1.exe
Token: SeDebugPrivilege	1328	XClient.exe
Token: SeDebugPrivilege	1328	XClient.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3676 wrote to memory of 1328	3676	RC7.exe	92
PID 3676 wrote to memory of 1328	3676	RC7.exe	92
PID 3676 wrote to memory of 524	3676	RC7.exe	91
PID 3676 wrote to memory of 524	3676	RC7.exe	91

C:\Users\Admin\AppData\Local\Temp\RC7\RC7.exe
"C:\Users\Admin\AppData\Local\Temp\RC7\RC7.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3676
- C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
  "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:524
- C:\Users\Admin\AppData\Local\Temp\XClient.exe
  "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Umbral1.exe

Filesize
43KB

MD5
6375416e906aab8007f868978d38ee6e

SHA1
6356ef842d961040345829e3761db95470dbf9fb

SHA256
10af414098b953595cbb136eca78ff552d10d37d7592274c55aaba0b47339dd4

SHA512
780564f6e63f0c7744675ed64530996da924618177086e499ab91f52312d7d53fbd2be5aef1d20d3e00598b434d201d276f38222ea30a259f8a81394b7e0b6a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Umbral1.exe

Filesize
33KB

MD5
8931716c4813dd156ecf792123989fba

SHA1
dcad2a1eb1ded7a8ccbfe69351eddd9da1f651f5

SHA256
a393be455841c82a894cfdd98fdd7c2ed3e0f46570679aecf23a4c1b2a723f29

SHA512
b9ec5f9f90db267b2568a83006d1631931c4f9d7375b8dcb4586ab22987f9c9987cadacf0a497a854f2bd747898bf660e25315ce67041c59a39803648ddd4790

Download Submit
C:\Users\Admin\AppData\Local\Temp\Umbral1.exe

Filesize
53KB

MD5
d6b8e05898dd63005542229dba297080

SHA1
e28e07eb22f57328e90e730634f3e847b5e7097e

SHA256
048b13385454f9294947870c7fa0d2644e42972f111435d6542742ebf4a41840

SHA512
4db08cb6675fe81ad61d6634f736fb5674856a0fa8635a6e452b1364e243248e9c37ea5ee818f25fa9e97324cd6b1b6da8c7e56e70fbd0fdf719e1b8ed426e8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XClient.exe

Filesize
60KB

MD5
fd41a98611978677f1adc60f86383ea0

SHA1
200cfd48d7f7d28cff9c177cdd804e6fd578c015

SHA256
ffc549f9e84b6ecaa96e1cb49c18a8bdd89d536e0556962c88995967009cdc3d

SHA512
87a0d544d9b1dd2b53d40cd54d2c6955927dc287d2cf557eb50f408c3e6002efdac3ecbe908b49bf153bb9276d23e3e459bbaa502167cc52a63ae08a40251270

Download Submit
memory/524-34-0x00000298712B0000-0x00000298713B2000-memory.dmp

Filesize
1.0MB

Download
memory/524-31-0x0000029871090000-0x00000298710A0000-memory.dmp

Filesize
64KB

Download
memory/524-37-0x0000029871090000-0x00000298710A0000-memory.dmp

Filesize
64KB

Download
memory/524-35-0x00007FFE94970000-0x00007FFE95431000-memory.dmp

Filesize
10.8MB

Download
memory/524-26-0x0000029856A70000-0x0000029856AB0000-memory.dmp

Filesize
256KB

Download
memory/524-33-0x0000029858700000-0x0000029858740000-memory.dmp

Filesize
256KB

Download
memory/524-30-0x00007FFE94970000-0x00007FFE95431000-memory.dmp

Filesize
10.8MB

Download
memory/1328-32-0x000000001AFD0000-0x000000001AFE0000-memory.dmp

Filesize
64KB

Download
memory/1328-27-0x00007FFE94970000-0x00007FFE95431000-memory.dmp

Filesize
10.8MB

Download
memory/1328-36-0x00007FFE94970000-0x00007FFE95431000-memory.dmp

Filesize
10.8MB

Download
memory/1328-28-0x00000000002D0000-0x00000000002E6000-memory.dmp

Filesize
88KB

Download
memory/1328-38-0x000000001AFD0000-0x000000001AFE0000-memory.dmp

Filesize
64KB

Download
memory/3676-29-0x00007FFE94970000-0x00007FFE95431000-memory.dmp

Filesize
10.8MB

Download
memory/3676-1-0x00007FFE94970000-0x00007FFE95431000-memory.dmp

Filesize
10.8MB

Download
memory/3676-3-0x000000001B6B0000-0x000000001B6C0000-memory.dmp

Filesize
64KB

Download
memory/3676-0-0x0000000000A30000-0x0000000000A5E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads