umbral | ebf760dbfa32628221a5a902ffd7e98f560d181225e260ed4326aa36aa99f659

Analysis

max time kernel
3s
max time network
63s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04/02/2024, 09:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecurityHealthService (2).exe
Size

863KB
MD5

e52b5a8920cb3377b0b965cff2511976
SHA1

750741e2b260c02f0e0c1f0a556630fd65aa04e1
SHA256

817875231b62f3c9513a011b6d008592bb37178b07f163f3d517170516ea8c1b
SHA512

ee9f8702d46343eed8a5c3f3755967f20f3c844af608150a926152da0828c31708f585280c004a5615e08cf9742fb9089a728ecf4d9360e29b51d9bd78e8060b
SSDEEP

24576:+mKZ0BH6VpcusvRVl/1C+ZiBnonvsciQvtEMvqDYWiZuTrMnkcECTvNh:+f0BH3Zv93iBnqWZYtuTr4j

Score

10^/10

umbral xworm rat stealer trojan

Malware Config

Extracted

Family

xworm

Version

3.1

Attributes

install_file
game.exe

Extracted

Family

umbral

https://discord.com/api/webhooks/1188379475021410374/Ssj5Ns9zjIl8_hao3wt15snRVqwtBYjDt8QLCtqPC4z6ltGHrqIRWciPemKhTAJ3Ea_2

Signatures

Detect Umbral payload 3 IoCs

resource	yara_rule
behavioral11/memory/2544-66-0x0000000002310000-0x0000000002350000-memory.dmp	family_umbral
behavioral11/memory/2544-50-0x000000013F090000-0x000000013F10C000-memory.dmp	family_umbral
behavioral11/files/0x000b00000001223b-49.dat	family_umbral

Detect Xworm Payload 5 IoCs

resource	yara_rule
behavioral11/files/0x000a000000003683-19.dat	family_xworm
behavioral11/memory/2724-23-0x000000013FA00000-0x000000013FA4E000-memory.dmp	family_xworm
behavioral11/files/0x000a000000003683-22.dat	family_xworm
behavioral11/files/0x000a000000003683-21.dat	family_xworm
behavioral11/memory/2724-53-0x0000000000190000-0x00000000001A2000-memory.dmp	family_xworm

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Program crash 1 IoCs

pid	pid_target	Process	procid_target
672	592	WerFault.exe	43

C:\Users\Admin\AppData\Local\Temp\SecurityHealthService (2).exe
"C:\Users\Admin\AppData\Local\Temp\SecurityHealthService (2).exe"
1⤵
PID:2864
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sqlwriter.pif'
  2⤵
  PID:2412
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sqlwriter.pif
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sqlwriter.pif"
  2⤵
  PID:2724
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sqlwriter.pif'
    3⤵
    PID:1480
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'sqlwriter.pif'
    3⤵
    PID:884
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dwm.pif'
  2⤵
  PID:2948
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CTCMSGoU.pif'
  2⤵
  PID:2476
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dwm.pif
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dwm.pif"
  2⤵
  PID:2544
- C:\Users\Admin\AppData\Local\Temp\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpBEDC.tmp.bat""
  2⤵
  PID:2376
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CTCMSGoU.pif
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CTCMSGoU.pif"
  2⤵
  PID:2012

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{bbec3c2d-1299-4dac-9303-0c66a0e0d619}
1⤵
PID:1052

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{d52a1af8-58a8-4848-a95a-b8f0e85a5534}
1⤵
PID:2916

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{488829bf-75a4-43f3-b99c-4ff8d79f3973}
1⤵
PID:1556

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\powershell.exe'
1⤵
PID:1956

C:\Users\Admin\AppData\Local\Temp\rjaxnou0.sxq.exe
"C:\Users\Admin\AppData\Local\Temp\rjaxnou0.sxq.exe"
1⤵
PID:592
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 592 -s 500
  2⤵
  - Program crash
  PID:672

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab2667.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\rjaxnou0.sxq.exe

Filesize
6KB

MD5
35d003b4a84d8661fc8c927542981719

SHA1
13265c2458e33643a5e8b41824070763c1f6da83

SHA256
36c8842a93d288427b5685d8376ded24a4a0aaf4047322260ed443acb46dcfb2

SHA512
2c088042ee4580a60425858c45d9fc157311ff0027213d2c4778b9ec992b7bb967582812f8f22747badbedb4b30d2db681b01aae7c7e59c5086d34c4feeda9ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBEDC.tmp.bat

Filesize
177B

MD5
c27b84ed14a60e14be3ec5435c313cef

SHA1
630267bbc1558b3cdd0b92234bbdf75bad0b99ee

SHA256
e12573e2b9c139e2ed553b5f8fa2701364babfbd1a477c7360039a909f9ad842

SHA512
ca867b20f6524e8be3903b41daf4728d08650d5b663ce763126d58d1b3333f2a56e03b76eb950a774581dc4ab98ae027d01e004de506f2698462024741e9183e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\V6TDSEKXGKUQ41LSL6QG.temp

Filesize
7KB

MD5
819f08664df5045e57b8322a35fbf9e8

SHA1
ccce5c364dcc03981fcfc434a9b61bf5627ae9e2

SHA256
a7a4b15d3a090ab423cc05c94cc6211a5e2dad52efce6a2bf177ab34f4a4fc17

SHA512
73776b7c65bba1fbb1547655d5028f494047285ed59e2765d1eeefc45a0164fec741b2e3ffda20dcad41ad5ab860a72513ffecb2ae4bbf870cb51559e001af1b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CTCMSGoU.pif

Filesize
252KB

MD5
377111513c87b0eaaa6717391bf563ef

SHA1
a92f2cc4de43d2b0f6a1c698aa310923242c7233

SHA256
a0cf07b6b46c06354319588f5434284459f1519f56f08c9b1be839793679b3f7

SHA512
21af9fbdd39b6d18195b0149ca17e2421c38fdb2e2fa8647168d8ded4d62ef800d23d61388c5d3f1362018de15d917feb369f06c5f7d63a6b9e0d29be5f4d325

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dwm.pif

Filesize
475KB

MD5
a3f67757b8aa84290a1de1ef02bb147b

SHA1
d34536606c53bacfbff56ac51bca69eb8757aa9d

SHA256
3e55185676c6d873dd32f0666d7310a31d7ad929b13f254e5abfa989b7aae8fb

SHA512
ee1e9e1a9599ba1c20f7501fbf7b01bbb2e1fe59e9351b74435e733c0e6b082df5d65b84bad647990cba309ddca7718b48ef63fe0e267b8403798a8d4020b075

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sqlwriter.pif

Filesize
296KB

MD5
a00574cdeaca49c3ac3e06df82085900

SHA1
ab702747dcf9dc84876fbef8efe85aabaa6b5c61

SHA256
d885201537d61e47e478ad598df977af89c4aaf52b3d6d2fd4ebdab713e36c90

SHA512
8f65826392a623d765fc06171989bea9688f288bdbb1b89a2bda90f10e664fee01cb6933ff60b1bcf4ea27bba7bd53e77febe5ca4b36c0906a1aa3d7756f4b3d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sqlwriter.pif

Filesize
234KB

MD5
484d7da0efb1bd320bd78caad2a24a4d

SHA1
c0fc070bce9e17d964ea18ee0c9f60ec343a2d23

SHA256
c13097b35e1098013da603b3ab9d9af07c5d618d99b061e6539785a548416752

SHA512
bc45cf593ef0e42b550b01085032daa0932a7e50ce524965aa73c0165aecfee8ea46adf5354071f1122a78cdf2d5e74f5b47e195db428e8c72edc6cfcd2d0581

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sqlwriter.pif

Filesize
32KB

MD5
dd4c1164627f732c1431bb15fe551d85

SHA1
00a4ec3ff503f48823fcecddb76dbc39c3c412d8

SHA256
4e1257844daa4f457ec1cf75b352bad13c180e5c23aa44975cf48e7e8d08a67b

SHA512
7e1d9e52d3760fbf6d42d1579ea2cae4900f15e7318d95c64c4f63a974985197cea11f30bb2f31d6ef8fd4ec88fb32943ce59327e3be4e4912f7ee7902d00a4b

Download Submit
memory/420-81-0x0000000000730000-0x0000000000753000-memory.dmp

Filesize
140KB

Download
memory/420-82-0x00000000007E0000-0x000000000080A000-memory.dmp

Filesize
168KB

Download
memory/420-87-0x00000000007E0000-0x000000000080A000-memory.dmp

Filesize
168KB

Download
memory/420-88-0x0000000077A81000-0x0000000077A82000-memory.dmp

Filesize
4KB

Download
memory/420-77-0x0000000000730000-0x0000000000753000-memory.dmp

Filesize
140KB

Download
memory/420-86-0x0000000037A70000-0x0000000037A80000-memory.dmp

Filesize
64KB

Download
memory/420-85-0x000007FEBF6F0000-0x000007FEBF700000-memory.dmp

Filesize
64KB

Download
memory/464-95-0x00000000007F0000-0x000000000081A000-memory.dmp

Filesize
168KB

Download
memory/464-97-0x000007FEBF6F0000-0x000007FEBF700000-memory.dmp

Filesize
64KB

Download
memory/464-99-0x0000000037A70000-0x0000000037A80000-memory.dmp

Filesize
64KB

Download
memory/464-104-0x00000000007F0000-0x000000000081A000-memory.dmp

Filesize
168KB

Download
memory/480-98-0x0000000000A70000-0x0000000000A9A000-memory.dmp

Filesize
168KB

Download
memory/480-101-0x000007FEBF6F0000-0x000007FEBF700000-memory.dmp

Filesize
64KB

Download
memory/480-105-0x0000000037A70000-0x0000000037A80000-memory.dmp

Filesize
64KB

Download
memory/480-107-0x0000000000A70000-0x0000000000A9A000-memory.dmp

Filesize
168KB

Download
memory/488-114-0x000007FEBF6F0000-0x000007FEBF700000-memory.dmp

Filesize
64KB

Download
memory/488-126-0x00000000004F0000-0x000000000051A000-memory.dmp

Filesize
168KB

Download
memory/488-111-0x00000000004F0000-0x000000000051A000-memory.dmp

Filesize
168KB

Download
memory/488-117-0x0000000037A70000-0x0000000037A80000-memory.dmp

Filesize
64KB

Download
memory/604-124-0x00000000003B0000-0x00000000003DA000-memory.dmp

Filesize
168KB

Download
memory/604-122-0x0000000037A70000-0x0000000037A80000-memory.dmp

Filesize
64KB

Download
memory/604-119-0x000007FEBF6F0000-0x000007FEBF700000-memory.dmp

Filesize
64KB

Download
memory/604-115-0x00000000003B0000-0x00000000003DA000-memory.dmp

Filesize
168KB

Download
memory/680-130-0x0000000037A70000-0x0000000037A80000-memory.dmp

Filesize
64KB

Download
memory/680-132-0x00000000002F0000-0x000000000031A000-memory.dmp

Filesize
168KB

Download
memory/680-129-0x000007FEBF6F0000-0x000007FEBF700000-memory.dmp

Filesize
64KB

Download
memory/680-127-0x00000000002F0000-0x000000000031A000-memory.dmp

Filesize
168KB

Download
memory/764-187-0x0000000000AC0000-0x0000000000AEA000-memory.dmp

Filesize
168KB

Download
memory/1480-165-0x00000000022E0000-0x0000000002360000-memory.dmp

Filesize
512KB

Download
memory/1480-158-0x000007FEF2450000-0x000007FEF2DED000-memory.dmp

Filesize
9.6MB

Download
memory/1480-140-0x000007FEF2450000-0x000007FEF2DED000-memory.dmp

Filesize
9.6MB

Download
memory/1480-151-0x00000000022E0000-0x0000000002360000-memory.dmp

Filesize
512KB

Download
memory/1480-160-0x00000000022E0000-0x0000000002360000-memory.dmp

Filesize
512KB

Download
memory/1556-175-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/1556-168-0x0000000077A30000-0x0000000077BD9000-memory.dmp

Filesize
1.7MB

Download
memory/1556-171-0x0000000077910000-0x0000000077A2F000-memory.dmp

Filesize
1.1MB

Download
memory/2012-169-0x0000000077A30000-0x0000000077BD9000-memory.dmp

Filesize
1.7MB

Download
memory/2012-157-0x0000000077A30000-0x0000000077BD9000-memory.dmp

Filesize
1.7MB

Download
memory/2012-164-0x0000000000990000-0x0000000000998000-memory.dmp

Filesize
32KB

Download
memory/2012-155-0x000000013F870000-0x000000013F8B4000-memory.dmp

Filesize
272KB

Download
memory/2012-159-0x0000000077910000-0x0000000077A2F000-memory.dmp

Filesize
1.1MB

Download
memory/2376-152-0x0000000000970000-0x00000000009C2000-memory.dmp

Filesize
328KB

Download
memory/2376-162-0x000007FEF5D60000-0x000007FEF674C000-memory.dmp

Filesize
9.9MB

Download
memory/2412-13-0x0000000002610000-0x0000000002690000-memory.dmp

Filesize
512KB

Download
memory/2412-11-0x0000000002610000-0x0000000002690000-memory.dmp

Filesize
512KB

Download
memory/2412-6-0x000000001B260000-0x000000001B542000-memory.dmp

Filesize
2.9MB

Download
memory/2412-7-0x00000000023A0000-0x00000000023A8000-memory.dmp

Filesize
32KB

Download
memory/2412-8-0x000007FEF2450000-0x000007FEF2DED000-memory.dmp

Filesize
9.6MB

Download
memory/2412-9-0x0000000002610000-0x0000000002690000-memory.dmp

Filesize
512KB

Download
memory/2412-10-0x000007FEF2450000-0x000007FEF2DED000-memory.dmp

Filesize
9.6MB

Download
memory/2412-14-0x000007FEF2450000-0x000007FEF2DED000-memory.dmp

Filesize
9.6MB

Download
memory/2412-12-0x0000000002610000-0x0000000002690000-memory.dmp

Filesize
512KB

Download
memory/2476-83-0x000007FEF2450000-0x000007FEF2DED000-memory.dmp

Filesize
9.6MB

Download
memory/2476-91-0x000007FEF2450000-0x000007FEF2DED000-memory.dmp

Filesize
9.6MB

Download
memory/2476-121-0x0000000002A10000-0x0000000002A90000-memory.dmp

Filesize
512KB

Download
memory/2476-84-0x0000000002A10000-0x0000000002A90000-memory.dmp

Filesize
512KB

Download
memory/2476-92-0x0000000002A10000-0x0000000002A90000-memory.dmp

Filesize
512KB

Download
memory/2476-80-0x0000000002A10000-0x0000000002A90000-memory.dmp

Filesize
512KB

Download
memory/2476-128-0x000007FEF2450000-0x000007FEF2DED000-memory.dmp

Filesize
9.6MB

Download
memory/2544-66-0x0000000002310000-0x0000000002350000-memory.dmp

Filesize
256KB

Download
memory/2544-65-0x000007FEF5D60000-0x000007FEF674C000-memory.dmp

Filesize
9.9MB

Download
memory/2544-50-0x000000013F090000-0x000000013F10C000-memory.dmp

Filesize
496KB

Download
memory/2544-57-0x0000000077A30000-0x0000000077BD9000-memory.dmp

Filesize
1.7MB

Download
memory/2544-60-0x0000000077910000-0x0000000077A2F000-memory.dmp

Filesize
1.1MB

Download
memory/2544-78-0x000000001BD60000-0x000000001BDE0000-memory.dmp

Filesize
512KB

Download
memory/2544-76-0x0000000077910000-0x0000000077A2F000-memory.dmp

Filesize
1.1MB

Download
memory/2544-71-0x0000000077A30000-0x0000000077BD9000-memory.dmp

Filesize
1.7MB

Download
memory/2724-23-0x000000013FA00000-0x000000013FA4E000-memory.dmp

Filesize
312KB

Download
memory/2724-116-0x000007FEF5D60000-0x000007FEF674C000-memory.dmp

Filesize
9.9MB

Download
memory/2724-24-0x000007FEF5D60000-0x000007FEF674C000-memory.dmp

Filesize
9.9MB

Download
memory/2724-40-0x0000000077A30000-0x0000000077BD9000-memory.dmp

Filesize
1.7MB

Download
memory/2724-56-0x000000001BF80000-0x000000001C000000-memory.dmp

Filesize
512KB

Download
memory/2724-42-0x0000000077910000-0x0000000077A2F000-memory.dmp

Filesize
1.1MB

Download
memory/2724-38-0x0000000000150000-0x000000000018E000-memory.dmp

Filesize
248KB

Download
memory/2724-53-0x0000000000190000-0x00000000001A2000-memory.dmp

Filesize
72KB

Download
memory/2724-167-0x0000000077A30000-0x0000000077BD9000-memory.dmp

Filesize
1.7MB

Download
memory/2864-54-0x000007FEF5D60000-0x000007FEF674C000-memory.dmp

Filesize
9.9MB

Download
memory/2864-0-0x0000000000D90000-0x0000000000E6E000-memory.dmp

Filesize
888KB

Download
memory/2864-15-0x000000001B9B0000-0x000000001BA30000-memory.dmp

Filesize
512KB

Download
memory/2864-156-0x000007FEF5D60000-0x000007FEF674C000-memory.dmp

Filesize
9.9MB

Download
memory/2864-1-0x000007FEF5D60000-0x000007FEF674C000-memory.dmp

Filesize
9.9MB

Download
memory/2864-110-0x000000001B9B0000-0x000000001BA30000-memory.dmp

Filesize
512KB

Download
memory/2916-51-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/2916-62-0x0000000077910000-0x0000000077A2F000-memory.dmp

Filesize
1.1MB

Download
memory/2916-55-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/2916-58-0x0000000077A30000-0x0000000077BD9000-memory.dmp

Filesize
1.7MB

Download
memory/2916-67-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/2916-59-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/2948-30-0x00000000027B0000-0x0000000002830000-memory.dmp

Filesize
512KB

Download
memory/2948-32-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

Filesize
32KB

Download
memory/2948-31-0x000000001B430000-0x000000001B712000-memory.dmp

Filesize
2.9MB

Download
memory/2948-39-0x000007FEEF540000-0x000007FEEFEDD000-memory.dmp

Filesize
9.6MB

Download
memory/2948-33-0x000007FEEF540000-0x000007FEEFEDD000-memory.dmp

Filesize
9.6MB

Download
memory/2948-34-0x00000000027B0000-0x0000000002830000-memory.dmp

Filesize
512KB

Download
memory/2948-37-0x00000000027B0000-0x0000000002830000-memory.dmp

Filesize
512KB

Download
memory/2948-36-0x00000000027B0000-0x0000000002830000-memory.dmp

Filesize
512KB

Download
memory/2948-35-0x000007FEEF540000-0x000007FEEFEDD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads