Analysis

max time kernel: 102s
max time network: 100s
platform: windows11-21h2_x64
resource: win11-20240426-en
resource tags: arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 26-04-2024 20:37
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://cdn.discordapp.com/attachments/1231358831897088012/1233516767071043655/Umbral.exe?ex=662d6182&is=662c1002&hm=a3eca0624bde300b165073c384e80ff117d134e4eeaf365cc1ea0ae1329c9648&
Resource: win11-20240426-en
Signatures
Detect Umbral payload (2 IoCs)
- yara_rule family_umbral: behavioral1/files/0x000100000002aa0c-34.dat
- yara_rule family_umbral: behavioral1/memory/4988-89-0x000002CC8C820000-0x000002CC8C860000-memory.dmp

Downloads MZ/PE file

Drops file in Drivers directory (1 IoC)
- File opened for modification: C:\Windows\System32\drivers\etc\hosts (Umbral.exe)

Executes dropped EXE (1 IoC)
- PID 4988 Umbral.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and session cookies.

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
- flow 5: discord.com
- flow 23: discord.com
(The sample itself was fetched from cdn.discordapp.com, see Sample above. The two flows to discord.com are consistent with Umbral's use of Discord webhooks for exfiltration, but the report does not show a webhook URL.)

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 11: ip-api.com

Detects videocard installed (1 TTP, 1 IoC)
Uses WMIC.exe to determine the installed video card.
- PID 3260 wmic.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
(All three are attributed to msedge.exe, the browser used to fetch the sample, not to Umbral.exe.)

Modifies registry class (2 IoCs)
- Key created: \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings\MuiCache (MiniSearchHost.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings (msedge.exe)

NTFS ADS (4 IoCs)
- File opened for modification: C:\Users\Admin\Downloads\Unconfirmed 494475.crdownload:SmartScreen (msedge.exe)
- File opened for modification: C:\Users\Admin\Downloads\Umbral.exe:Zone.Identifier (msedge.exe)
- File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Vttgi.scr:SmartScreen:$DATA (Umbral.exe)
- File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Vttgi.scr:Zone.Identifier:$DATA (Umbral.exe)
(The first two are Edge writing Mark-of-the-Web on the download. The last two show Umbral.exe writing a file named Vttgi.scr into the all-users Startup folder, a persistence location, carrying the same SmartScreen and Zone.Identifier streams as the download.)

Runs ping.exe (1 TTP, 1 IoC)
- PID 4868 PING.EXE

Suspicious behavior: EnumeratesProcesses (27 IoCs)
- msedge.exe: PIDs 960, 1412, 4676, 3564 (2 entries each)
- identity_helper.exe: PID 4148 (2 entries)
- Umbral.exe: PID 4988 (2 entries)
- powershell.exe: PIDs 4036, 3592, 428, 532, 4864 (3 entries each)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (10 IoCs)
- PID 1412 msedge.exe (all 10 entries)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Umbral.exe (PID 4988): SeDebugPrivilege
- wmic.exe (PID 2968), the following sequence logged twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- powershell.exe (PIDs 4036, 3592, 428, 532): SeDebugPrivilege
- wmic.exe (PID 1488): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege (list cut off at the 64-entry cap)
(The wmic.exe entries are the privilege set WMI clients routinely enable and are not specific to this sample; the "33" to "36" entries are privilege LUIDs the sandbox did not resolve to names.)

Suspicious use of FindShellTrayWindow (36 IoCs)
- PID 1412 msedge.exe (all 36 entries)

Suspicious use of SendNotifyMessage (12 IoCs)
- PID 1412 msedge.exe (all 12 entries)

Suspicious use of SetWindowsHookEx (1 IoC)
- PID 1028 MiniSearchHost.exe

Suspicious use of WriteProcessMemory (64 IoCs)
- PID 1412 msedge.exe wrote to memory of 5080 (procid_target 78), 2 entries
- PID 1412 msedge.exe wrote to memory of 4120 (procid_target 80), repeated entries
- PID 1412 msedge.exe wrote to memory of 960 (procid_target 81), 2 entries
- PID 1412 msedge.exe wrote to memory of 3068 (procid_target 82), repeated entries
(All 64 entries are the Edge browser process writing into its own child processes; none involve Umbral.exe.)

Views/modifies file attributes (1 TTP, 1 IoC)
- PID 2868 attrib.exe
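The NTFS ADS entries above show Edge writing a Zone.Identifier stream on the download and the same stream appearing on the Vttgi.scr dropped into the Startup folder. Added example, not part of the sandbox report and not Umbral's code: a small Python parser for the Zone.Identifier (Mark-of-the-Web) stream, which on a live host recovers where a file was downloaded from. The report only shows that the streams exist, not their contents, so the sample stream below is constructed in the documented [ZoneTransfer] INI format; the URL in it is the report's sample URL with the query string removed.

```python
"""Read and parse the Zone.Identifier (Mark-of-the-Web) alternate data stream.

Added example for this report, not code from the sandbox or from Umbral.
The SAMPLE bytes below are constructed; the report only shows that the
stream exists on Umbral.exe and on the Startup copy Vttgi.scr.
"""
from typing import Optional

# URL Security Zone IDs as written by browsers into the ZoneId key.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}


def parse_zone_identifier(data: bytes) -> dict:
    """Return the key/value pairs of the [ZoneTransfer] section.

    The stream is a tiny INI file; keys outside [ZoneTransfer] are ignored
    and ZoneId is converted to int when it is well-formed.
    """
    text = data.decode("utf-8", errors="replace").lstrip("\ufeff")
    fields = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    if "ZoneId" in fields and fields["ZoneId"].isdigit():
        fields["ZoneId"] = int(fields["ZoneId"])
    return fields


def zone_name(zone_id) -> str:
    """Human-readable zone for a ZoneId value (unknown values are reported, not hidden)."""
    return ZONE_NAMES.get(zone_id, f"unknown ({zone_id!r})")


def read_motw(path: str) -> Optional[dict]:
    """Open <path>:Zone.Identifier on NTFS; None if the file carries no MOTW.

    Python opens the stream through the normal file API on Windows. On other
    platforms, or when the stream is absent, the open fails and None is returned.
    """
    try:
        with open(path + ":Zone.Identifier", "rb") as stream:
            return parse_zone_identifier(stream.read())
    except OSError:
        return None


def origin_summary(fields: dict) -> str:
    """One-line triage string: zone name plus the URLs the browser recorded."""
    zone = zone_name(fields.get("ZoneId"))
    host = fields.get("HostUrl", "<no HostUrl>")
    referrer = fields.get("ReferrerUrl", "<no ReferrerUrl>")
    return f"{zone}: downloaded from {host} (referrer {referrer})"


# Constructed sample in the format Edge writes. The real streams from this run
# were not captured by the report; the URL is the report's sample URL without
# its query string and the ReferrerUrl is an assumption.
SAMPLE = (
    b"[ZoneTransfer]\r\n"
    b"ZoneId=3\r\n"
    b"ReferrerUrl=https://discord.com/\r\n"
    b"HostUrl=https://cdn.discordapp.com/attachments/1231358831897088012/"
    b"1233516767071043655/Umbral.exe\r\n"
)

if __name__ == "__main__":
    print(origin_summary(parse_zone_identifier(SAMPLE)))
    # On the infected host the same call is made against both files from the report.
    for target in (
        r"C:\Users\Admin\Downloads\Umbral.exe",
        r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Vttgi.scr",
    ):
        print(target, "->", read_motw(target))
```

A ZoneId of 3 on a file sitting in the all-users Startup folder is itself a triage signal: legitimate installers do not normally leave an Internet-zone executable there.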
Processes

- msedge.exe (PID 1412)
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1231358831897088012/1233516767071043655/Umbral.exe?ex=662d6182&is=662c1002&hm=a3eca0624bde300b165073c384e80ff117d134e4eeaf365cc1ea0ae1329c9648&
  signatures: Enumerates system info in registry; Modifies registry class; NTFS ADS; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - msedge.exe (PID 5080)
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff95ab93cb8,0x7ff95ab93cc8,0x7ff95ab93cd8
  - msedge.exe (PID 4120)
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,10571382077384380665,8791827215836110754,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2
  - msedge.exe (PID 960)
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,10571382077384380665,8791827215836110754,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 /prefetch:3
    signatures: Suspicious behavior: EnumeratesProcesses
  - msedge.exe (PID 3068)
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,10571382077384380665,8791827215836110754,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2556 /prefetch:8
  - msedge.exe (PID 1188)
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,10571382077384380665,8791827215836110754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
  - msedge.exe (PID 5028)
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,10571382077384380665,8791827215836110754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  - msedge.exe (PID 4676)
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,10571382077384380665,8791827215836110754,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 /prefetch:8
    signatures: Suspicious behavior: EnumeratesProcesses
  - identity_helper.exe (PID 4148)
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,10571382077384380665,8791827215836110754,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5616 /prefetch:8
    signatures: Suspicious behavior: EnumeratesProcesses
  - msedge.exe (PID 5092)
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,10571382077384380665,8791827215836110754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4780 /prefetch:1
  - msedge.exe (PID 2416)
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1900,10571382077384380665,8791827215836110754,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5804 /prefetch:8
  - msedge.exe (PID 3560)
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,10571382077384380665,8791827215836110754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1
  - msedge.exe (PID 1692)
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,10571382077384380665,8791827215836110754,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
  - msedge.exe (PID 2308)
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,10571382077384380665,8791827215836110754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4672 /prefetch:1
  - msedge.exe (PID 2892)
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,10571382077384380665,8791827215836110754,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6100 /prefetch:1
  - msedge.exe (PID 3564)
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,10571382077384380665,8791827215836110754,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4760 /prefetch:8
    signatures: NTFS ADS; Suspicious behavior: EnumeratesProcesses
  - msedge.exe (PID 3956)
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1900,10571382077384380665,8791827215836110754,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6272 /prefetch:8
  - msedge.exe (PID 2820)
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,10571382077384380665,8791827215836110754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4848 /prefetch:1
  - msedge.exe (PID 2680)
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,10571382077384380665,8791827215836110754,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:1
  - msedge.exe (PID 2968)
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,10571382077384380665,8791827215836110754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4700 /prefetch:1

- CompPkgSrv.exe (PID 1028)
  cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding

- CompPkgSrv.exe (PID 3676)
  cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding

- rundll32.exe (PID 4800)
  cmd: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

- Umbral.exe (PID 4988)
  cmd: "C:\Users\Admin\Downloads\Umbral.exe"
  signatures: Drops file in Drivers directory; Executes dropped EXE; NTFS ADS; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - wmic.exe (PID 2968)
    cmd: "wmic.exe" csproduct get uuid
    signatures: Suspicious use of AdjustPrivilegeToken
  - attrib.exe (PID 2868)
    cmd: "attrib.exe" +h +s "C:\Users\Admin\Downloads\Umbral.exe"
    signatures: Views/modifies file attributes
  - powershell.exe (PID 4036)
    cmd: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Umbral.exe'
    signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - powershell.exe (PID 3592)
    cmd: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - powershell.exe (PID 428)
    cmd: "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - powershell.exe (PID 532)
    cmd: "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - wmic.exe (PID 1488)
    cmd: "wmic.exe" os get Caption
    signatures: Suspicious use of AdjustPrivilegeToken
  - wmic.exe (PID 4064)
    cmd: "wmic.exe" computersystem get totalphysicalmemory
  - wmic.exe (PID 4812)
    cmd: "wmic.exe" csproduct get uuid
  - powershell.exe (PID 4864)
    cmd: "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    signatures: Suspicious behavior: EnumeratesProcesses
  - wmic.exe (PID 3260)
    cmd: "wmic" path win32_VideoController get name
    signatures: Detects videocard installed
  - cmd.exe (PID 4808)
    cmd: "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\Downloads\Umbral.exe" && pause
    - PING.EXE (PID 4868)
      cmd: ping localhost
      signatures: Runs ping.exe

- MiniSearchHost.exe (PID 1028)
  cmd: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
  signatures: Modifies registry class; Suspicious use of SetWindowsHookEx

Reading the Umbral.exe subtree in order: it collects the machine UUID (wmic csproduct get uuid), hides its own file (attrib +h +s), adds its own path as a Defender exclusion (Add-MpPreference -ExclusionPath) and then switches off real-time monitoring, IOAV, IPS and script scanning along with MAPS reporting and sample submission (Set-MpPreference), reads the Roblox .ROBLOSECURITY session cookie from HKCU (the second query uses HKLN:, which is not a PowerShell drive, so that one errors out), fingerprints OS, RAM, UUID, CPU and GPU, and finally removes its own file through cmd /c ping localhost && del. The Edge processes in the tree are the browser that fetched the sample, not the malware. Note also that PID 2968 appears twice (an Edge renderer and the first wmic.exe) and PID 1028 twice (CompPkgSrv.exe and MiniSearchHost.exe): PIDs were reused during the run, so correlate on process identity rather than on PID alone.
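The Umbral.exe subtree above is a compact list of the behaviours a detection engineer would key on: a Defender exclusion for its own path, Set-MpPreference switching protections off, attrib +h +s on its own image, HWID collection via wmic csproduct get uuid, the .ROBLOSECURITY registry read, and the cmd /c ping localhost && del self-deletion. Added example, not part of the report and not Umbral's code: Python detection logic run over constructed Sysmon-style process-creation records that reproduce those command lines (the PIDs match the report; the record field names pid, ppid, image and cmdline are an assumption about the log schema). The parent-aware rules check that attrib and del target the parent process's own executable, which is what separates this pattern from an administrator running the same tools by hand.

```python
"""Process-creation detection rules for the behaviours in the Umbral.exe subtree.

Added example, not code from the sandbox or from Umbral. EVENTS is a constructed
Sysmon-Event-ID-1-style log whose command lines and PIDs come from the report;
the field names (pid, ppid, image, cmdline) are an assumption about the log schema.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WMIC = r"C:\Windows\System32\Wbem\wmic.exe"
UMBRAL = r"C:\Users\Admin\Downloads\Umbral.exe"


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the created process
    cmdline: str   # command line as logged


# Constructed from the report's process tree; the last record is a benign control.
EVENTS = [
    ProcEvent(4988, 1412, UMBRAL, '"' + UMBRAL + '"'),
    ProcEvent(2968, 4988, WMIC, '"wmic.exe" csproduct get uuid'),
    ProcEvent(2868, 4988, r"C:\Windows\SYSTEM32\attrib.exe", '"attrib.exe" +h +s "' + UMBRAL + '"'),
    ProcEvent(4036, 4988, PS, '"powershell.exe" Add-MpPreference -ExclusionPath ' + "'" + UMBRAL + "'"),
    ProcEvent(3592, 4988, PS, '"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true '
              '-DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true '
              '-EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force '
              '-MAPSReporting Disabled -SubmitSamplesConsent NeverSend'),
    ProcEvent(428, 4988, PS, r'"powershell.exe" Get-ItemPropertyValue -Path '
              r'HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY'),
    ProcEvent(4808, 4988, r"C:\Windows\SYSTEM32\cmd.exe",
              '"cmd.exe" /c ping localhost && del /F /A h "' + UMBRAL + '" && pause'),
    ProcEvent(4868, 4808, r"C:\Windows\system32\PING.EXE", "ping localhost"),
    # Constructed benign control: an administrator inspecting Defender settings by hand.
    ProcEvent(7001, 7000, PS, "powershell.exe Get-MpPreference"),
]

# Command-line rules: each matches one technique visible in the report.
CMDLINE_RULES = {
    "defender_exclusion_added": re.compile(
        r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)", re.I),
    "defender_protection_disabled": re.compile(
        r"Set-MpPreference.*-Disable(RealtimeMonitoring|IOAVProtection|"
        r"IntrusionPreventionSystem|ScriptScanning)\s+\$true", re.I),
    "hwid_collection_wmic": re.compile(r'wmic(?:\.exe)?"?\s+csproduct\s+get\s+uuid', re.I),
    "roblox_session_cookie_read": re.compile(r"\.ROBLOSECURITY\b", re.I),
    "ping_then_del": re.compile(r"\bping\b.*&&\s*del\b", re.I),
}
# Parent-aware rules: the quoted path must be the parent's own executable.
ATTRIB_HIDE = re.compile(r'attrib(?:\.exe)?"?\s+(?:\+[hs]\s+)+"([^"]+)"', re.I)
DEL_TARGET = re.compile(r'\bdel\s+(?:(?:/\S+|h)\s+)*"([^"]+)"', re.I)


def _same_path(a: str, b: str) -> bool:
    return a.strip().lower() == b.strip().lower()


def evaluate(events):
    """Return {rule_name: set(pid)} for every record that matches a rule."""
    by_pid = {e.pid: e for e in events}
    hits = defaultdict(set)
    for e in events:
        for name, rx in CMDLINE_RULES.items():
            if rx.search(e.cmdline):
                hits[name].add(e.pid)
        parent = by_pid.get(e.ppid)
        if parent is None:          # parent not in the log window: skip parent-aware rules
            continue
        m = ATTRIB_HIDE.search(e.cmdline)
        if m and _same_path(m.group(1), parent.image):
            hits["hide_parent_image_attrib"].add(e.pid)
        m = DEL_TARGET.search(e.cmdline)
        if m and _same_path(m.group(1), parent.image):
            hits["self_delete_of_parent_image"].add(e.pid)
    return dict(hits)


def suspicious_parents(events, hits, min_rules=3):
    """Parents whose children tripped at least min_rules distinct rules."""
    by_pid = {e.pid: e for e in events}
    per_parent = defaultdict(set)
    for rule, pids in hits.items():
        for pid in pids:
            per_parent[by_pid[pid].ppid].add(rule)
    return {ppid for ppid, rules in per_parent.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    found = evaluate(EVENTS)
    for rule, pids in sorted(found.items()):
        print(f"{rule:32s} {sorted(pids)}")
    print("suspicious parents:", suspicious_parents(EVENTS, found))
```

Scoring per parent rather than per command matters here: each individual child (a wmic query, one attrib call, even the ping-and-del) has benign look-alikes, but one process whose children trip most of these rules within a few seconds is the stealer. The benign control record does not match, because Get-MpPreference only reads settings.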
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 152B
MD5: 1e4ed4a50489e7fc6c3ce17686a7cd94
SHA1: eac4e98e46efc880605a23a632e68e2c778613e7
SHA256: fc9e8224722cb738d8b32420c05006de87161e1d28bc729b451759096f436c1a
SHA512: 5c4e637ac4da37ba133cb1fba8fa2ff3e24fc4ca15433a94868f2b6e0259705634072e5563da5f7cf1fd783fa8fa0c584c00f319f486565315e87cdea8ed1c28

Filesize: 152B
MD5: 8ff8bdd04a2da5ef5d4b6a687da23156
SHA1: 247873c114f3cc780c3adb0f844fc0bb2b440b6d
SHA256: 09b7b20bfec9608a6d737ef3fa03f95dcbeaca0f25953503a321acac82a5e5ae
SHA512: 5633ad84b5a003cd151c4c24b67c1e5de965fdb206b433ca759d9c62a4785383507cbd5aca92089f6e0a50a518c6014bf09a0972b4311464aa6a26f76648345e

Filesize: 20KB
MD5: b0c2da866b2e58c905829646726e6cad
SHA1: a2195dd900455e39e0c2ec5640030346fc3bd263
SHA256: 78ef72b661cff1466aa18de6c9e6303ce86aea15a984c353434d7a6ee0cb9356
SHA512: 0d9311e644f98701109c7cb643d021cd45b5e5db0152b6ade912120b59464c1917ed2b3df0b7457cdaab3409c38689dcd572b238eeb8a99acd51e45fbed9a2bf

Filesize: 186B
MD5: 094ab275342c45551894b7940ae9ad0d
SHA1: 2e7ce26fe2eb9be641ae929d0c9cc0dfa26c018e
SHA256: ef1739b833a1048ee1bd55dcbac5b1397396faca1ad771f4d6c2fe58899495a3
SHA512: 19d0c688dc1121569247111e45de732b2ab86c71aecdde34b157cfd1b25c53473ed3ade49a97f8cb2ddc4711be78fa26c9330887094e031e9a71bb5c29080b0d

Filesize: 5KB
MD5: dfda55d6ca665a53bc9bfcb76de43cac
SHA1: 9172191fb77259cfb9871f7b28d17e584084c7e7
SHA256: 2256b6a11782632ce99d29b15c0545af72ffdc7d947319776e9ecb1936aa156e
SHA512: e4508e8d32809bf3dd8dac383c1b1e715ed761a90da9137d70818a1716769f36a77c84e98f34758dc2523bad60e0b63a23761383cff96959406f3a6c394a6eeb

Filesize: 5KB
MD5: a01f0714223393877835a5b529535d29
SHA1: af54661ce5689c2636c9f90d17c9c57501b42c57
SHA256: 7628c6915a9dfb046dad2db4509a839ef98cabc18720c5a7fab43b6e3a56567c
SHA512: 161ac088f8cde37d8b6cc06b29d8af5ae91c29d35ea067d1c8c8b6003bc50580c70c4b13ec8da35f22957f5872824a7ffb7e2e3864df9336e90e5f0df8724c5f

Filesize: 5KB
MD5: ce05779810e945b6444255793c3a3e3c
SHA1: aabdc29741070d371478a994bc23a2c64b8704da
SHA256: 3d7cc85f35551b741a50668af146b19e77a86d768f053ab205f935550513558e
SHA512: b2713332890c2a27a07bb1000b6fa1aa74916fc388fe83c081218bd0ceffb8517f41c143dc3445d16a718c2513ca81f1f9f9d04aabc8473c5811f5a315aa8e88

Filesize: 16B
MD5: 6752a1d65b201c13b62ea44016eb221f
SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Filesize: 11KB
MD5: d95509076efe578649860e26ad167c46
SHA1: 019ef30ea929b3efd8868064d97a523af66853cf
SHA256: 7a95f8c9cacefe23b10e48bbcb5070d6ba5fca8da0cae921e0baa56eeeb202c5
SHA512: e45d211cf07585d1ed37541ce67496aed4059bc5a03bda497597e00a76d507706c2010a2e453882ffa6074d3e397bc607c0653aafd3fa74be97c7ff568846fbe

Filesize: 11KB
MD5: 073299e557fd580a30e6b051ecdd75ca
SHA1: 7f6e4bf7bdb4dafa509d943ca196c8ed2e2612b8
SHA256: b459429a29d714e83a09eeb1233a521fd83fba6e6a81ea0b839fecffd32b8e13
SHA512: 9b21394dba5025fbe0ef0362545f6f849f42b21a2b5dbb9a841dd5bab8d50579d33f53267be5a2726940c0991c261eb11661c06f91c5a8efab5e83110689ae66

Filesize: 12KB
MD5: 2c5415ad178ac92dcec87916485e467f
SHA1: 731089d233c1a6a04f06d5f45de96dd5878c20df
SHA256: b5fade42ade6ba2dd5641527c04c8c3c705d63899c364bae913c827d13c8760d
SHA512: 1786947e93887486977ec8dc80b60cd1a1d9d3878ddd3f90d996382b0ade1ecf0c7b42930007a428c2418330b9ba56452754f12182d835b651dcdbbbf1a22a7e

Filesize: 944B
MD5: 7d760ca2472bcb9fe9310090d91318ce
SHA1: cb316b8560b38ea16a17626e685d5a501cd31c4a
SHA256: 5c362b53c4a4578d8b57c51e1eac15f7f3b2447e43e0dad5102ecd003d5b41d4
SHA512: 141e8661d7348ebbc1f74f828df956a0c6e4cdb70f3b9d52623c9a30993bfd91da9ed7d8d284b84f173d3e6f47c876fb4a8295110895f44d97fd6cc4c5659c35

Filesize: 948B
MD5: d80c90c20d0f5c8f07229716f2beffef
SHA1: 42dcd92a3a1059e5e559e1cd110ec98a3ac45e3e
SHA256: 5ba478485882ee7c7aa928af8c98e7754e876887e00a0c69520d20bd4926e7f6
SHA512: d6a4b14a52154db7c5af19e60910774d61704e7a6243ba5f73e11f7b692ea75840730e04eaccb59387021edf57506e0c2999e4237e8d921a01053eb4a3274ecf

Filesize: 1KB
MD5: 83d2d0a413aaa75f465eb40c7c057609
SHA1: a6cb76483b42b495c07b78938a594d4865af0a34
SHA256: 13b2980d7c02f6c1dd2329a7c46e18b7178012d600afd589d6f2495acbd85a80
SHA512: fa8e80acdde9aa6f4bd63f6278b46527d04977f102ff39670e0eafa75566c852f667a843012e72547fb2b5a03cd3a738e95280a07e97745b86293e27303dfe84

Filesize: 1KB
MD5: eb3b72c93a86ce5252b46ddc261f2090
SHA1: aec64add080b3070646c5389d545a69f17eeec6f
SHA256: 0e8515381c8a90dbbb1995ba72dad52d8bd9391b29d8e11bebde2dc23dcbce11
SHA512: bc7ee5b5af70ca1010aff49e4aa14e16af79dbc101d42b70945ee0033c97a9585fdc0a0a5e0068ee3dd234a223363a3ffadc240b6327c2b671fe134a10d42969

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
Filesize: 10KB
MD5: 2f23663111658be2ba0b273463ff5e60
SHA1: c2af77369b83a0177bfdb90c11fad4c5f897a983
SHA256: eab4709a1ad32b0b87a53d307893899eb3ee26c6a59a1b34fe83062c79817513
SHA512: e0fdfe555a47709cbf14c4c22498c89c3e8fd61c5b40806b9dd06aee20fbdcd3d9c4f7861d1183df15e9c64ed25828f97c8292bc6b4a700d3d4586433bf45bd8

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 26B
MD5: fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1: d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256: eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512: aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Filesize: 229KB
MD5: eadd4d3f06b7d57e1847fffe5d6068c3
SHA1: 29d0a20659f42070f4d66d70aa3d43255a86237f
SHA256: 971f3b0fe84daa86f88158682f5e8c65a3562266ebc2f0a1b44fd9d2cb4e72e7
SHA512: 4c066218850eec918eda311cb6620e736ec467fbeb4593a67296abb532432b20e0107c8c14af490d3b5730c19ed6e1535370247de71a4e14f4491ea069451084

Filesize: 2KB
MD5: 4028457913f9d08b06137643fe3e01bc
SHA1: a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14
SHA256: 289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58
SHA512: c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b