umbral | d59f40a7e459e4f03cfafe017c0f9433714f8530757a674976a5dcc2bc68618d

Analysis

max time kernel
32s
max time network
39s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
29-11-2024 17:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Umbral.exe
Size

230KB
MD5

d36aaa797c0db93779d1e7d23deb0ea1
SHA1

8c43cdc2bbd58bde7e445a9b26a745d091c93c5c
SHA256

d59f40a7e459e4f03cfafe017c0f9433714f8530757a674976a5dcc2bc68618d
SHA512

cf192d81fb909a91b989e50b7c0bb1092f130b3394b4205ce46afa9f2070f17a6461366dbad7bbc721d8449facaf2864203d274afcd95b65d3420070c0adb9e7
SSDEEP

6144:lloZM+rIkd8g+EtXHkv/iD4OGsLCg/7IiR0STTKEJ/b8e1mVni:noZtL+EP8OGsLCg/7IiR0STTKE1r

Score

10^/10

umbral discovery execution spyware stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral1/memory/3964-1-0x0000015426540000-0x0000015426580000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3536	powershell.exe
1996	powershell.exe
1572	powershell.exe
3428	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
24	discord.com
23	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	ip-api.com

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2864	cmd.exe
2480	PING.EXE

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2412	wmic.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2480	PING.EXE

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
844	wmic.exe
844	wmic.exe
844	wmic.exe
844	wmic.exe
3964	Umbral.exe
3536	powershell.exe
3536	powershell.exe
1996	powershell.exe
1996	powershell.exe
1572	powershell.exe
1572	powershell.exe
3140	powershell.exe
3140	powershell.exe
2096	wmic.exe
2096	wmic.exe
2096	wmic.exe
2096	wmic.exe
8	wmic.exe
8	wmic.exe
8	wmic.exe
8	wmic.exe
3460	wmic.exe
3460	wmic.exe
3460	wmic.exe
3460	wmic.exe
3428	powershell.exe
3428	powershell.exe
2412	wmic.exe
2412	wmic.exe
2412	wmic.exe
2412	wmic.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3964	Umbral.exe
Token: SeIncreaseQuotaPrivilege	844	wmic.exe
Token: SeSecurityPrivilege	844	wmic.exe
Token: SeTakeOwnershipPrivilege	844	wmic.exe
Token: SeLoadDriverPrivilege	844	wmic.exe
Token: SeSystemProfilePrivilege	844	wmic.exe
Token: SeSystemtimePrivilege	844	wmic.exe
Token: SeProfSingleProcessPrivilege	844	wmic.exe
Token: SeIncBasePriorityPrivilege	844	wmic.exe
Token: SeCreatePagefilePrivilege	844	wmic.exe
Token: SeBackupPrivilege	844	wmic.exe
Token: SeRestorePrivilege	844	wmic.exe
Token: SeShutdownPrivilege	844	wmic.exe
Token: SeDebugPrivilege	844	wmic.exe
Token: SeSystemEnvironmentPrivilege	844	wmic.exe
Token: SeRemoteShutdownPrivilege	844	wmic.exe
Token: SeUndockPrivilege	844	wmic.exe
Token: SeManageVolumePrivilege	844	wmic.exe
Token: 33	844	wmic.exe
Token: 34	844	wmic.exe
Token: 35	844	wmic.exe
Token: 36	844	wmic.exe
Token: SeIncreaseQuotaPrivilege	844	wmic.exe
Token: SeSecurityPrivilege	844	wmic.exe
Token: SeTakeOwnershipPrivilege	844	wmic.exe
Token: SeLoadDriverPrivilege	844	wmic.exe
Token: SeSystemProfilePrivilege	844	wmic.exe
Token: SeSystemtimePrivilege	844	wmic.exe
Token: SeProfSingleProcessPrivilege	844	wmic.exe
Token: SeIncBasePriorityPrivilege	844	wmic.exe
Token: SeCreatePagefilePrivilege	844	wmic.exe
Token: SeBackupPrivilege	844	wmic.exe
Token: SeRestorePrivilege	844	wmic.exe
Token: SeShutdownPrivilege	844	wmic.exe
Token: SeDebugPrivilege	844	wmic.exe
Token: SeSystemEnvironmentPrivilege	844	wmic.exe
Token: SeRemoteShutdownPrivilege	844	wmic.exe
Token: SeUndockPrivilege	844	wmic.exe
Token: SeManageVolumePrivilege	844	wmic.exe
Token: 33	844	wmic.exe
Token: 34	844	wmic.exe
Token: 35	844	wmic.exe
Token: 36	844	wmic.exe
Token: SeDebugPrivilege	3536	powershell.exe
Token: SeIncreaseQuotaPrivilege	3536	powershell.exe
Token: SeSecurityPrivilege	3536	powershell.exe
Token: SeTakeOwnershipPrivilege	3536	powershell.exe
Token: SeLoadDriverPrivilege	3536	powershell.exe
Token: SeSystemProfilePrivilege	3536	powershell.exe
Token: SeSystemtimePrivilege	3536	powershell.exe
Token: SeProfSingleProcessPrivilege	3536	powershell.exe
Token: SeIncBasePriorityPrivilege	3536	powershell.exe
Token: SeCreatePagefilePrivilege	3536	powershell.exe
Token: SeBackupPrivilege	3536	powershell.exe
Token: SeRestorePrivilege	3536	powershell.exe
Token: SeShutdownPrivilege	3536	powershell.exe
Token: SeDebugPrivilege	3536	powershell.exe
Token: SeSystemEnvironmentPrivilege	3536	powershell.exe
Token: SeRemoteShutdownPrivilege	3536	powershell.exe
Token: SeUndockPrivilege	3536	powershell.exe
Token: SeManageVolumePrivilege	3536	powershell.exe
Token: 33	3536	powershell.exe
Token: 34	3536	powershell.exe
Token: 35	3536	powershell.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 3964 wrote to memory of 844	3964	Umbral.exe	80
PID 3964 wrote to memory of 844	3964	Umbral.exe	80
PID 3964 wrote to memory of 4504	3964	Umbral.exe	83
PID 3964 wrote to memory of 4504	3964	Umbral.exe	83
PID 3964 wrote to memory of 3536	3964	Umbral.exe	85
PID 3964 wrote to memory of 3536	3964	Umbral.exe	85
PID 3964 wrote to memory of 1996	3964	Umbral.exe	88
PID 3964 wrote to memory of 1996	3964	Umbral.exe	88
PID 3964 wrote to memory of 1572	3964	Umbral.exe	92
PID 3964 wrote to memory of 1572	3964	Umbral.exe	92
PID 3964 wrote to memory of 3140	3964	Umbral.exe	94
PID 3964 wrote to memory of 3140	3964	Umbral.exe	94
PID 3964 wrote to memory of 2096	3964	Umbral.exe	97
PID 3964 wrote to memory of 2096	3964	Umbral.exe	97
PID 3964 wrote to memory of 8	3964	Umbral.exe	99
PID 3964 wrote to memory of 8	3964	Umbral.exe	99
PID 3964 wrote to memory of 3460	3964	Umbral.exe	101
PID 3964 wrote to memory of 3460	3964	Umbral.exe	101
PID 3964 wrote to memory of 3428	3964	Umbral.exe	103
PID 3964 wrote to memory of 3428	3964	Umbral.exe	103
PID 3964 wrote to memory of 2412	3964	Umbral.exe	105
PID 3964 wrote to memory of 2412	3964	Umbral.exe	105
PID 3964 wrote to memory of 2864	3964	Umbral.exe	108
PID 3964 wrote to memory of 2864	3964	Umbral.exe	108
PID 2864 wrote to memory of 2480	2864	cmd.exe	110
PID 2864 wrote to memory of 2480	2864	cmd.exe	110

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4504	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
1⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3964
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:844
- C:\Windows\SYSTEM32\attrib.exe
  "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
  2⤵
  - Views/modifies file attributes
  PID:4504
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1996
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1572
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3140
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2096
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:8
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3460
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3428
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  - Suspicious behavior: EnumeratesProcesses
  PID:2412
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2864
- - C:\Windows\system32\PING.EXE
    ping localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
af1cc13f412ef37a00e668df293b1584

SHA1
8973b3e622f187fcf484a0eb9fa692bf3e2103cb

SHA256
449c0c61734cf23f28ad05a7e528f55dd8a7c6ae7a723253707e5f73de187037

SHA512
75d954ec8b98f804d068635875fac06e9594874f0f5d6e2ad9d6267285d1d4a1de6309009de9e2956c6477a888db648396f77a1a49b58287d2683b8214e7a3d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
7edc8ec4833743d0b4f3bdbe69e0c149

SHA1
364f861b32404c9037508b769bed3d4c4399ad41

SHA256
0372204da00e409e1dbf1c11e060e2254397c3606faed5ecf2b46b27e9eec424

SHA512
f800044c6985d5e4a35c7f1c3eb81415668129f5f01b203c3df153996a731998b0477cfb1cca7e81f24cfd05a4ae131ca5c9ef44b6db04ceff74a5a973209663

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
dc80405a5af90a05e0ab82b7f66fccfc

SHA1
7de6e897391c08df47208aef6c552276b37cf151

SHA256
ad9c4a781a8364b6bcc2b836673e5eafcdc283a485cbf581ad26b6253dbd5052

SHA512
494c44d35f1bf72f9b5b56962cfc1e1d371a5cce53b42c0e66ffbdbd886599a6f386b22ee94c3b1627bc04e8a1f201fd705d9b7333c92438a0338e86befe3f16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9737dcda657a653247dcb9961716d1de

SHA1
9e6c8be84b6ef12c19e6bed64243f5db2ae18945

SHA256
48b8a71f2653b7d36591f05c3a3fb5987fc6d1270e548352690028bb58992bd2

SHA512
162bb33959bb335b52e21c81443420a46918f0f09ab35b005f171b5c919d5a8e8bf1bda4e26992e1170181c4e0ecddb703cc74564566f6de524ebfd8489464d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xibebz2d.3gh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/3536-13-0x0000027F37F80000-0x0000027F37FA2000-memory.dmp

Filesize
136KB

Download
memory/3536-14-0x00007FFA34CD0000-0x00007FFA35792000-memory.dmp

Filesize
10.8MB

Download
memory/3536-15-0x00007FFA34CD0000-0x00007FFA35792000-memory.dmp

Filesize
10.8MB

Download
memory/3536-18-0x00007FFA34CD0000-0x00007FFA35792000-memory.dmp

Filesize
10.8MB

Download
memory/3536-12-0x00007FFA34CD0000-0x00007FFA35792000-memory.dmp

Filesize
10.8MB

Download
memory/3964-33-0x0000015440D00000-0x0000015440D50000-memory.dmp

Filesize
320KB

Download
memory/3964-32-0x0000015440C80000-0x0000015440CF6000-memory.dmp

Filesize
472KB

Download
memory/3964-34-0x0000015440C20000-0x0000015440C3E000-memory.dmp

Filesize
120KB

Download
memory/3964-1-0x0000015426540000-0x0000015426580000-memory.dmp

Filesize
256KB

Download
memory/3964-0-0x00007FFA34CD3000-0x00007FFA34CD5000-memory.dmp

Filesize
8KB

Download
memory/3964-59-0x0000015440C60000-0x0000015440C6A000-memory.dmp

Filesize
40KB

Download
memory/3964-60-0x0000015440D70000-0x0000015440D82000-memory.dmp

Filesize
72KB

Download
memory/3964-2-0x00007FFA34CD0000-0x00007FFA35792000-memory.dmp

Filesize
10.8MB

Download
memory/3964-80-0x00007FFA34CD0000-0x00007FFA35792000-memory.dmp

Filesize
10.8MB

Download