Analysis

  • max time kernel
    118s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    03-12-2024 22:07

General

  • Target

    4a9d829d1caa33793d986642b519ee710b3d1af421f975096e5e09c0ef4e78f8.exe

  • Size

    1.0MB

  • MD5

    5a5cbc6f945837008dc0d0ead368992d

  • SHA1

    aba12623631d97ba90e4c827d19237ac70513ab1

  • SHA256

    4a9d829d1caa33793d986642b519ee710b3d1af421f975096e5e09c0ef4e78f8

  • SHA512

    1f6b6e31ddcc0be6661673e71ef8d90f9dfe144b385de1a355d2603e40d0293a575b0e64e4478959c03fcf03d48b73c20155e8907f7b39832ab1d9fb2193178b

  • SSDEEP

    24576:ZVvTLevDohsF9gI8kgn9GuBH0dP6aPpBY87n777M777777u:ZVrLNsHL7n777M777777

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1284180541318369281/CNUPQ-TzMEaz-_5SRj7WkWi-s8jT5iL-oUy_ew1ow9FcpiMvRa5LofG2aKVqGPyRzvfL

Signatures

  • Detect Umbral payload 2 IoCs
  • Umbral

    Umbral stealer is an open-source modular stealer written in C#.

  • Umbral family
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 7 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4a9d829d1caa33793d986642b519ee710b3d1af421f975096e5e09c0ef4e78f8.exe
    "C:\Users\Admin\AppData\Local\Temp\4a9d829d1caa33793d986642b519ee710b3d1af421f975096e5e09c0ef4e78f8.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2420
    • C:\Users\Admin\AppData\Local\Temp\TL.exe
      "C:\Users\Admin\AppData\Local\Temp\TL.exe"
      2⤵
      • Executes dropped EXE
      PID:2488
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\TLlauncher
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1664
      • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\TLlauncher"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:2728

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\TLlauncher

    Filesize

    227KB

    MD5

    ca25f5b5e0f2a63557906ce788f6fbba

    SHA1

    3359d9e479d3b0d10e317f45e7817420e45f4831

    SHA256

    756a14c17660ba1b0bbd3d82364e9b202260ae1e4a6a8c725e6e3dc75b442772

    SHA512

    94b2b285c7eedacaafa66c924678e32399c39400177966f02a96ce77690869ba7990b702bf3edabe13f15f9608c559d8af795dfc2015f03a706f0973b98b5a05

  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

    Filesize

    3KB

    MD5

    ad4218563b47e9a77d44614648458e39

    SHA1

    d352be5010167a5336d87e00d403c4506eb6c021

    SHA256

    fb86305788855a8e228f514215561aaf22df11a040a011d9606bf98e40463bec

    SHA512

    d1aba8a738c03e2aeedac7dfd10b4fa2cbda4671469fa8f2df1fffc1877154f9935a623d8c406eab72ba2ef2b6c04c300c45fd78ad6782e6c9d83207d3573a2f

  • \Users\Admin\AppData\Local\Temp\TL.exe

    Filesize

    583KB

    MD5

    690272e4fb07da4793b636eac9cc6733

    SHA1

    3e1baebcfddd4f2e372272cb5ed530cee5b8f145

    SHA256

    969e8f0ca48c14a43ae7eeda3674d0788830958f6010f98c9f58eab4502d2a6c

    SHA512

    add4a5e66af20878b8e026a5ac7d3e5c71ef9ccae14c10e4ee1388d6b843db5b9d9b306e2116235a21c340eb758e54081d3770404b13c12a83bd135bff78a45c

  • memory/2420-0-0x000000007402E000-0x000000007402F000-memory.dmp

    Filesize

    4KB

  • memory/2420-1-0x0000000000970000-0x0000000000A7E000-memory.dmp

    Filesize

    1.1MB

  • memory/2488-9-0x000007FEF51C3000-0x000007FEF51C4000-memory.dmp

    Filesize

    4KB

  • memory/2488-11-0x0000000000960000-0x00000000009F8000-memory.dmp

    Filesize

    608KB