umbral | f66e2d7ea0cafc94b9ae2dea2b86bdd37a26dfa02381f82ea8a791c7a6025f80

Analysis

max time kernel
75s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-01-2025 12:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f66e2d7ea0cafc94b9ae2dea2b86bdd37a26dfa02381f82ea8a791c7a6025f80N.exe
Size

1.6MB
MD5

4131bbc8e8e1f839b6d116fbdc75b760
SHA1

40c1cc07a70cc1183cd096ccf2f5322d4ede7149
SHA256

f66e2d7ea0cafc94b9ae2dea2b86bdd37a26dfa02381f82ea8a791c7a6025f80
SHA512

908d5482a530ff722f988356beccb8c6904d5acbcdb40dc2608098e0abcfc1a1991ebb615e5ab69716f3d96ca1049dd45850ff97c632ac1304ecee0da629ca4b
SSDEEP

24576:YcNnc2ZIQ2tRXUDo42d2ZCZbyLiVLVakZdwBuC/y45doBmkI+GgUVjt:blDoh2G+LiVzAsC/y8V

Score

10^/10

umbral discovery execution spyware stealer

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1326743463613435985/70y7ba1b6sFIhNg-JtWQPKaJNsYwIyDKQXMSsjnPN75MdFtAYWdvSFwlzd-whY1wFSoz

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000e00000001537c-12.dat	family_umbral
behavioral1/memory/2116-13-0x0000000000E80000-0x0000000000F00000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2008	powershell.exe
2368	powershell.exe
2092	powershell.exe
2620	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Error.exe

Executes dropped EXE 2 IoCs

pid	Process
2944	OQ9.exe
2116	Error.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
13	discord.com
14	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
10	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OQ9.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2496	cmd.exe
1664	PING.EXE

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
760	wmic.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1664	PING.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2116	Error.exe
2620	powershell.exe
2008	powershell.exe
2368	powershell.exe
2280	powershell.exe
2092	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2116	Error.exe
Token: SeIncreaseQuotaPrivilege	2632	wmic.exe
Token: SeSecurityPrivilege	2632	wmic.exe
Token: SeTakeOwnershipPrivilege	2632	wmic.exe
Token: SeLoadDriverPrivilege	2632	wmic.exe
Token: SeSystemProfilePrivilege	2632	wmic.exe
Token: SeSystemtimePrivilege	2632	wmic.exe
Token: SeProfSingleProcessPrivilege	2632	wmic.exe
Token: SeIncBasePriorityPrivilege	2632	wmic.exe
Token: SeCreatePagefilePrivilege	2632	wmic.exe
Token: SeBackupPrivilege	2632	wmic.exe
Token: SeRestorePrivilege	2632	wmic.exe
Token: SeShutdownPrivilege	2632	wmic.exe
Token: SeDebugPrivilege	2632	wmic.exe
Token: SeSystemEnvironmentPrivilege	2632	wmic.exe
Token: SeRemoteShutdownPrivilege	2632	wmic.exe
Token: SeUndockPrivilege	2632	wmic.exe
Token: SeManageVolumePrivilege	2632	wmic.exe
Token: 33	2632	wmic.exe
Token: 34	2632	wmic.exe
Token: 35	2632	wmic.exe
Token: SeIncreaseQuotaPrivilege	2632	wmic.exe
Token: SeSecurityPrivilege	2632	wmic.exe
Token: SeTakeOwnershipPrivilege	2632	wmic.exe
Token: SeLoadDriverPrivilege	2632	wmic.exe
Token: SeSystemProfilePrivilege	2632	wmic.exe
Token: SeSystemtimePrivilege	2632	wmic.exe
Token: SeProfSingleProcessPrivilege	2632	wmic.exe
Token: SeIncBasePriorityPrivilege	2632	wmic.exe
Token: SeCreatePagefilePrivilege	2632	wmic.exe
Token: SeBackupPrivilege	2632	wmic.exe
Token: SeRestorePrivilege	2632	wmic.exe
Token: SeShutdownPrivilege	2632	wmic.exe
Token: SeDebugPrivilege	2632	wmic.exe
Token: SeSystemEnvironmentPrivilege	2632	wmic.exe
Token: SeRemoteShutdownPrivilege	2632	wmic.exe
Token: SeUndockPrivilege	2632	wmic.exe
Token: SeManageVolumePrivilege	2632	wmic.exe
Token: 33	2632	wmic.exe
Token: 34	2632	wmic.exe
Token: 35	2632	wmic.exe
Token: SeDebugPrivilege	2620	powershell.exe
Token: SeDebugPrivilege	2008	powershell.exe
Token: SeDebugPrivilege	2368	powershell.exe
Token: SeDebugPrivilege	2280	powershell.exe
Token: SeIncreaseQuotaPrivilege	2372	wmic.exe
Token: SeSecurityPrivilege	2372	wmic.exe
Token: SeTakeOwnershipPrivilege	2372	wmic.exe
Token: SeLoadDriverPrivilege	2372	wmic.exe
Token: SeSystemProfilePrivilege	2372	wmic.exe
Token: SeSystemtimePrivilege	2372	wmic.exe
Token: SeProfSingleProcessPrivilege	2372	wmic.exe
Token: SeIncBasePriorityPrivilege	2372	wmic.exe
Token: SeCreatePagefilePrivilege	2372	wmic.exe
Token: SeBackupPrivilege	2372	wmic.exe
Token: SeRestorePrivilege	2372	wmic.exe
Token: SeShutdownPrivilege	2372	wmic.exe
Token: SeDebugPrivilege	2372	wmic.exe
Token: SeSystemEnvironmentPrivilege	2372	wmic.exe
Token: SeRemoteShutdownPrivilege	2372	wmic.exe
Token: SeUndockPrivilege	2372	wmic.exe
Token: SeManageVolumePrivilege	2372	wmic.exe
Token: 33	2372	wmic.exe
Token: 34	2372	wmic.exe

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 2284 wrote to memory of 2944	2284	f66e2d7ea0cafc94b9ae2dea2b86bdd37a26dfa02381f82ea8a791c7a6025f80N.exe	31
PID 2284 wrote to memory of 2944	2284	f66e2d7ea0cafc94b9ae2dea2b86bdd37a26dfa02381f82ea8a791c7a6025f80N.exe	31
PID 2284 wrote to memory of 2944	2284	f66e2d7ea0cafc94b9ae2dea2b86bdd37a26dfa02381f82ea8a791c7a6025f80N.exe	31
PID 2284 wrote to memory of 2944	2284	f66e2d7ea0cafc94b9ae2dea2b86bdd37a26dfa02381f82ea8a791c7a6025f80N.exe	31
PID 2284 wrote to memory of 2116	2284	f66e2d7ea0cafc94b9ae2dea2b86bdd37a26dfa02381f82ea8a791c7a6025f80N.exe	33
PID 2284 wrote to memory of 2116	2284	f66e2d7ea0cafc94b9ae2dea2b86bdd37a26dfa02381f82ea8a791c7a6025f80N.exe	33
PID 2284 wrote to memory of 2116	2284	f66e2d7ea0cafc94b9ae2dea2b86bdd37a26dfa02381f82ea8a791c7a6025f80N.exe	33
PID 2944 wrote to memory of 2820	2944	OQ9.exe	34
PID 2944 wrote to memory of 2820	2944	OQ9.exe	34
PID 2944 wrote to memory of 2820	2944	OQ9.exe	34
PID 2944 wrote to memory of 2820	2944	OQ9.exe	34
PID 2116 wrote to memory of 2632	2116	Error.exe	35
PID 2116 wrote to memory of 2632	2116	Error.exe	35
PID 2116 wrote to memory of 2632	2116	Error.exe	35
PID 2116 wrote to memory of 2572	2116	Error.exe	38
PID 2116 wrote to memory of 2572	2116	Error.exe	38
PID 2116 wrote to memory of 2572	2116	Error.exe	38
PID 2116 wrote to memory of 2620	2116	Error.exe	40
PID 2116 wrote to memory of 2620	2116	Error.exe	40
PID 2116 wrote to memory of 2620	2116	Error.exe	40
PID 2116 wrote to memory of 2008	2116	Error.exe	42
PID 2116 wrote to memory of 2008	2116	Error.exe	42
PID 2116 wrote to memory of 2008	2116	Error.exe	42
PID 2116 wrote to memory of 2368	2116	Error.exe	44
PID 2116 wrote to memory of 2368	2116	Error.exe	44
PID 2116 wrote to memory of 2368	2116	Error.exe	44
PID 2116 wrote to memory of 2280	2116	Error.exe	46
PID 2116 wrote to memory of 2280	2116	Error.exe	46
PID 2116 wrote to memory of 2280	2116	Error.exe	46
PID 2116 wrote to memory of 2372	2116	Error.exe	48
PID 2116 wrote to memory of 2372	2116	Error.exe	48
PID 2116 wrote to memory of 2372	2116	Error.exe	48
PID 2116 wrote to memory of 2396	2116	Error.exe	50
PID 2116 wrote to memory of 2396	2116	Error.exe	50
PID 2116 wrote to memory of 2396	2116	Error.exe	50
PID 2116 wrote to memory of 2880	2116	Error.exe	52
PID 2116 wrote to memory of 2880	2116	Error.exe	52
PID 2116 wrote to memory of 2880	2116	Error.exe	52
PID 2116 wrote to memory of 2092	2116	Error.exe	54
PID 2116 wrote to memory of 2092	2116	Error.exe	54
PID 2116 wrote to memory of 2092	2116	Error.exe	54
PID 2116 wrote to memory of 760	2116	Error.exe	56
PID 2116 wrote to memory of 760	2116	Error.exe	56
PID 2116 wrote to memory of 760	2116	Error.exe	56
PID 2116 wrote to memory of 2496	2116	Error.exe	58
PID 2116 wrote to memory of 2496	2116	Error.exe	58
PID 2116 wrote to memory of 2496	2116	Error.exe	58
PID 2496 wrote to memory of 1664	2496	cmd.exe	60
PID 2496 wrote to memory of 1664	2496	cmd.exe	60
PID 2496 wrote to memory of 1664	2496	cmd.exe	60

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2572	attrib.exe

C:\Users\Admin\AppData\Local\Temp\f66e2d7ea0cafc94b9ae2dea2b86bdd37a26dfa02381f82ea8a791c7a6025f80N.exe
"C:\Users\Admin\AppData\Local\Temp\f66e2d7ea0cafc94b9ae2dea2b86bdd37a26dfa02381f82ea8a791c7a6025f80N.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Users\Admin\AppData\Local\Temp\OQ9.exe
  "C:\Users\Admin\AppData\Local\Temp\OQ9.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2820
- C:\Users\Admin\AppData\Local\Temp\Error.exe
  "C:\Users\Admin\AppData\Local\Temp\Error.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2632
- - C:\Windows\system32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Error.exe"
    3⤵
    - Views/modifies file attributes
    PID:2572
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Error.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2620
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2008
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2368
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2280
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2372
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:2396
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:2880
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2092
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:760
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Error.exe" && pause
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:2496
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Error.exe

Filesize
488KB

MD5
efddb8393687829b125b575f9058804b

SHA1
a6146d0d4aaacc16c42fc6a1846b7d2989a61469

SHA256
9cef5b1457c51099cc4c3672dd394c5a03770a830b4a89cf95f58037c08350e1

SHA512
8e8bf6e154101e2cbbfb2be05c5bf5ce2b37bb477b9902f2ebdc3499613edb6bbfd577a019a617d672d5bdd2c3855effc53dcdbe59a8edaafbb7de8e02a39bed

Download Submit
C:\Users\Admin\AppData\Local\Temp\OQ9.exe

Filesize
2.4MB

MD5
f31f7e933b0c2f008fe6fb4ba26ee217

SHA1
972966e88349f85fe83d7aa1ffac8760e5b0dec9

SHA256
168eff65e316981b6b577a2d6e666b59a2e9ab4db404211d9a8d03054b63872f

SHA512
44a2189de0ec67bc2049590a9d415ba416fb67f3faa5bfd186f07e6651e3a6ff1864d5b8a3a9426946e05f8207dedf44b617175ffa3e409fab585d67d0765778

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
910238132a39339d26fb03911c9b80e0

SHA1
b53c6bf748a16464a26e28d220e5d45a94dc1690

SHA256
d68538a11d953bbd55e0796943f21221ff20ebcc0c0b76b3ffb6f1818f55e443

SHA512
0b16492684d6be6b54ea5f7663da45e7948697a63d407c662b9bd7f91cbad76f389032a971129e243bf5823f861260303b10b6cc5a47c955d25db9f729817c17

Download Submit
memory/2008-28-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download
memory/2008-27-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/2092-57-0x0000000001F50000-0x0000000001F58000-memory.dmp

Filesize
32KB

Download
memory/2116-15-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

Filesize
9.9MB

Download
memory/2116-13-0x0000000000E80000-0x0000000000F00000-memory.dmp

Filesize
512KB

Download
memory/2116-61-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

Filesize
9.9MB

Download
memory/2284-14-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

Filesize
9.9MB

Download
memory/2284-9-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

Filesize
9.9MB

Download
memory/2284-0-0x000007FEF55E3000-0x000007FEF55E4000-memory.dmp

Filesize
4KB

Download
memory/2284-1-0x0000000001190000-0x0000000001338000-memory.dmp

Filesize
1.7MB

Download
memory/2620-20-0x000000001B750000-0x000000001BA32000-memory.dmp

Filesize
2.9MB

Download
memory/2620-21-0x0000000001E60000-0x0000000001E68000-memory.dmp

Filesize
32KB

Download