umbral | 261d6fc361222284586e133e152797651ecde629ac3243cf47dba5af1fa4c3cc

Analysis

max time kernel
149s
max time network
22s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
20-01-2025 02:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

261d6fc361222284586e133e152797651ecde629ac3243cf47dba5af1fa4c3cc.exe
Size

1.4MB
MD5

2290a5c6cfd6f8bd2e3ad188e7eafa05
SHA1

1b863031e8556e48fa63d233b768148d87dda7c4
SHA256

261d6fc361222284586e133e152797651ecde629ac3243cf47dba5af1fa4c3cc
SHA512

13310057c8f3e54a5c5c06b5976e6b97d2930191ee6c432e59faaf561968e6e6fa261021ffd2a08b040340f05ae878d7e46fdea4127032fb51fb0b0b2bdd82d7
SSDEEP

24576:PAOmi5Vm+lBnehvY2iPr93CeF1LH1Xt5QezP9tHtR9JSWmsMrlA18VnZAWQvKsoe:E4FdetMVCK1LVXXQezP3+Wgm18VeWouS

Score

10^/10

umbral discovery execution spyware stealer

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1330303031618834494/9EbwLYdGRckxpwmC1x4tuNXcnptDOj3OQ10dKAGSqevucBbQ362A75MKfWoz9gAFomh6

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x002a0000000186cc-13.dat	family_umbral
behavioral1/memory/2932-16-0x00000000010E0000-0x0000000001120000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2692	powershell.exe
2264	powershell.exe
2680	powershell.exe
2428	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Extreme Injector.exe

Executes dropped EXE 2 IoCs

pid	Process
2836	Extreme Injector v3.exe
2932	Extreme Injector.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
7	raw.githubusercontent.com
8	raw.githubusercontent.com
11	discord.com
12	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
9	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2548	cmd.exe
2668	PING.EXE

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2408	wmic.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2668	PING.EXE

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2692	powershell.exe
2264	powershell.exe
2680	powershell.exe
2384	powershell.exe
2428	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2932	Extreme Injector.exe
Token: SeDebugPrivilege	2836	Extreme Injector v3.exe
Token: 33	2836	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2836	Extreme Injector v3.exe
Token: SeDebugPrivilege	2836	Extreme Injector v3.exe
Token: 33	2836	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2836	Extreme Injector v3.exe
Token: 33	2836	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2836	Extreme Injector v3.exe
Token: SeDebugPrivilege	2692	powershell.exe
Token: 33	2836	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2836	Extreme Injector v3.exe
Token: SeDebugPrivilege	2264	powershell.exe
Token: 33	2836	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2836	Extreme Injector v3.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	2384	powershell.exe
Token: 33	2836	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2836	Extreme Injector v3.exe
Token: SeIncreaseQuotaPrivilege	2452	wmic.exe
Token: SeSecurityPrivilege	2452	wmic.exe
Token: SeTakeOwnershipPrivilege	2452	wmic.exe
Token: SeLoadDriverPrivilege	2452	wmic.exe
Token: SeSystemProfilePrivilege	2452	wmic.exe
Token: SeSystemtimePrivilege	2452	wmic.exe
Token: SeProfSingleProcessPrivilege	2452	wmic.exe
Token: SeIncBasePriorityPrivilege	2452	wmic.exe
Token: SeCreatePagefilePrivilege	2452	wmic.exe
Token: SeBackupPrivilege	2452	wmic.exe
Token: SeRestorePrivilege	2452	wmic.exe
Token: SeShutdownPrivilege	2452	wmic.exe
Token: SeDebugPrivilege	2452	wmic.exe
Token: SeSystemEnvironmentPrivilege	2452	wmic.exe
Token: SeRemoteShutdownPrivilege	2452	wmic.exe
Token: SeUndockPrivilege	2452	wmic.exe
Token: SeManageVolumePrivilege	2452	wmic.exe
Token: 33	2452	wmic.exe
Token: 34	2452	wmic.exe
Token: 35	2452	wmic.exe
Token: SeIncreaseQuotaPrivilege	2452	wmic.exe
Token: SeSecurityPrivilege	2452	wmic.exe
Token: SeTakeOwnershipPrivilege	2452	wmic.exe
Token: SeLoadDriverPrivilege	2452	wmic.exe
Token: SeSystemProfilePrivilege	2452	wmic.exe
Token: SeSystemtimePrivilege	2452	wmic.exe
Token: SeProfSingleProcessPrivilege	2452	wmic.exe
Token: SeIncBasePriorityPrivilege	2452	wmic.exe
Token: SeCreatePagefilePrivilege	2452	wmic.exe
Token: SeBackupPrivilege	2452	wmic.exe
Token: SeRestorePrivilege	2452	wmic.exe
Token: SeShutdownPrivilege	2452	wmic.exe
Token: SeDebugPrivilege	2452	wmic.exe
Token: SeSystemEnvironmentPrivilege	2452	wmic.exe
Token: SeRemoteShutdownPrivilege	2452	wmic.exe
Token: SeUndockPrivilege	2452	wmic.exe
Token: SeManageVolumePrivilege	2452	wmic.exe
Token: 33	2452	wmic.exe
Token: 34	2452	wmic.exe
Token: 35	2452	wmic.exe
Token: SeIncreaseQuotaPrivilege	1980	wmic.exe
Token: SeSecurityPrivilege	1980	wmic.exe
Token: SeTakeOwnershipPrivilege	1980	wmic.exe
Token: SeLoadDriverPrivilege	1980	wmic.exe
Token: SeSystemProfilePrivilege	1980	wmic.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 2836	2328	261d6fc361222284586e133e152797651ecde629ac3243cf47dba5af1fa4c3cc.exe	30
PID 2328 wrote to memory of 2836	2328	261d6fc361222284586e133e152797651ecde629ac3243cf47dba5af1fa4c3cc.exe	30
PID 2328 wrote to memory of 2836	2328	261d6fc361222284586e133e152797651ecde629ac3243cf47dba5af1fa4c3cc.exe	30
PID 2328 wrote to memory of 2932	2328	261d6fc361222284586e133e152797651ecde629ac3243cf47dba5af1fa4c3cc.exe	31
PID 2328 wrote to memory of 2932	2328	261d6fc361222284586e133e152797651ecde629ac3243cf47dba5af1fa4c3cc.exe	31
PID 2328 wrote to memory of 2932	2328	261d6fc361222284586e133e152797651ecde629ac3243cf47dba5af1fa4c3cc.exe	31
PID 2932 wrote to memory of 2752	2932	Extreme Injector.exe	32
PID 2932 wrote to memory of 2752	2932	Extreme Injector.exe	32
PID 2932 wrote to memory of 2752	2932	Extreme Injector.exe	32
PID 2932 wrote to memory of 2692	2932	Extreme Injector.exe	34
PID 2932 wrote to memory of 2692	2932	Extreme Injector.exe	34
PID 2932 wrote to memory of 2692	2932	Extreme Injector.exe	34
PID 2932 wrote to memory of 2264	2932	Extreme Injector.exe	36
PID 2932 wrote to memory of 2264	2932	Extreme Injector.exe	36
PID 2932 wrote to memory of 2264	2932	Extreme Injector.exe	36
PID 2932 wrote to memory of 2680	2932	Extreme Injector.exe	38
PID 2932 wrote to memory of 2680	2932	Extreme Injector.exe	38
PID 2932 wrote to memory of 2680	2932	Extreme Injector.exe	38
PID 2932 wrote to memory of 2384	2932	Extreme Injector.exe	40
PID 2932 wrote to memory of 2384	2932	Extreme Injector.exe	40
PID 2932 wrote to memory of 2384	2932	Extreme Injector.exe	40
PID 2932 wrote to memory of 2452	2932	Extreme Injector.exe	42
PID 2932 wrote to memory of 2452	2932	Extreme Injector.exe	42
PID 2932 wrote to memory of 2452	2932	Extreme Injector.exe	42
PID 2932 wrote to memory of 1980	2932	Extreme Injector.exe	45
PID 2932 wrote to memory of 1980	2932	Extreme Injector.exe	45
PID 2932 wrote to memory of 1980	2932	Extreme Injector.exe	45
PID 2932 wrote to memory of 1956	2932	Extreme Injector.exe	47
PID 2932 wrote to memory of 1956	2932	Extreme Injector.exe	47
PID 2932 wrote to memory of 1956	2932	Extreme Injector.exe	47
PID 2932 wrote to memory of 2428	2932	Extreme Injector.exe	49
PID 2932 wrote to memory of 2428	2932	Extreme Injector.exe	49
PID 2932 wrote to memory of 2428	2932	Extreme Injector.exe	49
PID 2932 wrote to memory of 2408	2932	Extreme Injector.exe	51
PID 2932 wrote to memory of 2408	2932	Extreme Injector.exe	51
PID 2932 wrote to memory of 2408	2932	Extreme Injector.exe	51
PID 2932 wrote to memory of 2548	2932	Extreme Injector.exe	53
PID 2932 wrote to memory of 2548	2932	Extreme Injector.exe	53
PID 2932 wrote to memory of 2548	2932	Extreme Injector.exe	53
PID 2548 wrote to memory of 2668	2548	cmd.exe	55
PID 2548 wrote to memory of 2668	2548	cmd.exe	55
PID 2548 wrote to memory of 2668	2548	cmd.exe	55

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2752	attrib.exe

C:\Users\Admin\AppData\Local\Temp\261d6fc361222284586e133e152797651ecde629ac3243cf47dba5af1fa4c3cc.exe
"C:\Users\Admin\AppData\Local\Temp\261d6fc361222284586e133e152797651ecde629ac3243cf47dba5af1fa4c3cc.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
  "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2836
- C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
  "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2932
- - C:\Windows\system32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
    3⤵
    - Views/modifies file attributes
    PID:2752
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2692
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2264
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2680
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2384
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2452
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1980
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:1956
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2428
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:2408
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe" && pause
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:2548
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe

Filesize
1.9MB

MD5
ec801a7d4b72a288ec6c207bb9ff0131

SHA1
32eec2ae1f9e201516fa7fcdc16c4928f7997561

SHA256
b65f40618f584303ca0bcf9b5f88c233cc4237699c0c4bf40ba8facbe8195a46

SHA512
a07dd5e8241de73ce65ff8d74acef4942b85fc45cf6a7baafd3c0f9d330b08e7412f2023ba667e99b40e732a65e8fb4389f7fe73c7b6256ca71e63afe46cdcac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe

Filesize
231KB

MD5
7d4400842d0ded3544bc7892c765816d

SHA1
c5a12688240f8db93e7482d16d145802445bfd71

SHA256
8b30696e9259851325272d57b9452ac2f6037231f1c6895658efb57e0445d064

SHA512
c6ba7dca5825784b680550d2cbc6528bcb0a5c1b6fbf2a65b2c54112a3c39858e01abb58915ff89c9c0011aa4200257659d516de6abd1f1d71e2eca0cadb065a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
81f0fe0fca72e25a827f21742b95ff80

SHA1
b45f6fb19f9415fab83955c25eb443c782f71128

SHA256
6a6b1c466f71ae93be2b7a475d6b48a8cc896b31bc6cd98618ae9b950b6b40ab

SHA512
4cf3bb51969e40bfe5ed14a46891e4259587a0f8d165637f6ff2399b3c096f7443e9643c6c990bd312b2a009798a1f5ef7597d7a813a35f5975ca08722979152

Download Submit
memory/2264-29-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

Filesize
2.9MB

Download
memory/2264-30-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

Filesize
32KB

Download
memory/2328-14-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/2328-9-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/2328-0-0x000007FEF5EA3000-0x000007FEF5EA4000-memory.dmp

Filesize
4KB

Download
memory/2328-1-0x000000013F440000-0x000000013F5AC000-memory.dmp

Filesize
1.4MB

Download
memory/2428-59-0x0000000002770000-0x0000000002778000-memory.dmp

Filesize
32KB

Download
memory/2692-22-0x000000001B5B0000-0x000000001B892000-memory.dmp

Filesize
2.9MB

Download
memory/2692-23-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download
memory/2836-12-0x0000000001380000-0x0000000001566000-memory.dmp

Filesize
1.9MB

Download
memory/2836-11-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/2836-63-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/2932-16-0x00000000010E0000-0x0000000001120000-memory.dmp

Filesize
256KB

Download