umbral | 6ff250ce9d1b6e4035378b40b26a609d065e567d0bdf694542557b9545aac349

Analysis

max time kernel
37s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-01-2025 19:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ff250ce9d1b6e4035378b40b26a609d065e567d0bdf694542557b9545aac349.exe
Size

1.6MB
MD5

503f1f17d355b6f29515f5748e633d58
SHA1

4723452c30fa9ebaaff836baa80fa88596e8e74b
SHA256

6ff250ce9d1b6e4035378b40b26a609d065e567d0bdf694542557b9545aac349
SHA512

3aabe3507a163eb802c556255ff2888c6c74df6aad610f1157c66e4caae29a8da063cf0b6c2bbe349e713ba1e207202174c1f0a88d7f7741559c6fe0741c16a9
SSDEEP

24576:YcNnc2ZIQ2tRXUDo42d2ZCZbyLiVLVakZdwBuC/y45doBmkI+GgUVjtL:blDoh2G+LiVzAsC/y8Vb

Score

10^/10

umbral discovery execution spyware stealer

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1326743463613435985/70y7ba1b6sFIhNg-JtWQPKaJNsYwIyDKQXMSsjnPN75MdFtAYWdvSFwlzd-whY1wFSoz

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0036000000015d48-11.dat	family_umbral
behavioral1/memory/2596-14-0x0000000000160000-0x00000000001E0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2944	powershell.exe
1856	powershell.exe
1660	powershell.exe
576	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Error.exe

Executes dropped EXE 2 IoCs

pid	Process
2860	OQ9.exe
2596	Error.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
13	discord.com
14	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
10	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OQ9.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
900	cmd.exe
1084	PING.EXE

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
832	wmic.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1084	PING.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2596	Error.exe
2944	powershell.exe
576	powershell.exe
1856	powershell.exe
1604	powershell.exe
1660	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2596	Error.exe
Token: SeIncreaseQuotaPrivilege	2620	wmic.exe
Token: SeSecurityPrivilege	2620	wmic.exe
Token: SeTakeOwnershipPrivilege	2620	wmic.exe
Token: SeLoadDriverPrivilege	2620	wmic.exe
Token: SeSystemProfilePrivilege	2620	wmic.exe
Token: SeSystemtimePrivilege	2620	wmic.exe
Token: SeProfSingleProcessPrivilege	2620	wmic.exe
Token: SeIncBasePriorityPrivilege	2620	wmic.exe
Token: SeCreatePagefilePrivilege	2620	wmic.exe
Token: SeBackupPrivilege	2620	wmic.exe
Token: SeRestorePrivilege	2620	wmic.exe
Token: SeShutdownPrivilege	2620	wmic.exe
Token: SeDebugPrivilege	2620	wmic.exe
Token: SeSystemEnvironmentPrivilege	2620	wmic.exe
Token: SeRemoteShutdownPrivilege	2620	wmic.exe
Token: SeUndockPrivilege	2620	wmic.exe
Token: SeManageVolumePrivilege	2620	wmic.exe
Token: 33	2620	wmic.exe
Token: 34	2620	wmic.exe
Token: 35	2620	wmic.exe
Token: SeIncreaseQuotaPrivilege	2620	wmic.exe
Token: SeSecurityPrivilege	2620	wmic.exe
Token: SeTakeOwnershipPrivilege	2620	wmic.exe
Token: SeLoadDriverPrivilege	2620	wmic.exe
Token: SeSystemProfilePrivilege	2620	wmic.exe
Token: SeSystemtimePrivilege	2620	wmic.exe
Token: SeProfSingleProcessPrivilege	2620	wmic.exe
Token: SeIncBasePriorityPrivilege	2620	wmic.exe
Token: SeCreatePagefilePrivilege	2620	wmic.exe
Token: SeBackupPrivilege	2620	wmic.exe
Token: SeRestorePrivilege	2620	wmic.exe
Token: SeShutdownPrivilege	2620	wmic.exe
Token: SeDebugPrivilege	2620	wmic.exe
Token: SeSystemEnvironmentPrivilege	2620	wmic.exe
Token: SeRemoteShutdownPrivilege	2620	wmic.exe
Token: SeUndockPrivilege	2620	wmic.exe
Token: SeManageVolumePrivilege	2620	wmic.exe
Token: 33	2620	wmic.exe
Token: 34	2620	wmic.exe
Token: 35	2620	wmic.exe
Token: SeDebugPrivilege	2944	powershell.exe
Token: SeDebugPrivilege	576	powershell.exe
Token: SeDebugPrivilege	1856	powershell.exe
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeIncreaseQuotaPrivilege	1320	wmic.exe
Token: SeSecurityPrivilege	1320	wmic.exe
Token: SeTakeOwnershipPrivilege	1320	wmic.exe
Token: SeLoadDriverPrivilege	1320	wmic.exe
Token: SeSystemProfilePrivilege	1320	wmic.exe
Token: SeSystemtimePrivilege	1320	wmic.exe
Token: SeProfSingleProcessPrivilege	1320	wmic.exe
Token: SeIncBasePriorityPrivilege	1320	wmic.exe
Token: SeCreatePagefilePrivilege	1320	wmic.exe
Token: SeBackupPrivilege	1320	wmic.exe
Token: SeRestorePrivilege	1320	wmic.exe
Token: SeShutdownPrivilege	1320	wmic.exe
Token: SeDebugPrivilege	1320	wmic.exe
Token: SeSystemEnvironmentPrivilege	1320	wmic.exe
Token: SeRemoteShutdownPrivilege	1320	wmic.exe
Token: SeUndockPrivilege	1320	wmic.exe
Token: SeManageVolumePrivilege	1320	wmic.exe
Token: 33	1320	wmic.exe
Token: 34	1320	wmic.exe

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 1228 wrote to memory of 2860	1228	6ff250ce9d1b6e4035378b40b26a609d065e567d0bdf694542557b9545aac349.exe	30
PID 1228 wrote to memory of 2860	1228	6ff250ce9d1b6e4035378b40b26a609d065e567d0bdf694542557b9545aac349.exe	30
PID 1228 wrote to memory of 2860	1228	6ff250ce9d1b6e4035378b40b26a609d065e567d0bdf694542557b9545aac349.exe	30
PID 1228 wrote to memory of 2860	1228	6ff250ce9d1b6e4035378b40b26a609d065e567d0bdf694542557b9545aac349.exe	30
PID 1228 wrote to memory of 2596	1228	6ff250ce9d1b6e4035378b40b26a609d065e567d0bdf694542557b9545aac349.exe	32
PID 1228 wrote to memory of 2596	1228	6ff250ce9d1b6e4035378b40b26a609d065e567d0bdf694542557b9545aac349.exe	32
PID 1228 wrote to memory of 2596	1228	6ff250ce9d1b6e4035378b40b26a609d065e567d0bdf694542557b9545aac349.exe	32
PID 2860 wrote to memory of 2636	2860	OQ9.exe	33
PID 2860 wrote to memory of 2636	2860	OQ9.exe	33
PID 2860 wrote to memory of 2636	2860	OQ9.exe	33
PID 2860 wrote to memory of 2636	2860	OQ9.exe	33
PID 2596 wrote to memory of 2620	2596	Error.exe	34
PID 2596 wrote to memory of 2620	2596	Error.exe	34
PID 2596 wrote to memory of 2620	2596	Error.exe	34
PID 2596 wrote to memory of 2920	2596	Error.exe	37
PID 2596 wrote to memory of 2920	2596	Error.exe	37
PID 2596 wrote to memory of 2920	2596	Error.exe	37
PID 2596 wrote to memory of 2944	2596	Error.exe	39
PID 2596 wrote to memory of 2944	2596	Error.exe	39
PID 2596 wrote to memory of 2944	2596	Error.exe	39
PID 2596 wrote to memory of 576	2596	Error.exe	41
PID 2596 wrote to memory of 576	2596	Error.exe	41
PID 2596 wrote to memory of 576	2596	Error.exe	41
PID 2596 wrote to memory of 1856	2596	Error.exe	43
PID 2596 wrote to memory of 1856	2596	Error.exe	43
PID 2596 wrote to memory of 1856	2596	Error.exe	43
PID 2596 wrote to memory of 1604	2596	Error.exe	45
PID 2596 wrote to memory of 1604	2596	Error.exe	45
PID 2596 wrote to memory of 1604	2596	Error.exe	45
PID 2596 wrote to memory of 1320	2596	Error.exe	47
PID 2596 wrote to memory of 1320	2596	Error.exe	47
PID 2596 wrote to memory of 1320	2596	Error.exe	47
PID 2596 wrote to memory of 2320	2596	Error.exe	49
PID 2596 wrote to memory of 2320	2596	Error.exe	49
PID 2596 wrote to memory of 2320	2596	Error.exe	49
PID 2596 wrote to memory of 1992	2596	Error.exe	51
PID 2596 wrote to memory of 1992	2596	Error.exe	51
PID 2596 wrote to memory of 1992	2596	Error.exe	51
PID 2596 wrote to memory of 1660	2596	Error.exe	53
PID 2596 wrote to memory of 1660	2596	Error.exe	53
PID 2596 wrote to memory of 1660	2596	Error.exe	53
PID 2596 wrote to memory of 832	2596	Error.exe	55
PID 2596 wrote to memory of 832	2596	Error.exe	55
PID 2596 wrote to memory of 832	2596	Error.exe	55
PID 2596 wrote to memory of 900	2596	Error.exe	57
PID 2596 wrote to memory of 900	2596	Error.exe	57
PID 2596 wrote to memory of 900	2596	Error.exe	57
PID 900 wrote to memory of 1084	900	cmd.exe	59
PID 900 wrote to memory of 1084	900	cmd.exe	59
PID 900 wrote to memory of 1084	900	cmd.exe	59

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2920	attrib.exe

C:\Users\Admin\AppData\Local\Temp\6ff250ce9d1b6e4035378b40b26a609d065e567d0bdf694542557b9545aac349.exe
"C:\Users\Admin\AppData\Local\Temp\6ff250ce9d1b6e4035378b40b26a609d065e567d0bdf694542557b9545aac349.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Users\Admin\AppData\Local\Temp\OQ9.exe
  "C:\Users\Admin\AppData\Local\Temp\OQ9.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2636
- C:\Users\Admin\AppData\Local\Temp\Error.exe
  "C:\Users\Admin\AppData\Local\Temp\Error.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2620
- - C:\Windows\system32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Error.exe"
    3⤵
    - Views/modifies file attributes
    PID:2920
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Error.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2944
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:576
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1856
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1604
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1320
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:2320
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:1992
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1660
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:832
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Error.exe" && pause
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:900
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Error.exe

Filesize
488KB

MD5
efddb8393687829b125b575f9058804b

SHA1
a6146d0d4aaacc16c42fc6a1846b7d2989a61469

SHA256
9cef5b1457c51099cc4c3672dd394c5a03770a830b4a89cf95f58037c08350e1

SHA512
8e8bf6e154101e2cbbfb2be05c5bf5ce2b37bb477b9902f2ebdc3499613edb6bbfd577a019a617d672d5bdd2c3855effc53dcdbe59a8edaafbb7de8e02a39bed

Download Submit
C:\Users\Admin\AppData\Local\Temp\OQ9.exe

Filesize
2.4MB

MD5
f31f7e933b0c2f008fe6fb4ba26ee217

SHA1
972966e88349f85fe83d7aa1ffac8760e5b0dec9

SHA256
168eff65e316981b6b577a2d6e666b59a2e9ab4db404211d9a8d03054b63872f

SHA512
44a2189de0ec67bc2049590a9d415ba416fb67f3faa5bfd186f07e6651e3a6ff1864d5b8a3a9426946e05f8207dedf44b617175ffa3e409fab585d67d0765778

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
fecdfe53e080fba02677d893d342d213

SHA1
87477bfc149446971c70f2f06ffd548a0e0cf5e5

SHA256
2dd45d515d9bfcb5e24409d32782f985dc682ed293fcd841655cf476606da7ab

SHA512
127c19ac5b1fa1cbfb0c56b3a59c2ff48b59e333ef278366785f786e38a70a887a6f17d2d9029425a66b944b6dba6b2a700f5ddd23ce245d22b87c91d488d606

Download Submit
memory/576-28-0x0000000002870000-0x0000000002878000-memory.dmp

Filesize
32KB

Download
memory/576-27-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

Filesize
2.9MB

Download
memory/1228-13-0x000007FEF5300000-0x000007FEF5CEC000-memory.dmp

Filesize
9.9MB

Download
memory/1228-3-0x000007FEF5300000-0x000007FEF5CEC000-memory.dmp

Filesize
9.9MB

Download
memory/1228-0-0x000007FEF5303000-0x000007FEF5304000-memory.dmp

Filesize
4KB

Download
memory/1228-1-0x0000000000810000-0x00000000009B8000-memory.dmp

Filesize
1.7MB

Download
memory/1660-57-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download
memory/2596-14-0x0000000000160000-0x00000000001E0000-memory.dmp

Filesize
512KB

Download
memory/2596-15-0x000007FEF5300000-0x000007FEF5CEC000-memory.dmp

Filesize
9.9MB

Download
memory/2596-61-0x000007FEF5300000-0x000007FEF5CEC000-memory.dmp

Filesize
9.9MB

Download
memory/2944-20-0x000000001B740000-0x000000001BA22000-memory.dmp

Filesize
2.9MB

Download
memory/2944-21-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download