umbral | 38944e7579d5fcd2263e7212954619c496d4ff087360b8db6e190e1bdf5358ce

Analysis

max time kernel
93s
max time network
153s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250207-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250207-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
11-02-2025 19:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Output.exe
Size

322KB
MD5

710c071c63a8d8d1cd493c81d34834dc
SHA1

050c535a206ac05550e3670ef465efe83585a76b
SHA256

38944e7579d5fcd2263e7212954619c496d4ff087360b8db6e190e1bdf5358ce
SHA512

af1753c06c22178d1362ab964e445dbe49c5cf3c83ebceabf21b9a7c4cc30efbc66b3a28c4d4f90efba081faba84047edb190d2f05abe416ebf1a1b6c36aad13
SSDEEP

6144:PhPKqm0guLkkFZFjbnSrOsrfUVCmveA3E6Chow8rtryB8YROu+oSxOFDxXMR17:5NnnfZTSHfUV7/E6twurFG+oS4FDxXMP

Score

10^/10

umbral xworm discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

147.185.221.19:18254

Attributes

Install_directory
%Temp%
install_file
SecurityHost.exe
telegram
https://api.telegram.org/bot7873282441:AAFVeYQ8VZCC3gF8qlaTYIz4N-gMEL21mHI/sendMessage?chat_id=7952080340

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral4/files/0x000b000000027e68-20.dat	family_umbral
behavioral4/memory/5472-31-0x0000025D3AD80000-0x0000025D3ADC0000-memory.dmp	family_umbral

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral4/files/0x000c000000027df9-6.dat	family_xworm
behavioral4/memory/4012-32-0x0000000000B50000-0x0000000000B6A000-memory.dmp	family_xworm

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4464	powershell.exe
4492	powershell.exe
4952	powershell.exe
5064	powershell.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
23	5508	Process not Found

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	SystemHost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-67687450-2252871228-2016797368-1000\Control Panel\International\Geo\Nation	Output.exe

Executes dropped EXE 2 IoCs

pid	Process
4012	1.16.5.exe
5472	SystemHost.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
12	discord.com
13	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ip-api.com
10	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4164	cmd.exe
1120	PING.EXE

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3744	wmic.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1120	PING.EXE

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
4464	powershell.exe
4464	powershell.exe
5064	powershell.exe
5064	powershell.exe
4492	powershell.exe
4492	powershell.exe
1988	powershell.exe
1988	powershell.exe
1372	wmic.exe
1372	wmic.exe
1372	wmic.exe
1372	wmic.exe
916	wmic.exe
916	wmic.exe
916	wmic.exe
916	wmic.exe
3740	wmic.exe
3740	wmic.exe
3740	wmic.exe
3740	wmic.exe
4952	powershell.exe
4952	powershell.exe
3744	wmic.exe
3744	wmic.exe
3744	wmic.exe
3744	wmic.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4012	1.16.5.exe
Token: SeDebugPrivilege	5472	SystemHost.exe
Token: SeDebugPrivilege	4464	powershell.exe
Token: SeIncreaseQuotaPrivilege	4464	powershell.exe
Token: SeSecurityPrivilege	4464	powershell.exe
Token: SeTakeOwnershipPrivilege	4464	powershell.exe
Token: SeLoadDriverPrivilege	4464	powershell.exe
Token: SeSystemProfilePrivilege	4464	powershell.exe
Token: SeSystemtimePrivilege	4464	powershell.exe
Token: SeProfSingleProcessPrivilege	4464	powershell.exe
Token: SeIncBasePriorityPrivilege	4464	powershell.exe
Token: SeCreatePagefilePrivilege	4464	powershell.exe
Token: SeBackupPrivilege	4464	powershell.exe
Token: SeRestorePrivilege	4464	powershell.exe
Token: SeShutdownPrivilege	4464	powershell.exe
Token: SeDebugPrivilege	4464	powershell.exe
Token: SeSystemEnvironmentPrivilege	4464	powershell.exe
Token: SeRemoteShutdownPrivilege	4464	powershell.exe
Token: SeUndockPrivilege	4464	powershell.exe
Token: SeManageVolumePrivilege	4464	powershell.exe
Token: 33	4464	powershell.exe
Token: 34	4464	powershell.exe
Token: 35	4464	powershell.exe
Token: 36	4464	powershell.exe
Token: SeDebugPrivilege	5064	powershell.exe
Token: SeDebugPrivilege	4492	powershell.exe
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeIncreaseQuotaPrivilege	1372	wmic.exe
Token: SeSecurityPrivilege	1372	wmic.exe
Token: SeTakeOwnershipPrivilege	1372	wmic.exe
Token: SeLoadDriverPrivilege	1372	wmic.exe
Token: SeSystemProfilePrivilege	1372	wmic.exe
Token: SeSystemtimePrivilege	1372	wmic.exe
Token: SeProfSingleProcessPrivilege	1372	wmic.exe
Token: SeIncBasePriorityPrivilege	1372	wmic.exe
Token: SeCreatePagefilePrivilege	1372	wmic.exe
Token: SeBackupPrivilege	1372	wmic.exe
Token: SeRestorePrivilege	1372	wmic.exe
Token: SeShutdownPrivilege	1372	wmic.exe
Token: SeDebugPrivilege	1372	wmic.exe
Token: SeSystemEnvironmentPrivilege	1372	wmic.exe
Token: SeRemoteShutdownPrivilege	1372	wmic.exe
Token: SeUndockPrivilege	1372	wmic.exe
Token: SeManageVolumePrivilege	1372	wmic.exe
Token: 33	1372	wmic.exe
Token: 34	1372	wmic.exe
Token: 35	1372	wmic.exe
Token: 36	1372	wmic.exe
Token: SeIncreaseQuotaPrivilege	1372	wmic.exe
Token: SeSecurityPrivilege	1372	wmic.exe
Token: SeTakeOwnershipPrivilege	1372	wmic.exe
Token: SeLoadDriverPrivilege	1372	wmic.exe
Token: SeSystemProfilePrivilege	1372	wmic.exe
Token: SeSystemtimePrivilege	1372	wmic.exe
Token: SeProfSingleProcessPrivilege	1372	wmic.exe
Token: SeIncBasePriorityPrivilege	1372	wmic.exe
Token: SeCreatePagefilePrivilege	1372	wmic.exe
Token: SeBackupPrivilege	1372	wmic.exe
Token: SeRestorePrivilege	1372	wmic.exe
Token: SeShutdownPrivilege	1372	wmic.exe
Token: SeDebugPrivilege	1372	wmic.exe
Token: SeSystemEnvironmentPrivilege	1372	wmic.exe
Token: SeRemoteShutdownPrivilege	1372	wmic.exe
Token: SeUndockPrivilege	1372	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 752 wrote to memory of 4012	752	Output.exe	86
PID 752 wrote to memory of 4012	752	Output.exe	86
PID 752 wrote to memory of 5472	752	Output.exe	87
PID 752 wrote to memory of 5472	752	Output.exe	87
PID 5472 wrote to memory of 2572	5472	SystemHost.exe	88
PID 5472 wrote to memory of 2572	5472	SystemHost.exe	88
PID 5472 wrote to memory of 4464	5472	SystemHost.exe	90
PID 5472 wrote to memory of 4464	5472	SystemHost.exe	90
PID 5472 wrote to memory of 5064	5472	SystemHost.exe	94
PID 5472 wrote to memory of 5064	5472	SystemHost.exe	94
PID 5472 wrote to memory of 4492	5472	SystemHost.exe	99
PID 5472 wrote to memory of 4492	5472	SystemHost.exe	99
PID 5472 wrote to memory of 1988	5472	SystemHost.exe	101
PID 5472 wrote to memory of 1988	5472	SystemHost.exe	101
PID 5472 wrote to memory of 1372	5472	SystemHost.exe	103
PID 5472 wrote to memory of 1372	5472	SystemHost.exe	103
PID 5472 wrote to memory of 916	5472	SystemHost.exe	105
PID 5472 wrote to memory of 916	5472	SystemHost.exe	105
PID 5472 wrote to memory of 3740	5472	SystemHost.exe	107
PID 5472 wrote to memory of 3740	5472	SystemHost.exe	107
PID 5472 wrote to memory of 4952	5472	SystemHost.exe	109
PID 5472 wrote to memory of 4952	5472	SystemHost.exe	109
PID 5472 wrote to memory of 3744	5472	SystemHost.exe	111
PID 5472 wrote to memory of 3744	5472	SystemHost.exe	111
PID 5472 wrote to memory of 4164	5472	SystemHost.exe	113
PID 5472 wrote to memory of 4164	5472	SystemHost.exe	113
PID 4164 wrote to memory of 1120	4164	cmd.exe	115
PID 4164 wrote to memory of 1120	4164	cmd.exe	115

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2572	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Output.exe
"C:\Users\Admin\AppData\Local\Temp\Output.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:752
- C:\Users\Admin\AppData\Local\Temp\1.16.5.exe
  "C:\Users\Admin\AppData\Local\Temp\1.16.5.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4012
- C:\Users\Admin\AppData\Local\Temp\SystemHost.exe
  "C:\Users\Admin\AppData\Local\Temp\SystemHost.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5472
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\SystemHost.exe"
    3⤵
    - Views/modifies file attributes
    PID:2572
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\SystemHost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4464
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5064
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4492
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1988
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1372
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:916
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3740
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4952
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    - Suspicious behavior: EnumeratesProcesses
    PID:3744
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\SystemHost.exe" && pause
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:4164
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fbe28858dfe03aadff24015111abdcdb

SHA1
43fdcf61923227dcd3b8968187f46746095db60d

SHA256
3f6d0cbd6264ee19f4bbf0eec6989dff9b3e0aa0b47cc7b291dc0662514d2641

SHA512
deb419d379c1904316994fcd6eaf9ab6a6f25521b4aa3ee9294285594b0f9df6fb83f2481c4c1ecd64727bdbd34fee8f26a0905888a5a0a5b3abaea29848e4cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6a807b1c91ac66f33f88a787d64904c1

SHA1
83c554c7de04a8115c9005709e5cd01fca82c5d3

SHA256
155314c1c86d8d4e5b802f1eef603c5dd4a2f7c949f069a38af5ba4959bd8256

SHA512
29f2d9f30fc081e7fe6e9fb772c810c9be0422afdc6aff5a286f49a990ededebcf0d083798c2d9f41ad8434393c6d0f5fa6df31226d9c3511ba2a41eb4a65200

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
dbc5ea960326e938323c86dcc0d15ea0

SHA1
4ea5b5a3220241a4956e14aeda9058863aaac8fa

SHA256
d81e86240f3c2e264cdb5a6272205ef95d62f6089a2180da19ac0cb1a82a7809

SHA512
fb1f7b633a47ff61c983dffe66f1034d17e6fc06e3a8f762446cdb0b0242ec8f51ca806760fadd5779b1bc475b6081596dafba3606e8341d289bbbb119823b9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8e1fdd1b66d2fee9f6a052524d4ddca5

SHA1
0a9d0994559d1be2eecd8b0d6960540ca627bdb6

SHA256
4cc7c1b79d1b48582d4dc27ca8c31457b9bf2441deb7914399bb9e6863f18b13

SHA512
5a5494b878b08e8515811ab7a3d68780dac7423f5562477d98249a8bedf7ec98567b7cd5d4c6967d6bc63f2d6d9b7da9a65e0eb29d4b955026b469b5b598d1f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.16.5.exe

Filesize
80KB

MD5
0154c502a44c2d5f9b4d5ccbbb00dd10

SHA1
d7e0d7311c345dfd8d9b866d0cc9947da75ef194

SHA256
75d7a768d90e198c91aa274d24ff8f08ba95692b888d314aaf6278bb9a175027

SHA512
f237bbf5d80712ec3627a618dcd52bb75c379b8e5d3a9f4f10e09cabdb8dfb61a64ec6663b853b607f4add930dd19f249dfdce2b76240820bd3d5cd4ae555e09

Download Submit
C:\Users\Admin\AppData\Local\Temp\SystemHost.exe

Filesize
231KB

MD5
4855e5d98bb0ba10ce6acafaee9a9604

SHA1
8ef1a61d89cba2fd51460af7a902150e7066881a

SHA256
c51f4e4068a1ad51be55c670091bcddf525e4c3e4a43da4d1c1ab9fe9ac8f1e0

SHA512
39240a196a462be0c1fbf45d5d3a755767fef8d89eb4b63bcff30062be746a1237e47cb6fd4d0e980b8786416d5310bff4a40d34d7bcbc447a0c0110a31d3254

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_m2xxssl1.fwv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/752-1-0x0000000000FE0000-0x0000000001036000-memory.dmp

Filesize
344KB

Download
memory/752-0-0x00007FFD30B33000-0x00007FFD30B35000-memory.dmp

Filesize
8KB

Download
memory/4012-45-0x00007FFD30B30000-0x00007FFD315F2000-memory.dmp

Filesize
10.8MB

Download
memory/4012-33-0x00007FFD30B30000-0x00007FFD315F2000-memory.dmp

Filesize
10.8MB

Download
memory/4012-32-0x0000000000B50000-0x0000000000B6A000-memory.dmp

Filesize
104KB

Download
memory/4012-72-0x00007FFD30B30000-0x00007FFD315F2000-memory.dmp

Filesize
10.8MB

Download
memory/4464-40-0x00000294239F0000-0x0000029423A12000-memory.dmp

Filesize
136KB

Download
memory/5472-60-0x0000025D55590000-0x0000025D555E0000-memory.dmp

Filesize
320KB

Download
memory/5472-61-0x0000025D3B240000-0x0000025D3B25E000-memory.dmp

Filesize
120KB

Download
memory/5472-59-0x0000025D55510000-0x0000025D55586000-memory.dmp

Filesize
472KB

Download
memory/5472-31-0x0000025D3AD80000-0x0000025D3ADC0000-memory.dmp

Filesize
256KB

Download
memory/5472-87-0x0000025D3CB40000-0x0000025D3CB4A000-memory.dmp

Filesize
40KB

Download
memory/5472-88-0x0000025D55490000-0x0000025D554A2000-memory.dmp

Filesize
72KB

Download
memory/5472-34-0x00007FFD30B30000-0x00007FFD315F2000-memory.dmp

Filesize
10.8MB

Download
memory/5472-104-0x00007FFD30B30000-0x00007FFD315F2000-memory.dmp

Filesize
10.8MB

Download
memory/5472-109-0x00007FFD30B30000-0x00007FFD315F2000-memory.dmp

Filesize
10.8MB

Download