Analysis

  • max time kernel: 19s
  • max time network: 16s
  • platform: windows7_x64
  • resource: win7-20240903-en
  • resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted: 19-02-2025 06:11

General

  • Target: 7727b8188b78a605f766578aab1cb995.exe
  • Size: 19.0MB
  • MD5: 7727b8188b78a605f766578aab1cb995
  • SHA1: 4c7c56fdfdd300b421c121394ce5a1cb556f9592
  • SHA256: bd4e54b8671c85242bf92ee9b90e237db0fecfa97a4298cfeeaaf4d1b40e6c11
  • SHA512: 4eef5259f1e33329a2b804165204d1b6c7cbba3851ae542ddcfe79fe005ad31440a983b32d3fb36ed04b1c89bae7a4e42d523002059d5d228d5a62e7593717a1
  • SSDEEP: 393216:9v0t4S8QtZbO8Z9Q9dIcBkvbxrM4mQqHtSMo+9/pWFGRw0qr2W673KH9+8J:9c2S3ZbO8Z9AeeQqHt1o+9/pWQx36d+q

Malware Config

Extracted

  • Family: umbral
  • C2: https://discord.com/api/webhooks/1339207974182191194/Cbspp1D1YgKvkqPsxxLAOiahYoeW0ceIteSYlYtjG202TSZnR-Kj6vR7I8pJsgFtUunb

Signatures

  • Contains code to disable Windows Defender (4 IoCs)

    A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, block at first seen, etc.

  • Detect Umbral payload (3 IoCs)
  • Modifies Windows Defender DisableAntiSpyware settings (3 TTPs, 1 IoC)
  • Modifies Windows Defender Real-time Protection settings (3 TTPs, 4 IoCs)
  • Umbral

    Umbral stealer is an open-source modular stealer written in C#.

  • Umbral family
  • Executes dropped EXE (6 IoCs)
  • Loads dropped DLL (7 IoCs)
  • Command and Scripting Interpreter: PowerShell (1 TTP, 11 IoCs)

    Uses the powershell.exe command.

  • Looks up external IP address via web service (1 IoC)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory (1 IoC)
  • Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
  • UPX packed file (2 IoCs)

    Detects executables packed with the UPX or a modified UPX open-source packer.

  • Detects Pyinstaller (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 18 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (12 IoCs)
  • Suspicious use of AdjustPrivilegeToken (52 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\7727b8188b78a605f766578aab1cb995.exe
    "C:\Users\Admin\AppData\Local\Temp\7727b8188b78a605f766578aab1cb995.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2780
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\V2.5.vbs"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2804
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\V5.1.vbs"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2700
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\SysWOW64\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\V5.1.vbs" /elevate
        3⤵
        • Modifies Windows Defender DisableAntiSpyware settings
        • Modifies Windows Defender Real-time Protection settings
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2440
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2064
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBehaviorMonitoring $true
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1764
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2184
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:264
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:652
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3052
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2328
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:832
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1632
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1660
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1752
    • C:\Users\Admin\AppData\Local\Temp\AV7.6.exe
      "C:\Users\Admin\AppData\Local\Temp\AV7.6.exe"
      2⤵
      • Executes dropped EXE
      PID:2068
    • C:\Users\Admin\AppData\Local\Temp\service.exe
      "C:\Users\Admin\AppData\Local\Temp\service.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2592
    • C:\Users\Admin\AppData\Local\Temp\OldUpdate.exe
      "C:\Users\Admin\AppData\Local\Temp\OldUpdate.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2612
      • C:\Users\Admin\AppData\Local\Temp\OldUpdate.exe
        "C:\Users\Admin\AppData\Local\Temp\OldUpdate.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:2892
    • C:\Users\Admin\AppData\Local\Temp\Update.exe
      "C:\Users\Admin\AppData\Local\Temp\Update.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1148
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2576

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\OldUpdate.exe
    Filesize: 11.0MB
    MD5: 1402c059929ed46f4e1285dc6aeed9bd
    SHA1: e0bd2d6a8a43423eec705817604f28b57ce07e71
    SHA256: 1bb087fc008f5f349f8ee9ef7a9b26afafd9d20e1e3668a72f81b676184f6235
    SHA512: c4c3d26bfa06584014d6ac68365fe32e2f29353cd25a455e335a745b75be2577d394ba1d4a6b683057a8ac677932ed3264b2d3be7632e9270f1119455b21d3e9

  • C:\Users\Admin\AppData\Local\Temp\V2.5.vbs
    Filesize: 313B
    MD5: b0bf0a477bcca312021177572311e666
    SHA1: ea77332d7779938ae8e92ad35d6dea4f4be37a92
    SHA256: af42a17d428c8e9d6f4a6d3393ec268f4d12bbfd01a897d87275482a45c847e9
    SHA512: 09366608f2670d2eb0e8ddcacd081a7b2d7b680c4cdd02494d08821dbdf17595b30e88f6ce0888591592e7caa422414a895846a268fd63e8243074972c9f52d8

  • C:\Users\Admin\AppData\Local\Temp\V5.1.vbs
    Filesize: 1KB
    MD5: 3183ab3e54079f5094f0438ad5d460f6
    SHA1: 850eacdf078b851378fee9b83a895a247f3ff1ed
    SHA256: 16da599511714cce9fd5888b1cc06bdb44857fc9147f9a2b5eed422d9ae40415
    SHA512: 31e996ae9eaf26a7292a6c3c0d7a4284228dec13d082a82f0b5f8825cd265a249e266b5a99c755f41dfd370ce8a179ad29780311c1f49f89dc80f5e4a99ce31e

  • C:\Users\Admin\AppData\Local\Temp\_MEI26122\python311.dll
    Filesize: 1.6MB
    MD5: db09c9bbec6134db1766d369c339a0a1
    SHA1: c156d9f2d0e80b4cf41794cd9b8b1e8a352e0a0b
    SHA256: b1aac1e461174bbae952434e4dac092590d72b9832a04457c94bd9bb7ee8ad79
    SHA512: 653a7fff6a2b6bffb9ea2c0b72ddb83c9c53d555e798eea47101b0d932358180a01af2b9dab9c27723057439c1eaffb8d84b9b41f6f9cd1c3c934f1794104d45

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize: 7KB
    MD5: dfe07d7cf643056a9c5d964ecfda062d
    SHA1: 3709b11e40364f0168653868b1988f3224a23885
    SHA256: 2719201fde017d87ff4876cf143a4c17607deb8937f25f90b0add5f0900b784b
    SHA512: 96d7915dc0978b86e521bf048529232bc7c5fc8a4e04d06811336870b413216c82d6f6db0341ad55b238495cbfacd389c2c1b65746ebf64b13537a85c8fcdceb

  • \Users\Admin\AppData\Local\Temp\AV7.6.exe
    Filesize: 11KB
    MD5: b8dc7fed765d83b88e907e78564d2508
    SHA1: 5f422b6a7cfdbd8eef0531056037b693e181dbe7
    SHA256: a963b8059802e7a957627ef91d2c2fdee2671ad7d1627a34c0b39cf8e51c802f
    SHA512: dd3bcb1738433be42e9eaff273e90e5e049fbc20540a3a20d117db8acf0e8e20e9e4c8bb243c4e3655fab179c0c1f30190c82370e02b1866db86edc5511c38bb

  • \Users\Admin\AppData\Local\Temp\Update.exe
    Filesize: 1.1MB
    MD5: bec76763245338a16c702be508f39e9a
    SHA1: df300e6e42f8187243078bf3505a2e325923cb80
    SHA256: 49e9ff578bafe596be1a6757ddd9c59ff8b13f6ace03227f7a836520f6f50960
    SHA512: 3bd6dd997762a5c15156286ccf145044240b83846a2311d9db24f97f0dc623513166408e78eef6317231c6d0517362fb31e3bff8d1566ac96109466cfc9e7e8e

  • \Users\Admin\AppData\Local\Temp\service.exe
    Filesize: 2.6MB
    MD5: a20ecd40423b7957b533974afe24f8ec
    SHA1: 10f90f6cd40eafa01aa1fc372db16f891ee8241d
    SHA256: bc6b3b4d57c44a321d0b5950dcdfab45c3785b78d5863bceccb4dc850709ed96
    SHA512: 7bf012d5fdb287e74051558f8242d1edbb6f5e772c64856ff2b3657e91d187d05d83eca5e8889a4c791f7d2f58e95f1cfc829da233871dc3f2fbf668149daecc

  • memory/1148-79-0x0000000000AE0000-0x0000000000E86000-memory.dmp
    Filesize: 3.6MB

  • memory/1148-132-0x0000000000AE0000-0x0000000000E86000-memory.dmp
    Filesize: 3.6MB

  • memory/1148-142-0x0000000000AE0000-0x0000000000E86000-memory.dmp
    Filesize: 3.6MB

  • memory/1148-152-0x0000000000AE0000-0x0000000000E86000-memory.dmp
    Filesize: 3.6MB

  • memory/2068-17-0x0000000000400000-0x000000000040A000-memory.dmp
    Filesize: 40KB

  • memory/2592-27-0x0000000000D00000-0x00000000010E9000-memory.dmp
    Filesize: 3.9MB

  • memory/2592-149-0x0000000000D00000-0x00000000010E9000-memory.dmp
    Filesize: 3.9MB

  • memory/2780-62-0x0000000004DC0000-0x0000000005166000-memory.dmp
    Filesize: 3.6MB

  • memory/2780-67-0x0000000000400000-0x0000000001701000-memory.dmp
    Filesize: 19.0MB

  • memory/2780-23-0x0000000004D90000-0x0000000005179000-memory.dmp
    Filesize: 3.9MB

  • memory/2892-93-0x000007FEF61B0000-0x000007FEF6798000-memory.dmp
    Filesize: 5.9MB