Overview

overview

10

Static

static

3

svchost.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-02-2025 15:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    svchost.exe

  • Size

    603KB

  • MD5

    cbde7887e32b1c0837b4f5feaccfd19a

  • SHA1

    979443ec0ee69c4aa59ba87b7fe631f733f39a68

  • SHA256

    20367536f2263f53c3a52f574cbe883e539c7b2fb6cf344c8e1c9f6ed69c8c6c

  • SHA512

    a8dbf07713cb6773df248f13b387f9edca8083a4f838b82fbfb571a107cd28125138174192f1dd5fa3dce3ed64cfcbb1ae5be1d96a55261b8621005012f050f8

  • SSDEEP

    12288:5LQcwNyJ6oF2FqYTchKt8RjIxEWhD8Tr+38DijMCsiHzBQ:5LGNumChKt8RjOEE8Tr+32yFQ

Score
10/10
umbraldiscoverystealer

Malware Config

Signatures

  • Detect Umbral payload 2 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Umbral family
    umbral
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 47 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3832
    • C:\Users\Admin\AppData\Roaming\Payload.exe
      "C:\Users\Admin\AppData\Roaming\Payload.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3124
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1164
    • C:\Users\Admin\AppData\Roaming\XClient.exe
      "C:\Users\Admin\AppData\Roaming\XClient.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:3376
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 1752
        3⤵
        • Program crash
        PID:5656
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3376 -ip 3376
    1⤵
      PID:5616
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1800

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Payload.exe
      Filesize

      229KB

      MD5

      9d5f474cc6fd587802b7b140290be91f

      SHA1

      9d409c3cab7eb5c4d2c8f757cb000e9a33ea4d4f

      SHA256

      6a8322ca1b56240e886c733f0092f962a059c0729f8069632701a4dad8eb9aa5

      SHA512

      d702a4e564de4b6ad918a5d1e9a4dce28028bf1d583196b67377a67a576a612f86a0d0a1812233b8853faf6dfb162f58d628f13d12c044cf877aeec5ce42e0d5

      Download Submit

    • C:\Users\Admin\AppData\Roaming\XClient.exe
      Filesize

      364KB

      MD5

      1f6e76213763de98666126aa0bc6b7a0

      SHA1

      d38866afdc9485c053bb63b17348dc003b661ed9

      SHA256

      05ac44c4fe768827e012d4ed73ce74180be394709dadec31144eb2a6f7ca576b

      SHA512

      9f6fbabbeb52e4008783d3fea5b9e5883fbd2bb44042da722208b885a8118aa3604a2a47bfef0914690c05517de125f4e9e67028b1c1f1b685d1b2d9da9633e0

      Download Submit

    • memory/3124-28-0x00007FFB81F60000-0x00007FFB82A21000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3124-2687-0x00007FFB81F60000-0x00007FFB82A21000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3124-21-0x00000179A83E0000-0x00000179A8420000-memory.dmp

      Filesize

      256KB

      Download

    • memory/3124-26-0x00007FFB81F60000-0x00007FFB82A21000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3376-66-0x0000000005120000-0x0000000005193000-memory.dmp

      Filesize

      460KB

      Download

    • memory/3376-44-0x0000000005120000-0x0000000005193000-memory.dmp

      Filesize

      460KB

      Download

    • memory/3376-29-0x0000000004B70000-0x0000000005114000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3376-30-0x0000000005120000-0x0000000005198000-memory.dmp

      Filesize

      480KB

      Download

    • memory/3376-86-0x0000000005120000-0x0000000005193000-memory.dmp

      Filesize

      460KB

      Download

    • memory/3376-92-0x0000000005120000-0x0000000005193000-memory.dmp

      Filesize

      460KB

      Download

    • memory/3376-94-0x0000000005120000-0x0000000005193000-memory.dmp

      Filesize

      460KB

      Download

    • memory/3376-90-0x0000000005120000-0x0000000005193000-memory.dmp

      Filesize

      460KB

      Download

    • memory/3376-88-0x0000000005120000-0x0000000005193000-memory.dmp

      Filesize

      460KB

      Download

    • memory/3376-85-0x0000000005120000-0x0000000005193000-memory.dmp

      Filesize

      460KB

      Download

    • memory/3376-82-0x0000000005120000-0x0000000005193000-memory.dmp

      Filesize

      460KB

      Download

    • memory/3376-80-0x0000000005120000-0x0000000005193000-memory.dmp

      Filesize

      460KB

      Download

    • memory/3376-76-0x0000000005120000-0x0000000005193000-memory.dmp

      Filesize

      460KB

      Download

    • memory/3376-74-0x0000000005120000-0x0000000005193000-memory.dmp

      Filesize

      460KB

      Download

    • memory/3376-72-0x0000000005120000-0x0000000005193000-memory.dmp

      Filesize

      460KB

      Download

    • memory/3376-68-0x0000000005120000-0x0000000005193000-memory.dmp

      Filesize

      460KB

      Download

    • memory/3376-2684-0x0000000005280000-0x00000000052E6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3376-65-0x0000000005120000-0x0000000005193000-memory.dmp

      Filesize

      460KB

      Download

    • memory/3376-62-0x0000000005120000-0x0000000005193000-memory.dmp

      Filesize

      460KB

      Download

    • memory/3376-58-0x0000000005120000-0x0000000005193000-memory.dmp

      Filesize

      460KB

      Download

    • memory/3376-49-0x0000000005120000-0x0000000005193000-memory.dmp

      Filesize

      460KB

      Download

    • memory/3376-27-0x0000000004AA0000-0x0000000004B1A000-memory.dmp

      Filesize

      488KB

      Download

    • memory/3376-42-0x0000000005120000-0x0000000005193000-memory.dmp

      Filesize

      460KB

      Download

    • memory/3376-38-0x0000000005120000-0x0000000005193000-memory.dmp

      Filesize

      460KB

      Download

    • memory/3376-36-0x0000000005120000-0x0000000005193000-memory.dmp

      Filesize

      460KB

      Download

    • memory/3376-34-0x0000000005120000-0x0000000005193000-memory.dmp

      Filesize

      460KB

      Download

    • memory/3376-32-0x0000000005120000-0x0000000005193000-memory.dmp

      Filesize

      460KB

      Download

    • memory/3376-31-0x0000000005120000-0x0000000005193000-memory.dmp

      Filesize

      460KB

      Download

    • memory/3376-78-0x0000000005120000-0x0000000005193000-memory.dmp

      Filesize

      460KB

      Download

    • memory/3376-70-0x0000000005120000-0x0000000005193000-memory.dmp

      Filesize

      460KB

      Download

    • memory/3376-60-0x0000000005120000-0x0000000005193000-memory.dmp

      Filesize

      460KB

      Download

    • memory/3376-56-0x0000000005120000-0x0000000005193000-memory.dmp

      Filesize

      460KB

      Download

    • memory/3376-54-0x0000000005120000-0x0000000005193000-memory.dmp

      Filesize

      460KB

      Download

    • memory/3376-52-0x0000000005120000-0x0000000005193000-memory.dmp

      Filesize

      460KB

      Download

    • memory/3376-50-0x0000000005120000-0x0000000005193000-memory.dmp

      Filesize

      460KB

      Download

    • memory/3376-46-0x0000000005120000-0x0000000005193000-memory.dmp

      Filesize

      460KB

      Download

    • memory/3376-40-0x0000000005120000-0x0000000005193000-memory.dmp

      Filesize

      460KB

      Download

    • memory/3376-2683-0x00000000051C0000-0x000000000525C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/3376-2685-0x00000000052F0000-0x0000000005382000-memory.dmp

      Filesize

      584KB

      Download

    • memory/3832-0-0x00007FFB81F63000-0x00007FFB81F65000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3832-1-0x0000000000C50000-0x0000000000CEE000-memory.dmp

      Filesize

      632KB

      Download