Overview

overview

10

Static

static

10

c7cf70e4f1...03.exe

windows7-x64

1

c7cf70e4f1...03.exe

windows10-2004-x64

1

c7cf7f1583...df.exe

windows7-x64

3

c7cf7f1583...df.exe

windows10-2004-x64

3

c7e0e2cc0b...a4.exe

windows7-x64

10

c7e0e2cc0b...a4.exe

windows10-2004-x64

10

c82cf03dc7...94.exe

windows7-x64

3

c82cf03dc7...94.exe

windows10-2004-x64

3

c82e8ca52a...ec.exe

windows7-x64

7

c82e8ca52a...ec.exe

windows10-2004-x64

7

c855759c0f...28.exe

windows7-x64

10

c855759c0f...28.exe

windows10-2004-x64

10

c870e41803...a5.exe

windows7-x64

10

c870e41803...a5.exe

windows10-2004-x64

10

c888e1de25...e1.exe

windows7-x64

10

c888e1de25...e1.exe

windows10-2004-x64

10

c8a241ce60...9d.exe

windows7-x64

6

c8a241ce60...9d.exe

windows10-2004-x64

7

c8b8a4b9ce...ee.exe

windows7-x64

10

c8b8a4b9ce...ee.exe

windows10-2004-x64

10

c8bdecaa93...15.exe

windows7-x64

10

c8bdecaa93...15.exe

windows10-2004-x64

10

c8e7700ee6...e9.exe

windows7-x64

10

c8e7700ee6...e9.exe

windows10-2004-x64

10

c91bc52cc5...0c.exe

windows7-x64

7

c91bc52cc5...0c.exe

windows10-2004-x64

7

c93d951c2f...12.exe

windows7-x64

10

c93d951c2f...12.exe

windows10-2004-x64

10

c949630c94...1f.exe

windows7-x64

7

c949630c94...1f.exe

windows10-2004-x64

7

c94fcbd3ca...a9.exe

windows7-x64

10

c94fcbd3ca...a9.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    22/03/2025, 06:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c7e0e2cc0be8b051458a1d381ce938a5916d17ca60fbe8b55c993d41be140aa4.exe

  • Size

    231KB

  • MD5

    bdce93cd17613821526bc6ca459ed2e9

  • SHA1

    a5ac6f6aaec918ef84e4229a14f7fa5e22a3125a

  • SHA256

    c7e0e2cc0be8b051458a1d381ce938a5916d17ca60fbe8b55c993d41be140aa4

  • SHA512

    75f898555e2a3c82b87f94a6b0504869513309a7f386546b4b4f5c241fb311144eff19527e3fbbae38708189f28d28bb556a7441ecf7d8044cc382cc88cd6cb3

  • SSDEEP

    6144:RloZMZrIkd8g+EtXHkv/iD4G17d5nsAvLOXZkQlz7b8e1mjGi:joZCL+EP8G17d5nsAvLOXZkQlTqr

Score
10/10
umbralexecutionspywarestealer

Malware Config

Signatures

  • Detect Umbral payload 1 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Umbral family
    umbral
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c7e0e2cc0be8b051458a1d381ce938a5916d17ca60fbe8b55c993d41be140aa4.exe
    "C:\Users\Admin\AppData\Local\Temp\c7e0e2cc0be8b051458a1d381ce938a5916d17ca60fbe8b55c993d41be140aa4.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2160
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\c7e0e2cc0be8b051458a1d381ce938a5916d17ca60fbe8b55c993d41be140aa4.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2688
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2720
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3008
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2008
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1160
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2260
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      2⤵
        PID:2860
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:2140
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic" path win32_VideoController get name
        2⤵
        • Detects videocard installed
        PID:1908

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      4ba5a9c59a73ad44adfa0deab02aa55b

      SHA1

      e011386710c77a7c3a18179047844f1c2b6f2af0

      SHA256

      ff1d4f8b2b5e01e74f5507d0d9eccdf7cf1c3fa58f4222e21528689ede8c09f2

      SHA512

      c2f0ba041017c0b9874043bb9c0d260745441389d49741d048a5ac862b5788a545e96659121a27e429921b7bfc31eefa2f0649517ff735717ed5dc4300f1fca7

      Download Submit

    • memory/2140-40-0x000000001B690000-0x000000001B972000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2160-1-0x0000000000280000-0x00000000002C0000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2160-2-0x000007FEF57C0000-0x000007FEF61AC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2160-0-0x000007FEF57C3000-0x000007FEF57C4000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2160-43-0x000007FEF57C0000-0x000007FEF61AC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2688-7-0x000007FEEDD9E000-0x000007FEEDD9F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2688-11-0x000007FEEDAE0000-0x000007FEEE47D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2688-12-0x000007FEEDAE0000-0x000007FEEE47D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2688-10-0x000007FEEDAE0000-0x000007FEEE47D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2688-9-0x0000000000400000-0x0000000000408000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2688-8-0x000000001B800000-0x000000001BAE2000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2720-18-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2720-19-0x0000000001F70000-0x0000000001F78000-memory.dmp

      Filesize

      32KB

      Download