umbral | f08d555b265bc840ef4d7904f37de7886b276d3b2f85180bb63b0e29445e02b1

Analysis

max time kernel
100s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c7e0e2cc0be8b051458a1d381ce938a5916d17ca60fbe8b55c993d41be140aa4.exe
Size

231KB
MD5

bdce93cd17613821526bc6ca459ed2e9
SHA1

a5ac6f6aaec918ef84e4229a14f7fa5e22a3125a
SHA256

c7e0e2cc0be8b051458a1d381ce938a5916d17ca60fbe8b55c993d41be140aa4
SHA512

75f898555e2a3c82b87f94a6b0504869513309a7f386546b4b4f5c241fb311144eff19527e3fbbae38708189f28d28bb556a7441ecf7d8044cc382cc88cd6cb3
SSDEEP

6144:RloZMZrIkd8g+EtXHkv/iD4G17d5nsAvLOXZkQlz7b8e1mjGi:joZCL+EP8G17d5nsAvLOXZkQlTqr

Score

10^/10

umbral execution spyware stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral6/memory/5560-1-0x0000025103C20000-0x0000025103C60000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3288	powershell.exe
4412	powershell.exe
1684	powershell.exe
3448	powershell.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
34	discord.com
36	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
25	ip-api.com

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1796	wmic.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3288	powershell.exe
3288	powershell.exe
4412	powershell.exe
4412	powershell.exe
1684	powershell.exe
1684	powershell.exe
4660	powershell.exe
4660	powershell.exe
3448	powershell.exe
3448	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5560	c7e0e2cc0be8b051458a1d381ce938a5916d17ca60fbe8b55c993d41be140aa4.exe
Token: SeDebugPrivilege	3288	powershell.exe
Token: SeDebugPrivilege	4412	powershell.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeDebugPrivilege	4660	powershell.exe
Token: SeIncreaseQuotaPrivilege	5924	wmic.exe
Token: SeSecurityPrivilege	5924	wmic.exe
Token: SeTakeOwnershipPrivilege	5924	wmic.exe
Token: SeLoadDriverPrivilege	5924	wmic.exe
Token: SeSystemProfilePrivilege	5924	wmic.exe
Token: SeSystemtimePrivilege	5924	wmic.exe
Token: SeProfSingleProcessPrivilege	5924	wmic.exe
Token: SeIncBasePriorityPrivilege	5924	wmic.exe
Token: SeCreatePagefilePrivilege	5924	wmic.exe
Token: SeBackupPrivilege	5924	wmic.exe
Token: SeRestorePrivilege	5924	wmic.exe
Token: SeShutdownPrivilege	5924	wmic.exe
Token: SeDebugPrivilege	5924	wmic.exe
Token: SeSystemEnvironmentPrivilege	5924	wmic.exe
Token: SeRemoteShutdownPrivilege	5924	wmic.exe
Token: SeUndockPrivilege	5924	wmic.exe
Token: SeManageVolumePrivilege	5924	wmic.exe
Token: 33	5924	wmic.exe
Token: 34	5924	wmic.exe
Token: 35	5924	wmic.exe
Token: 36	5924	wmic.exe
Token: SeIncreaseQuotaPrivilege	5924	wmic.exe
Token: SeSecurityPrivilege	5924	wmic.exe
Token: SeTakeOwnershipPrivilege	5924	wmic.exe
Token: SeLoadDriverPrivilege	5924	wmic.exe
Token: SeSystemProfilePrivilege	5924	wmic.exe
Token: SeSystemtimePrivilege	5924	wmic.exe
Token: SeProfSingleProcessPrivilege	5924	wmic.exe
Token: SeIncBasePriorityPrivilege	5924	wmic.exe
Token: SeCreatePagefilePrivilege	5924	wmic.exe
Token: SeBackupPrivilege	5924	wmic.exe
Token: SeRestorePrivilege	5924	wmic.exe
Token: SeShutdownPrivilege	5924	wmic.exe
Token: SeDebugPrivilege	5924	wmic.exe
Token: SeSystemEnvironmentPrivilege	5924	wmic.exe
Token: SeRemoteShutdownPrivilege	5924	wmic.exe
Token: SeUndockPrivilege	5924	wmic.exe
Token: SeManageVolumePrivilege	5924	wmic.exe
Token: 33	5924	wmic.exe
Token: 34	5924	wmic.exe
Token: 35	5924	wmic.exe
Token: 36	5924	wmic.exe
Token: SeIncreaseQuotaPrivilege	428	wmic.exe
Token: SeSecurityPrivilege	428	wmic.exe
Token: SeTakeOwnershipPrivilege	428	wmic.exe
Token: SeLoadDriverPrivilege	428	wmic.exe
Token: SeSystemProfilePrivilege	428	wmic.exe
Token: SeSystemtimePrivilege	428	wmic.exe
Token: SeProfSingleProcessPrivilege	428	wmic.exe
Token: SeIncBasePriorityPrivilege	428	wmic.exe
Token: SeCreatePagefilePrivilege	428	wmic.exe
Token: SeBackupPrivilege	428	wmic.exe
Token: SeRestorePrivilege	428	wmic.exe
Token: SeShutdownPrivilege	428	wmic.exe
Token: SeDebugPrivilege	428	wmic.exe
Token: SeSystemEnvironmentPrivilege	428	wmic.exe
Token: SeRemoteShutdownPrivilege	428	wmic.exe
Token: SeUndockPrivilege	428	wmic.exe
Token: SeManageVolumePrivilege	428	wmic.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 5560 wrote to memory of 3288	5560	c7e0e2cc0be8b051458a1d381ce938a5916d17ca60fbe8b55c993d41be140aa4.exe	89
PID 5560 wrote to memory of 3288	5560	c7e0e2cc0be8b051458a1d381ce938a5916d17ca60fbe8b55c993d41be140aa4.exe	89
PID 5560 wrote to memory of 4412	5560	c7e0e2cc0be8b051458a1d381ce938a5916d17ca60fbe8b55c993d41be140aa4.exe	91
PID 5560 wrote to memory of 4412	5560	c7e0e2cc0be8b051458a1d381ce938a5916d17ca60fbe8b55c993d41be140aa4.exe	91
PID 5560 wrote to memory of 1684	5560	c7e0e2cc0be8b051458a1d381ce938a5916d17ca60fbe8b55c993d41be140aa4.exe	93
PID 5560 wrote to memory of 1684	5560	c7e0e2cc0be8b051458a1d381ce938a5916d17ca60fbe8b55c993d41be140aa4.exe	93
PID 5560 wrote to memory of 4660	5560	c7e0e2cc0be8b051458a1d381ce938a5916d17ca60fbe8b55c993d41be140aa4.exe	95
PID 5560 wrote to memory of 4660	5560	c7e0e2cc0be8b051458a1d381ce938a5916d17ca60fbe8b55c993d41be140aa4.exe	95
PID 5560 wrote to memory of 5924	5560	c7e0e2cc0be8b051458a1d381ce938a5916d17ca60fbe8b55c993d41be140aa4.exe	98
PID 5560 wrote to memory of 5924	5560	c7e0e2cc0be8b051458a1d381ce938a5916d17ca60fbe8b55c993d41be140aa4.exe	98
PID 5560 wrote to memory of 428	5560	c7e0e2cc0be8b051458a1d381ce938a5916d17ca60fbe8b55c993d41be140aa4.exe	102
PID 5560 wrote to memory of 428	5560	c7e0e2cc0be8b051458a1d381ce938a5916d17ca60fbe8b55c993d41be140aa4.exe	102
PID 5560 wrote to memory of 2484	5560	c7e0e2cc0be8b051458a1d381ce938a5916d17ca60fbe8b55c993d41be140aa4.exe	104
PID 5560 wrote to memory of 2484	5560	c7e0e2cc0be8b051458a1d381ce938a5916d17ca60fbe8b55c993d41be140aa4.exe	104
PID 5560 wrote to memory of 3448	5560	c7e0e2cc0be8b051458a1d381ce938a5916d17ca60fbe8b55c993d41be140aa4.exe	106
PID 5560 wrote to memory of 3448	5560	c7e0e2cc0be8b051458a1d381ce938a5916d17ca60fbe8b55c993d41be140aa4.exe	106
PID 5560 wrote to memory of 1796	5560	c7e0e2cc0be8b051458a1d381ce938a5916d17ca60fbe8b55c993d41be140aa4.exe	108
PID 5560 wrote to memory of 1796	5560	c7e0e2cc0be8b051458a1d381ce938a5916d17ca60fbe8b55c993d41be140aa4.exe	108

C:\Users\Admin\AppData\Local\Temp\c7e0e2cc0be8b051458a1d381ce938a5916d17ca60fbe8b55c993d41be140aa4.exe
"C:\Users\Admin\AppData\Local\Temp\c7e0e2cc0be8b051458a1d381ce938a5916d17ca60fbe8b55c993d41be140aa4.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5560
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\c7e0e2cc0be8b051458a1d381ce938a5916d17ca60fbe8b55c993d41be140aa4.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3288
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4412
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4660
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5924
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:428
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:2484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3448
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:1796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cbf7cc0d06a793e1a126e0317b075c1d

SHA1
ef887e58a1a4a61776c79fd56acdf85a91e94e4e

SHA256
06e90d65a0f76b00fef041aa8f70193bf2e0300d69dee11464fad7f9a9b406fc

SHA512
0335b8d53b0a52042ab16500e6d4af9bc0cbc9b475da5b5e22480fb5445edf5a1ffccf5fb4d8bd0390fad695d3fa737bc840711fbfbb746ae183be4ec729dfe7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
985b3105d8889886d6fd953575c54e08

SHA1
0f9a041240a344d82bac0a180520e7982c15f3cd

SHA256
5178fdd457eb3eb25c8f72ed4c22c582a83de0d324db66d0446d660f226e944d

SHA512
0fd59bc4886b70aa3b7eeeaa23229b7fdc93410ca7f8452860e4a1bbda2559eaa5e4b05c3ec2d85f7d648daf3c16741f4c2c18f2dd3bae4cc4a4e57ae4f665b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cf1b06b44fb8bc1a4f25c85e70937782

SHA1
c4adeae41a97fc11d407c398040dd109873fb2e5

SHA256
04ddc18714503a6c256830af58a731df9d9ad479e87663787e0fa92424c9b743

SHA512
07fcfc741b14ef3551fdc53a08e31020fd9e1d43ab637535a11e318c9f8d48ea37cae3913539838e74299952a868a7824982ad5dc887992686d45050cc1fc7cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mck1gpbx.pae.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/3288-14-0x00007FFA2E8B0000-0x00007FFA2F371000-memory.dmp

Filesize
10.8MB

Download
memory/3288-8-0x00000281FD9A0000-0x00000281FD9C2000-memory.dmp

Filesize
136KB

Download
memory/3288-15-0x00007FFA2E8B0000-0x00007FFA2F371000-memory.dmp

Filesize
10.8MB

Download
memory/3288-18-0x00007FFA2E8B0000-0x00007FFA2F371000-memory.dmp

Filesize
10.8MB

Download
memory/3288-13-0x00007FFA2E8B0000-0x00007FFA2F371000-memory.dmp

Filesize
10.8MB

Download
memory/5560-33-0x00000251059B0000-0x00000251059CE000-memory.dmp

Filesize
120KB

Download
memory/5560-32-0x00000251059E0000-0x0000025105A30000-memory.dmp

Filesize
320KB

Download
memory/5560-0-0x00007FFA2E8B3000-0x00007FFA2E8B5000-memory.dmp

Filesize
8KB

Download
memory/5560-31-0x000002511E400000-0x000002511E476000-memory.dmp

Filesize
472KB

Download
memory/5560-1-0x0000025103C20000-0x0000025103C60000-memory.dmp

Filesize
256KB

Download
memory/5560-69-0x000002511E280000-0x000002511E292000-memory.dmp

Filesize
72KB

Download
memory/5560-68-0x0000025105A30000-0x0000025105A3A000-memory.dmp

Filesize
40KB

Download
memory/5560-2-0x00007FFA2E8B0000-0x00007FFA2F371000-memory.dmp

Filesize
10.8MB

Download
memory/5560-85-0x00007FFA2E8B0000-0x00007FFA2F371000-memory.dmp

Filesize
10.8MB

Download