umbral | 3836777928625a4b88e3a9b60d4b2183993ced6aeed370c907f97ffddda81756

Analysis

max time kernel
70s
max time network
71s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
25/03/2025, 22:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DDOS.rar
Size

80KB
MD5

665e2b88cbb4f2d6619cf310efa9a718
SHA1

33ee13b7e69a9ed7668a9d95bf6eaea174e81433
SHA256

3836777928625a4b88e3a9b60d4b2183993ced6aeed370c907f97ffddda81756
SHA512

6f0a9e0126c74cec489cdd32153b3fc30b587e3b968496fedabaa438a3fc011a3bcace23744b58c3828c56c7e0164fb646611d723d309b46324b6a4228b474a4
SSDEEP

1536:999Hi0aFLF72eqD5bC699r9FfTK4LsiQaQAVkj8hdWxu5s8p4G/D0yC/qBI:dHi0aF8HD5bC699r3BtQUkjG2uS8aG/U

Score

10^/10

umbral stealer

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1350423646270787686/H1DtvzV7Pf4VsZw447YSDqIQOVcS2sloH6hasKgLYzVDxsMia1gykUN-r3LqpFFmGFEY

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000700000002413b-2.dat	family_umbral
behavioral1/memory/2792-5-0x000002DB7A140000-0x000002DB7A180000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Executes dropped EXE 5 IoCs

pid	Process
2792	DDOS.exe
1800	DDOS.exe
1312	DDOS.exe
2128	DDOS.exe
2220	DDOS.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
65	ip-api.com

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2632	7zFM.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2632	7zFM.exe
Token: 35	2632	7zFM.exe
Token: SeSecurityPrivilege	2632	7zFM.exe
Token: SeDebugPrivilege	2792	DDOS.exe
Token: SeIncreaseQuotaPrivilege	1980	wmic.exe
Token: SeSecurityPrivilege	1980	wmic.exe
Token: SeTakeOwnershipPrivilege	1980	wmic.exe
Token: SeLoadDriverPrivilege	1980	wmic.exe
Token: SeSystemProfilePrivilege	1980	wmic.exe
Token: SeSystemtimePrivilege	1980	wmic.exe
Token: SeProfSingleProcessPrivilege	1980	wmic.exe
Token: SeIncBasePriorityPrivilege	1980	wmic.exe
Token: SeCreatePagefilePrivilege	1980	wmic.exe
Token: SeBackupPrivilege	1980	wmic.exe
Token: SeRestorePrivilege	1980	wmic.exe
Token: SeShutdownPrivilege	1980	wmic.exe
Token: SeDebugPrivilege	1980	wmic.exe
Token: SeSystemEnvironmentPrivilege	1980	wmic.exe
Token: SeRemoteShutdownPrivilege	1980	wmic.exe
Token: SeUndockPrivilege	1980	wmic.exe
Token: SeManageVolumePrivilege	1980	wmic.exe
Token: 33	1980	wmic.exe
Token: 34	1980	wmic.exe
Token: 35	1980	wmic.exe
Token: 36	1980	wmic.exe
Token: SeIncreaseQuotaPrivilege	1980	wmic.exe
Token: SeSecurityPrivilege	1980	wmic.exe
Token: SeTakeOwnershipPrivilege	1980	wmic.exe
Token: SeLoadDriverPrivilege	1980	wmic.exe
Token: SeSystemProfilePrivilege	1980	wmic.exe
Token: SeSystemtimePrivilege	1980	wmic.exe
Token: SeProfSingleProcessPrivilege	1980	wmic.exe
Token: SeIncBasePriorityPrivilege	1980	wmic.exe
Token: SeCreatePagefilePrivilege	1980	wmic.exe
Token: SeBackupPrivilege	1980	wmic.exe
Token: SeRestorePrivilege	1980	wmic.exe
Token: SeShutdownPrivilege	1980	wmic.exe
Token: SeDebugPrivilege	1980	wmic.exe
Token: SeSystemEnvironmentPrivilege	1980	wmic.exe
Token: SeRemoteShutdownPrivilege	1980	wmic.exe
Token: SeUndockPrivilege	1980	wmic.exe
Token: SeManageVolumePrivilege	1980	wmic.exe
Token: 33	1980	wmic.exe
Token: 34	1980	wmic.exe
Token: 35	1980	wmic.exe
Token: 36	1980	wmic.exe
Token: SeDebugPrivilege	1800	DDOS.exe
Token: SeIncreaseQuotaPrivilege	2792	wmic.exe
Token: SeSecurityPrivilege	2792	wmic.exe
Token: SeTakeOwnershipPrivilege	2792	wmic.exe
Token: SeLoadDriverPrivilege	2792	wmic.exe
Token: SeSystemProfilePrivilege	2792	wmic.exe
Token: SeSystemtimePrivilege	2792	wmic.exe
Token: SeProfSingleProcessPrivilege	2792	wmic.exe
Token: SeIncBasePriorityPrivilege	2792	wmic.exe
Token: SeCreatePagefilePrivilege	2792	wmic.exe
Token: SeBackupPrivilege	2792	wmic.exe
Token: SeRestorePrivilege	2792	wmic.exe
Token: SeShutdownPrivilege	2792	wmic.exe
Token: SeDebugPrivilege	2792	wmic.exe
Token: SeSystemEnvironmentPrivilege	2792	wmic.exe
Token: SeRemoteShutdownPrivilege	2792	wmic.exe
Token: SeUndockPrivilege	2792	wmic.exe
Token: SeManageVolumePrivilege	2792	wmic.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2632	7zFM.exe
2632	7zFM.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 1980	2792	DDOS.exe	115
PID 2792 wrote to memory of 1980	2792	DDOS.exe	115
PID 1800 wrote to memory of 2792	1800	DDOS.exe	120
PID 1800 wrote to memory of 2792	1800	DDOS.exe	120
PID 2220 wrote to memory of 412	2220	DDOS.exe	127
PID 2220 wrote to memory of 412	2220	DDOS.exe	127

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\DDOS.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2632

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3756

C:\Users\Admin\Desktop\DDOS.exe
"C:\Users\Admin\Desktop\DDOS.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1980

C:\Users\Admin\Desktop\DDOS.exe
"C:\Users\Admin\Desktop\DDOS.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2792

C:\Users\Admin\Desktop\DDOS.exe
"C:\Users\Admin\Desktop\DDOS.exe"
1⤵
- Executes dropped EXE
PID:1312
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:4320

C:\Users\Admin\Desktop\DDOS.exe
"C:\Users\Admin\Desktop\DDOS.exe"
1⤵
- Executes dropped EXE
PID:2128

C:\Users\Admin\Desktop\DDOS.exe
"C:\Users\Admin\Desktop\DDOS.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:412

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\06a2f600-45a1-4f2f-a8f4-2c62231a0458.tmp

Filesize
150KB

MD5
eae462c55eba847a1a8b58e58976b253

SHA1
4d7c9d59d6ae64eb852bd60b48c161125c820673

SHA256
ebcda644bcfbd0c9300227bafde696e8923ddb004b4ee619d7873e8a12eae2ad

SHA512
494481a98ab6c83b16b4e8d287d85ba66499501545da45458acc395da89955971cf2a14e83c2da041c79c580714b92b9409aa14017a16d0b80a7ff3d91bad2a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\18e190413af045db88dfbd29609eb877.db

Filesize
24KB

MD5
ef0b1ad8ae35ee9eb0fc6c6ece48579e

SHA1
d48821aa52abcd6270dea779ca93a50571d2bba3

SHA256
afd59af992255dd1bec8118e25a474b522fdecc4b00b08d82fe67850d6f3be43

SHA512
cf5efaeb3c9a066ba057e2042e46686da4f30263147804a735ec78443371f0cf01fed86cf65f96810aa6af50994578074341d947e5b6f7479b1623a8c5ab6fe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\18e190413af045db88dfbd29609eb877.db.session64

Filesize
64KB

MD5
7d8be97669b50e6cdcd403e557a85711

SHA1
0c07104d55d6a85ac7b390d31ca6e85f1f7407b8

SHA256
7f66aeca09599fcb975ac439ff766f7bc3aabbbb7dea43ab1ad4e5df5141d66e

SHA512
c913a402a36e23b52f706dc1f78a588cb86586a3ae5d4e848d09924b37a158bb602ea0e0069584c46a89a54f9caf8139566f8c23725499d1998cda5cb8c70014

Download Submit
C:\Users\Admin\AppData\Local\Temp\2b5a4d10-648f-4480-9f81-af0d9d2f1f91.tmp

Filesize
10KB

MD5
78e47dda17341bed7be45dccfd89ac87

SHA1
1afde30e46997452d11e4a2adbbf35cce7a1404f

SHA256
67d161098be68cd24febc0c7b48f515f199dda72f20ae3bbb97fcf2542bb0550

SHA512
9574a66d3756540479dc955c4057144283e09cae11ce11ebce801053bb48e536e67dc823b91895a9e3ee8d3cb27c065d5e9030c39a26cbf3f201348385b418a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdobeSFX.log

Filesize
1KB

MD5
894688850e1251c18e2784cf5f5b49ce

SHA1
9b29effbb7012bd1192327dc5fefe9e534d3a88a

SHA256
5b08848287aea4eabe2773596249cf8a5334f5cb295a9283715fb7cda1fae0fc

SHA512
acd4bac3177aa23a6dbc86581ec8db4c0289ff359ca9448443038646d62601d7e801d849d8a7e80604adafbdb6e5843d5e26138ab2226b05e3ede197c18c46a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\aria-debug-1560.log

Filesize
470B

MD5
9608040fa1812478b336c6d8c8eeb4c7

SHA1
198856bb6379f943e87b1dd8dc6233b7ed8234e7

SHA256
8abb0cb8d724d0580a093366c7f18d4a33bad230f684697d582fb2df00a49dd9

SHA512
fe13cf62732cfa0be77bcd040412f8dec7c8b49e286151f8f28ad51bfbd0fb67ca9313cefcc402060e09afccdda974e59abcbc0eeea78852855ff41b45e46015

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9EE2919A-781A-48A8-B475-359C367799E2}-MicrosoftEdge_X64_133.0.3065.92.exe

Filesize
88KB

MD5
e83ba9536180e7b452398478b30ffc26

SHA1
d122e71260840b3fcc832c8e217551fe34432535

SHA256
0e9c922e7f0b02407d766a4825beffb3f66fe5801d628ea93a06734feb3bf21c

SHA512
86a5aea8d9374da7fbd938bf7fc5294b0a250d1f9b05240dc0d24a34aadbed3b589c617c00808568f23ee1d918d3f2266be22faa4691bc6b9b3655295e9d8ea2

Download Submit
C:\Users\Admin\Desktop\DDOS.exe

Filesize
229KB

MD5
d70ae24e68853d0f1f0f3b6386407d3b

SHA1
ecaf921ef9a4768948bc2cfee0e6bd93247a5324

SHA256
2f6d9f01dbdfc84cf1b407301a5cbcae18de60f7e4dac4d109182ac24219faa1

SHA512
8fceac7bd893c28adea9fdb21dcfed28047b7f58eac3ac08a39438cf186297f52941e1f7839733ed055e167950b3575c694eb56ec05dae9862e8525c361641f8

Download Submit
memory/2792-8-0x00007FFB229B0000-0x00007FFB23471000-memory.dmp

Filesize
10.8MB

Download
memory/2792-6-0x00007FFB229B0000-0x00007FFB23471000-memory.dmp

Filesize
10.8MB

Download
memory/2792-5-0x000002DB7A140000-0x000002DB7A180000-memory.dmp

Filesize
256KB

Download
memory/2792-4-0x00007FFB229B3000-0x00007FFB229B5000-memory.dmp

Filesize
8KB

Download