umbral | a73097a2473040ef00430e3bf37e00253d2a92e83ffa91fd8439d20e22760c6c

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25/03/2025, 08:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-25_97b25ff717bbbec7863bab2e6a7cf1cb_darkgate_ngrbot_ransomlock.exe
Size

973KB
MD5

97b25ff717bbbec7863bab2e6a7cf1cb
SHA1

45577be5cff8877bdfecaa3e53c9d4f87800a60c
SHA256

a73097a2473040ef00430e3bf37e00253d2a92e83ffa91fd8439d20e22760c6c
SHA512

b1b855185741999e2fb0071d305873f5b21bf6e82e43770cea897d6376602180ecd7691584bf726fdb5b3db1b7b5f2c120566b32cd6d395e9b9b6c0ef7ac51b2
SSDEEP

24576:N5r3iOAYe5xyrXKYZd8nixN/pSUCpM2W1GvgmyeRvJ:ui5xC61GyovJ

Score

10^/10

umbral discovery persistence stealer

Malware Config

Extracted

Family

umbral

https://discordapp.com/api/webhooks/1347583822056919130/yX79NUSPBNVr2tsX_XmaynqYqcY3gmEhP7obSFH8YBkvqiBeVsotOhGyBsTVYUbz_ykp

Signatures

Detect Umbral payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0007000000012119-2.dat	family_umbral
behavioral1/memory/2420-17-0x0000000000400000-0x00000000004FB000-memory.dmp	family_umbral
behavioral1/memory/1604-19-0x0000000000AF0000-0x0000000000B30000-memory.dmp	family_umbral

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe"	Trojan.exe

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 3 IoCs

pid	Process
1604	ûûû.exe
1672	dll.exe
1632	Trojan.exe

Loads dropped DLL 3 IoCs

pid	Process
2420	2025-03-25_97b25ff717bbbec7863bab2e6a7cf1cb_darkgate_ngrbot_ransomlock.exe
2420	2025-03-25_97b25ff717bbbec7863bab2e6a7cf1cb_darkgate_ngrbot_ransomlock.exe
2420	2025-03-25_97b25ff717bbbec7863bab2e6a7cf1cb_darkgate_ngrbot_ransomlock.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\userini = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe"	Trojan.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-03-25_97b25ff717bbbec7863bab2e6a7cf1cb_darkgate_ngrbot_ransomlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeDebugPrivilege	1604	ûûû.exe
Token: SeIncreaseQuotaPrivilege	3064	wmic.exe
Token: SeSecurityPrivilege	3064	wmic.exe
Token: SeTakeOwnershipPrivilege	3064	wmic.exe
Token: SeLoadDriverPrivilege	3064	wmic.exe
Token: SeSystemProfilePrivilege	3064	wmic.exe
Token: SeSystemtimePrivilege	3064	wmic.exe
Token: SeProfSingleProcessPrivilege	3064	wmic.exe
Token: SeIncBasePriorityPrivilege	3064	wmic.exe
Token: SeCreatePagefilePrivilege	3064	wmic.exe
Token: SeBackupPrivilege	3064	wmic.exe
Token: SeRestorePrivilege	3064	wmic.exe
Token: SeShutdownPrivilege	3064	wmic.exe
Token: SeDebugPrivilege	3064	wmic.exe
Token: SeSystemEnvironmentPrivilege	3064	wmic.exe
Token: SeRemoteShutdownPrivilege	3064	wmic.exe
Token: SeUndockPrivilege	3064	wmic.exe
Token: SeManageVolumePrivilege	3064	wmic.exe
Token: 33	3064	wmic.exe
Token: 34	3064	wmic.exe
Token: 35	3064	wmic.exe
Token: SeIncreaseQuotaPrivilege	3064	wmic.exe
Token: SeSecurityPrivilege	3064	wmic.exe
Token: SeTakeOwnershipPrivilege	3064	wmic.exe
Token: SeLoadDriverPrivilege	3064	wmic.exe
Token: SeSystemProfilePrivilege	3064	wmic.exe
Token: SeSystemtimePrivilege	3064	wmic.exe
Token: SeProfSingleProcessPrivilege	3064	wmic.exe
Token: SeIncBasePriorityPrivilege	3064	wmic.exe
Token: SeCreatePagefilePrivilege	3064	wmic.exe
Token: SeBackupPrivilege	3064	wmic.exe
Token: SeRestorePrivilege	3064	wmic.exe
Token: SeShutdownPrivilege	3064	wmic.exe
Token: SeDebugPrivilege	3064	wmic.exe
Token: SeSystemEnvironmentPrivilege	3064	wmic.exe
Token: SeRemoteShutdownPrivilege	3064	wmic.exe
Token: SeUndockPrivilege	3064	wmic.exe
Token: SeManageVolumePrivilege	3064	wmic.exe
Token: 33	3064	wmic.exe
Token: 34	3064	wmic.exe
Token: 35	3064	wmic.exe
Token: SeShutdownPrivilege	2788	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe
1632	Trojan.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 1604	2420	2025-03-25_97b25ff717bbbec7863bab2e6a7cf1cb_darkgate_ngrbot_ransomlock.exe	30
PID 2420 wrote to memory of 1604	2420	2025-03-25_97b25ff717bbbec7863bab2e6a7cf1cb_darkgate_ngrbot_ransomlock.exe	30
PID 2420 wrote to memory of 1604	2420	2025-03-25_97b25ff717bbbec7863bab2e6a7cf1cb_darkgate_ngrbot_ransomlock.exe	30
PID 2420 wrote to memory of 1604	2420	2025-03-25_97b25ff717bbbec7863bab2e6a7cf1cb_darkgate_ngrbot_ransomlock.exe	30
PID 2420 wrote to memory of 1672	2420	2025-03-25_97b25ff717bbbec7863bab2e6a7cf1cb_darkgate_ngrbot_ransomlock.exe	31
PID 2420 wrote to memory of 1672	2420	2025-03-25_97b25ff717bbbec7863bab2e6a7cf1cb_darkgate_ngrbot_ransomlock.exe	31
PID 2420 wrote to memory of 1672	2420	2025-03-25_97b25ff717bbbec7863bab2e6a7cf1cb_darkgate_ngrbot_ransomlock.exe	31
PID 2420 wrote to memory of 1672	2420	2025-03-25_97b25ff717bbbec7863bab2e6a7cf1cb_darkgate_ngrbot_ransomlock.exe	31
PID 2420 wrote to memory of 1632	2420	2025-03-25_97b25ff717bbbec7863bab2e6a7cf1cb_darkgate_ngrbot_ransomlock.exe	32
PID 2420 wrote to memory of 1632	2420	2025-03-25_97b25ff717bbbec7863bab2e6a7cf1cb_darkgate_ngrbot_ransomlock.exe	32
PID 2420 wrote to memory of 1632	2420	2025-03-25_97b25ff717bbbec7863bab2e6a7cf1cb_darkgate_ngrbot_ransomlock.exe	32
PID 2420 wrote to memory of 1632	2420	2025-03-25_97b25ff717bbbec7863bab2e6a7cf1cb_darkgate_ngrbot_ransomlock.exe	32
PID 1604 wrote to memory of 3064	1604	ûûû.exe	35
PID 1604 wrote to memory of 3064	1604	ûûû.exe	35
PID 1604 wrote to memory of 3064	1604	ûûû.exe	35

C:\Users\Admin\AppData\Local\Temp\2025-03-25_97b25ff717bbbec7863bab2e6a7cf1cb_darkgate_ngrbot_ransomlock.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-25_97b25ff717bbbec7863bab2e6a7cf1cb_darkgate_ngrbot_ransomlock.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Users\Admin\AppData\Local\Temp\ûûû.exe
  "C:\Users\Admin\AppData\Local\Temp\ûûû.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1604
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3064
- C:\Users\Admin\AppData\Local\Temp\dll.exe
  "C:\Users\Admin\AppData\Local\Temp\dll.exe"
  2⤵
  - Executes dropped EXE
  PID:1672
- C:\Users\Admin\AppData\Local\Temp\Trojan.exe
  "C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID:1632

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Suspicious use of AdjustPrivilegeToken
PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dll.exe

Filesize
301KB

MD5
ea5800c82ef7b0929307948391709539

SHA1
a85be900314791905a77b6f97ce9cb2754ad16ff

SHA256
4aeaf773e3d50df877f407d547d9a42d49c2263e414710bdf04c968cd628a502

SHA512
b4b77c999c637b7f5204f2c643794532e541577e377e01d42ce5025f6c20408555788619c348a26b8a4974ee978abc105ebed8b89b800627bee31655503fca43

Download Submit
\Users\Admin\AppData\Local\Temp\Trojan.exe

Filesize
436KB

MD5
9d40061e58fdf0e3c3bfbe8541ec83bd

SHA1
06f1f81d6278af3afe79e44120d2604fbe2ec022

SHA256
a15c7f4653ded3d0c1639e3409f3f5a583c7e446b71f9b585aff305d02403f6e

SHA512
1d132b65d840a1b6012cd33a5011c33ad77d8c8f4d78d149acd041e10ac24e591156d868ceb02147ea33530a284d614e3b4937ba6f5d9e07fac78000828c3603

Download Submit
\Users\Admin\AppData\Local\Temp\ûûû.exe

Filesize
227KB

MD5
54e5d52122e173e267bae183e51a883a

SHA1
61074f26a9dd5aeaea6e208b461196f19392c903

SHA256
e4566da9e8ce5469834e93fc6d2ea6558c069ec30c0652b94f423d61719ef876

SHA512
5c0a776c33c150a14d1547b6485d616752f32852f1d99b2a614a2413bf91376873d9d53fac9511d7a2e4b14c431278baceaceab8dd547cd7ada96fda40898fe2

Download Submit
memory/1604-19-0x0000000000AF0000-0x0000000000B30000-memory.dmp

Filesize
256KB

Download
memory/1632-21-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1632-22-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1632-30-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1672-20-0x0000000000220000-0x0000000000272000-memory.dmp

Filesize
328KB

Download
memory/2420-17-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download