umbral | 54f3524bd85f2a9d6633f8442039e2cf49d206c29ef660e650c7137d2d9b451d

Analysis

max time kernel
141s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
21-06-2023 23:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Umbral.exe
Size

227KB
MD5

8b456d26ac4c2edc6fd1f47796a65151
SHA1

92054d829e679a748559264864b7f4d4d1bb96e2
SHA256

e7f32c2d9d9aa4a4b9938f4c782fe31aa75e1e1c479e8ada580170193d250eac
SHA512

3f807578f882afecf40ca992d3b237a04df136f95a52948c55efa0e0a13c8b38a68f21b68ed261062d8a42ed78bd29e942c065e522fe16415f0acdbdab174329
SSDEEP

6144:+loZM+rIkd8g+EtXHkv/iD4Nqjn5nsAvHOXZkQldhb8e1mgi:ooZtL+EP8Nqjn5nsAvHOXZkQlTC

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral2/memory/436-133-0x000001D96AA40000-0x000001D96AA80000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	436	Umbral.exe
Token: SeIncreaseQuotaPrivilege	4888	wmic.exe
Token: SeSecurityPrivilege	4888	wmic.exe
Token: SeTakeOwnershipPrivilege	4888	wmic.exe
Token: SeLoadDriverPrivilege	4888	wmic.exe
Token: SeSystemProfilePrivilege	4888	wmic.exe
Token: SeSystemtimePrivilege	4888	wmic.exe
Token: SeProfSingleProcessPrivilege	4888	wmic.exe
Token: SeIncBasePriorityPrivilege	4888	wmic.exe
Token: SeCreatePagefilePrivilege	4888	wmic.exe
Token: SeBackupPrivilege	4888	wmic.exe
Token: SeRestorePrivilege	4888	wmic.exe
Token: SeShutdownPrivilege	4888	wmic.exe
Token: SeDebugPrivilege	4888	wmic.exe
Token: SeSystemEnvironmentPrivilege	4888	wmic.exe
Token: SeRemoteShutdownPrivilege	4888	wmic.exe
Token: SeUndockPrivilege	4888	wmic.exe
Token: SeManageVolumePrivilege	4888	wmic.exe
Token: 33	4888	wmic.exe
Token: 34	4888	wmic.exe
Token: 35	4888	wmic.exe
Token: 36	4888	wmic.exe
Token: SeIncreaseQuotaPrivilege	4888	wmic.exe
Token: SeSecurityPrivilege	4888	wmic.exe
Token: SeTakeOwnershipPrivilege	4888	wmic.exe
Token: SeLoadDriverPrivilege	4888	wmic.exe
Token: SeSystemProfilePrivilege	4888	wmic.exe
Token: SeSystemtimePrivilege	4888	wmic.exe
Token: SeProfSingleProcessPrivilege	4888	wmic.exe
Token: SeIncBasePriorityPrivilege	4888	wmic.exe
Token: SeCreatePagefilePrivilege	4888	wmic.exe
Token: SeBackupPrivilege	4888	wmic.exe
Token: SeRestorePrivilege	4888	wmic.exe
Token: SeShutdownPrivilege	4888	wmic.exe
Token: SeDebugPrivilege	4888	wmic.exe
Token: SeSystemEnvironmentPrivilege	4888	wmic.exe
Token: SeRemoteShutdownPrivilege	4888	wmic.exe
Token: SeUndockPrivilege	4888	wmic.exe
Token: SeManageVolumePrivilege	4888	wmic.exe
Token: 33	4888	wmic.exe
Token: 34	4888	wmic.exe
Token: 35	4888	wmic.exe
Token: 36	4888	wmic.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 436 wrote to memory of 4888	436	Umbral.exe	79
PID 436 wrote to memory of 4888	436	Umbral.exe	79

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:436
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4888

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4180

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/436-133-0x000001D96AA40000-0x000001D96AA80000-memory.dmp

Filesize
256KB

Download
memory/436-134-0x000001D96D0C0000-0x000001D96D0D0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads