umbral | 5e9142e06299d70195c1d5876ee384995822943ea8747fc725830a7c7cac85d7

Analysis

max time kernel
134s
max time network
136s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
29-06-2023 08:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Fps unlocker.exe
Size

231KB
MD5

8e0d0543f4eb1e8e5d14a0ee3a7ac228
SHA1

adfede75871a2196e79856335aca757ccaa3c1f0
SHA256

5e9142e06299d70195c1d5876ee384995822943ea8747fc725830a7c7cac85d7
SHA512

150aa1b2d7807e5b8283fa726015036862ee84ddcdc3b870a18da9d3f94ea7356ef2f62c0c21c1c6137a33ffa55ca52713558f08bcaeb4dca1dd63e6c8163d02
SSDEEP

6144:xloZM+rIkd8g+EtXHkv/iD41Irt4+ZRS93q459cL8b8e1mVzi:DoZtL+EP81Irt4+ZRS93q459cIge

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral1/memory/1088-54-0x0000000000B60000-0x0000000000BA0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeDebugPrivilege	1088	Fps unlocker.exe
Token: SeIncreaseQuotaPrivilege	1216	wmic.exe
Token: SeSecurityPrivilege	1216	wmic.exe
Token: SeTakeOwnershipPrivilege	1216	wmic.exe
Token: SeLoadDriverPrivilege	1216	wmic.exe
Token: SeSystemProfilePrivilege	1216	wmic.exe
Token: SeSystemtimePrivilege	1216	wmic.exe
Token: SeProfSingleProcessPrivilege	1216	wmic.exe
Token: SeIncBasePriorityPrivilege	1216	wmic.exe
Token: SeCreatePagefilePrivilege	1216	wmic.exe
Token: SeBackupPrivilege	1216	wmic.exe
Token: SeRestorePrivilege	1216	wmic.exe
Token: SeShutdownPrivilege	1216	wmic.exe
Token: SeDebugPrivilege	1216	wmic.exe
Token: SeSystemEnvironmentPrivilege	1216	wmic.exe
Token: SeRemoteShutdownPrivilege	1216	wmic.exe
Token: SeUndockPrivilege	1216	wmic.exe
Token: SeManageVolumePrivilege	1216	wmic.exe
Token: 33	1216	wmic.exe
Token: 34	1216	wmic.exe
Token: 35	1216	wmic.exe
Token: SeIncreaseQuotaPrivilege	1216	wmic.exe
Token: SeSecurityPrivilege	1216	wmic.exe
Token: SeTakeOwnershipPrivilege	1216	wmic.exe
Token: SeLoadDriverPrivilege	1216	wmic.exe
Token: SeSystemProfilePrivilege	1216	wmic.exe
Token: SeSystemtimePrivilege	1216	wmic.exe
Token: SeProfSingleProcessPrivilege	1216	wmic.exe
Token: SeIncBasePriorityPrivilege	1216	wmic.exe
Token: SeCreatePagefilePrivilege	1216	wmic.exe
Token: SeBackupPrivilege	1216	wmic.exe
Token: SeRestorePrivilege	1216	wmic.exe
Token: SeShutdownPrivilege	1216	wmic.exe
Token: SeDebugPrivilege	1216	wmic.exe
Token: SeSystemEnvironmentPrivilege	1216	wmic.exe
Token: SeRemoteShutdownPrivilege	1216	wmic.exe
Token: SeUndockPrivilege	1216	wmic.exe
Token: SeManageVolumePrivilege	1216	wmic.exe
Token: 33	1216	wmic.exe
Token: 34	1216	wmic.exe
Token: 35	1216	wmic.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1088 wrote to memory of 1216	1088	Fps unlocker.exe	28
PID 1088 wrote to memory of 1216	1088	Fps unlocker.exe	28
PID 1088 wrote to memory of 1216	1088	Fps unlocker.exe	28

C:\Users\Admin\AppData\Local\Temp\Fps unlocker.exe
"C:\Users\Admin\AppData\Local\Temp\Fps unlocker.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1088
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1216

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1088-54-0x0000000000B60000-0x0000000000BA0000-memory.dmp

Filesize
256KB

Download
memory/1088-55-0x000000001A720000-0x000000001A7A0000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads