umbral | e9a5a1a833ca3d4c9cb4ffbc3df56b9afca877820407075819ffd44935220728

Analysis

max time kernel
86s
max time network
91s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
17-07-2023 23:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rc7.exe
Size

235KB
MD5

fa5aa7c2bfbc245ebee8440c1b3defe4
SHA1

20ecd06fbedbb5bdd5f4e2f52d73009e046cc86a
SHA256

e9a5a1a833ca3d4c9cb4ffbc3df56b9afca877820407075819ffd44935220728
SHA512

415f11596e8e4f821be610beb75142597c324a1c600f6993aa21a64280e7333996eebea7ff308eb0aa4da44ab53d6b4bdf53fef2755924c1c4fcf5dfbf742371
SSDEEP

6144:BloZM+rIkd8g+EtXHkv/iD4y7IRbhS6FuAxDeebrtb8e1mM0Ii:zoZtL+EP8y7IRbhS6FuAxDeebBMx

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral2/memory/4792-133-0x00000211F9B10000-0x00000211F9B50000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3980	NOTEPAD.EXE

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	4792	rc7.exe
Token: SeIncreaseQuotaPrivilege	4688	wmic.exe
Token: SeSecurityPrivilege	4688	wmic.exe
Token: SeTakeOwnershipPrivilege	4688	wmic.exe
Token: SeLoadDriverPrivilege	4688	wmic.exe
Token: SeSystemProfilePrivilege	4688	wmic.exe
Token: SeSystemtimePrivilege	4688	wmic.exe
Token: SeProfSingleProcessPrivilege	4688	wmic.exe
Token: SeIncBasePriorityPrivilege	4688	wmic.exe
Token: SeCreatePagefilePrivilege	4688	wmic.exe
Token: SeBackupPrivilege	4688	wmic.exe
Token: SeRestorePrivilege	4688	wmic.exe
Token: SeShutdownPrivilege	4688	wmic.exe
Token: SeDebugPrivilege	4688	wmic.exe
Token: SeSystemEnvironmentPrivilege	4688	wmic.exe
Token: SeRemoteShutdownPrivilege	4688	wmic.exe
Token: SeUndockPrivilege	4688	wmic.exe
Token: SeManageVolumePrivilege	4688	wmic.exe
Token: 33	4688	wmic.exe
Token: 34	4688	wmic.exe
Token: 35	4688	wmic.exe
Token: 36	4688	wmic.exe
Token: SeIncreaseQuotaPrivilege	4688	wmic.exe
Token: SeSecurityPrivilege	4688	wmic.exe
Token: SeTakeOwnershipPrivilege	4688	wmic.exe
Token: SeLoadDriverPrivilege	4688	wmic.exe
Token: SeSystemProfilePrivilege	4688	wmic.exe
Token: SeSystemtimePrivilege	4688	wmic.exe
Token: SeProfSingleProcessPrivilege	4688	wmic.exe
Token: SeIncBasePriorityPrivilege	4688	wmic.exe
Token: SeCreatePagefilePrivilege	4688	wmic.exe
Token: SeBackupPrivilege	4688	wmic.exe
Token: SeRestorePrivilege	4688	wmic.exe
Token: SeShutdownPrivilege	4688	wmic.exe
Token: SeDebugPrivilege	4688	wmic.exe
Token: SeSystemEnvironmentPrivilege	4688	wmic.exe
Token: SeRemoteShutdownPrivilege	4688	wmic.exe
Token: SeUndockPrivilege	4688	wmic.exe
Token: SeManageVolumePrivilege	4688	wmic.exe
Token: 33	4688	wmic.exe
Token: 34	4688	wmic.exe
Token: 35	4688	wmic.exe
Token: 36	4688	wmic.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3980	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4792 wrote to memory of 4688	4792	rc7.exe	87
PID 4792 wrote to memory of 4688	4792	rc7.exe	87

C:\Users\Admin\AppData\Local\Temp\rc7.exe
"C:\Users\Admin\AppData\Local\Temp\rc7.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4792
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4688

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\h.txt
1⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
PID:3980

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4792-133-0x00000211F9B10000-0x00000211F9B50000-memory.dmp

Filesize
256KB

Download
memory/4792-134-0x00007FFB6FE20000-0x00007FFB708E1000-memory.dmp

Filesize
10.8MB

Download
memory/4792-135-0x00000211FB880000-0x00000211FB890000-memory.dmp

Filesize
64KB

Download
memory/4792-137-0x00007FFB6FE20000-0x00007FFB708E1000-memory.dmp

Filesize
10.8MB

Download