umbral | 03dbbb05e1588d2303720a4edfb8cb0c6dfef922b85ed66d43b67cde6bc68c3e

Resubmissions

28-07-2023 16:30

230728-tz3snseh4y 10

28-07-2023 16:28

230728-ty4ctaec58 10

Analysis

max time kernel
27s
max time network
18s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
28-07-2023 16:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ice.exe
Size

228KB
MD5

5f25397473870629f943edcc0b137281
SHA1

368474f6392f0547bc02b138fe199a7b005d0122
SHA256

03dbbb05e1588d2303720a4edfb8cb0c6dfef922b85ed66d43b67cde6bc68c3e
SHA512

de326d719bb44fade2693afbdf79b8f89a38f4405eadf087bf75a049af27195cda9b8b2b1bae0c254d7202f3f2539217201389135b5255584e16ecb8eb6af1e7
SSDEEP

6144:RloZM+rIkd8g+EtXHkv/iD4v2AsbhS6FiAxDeebdyb8e1m/i:joZtL+EP8v2AsbhS6FiAxDeeb4h

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral1/memory/3032-54-0x0000000000C40000-0x0000000000C80000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeDebugPrivilege	3032	Ice.exe
Token: SeIncreaseQuotaPrivilege	2976	wmic.exe
Token: SeSecurityPrivilege	2976	wmic.exe
Token: SeTakeOwnershipPrivilege	2976	wmic.exe
Token: SeLoadDriverPrivilege	2976	wmic.exe
Token: SeSystemProfilePrivilege	2976	wmic.exe
Token: SeSystemtimePrivilege	2976	wmic.exe
Token: SeProfSingleProcessPrivilege	2976	wmic.exe
Token: SeIncBasePriorityPrivilege	2976	wmic.exe
Token: SeCreatePagefilePrivilege	2976	wmic.exe
Token: SeBackupPrivilege	2976	wmic.exe
Token: SeRestorePrivilege	2976	wmic.exe
Token: SeShutdownPrivilege	2976	wmic.exe
Token: SeDebugPrivilege	2976	wmic.exe
Token: SeSystemEnvironmentPrivilege	2976	wmic.exe
Token: SeRemoteShutdownPrivilege	2976	wmic.exe
Token: SeUndockPrivilege	2976	wmic.exe
Token: SeManageVolumePrivilege	2976	wmic.exe
Token: 33	2976	wmic.exe
Token: 34	2976	wmic.exe
Token: 35	2976	wmic.exe
Token: SeIncreaseQuotaPrivilege	2976	wmic.exe
Token: SeSecurityPrivilege	2976	wmic.exe
Token: SeTakeOwnershipPrivilege	2976	wmic.exe
Token: SeLoadDriverPrivilege	2976	wmic.exe
Token: SeSystemProfilePrivilege	2976	wmic.exe
Token: SeSystemtimePrivilege	2976	wmic.exe
Token: SeProfSingleProcessPrivilege	2976	wmic.exe
Token: SeIncBasePriorityPrivilege	2976	wmic.exe
Token: SeCreatePagefilePrivilege	2976	wmic.exe
Token: SeBackupPrivilege	2976	wmic.exe
Token: SeRestorePrivilege	2976	wmic.exe
Token: SeShutdownPrivilege	2976	wmic.exe
Token: SeDebugPrivilege	2976	wmic.exe
Token: SeSystemEnvironmentPrivilege	2976	wmic.exe
Token: SeRemoteShutdownPrivilege	2976	wmic.exe
Token: SeUndockPrivilege	2976	wmic.exe
Token: SeManageVolumePrivilege	2976	wmic.exe
Token: 33	2976	wmic.exe
Token: 34	2976	wmic.exe
Token: 35	2976	wmic.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 2976	3032	Ice.exe	28
PID 3032 wrote to memory of 2976	3032	Ice.exe	28
PID 3032 wrote to memory of 2976	3032	Ice.exe	28

C:\Users\Admin\AppData\Local\Temp\Ice.exe
"C:\Users\Admin\AppData\Local\Temp\Ice.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2976

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3032-54-0x0000000000C40000-0x0000000000C80000-memory.dmp

Filesize
256KB

Download
memory/3032-55-0x000007FEF5B30000-0x000007FEF651C000-memory.dmp

Filesize
9.9MB

Download
memory/3032-56-0x0000000000AC0000-0x0000000000B40000-memory.dmp

Filesize
512KB

Download
memory/3032-57-0x000007FEF5B30000-0x000007FEF651C000-memory.dmp

Filesize
9.9MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads