umbral | ebdb426e69d0c9f964fe2180372dbb24556588c8dfb37e6cb0d5f7ea5ba0c087

Analysis

max time kernel
72s
max time network
77s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
07/08/2023, 14:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ManualWin10 (2).exe
Size

227KB
MD5

badc4c0e18209e84ab24fe8cccb5d1c9
SHA1

736fb2619ea2bab1992b6f6f7ac34a7dc315b565
SHA256

ebdb426e69d0c9f964fe2180372dbb24556588c8dfb37e6cb0d5f7ea5ba0c087
SHA512

0cf7d30ce41005e6aede39fff624c75e875fe5c0cf20adcf202a27c5459e437e1ce4dae9f7ecf1a75f8de0913401f390da64d96f2dfddc768bc95c4ee4eabff5
SSDEEP

6144:eloZM+rIkd8g+EtXHkv/iD4UxRPdmkrHMx9YW3X2ZNb8e1mbi:IoZtL+EP8UxRPdmkrHMx9YW3X2nV

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral2/memory/976-133-0x000001D870210000-0x000001D870250000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	976	ManualWin10 (2).exe
Token: SeIncreaseQuotaPrivilege	980	wmic.exe
Token: SeSecurityPrivilege	980	wmic.exe
Token: SeTakeOwnershipPrivilege	980	wmic.exe
Token: SeLoadDriverPrivilege	980	wmic.exe
Token: SeSystemProfilePrivilege	980	wmic.exe
Token: SeSystemtimePrivilege	980	wmic.exe
Token: SeProfSingleProcessPrivilege	980	wmic.exe
Token: SeIncBasePriorityPrivilege	980	wmic.exe
Token: SeCreatePagefilePrivilege	980	wmic.exe
Token: SeBackupPrivilege	980	wmic.exe
Token: SeRestorePrivilege	980	wmic.exe
Token: SeShutdownPrivilege	980	wmic.exe
Token: SeDebugPrivilege	980	wmic.exe
Token: SeSystemEnvironmentPrivilege	980	wmic.exe
Token: SeRemoteShutdownPrivilege	980	wmic.exe
Token: SeUndockPrivilege	980	wmic.exe
Token: SeManageVolumePrivilege	980	wmic.exe
Token: 33	980	wmic.exe
Token: 34	980	wmic.exe
Token: 35	980	wmic.exe
Token: 36	980	wmic.exe
Token: SeIncreaseQuotaPrivilege	980	wmic.exe
Token: SeSecurityPrivilege	980	wmic.exe
Token: SeTakeOwnershipPrivilege	980	wmic.exe
Token: SeLoadDriverPrivilege	980	wmic.exe
Token: SeSystemProfilePrivilege	980	wmic.exe
Token: SeSystemtimePrivilege	980	wmic.exe
Token: SeProfSingleProcessPrivilege	980	wmic.exe
Token: SeIncBasePriorityPrivilege	980	wmic.exe
Token: SeCreatePagefilePrivilege	980	wmic.exe
Token: SeBackupPrivilege	980	wmic.exe
Token: SeRestorePrivilege	980	wmic.exe
Token: SeShutdownPrivilege	980	wmic.exe
Token: SeDebugPrivilege	980	wmic.exe
Token: SeSystemEnvironmentPrivilege	980	wmic.exe
Token: SeRemoteShutdownPrivilege	980	wmic.exe
Token: SeUndockPrivilege	980	wmic.exe
Token: SeManageVolumePrivilege	980	wmic.exe
Token: 33	980	wmic.exe
Token: 34	980	wmic.exe
Token: 35	980	wmic.exe
Token: 36	980	wmic.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 976 wrote to memory of 980	976	ManualWin10 (2).exe	80
PID 976 wrote to memory of 980	976	ManualWin10 (2).exe	80

C:\Users\Admin\AppData\Local\Temp\ManualWin10 (2).exe
"C:\Users\Admin\AppData\Local\Temp\ManualWin10 (2).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:976
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:980

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/976-133-0x000001D870210000-0x000001D870250000-memory.dmp

Filesize
256KB

Download
memory/976-134-0x00007FFE31A30000-0x00007FFE324F1000-memory.dmp

Filesize
10.8MB

Download
memory/976-135-0x000001D870610000-0x000001D870620000-memory.dmp

Filesize
64KB

Download
memory/976-137-0x00007FFE31A30000-0x00007FFE324F1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads