umbral | eb09b9e81896dc59b142fc7129f2926a6682d5499269cd67eb257d3234068a03

Analysis

max time kernel
32s
max time network
37s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
14-08-2023 04:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Umbral.exe
Size

262KB
MD5

dc6b2b0cc8b7bb172f8c8ba71ed9ffd9
SHA1

62c4ba576ac76491c2e9ad7939e8253013ecbc74
SHA256

eb09b9e81896dc59b142fc7129f2926a6682d5499269cd67eb257d3234068a03
SHA512

708eaa8bf9ddd2170cb5705cd7ec522225a19e5c6f6d18ce426b54a2149f0fc18c6d8735f84c8b9799dc44722886d2dbdc328eeb47f45876cec007cbd76cdd35
SSDEEP

6144:mloZM+rIkd8g+EtXHkv/iD4sFcCFdW5j+ctBI353RtYZC8e1m4hWi+wM:QoZtL+EP8sFcCFdW5j+ctBIZ7YC3b+w

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral1/memory/1780-133-0x00000263D9390000-0x00000263D93D8000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	1780	Umbral.exe
Token: SeIncreaseQuotaPrivilege	2496	wmic.exe
Token: SeSecurityPrivilege	2496	wmic.exe
Token: SeTakeOwnershipPrivilege	2496	wmic.exe
Token: SeLoadDriverPrivilege	2496	wmic.exe
Token: SeSystemProfilePrivilege	2496	wmic.exe
Token: SeSystemtimePrivilege	2496	wmic.exe
Token: SeProfSingleProcessPrivilege	2496	wmic.exe
Token: SeIncBasePriorityPrivilege	2496	wmic.exe
Token: SeCreatePagefilePrivilege	2496	wmic.exe
Token: SeBackupPrivilege	2496	wmic.exe
Token: SeRestorePrivilege	2496	wmic.exe
Token: SeShutdownPrivilege	2496	wmic.exe
Token: SeDebugPrivilege	2496	wmic.exe
Token: SeSystemEnvironmentPrivilege	2496	wmic.exe
Token: SeRemoteShutdownPrivilege	2496	wmic.exe
Token: SeUndockPrivilege	2496	wmic.exe
Token: SeManageVolumePrivilege	2496	wmic.exe
Token: 33	2496	wmic.exe
Token: 34	2496	wmic.exe
Token: 35	2496	wmic.exe
Token: 36	2496	wmic.exe
Token: SeIncreaseQuotaPrivilege	2496	wmic.exe
Token: SeSecurityPrivilege	2496	wmic.exe
Token: SeTakeOwnershipPrivilege	2496	wmic.exe
Token: SeLoadDriverPrivilege	2496	wmic.exe
Token: SeSystemProfilePrivilege	2496	wmic.exe
Token: SeSystemtimePrivilege	2496	wmic.exe
Token: SeProfSingleProcessPrivilege	2496	wmic.exe
Token: SeIncBasePriorityPrivilege	2496	wmic.exe
Token: SeCreatePagefilePrivilege	2496	wmic.exe
Token: SeBackupPrivilege	2496	wmic.exe
Token: SeRestorePrivilege	2496	wmic.exe
Token: SeShutdownPrivilege	2496	wmic.exe
Token: SeDebugPrivilege	2496	wmic.exe
Token: SeSystemEnvironmentPrivilege	2496	wmic.exe
Token: SeRemoteShutdownPrivilege	2496	wmic.exe
Token: SeUndockPrivilege	2496	wmic.exe
Token: SeManageVolumePrivilege	2496	wmic.exe
Token: 33	2496	wmic.exe
Token: 34	2496	wmic.exe
Token: 35	2496	wmic.exe
Token: 36	2496	wmic.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1780 wrote to memory of 2496	1780	Umbral.exe	82
PID 1780 wrote to memory of 2496	1780	Umbral.exe	82

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1780
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2496

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1780-133-0x00000263D9390000-0x00000263D93D8000-memory.dmp

Filesize
288KB

Download
memory/1780-134-0x00007FFE9FBC0000-0x00007FFEA0681000-memory.dmp

Filesize
10.8MB

Download
memory/1780-135-0x00000263F3AB0000-0x00000263F3AC0000-memory.dmp

Filesize
64KB

Download
memory/1780-137-0x00000263F38F0000-0x00000263F39F2000-memory.dmp

Filesize
1.0MB

Download
memory/1780-138-0x00007FFE9FBC0000-0x00007FFEA0681000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads