umbral | d8f6b5f8af4f9741a4f4c8b3b8bb3618120944b660eb6387ca8d3f0bb3d6d8d6

Analysis

max time kernel
1561s
max time network
1565s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
23-08-2023 05:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

celex-main.exe
Size

229KB
MD5

c876042a9dc5dc33a953a49aa676524f
SHA1

359f4ce116552d3118b0d866c974ef127dd3d76f
SHA256

d8f6b5f8af4f9741a4f4c8b3b8bb3618120944b660eb6387ca8d3f0bb3d6d8d6
SHA512

31f6087e90927c64bef27535321a679f7bd1f00e5c54ae52460b63c56244a8134dd47428627c9f8c99c13478a556fe4506a99f32664d64b6258b73c5c8221aaa
SSDEEP

3072:rmpcjvqySgPA9+D9Cocawot18PeXndP5xHki0sMXSl8eN7sbXKcGTSYE:WcWoPAQRrt18ePxHk7y8eNYOpS

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/memory/2968-54-0x0000000000980000-0x00000000009BE000-memory.dmp	family_umbral
behavioral1/memory/2968-56-0x000000001B0B0000-0x000000001B130000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\53E109B75151C9B5CF9B6CDE8F23734FA92DA467	celex-main.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\53E109B75151C9B5CF9B6CDE8F23734FA92DA467\Blob = 0f00000001000000200000005ae5b36182d20a1f24931ea4731ebe5bde98202e588873f494fb51b4fa648afb03000000010000001400000053e109b75151c9b5cf9b6cde8f23734fa92da4672000000001000000f9020000308202f5308201dda00302010202102767b0e80b7a257a9592f5b28bd67aa2300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3233303630333135303030305a170d3238303630313135303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100bad0515ab7f1d3fb700e36c5ef47ed2b001f3d53461099382ddf0f1f0a2e0acc4dbbef07684d07a8fce46510415138a3a487566a8a0ba3aabcbf6082a8f28d626e322755b26383a638a9dd5bc72ef4ffa7032b26401c8fba8187fb4cd9bf54c7a33592aa6bf5580431683e5f4c52ceffa4381d7b3e949b3257f0ef7232d1a5fda365739bf7de6628fb3eb6ea85237318fcac4dd7a298db92554a0d04366090767a908c5b7c393952fcf4cd00d5e80e5a27417e3b9c924d3f852920e8773632c75079c23c48c90578bac1fa22bc5181a7dfcd412aa44d8eead5de5c6e41579ecddde597b0b5317da925f6e8543289a18ba56e5dc9c045ceeb0b468d3dd80959fd0203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e0416041434f5a338e16dab74fe46b31b3033ad22fd44dd65300d06092a864886f70d01010b050003820101006479ffe42b166029ae72f2860ec188b8b0cffe9306a085646293b3e7e0c16d673dd369a85e9151d5018928562f8057396817e18eeb75e81fe0b6ecb5c5468d35f183f1fc9a87da0e07b6c2c6c13a2db8a0fa7b6524fc395cd139e6872e87f0fc2598e721b5873be703134c09fbae88deda4504d41a8fbff1becf8feebb277c3e34b02d86dd2b9d51f03e2c733770d030db855d5b16f5270df721cc23de84a1d592dceacbd1512ffa3ad2f3ceffd270973859d1559c8efb7c0652bac43f35b72801cba1f6add6279a48c2edab3e8ebfa6ced10a093f54e6a566985d285bacd72c86ac0fad0151adad91783ddbb0eb4ec171a836728b1659ea0644031c508e9235	celex-main.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\53E109B75151C9B5CF9B6CDE8F23734FA92DA467\Blob = 14000000010000001400000034f5a338e16dab74fe46b31b3033ad22fd44dd6503000000010000001400000053e109b75151c9b5cf9b6cde8f23734fa92da4670f00000001000000200000005ae5b36182d20a1f24931ea4731ebe5bde98202e588873f494fb51b4fa648afb2000000001000000f9020000308202f5308201dda00302010202102767b0e80b7a257a9592f5b28bd67aa2300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3233303630333135303030305a170d3238303630313135303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100bad0515ab7f1d3fb700e36c5ef47ed2b001f3d53461099382ddf0f1f0a2e0acc4dbbef07684d07a8fce46510415138a3a487566a8a0ba3aabcbf6082a8f28d626e322755b26383a638a9dd5bc72ef4ffa7032b26401c8fba8187fb4cd9bf54c7a33592aa6bf5580431683e5f4c52ceffa4381d7b3e949b3257f0ef7232d1a5fda365739bf7de6628fb3eb6ea85237318fcac4dd7a298db92554a0d04366090767a908c5b7c393952fcf4cd00d5e80e5a27417e3b9c924d3f852920e8773632c75079c23c48c90578bac1fa22bc5181a7dfcd412aa44d8eead5de5c6e41579ecddde597b0b5317da925f6e8543289a18ba56e5dc9c045ceeb0b468d3dd80959fd0203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e0416041434f5a338e16dab74fe46b31b3033ad22fd44dd65300d06092a864886f70d01010b050003820101006479ffe42b166029ae72f2860ec188b8b0cffe9306a085646293b3e7e0c16d673dd369a85e9151d5018928562f8057396817e18eeb75e81fe0b6ecb5c5468d35f183f1fc9a87da0e07b6c2c6c13a2db8a0fa7b6524fc395cd139e6872e87f0fc2598e721b5873be703134c09fbae88deda4504d41a8fbff1becf8feebb277c3e34b02d86dd2b9d51f03e2c733770d030db855d5b16f5270df721cc23de84a1d592dceacbd1512ffa3ad2f3ceffd270973859d1559c8efb7c0652bac43f35b72801cba1f6add6279a48c2edab3e8ebfa6ced10a093f54e6a566985d285bacd72c86ac0fad0151adad91783ddbb0eb4ec171a836728b1659ea0644031c508e9235	celex-main.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\53E109B75151C9B5CF9B6CDE8F23734FA92DA467\Blob = 190000000100000010000000d4169baa5414447941866e4a87db1b2d0f00000001000000200000005ae5b36182d20a1f24931ea4731ebe5bde98202e588873f494fb51b4fa648afb03000000010000001400000053e109b75151c9b5cf9b6cde8f23734fa92da46714000000010000001400000034f5a338e16dab74fe46b31b3033ad22fd44dd652000000001000000f9020000308202f5308201dda00302010202102767b0e80b7a257a9592f5b28bd67aa2300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3233303630333135303030305a170d3238303630313135303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100bad0515ab7f1d3fb700e36c5ef47ed2b001f3d53461099382ddf0f1f0a2e0acc4dbbef07684d07a8fce46510415138a3a487566a8a0ba3aabcbf6082a8f28d626e322755b26383a638a9dd5bc72ef4ffa7032b26401c8fba8187fb4cd9bf54c7a33592aa6bf5580431683e5f4c52ceffa4381d7b3e949b3257f0ef7232d1a5fda365739bf7de6628fb3eb6ea85237318fcac4dd7a298db92554a0d04366090767a908c5b7c393952fcf4cd00d5e80e5a27417e3b9c924d3f852920e8773632c75079c23c48c90578bac1fa22bc5181a7dfcd412aa44d8eead5de5c6e41579ecddde597b0b5317da925f6e8543289a18ba56e5dc9c045ceeb0b468d3dd80959fd0203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e0416041434f5a338e16dab74fe46b31b3033ad22fd44dd65300d06092a864886f70d01010b050003820101006479ffe42b166029ae72f2860ec188b8b0cffe9306a085646293b3e7e0c16d673dd369a85e9151d5018928562f8057396817e18eeb75e81fe0b6ecb5c5468d35f183f1fc9a87da0e07b6c2c6c13a2db8a0fa7b6524fc395cd139e6872e87f0fc2598e721b5873be703134c09fbae88deda4504d41a8fbff1becf8feebb277c3e34b02d86dd2b9d51f03e2c733770d030db855d5b16f5270df721cc23de84a1d592dceacbd1512ffa3ad2f3ceffd270973859d1559c8efb7c0652bac43f35b72801cba1f6add6279a48c2edab3e8ebfa6ced10a093f54e6a566985d285bacd72c86ac0fad0151adad91783ddbb0eb4ec171a836728b1659ea0644031c508e9235	celex-main.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeDebugPrivilege	2968	celex-main.exe
Token: SeIncreaseQuotaPrivilege	544	wmic.exe
Token: SeSecurityPrivilege	544	wmic.exe
Token: SeTakeOwnershipPrivilege	544	wmic.exe
Token: SeLoadDriverPrivilege	544	wmic.exe
Token: SeSystemProfilePrivilege	544	wmic.exe
Token: SeSystemtimePrivilege	544	wmic.exe
Token: SeProfSingleProcessPrivilege	544	wmic.exe
Token: SeIncBasePriorityPrivilege	544	wmic.exe
Token: SeCreatePagefilePrivilege	544	wmic.exe
Token: SeBackupPrivilege	544	wmic.exe
Token: SeRestorePrivilege	544	wmic.exe
Token: SeShutdownPrivilege	544	wmic.exe
Token: SeDebugPrivilege	544	wmic.exe
Token: SeSystemEnvironmentPrivilege	544	wmic.exe
Token: SeRemoteShutdownPrivilege	544	wmic.exe
Token: SeUndockPrivilege	544	wmic.exe
Token: SeManageVolumePrivilege	544	wmic.exe
Token: 33	544	wmic.exe
Token: 34	544	wmic.exe
Token: 35	544	wmic.exe
Token: SeIncreaseQuotaPrivilege	544	wmic.exe
Token: SeSecurityPrivilege	544	wmic.exe
Token: SeTakeOwnershipPrivilege	544	wmic.exe
Token: SeLoadDriverPrivilege	544	wmic.exe
Token: SeSystemProfilePrivilege	544	wmic.exe
Token: SeSystemtimePrivilege	544	wmic.exe
Token: SeProfSingleProcessPrivilege	544	wmic.exe
Token: SeIncBasePriorityPrivilege	544	wmic.exe
Token: SeCreatePagefilePrivilege	544	wmic.exe
Token: SeBackupPrivilege	544	wmic.exe
Token: SeRestorePrivilege	544	wmic.exe
Token: SeShutdownPrivilege	544	wmic.exe
Token: SeDebugPrivilege	544	wmic.exe
Token: SeSystemEnvironmentPrivilege	544	wmic.exe
Token: SeRemoteShutdownPrivilege	544	wmic.exe
Token: SeUndockPrivilege	544	wmic.exe
Token: SeManageVolumePrivilege	544	wmic.exe
Token: 33	544	wmic.exe
Token: 34	544	wmic.exe
Token: 35	544	wmic.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2968 wrote to memory of 544	2968	celex-main.exe	32
PID 2968 wrote to memory of 544	2968	celex-main.exe	32
PID 2968 wrote to memory of 544	2968	celex-main.exe	32

C:\Users\Admin\AppData\Local\Temp\celex-main.exe
"C:\Users\Admin\AppData\Local\Temp\celex-main.exe"
1⤵
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:544

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2968-54-0x0000000000980000-0x00000000009BE000-memory.dmp

Filesize
248KB

Download
memory/2968-55-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp

Filesize
9.9MB

Download
memory/2968-56-0x000000001B0B0000-0x000000001B130000-memory.dmp

Filesize
512KB

Download
memory/2968-57-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp

Filesize
9.9MB

Download
memory/2968-58-0x000000001B0B0000-0x000000001B130000-memory.dmp

Filesize
512KB

Download
memory/2968-59-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp

Filesize
9.9MB

Download