umbral | ed702d0b8e9551446f6ffa0363286712615e10bfdfe66d039bfc9db861f6ab19

Analysis

max time kernel
51s
max time network
70s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
30-09-2023 03:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Celestial.exe
Size

251KB
MD5

bd135af56e98782a34081767be973f13
SHA1

8e60cf769dba53a1465e55831062729bedfbb146
SHA256

ed702d0b8e9551446f6ffa0363286712615e10bfdfe66d039bfc9db861f6ab19
SHA512

2c4611886912e354d823fb740dd0372ac6c2ca80235e5d37b5a37efda75c2deceba8a395e3a402dcc614014bf68518e14683cac57baa8abb330fe71e9e36ea2f
SSDEEP

6144:IloZMLrIkd8g+EtXHkv/iD4vxBomkrHMe9YW3X2B+b8e1mhbUiIQFceQx:WoZ0L+EP8vxBomkrHMe9YW3X2gWbd0e+

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral1/memory/1592-0-0x000001D287280000-0x000001D2872C6000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1592	Celestial.exe
Token: SeIncreaseQuotaPrivilege	3232	wmic.exe
Token: SeSecurityPrivilege	3232	wmic.exe
Token: SeTakeOwnershipPrivilege	3232	wmic.exe
Token: SeLoadDriverPrivilege	3232	wmic.exe
Token: SeSystemProfilePrivilege	3232	wmic.exe
Token: SeSystemtimePrivilege	3232	wmic.exe
Token: SeProfSingleProcessPrivilege	3232	wmic.exe
Token: SeIncBasePriorityPrivilege	3232	wmic.exe
Token: SeCreatePagefilePrivilege	3232	wmic.exe
Token: SeBackupPrivilege	3232	wmic.exe
Token: SeRestorePrivilege	3232	wmic.exe
Token: SeShutdownPrivilege	3232	wmic.exe
Token: SeDebugPrivilege	3232	wmic.exe
Token: SeSystemEnvironmentPrivilege	3232	wmic.exe
Token: SeRemoteShutdownPrivilege	3232	wmic.exe
Token: SeUndockPrivilege	3232	wmic.exe
Token: SeManageVolumePrivilege	3232	wmic.exe
Token: 33	3232	wmic.exe
Token: 34	3232	wmic.exe
Token: 35	3232	wmic.exe
Token: 36	3232	wmic.exe
Token: SeIncreaseQuotaPrivilege	3232	wmic.exe
Token: SeSecurityPrivilege	3232	wmic.exe
Token: SeTakeOwnershipPrivilege	3232	wmic.exe
Token: SeLoadDriverPrivilege	3232	wmic.exe
Token: SeSystemProfilePrivilege	3232	wmic.exe
Token: SeSystemtimePrivilege	3232	wmic.exe
Token: SeProfSingleProcessPrivilege	3232	wmic.exe
Token: SeIncBasePriorityPrivilege	3232	wmic.exe
Token: SeCreatePagefilePrivilege	3232	wmic.exe
Token: SeBackupPrivilege	3232	wmic.exe
Token: SeRestorePrivilege	3232	wmic.exe
Token: SeShutdownPrivilege	3232	wmic.exe
Token: SeDebugPrivilege	3232	wmic.exe
Token: SeSystemEnvironmentPrivilege	3232	wmic.exe
Token: SeRemoteShutdownPrivilege	3232	wmic.exe
Token: SeUndockPrivilege	3232	wmic.exe
Token: SeManageVolumePrivilege	3232	wmic.exe
Token: 33	3232	wmic.exe
Token: 34	3232	wmic.exe
Token: 35	3232	wmic.exe
Token: 36	3232	wmic.exe
Token: SeDebugPrivilege	2296	Celestial.exe
Token: SeIncreaseQuotaPrivilege	2656	wmic.exe
Token: SeSecurityPrivilege	2656	wmic.exe
Token: SeTakeOwnershipPrivilege	2656	wmic.exe
Token: SeLoadDriverPrivilege	2656	wmic.exe
Token: SeSystemProfilePrivilege	2656	wmic.exe
Token: SeSystemtimePrivilege	2656	wmic.exe
Token: SeProfSingleProcessPrivilege	2656	wmic.exe
Token: SeIncBasePriorityPrivilege	2656	wmic.exe
Token: SeCreatePagefilePrivilege	2656	wmic.exe
Token: SeBackupPrivilege	2656	wmic.exe
Token: SeRestorePrivilege	2656	wmic.exe
Token: SeShutdownPrivilege	2656	wmic.exe
Token: SeDebugPrivilege	2656	wmic.exe
Token: SeSystemEnvironmentPrivilege	2656	wmic.exe
Token: SeRemoteShutdownPrivilege	2656	wmic.exe
Token: SeUndockPrivilege	2656	wmic.exe
Token: SeManageVolumePrivilege	2656	wmic.exe
Token: 33	2656	wmic.exe
Token: 34	2656	wmic.exe
Token: 35	2656	wmic.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1592 wrote to memory of 3232	1592	Celestial.exe	85
PID 1592 wrote to memory of 3232	1592	Celestial.exe	85
PID 2296 wrote to memory of 2656	2296	Celestial.exe	105
PID 2296 wrote to memory of 2656	2296	Celestial.exe	105

C:\Users\Admin\AppData\Local\Temp\Celestial.exe
"C:\Users\Admin\AppData\Local\Temp\Celestial.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1592
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3232

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1748

C:\Users\Admin\AppData\Local\Temp\Celestial.exe
"C:\Users\Admin\AppData\Local\Temp\Celestial.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2656

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Celestial.exe.log

Filesize
1KB

MD5
8094b248fe3231e48995c2be32aeb08c

SHA1
2fe06e000ebec919bf982d033c5d1219c1f916b6

SHA256
136c30d964f4abbb5279bdc86d0e00578333782f15f05f0d2d050730dcb7a9bc

SHA512
bf27a3822008796370e2c506c910a40992b9240606ea1bc19f683b2fee86b81897660ac0cf8e746ca093dae9e408949e2e9002ded75678a69f020d3b0452801f

Download Submit
memory/1592-0-0x000001D287280000-0x000001D2872C6000-memory.dmp

Filesize
280KB

Download
memory/1592-1-0x00007FF8BEDF0000-0x00007FF8BF8B1000-memory.dmp

Filesize
10.8MB

Download
memory/1592-2-0x000001D2A1620000-0x000001D2A1630000-memory.dmp

Filesize
64KB

Download
memory/1592-4-0x00007FF8BEDF0000-0x00007FF8BF8B1000-memory.dmp

Filesize
10.8MB

Download
memory/2296-6-0x00007FF8BC760000-0x00007FF8BD221000-memory.dmp

Filesize
10.8MB

Download
memory/2296-7-0x00000268CA9E0000-0x00000268CA9F0000-memory.dmp

Filesize
64KB

Download
memory/2296-8-0x00007FF8BC760000-0x00007FF8BD221000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads