umbral | fdaf5bca3b3bad4071595db5558a1c2e927e7c6e822030d37f13a861adfee77d

Analysis

max time kernel
54s
max time network
59s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
02-10-2023 23:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Voxiom.io Loader.exe
Size

279KB
MD5

c697c89b329c3d9061aa0ac730aa9d97
SHA1

7da83b25b7eb028c4b624a14e46b129735e7caf7
SHA256

d290b7546f6f9df3320d4b2421a42aaa8e45792be5f4865f17df2d0844ae97ec
SHA512

fbe7976ded8a7e7919158f54a0b03dfddf83afc210e5b0958afb0cab5ccaee64d886b2d67f396a5d67526684ba176da4239bf1b95d891322e2c80114a52d80d8
SSDEEP

6144:oloZM+rIkd8g+EtXHkv/iD4WFHHQ2U7X8ktoGnnGm4b8e1mkix4aghFHcR9:2oZtL+EP8+HHQ2U7X8ktoGnnGnS+ag/

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral1/memory/4460-0-0x00000255C93A0000-0x00000255C93EC000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4460	Voxiom.io Loader.exe
Token: SeIncreaseQuotaPrivilege	1816	wmic.exe
Token: SeSecurityPrivilege	1816	wmic.exe
Token: SeTakeOwnershipPrivilege	1816	wmic.exe
Token: SeLoadDriverPrivilege	1816	wmic.exe
Token: SeSystemProfilePrivilege	1816	wmic.exe
Token: SeSystemtimePrivilege	1816	wmic.exe
Token: SeProfSingleProcessPrivilege	1816	wmic.exe
Token: SeIncBasePriorityPrivilege	1816	wmic.exe
Token: SeCreatePagefilePrivilege	1816	wmic.exe
Token: SeBackupPrivilege	1816	wmic.exe
Token: SeRestorePrivilege	1816	wmic.exe
Token: SeShutdownPrivilege	1816	wmic.exe
Token: SeDebugPrivilege	1816	wmic.exe
Token: SeSystemEnvironmentPrivilege	1816	wmic.exe
Token: SeRemoteShutdownPrivilege	1816	wmic.exe
Token: SeUndockPrivilege	1816	wmic.exe
Token: SeManageVolumePrivilege	1816	wmic.exe
Token: 33	1816	wmic.exe
Token: 34	1816	wmic.exe
Token: 35	1816	wmic.exe
Token: 36	1816	wmic.exe
Token: SeIncreaseQuotaPrivilege	1816	wmic.exe
Token: SeSecurityPrivilege	1816	wmic.exe
Token: SeTakeOwnershipPrivilege	1816	wmic.exe
Token: SeLoadDriverPrivilege	1816	wmic.exe
Token: SeSystemProfilePrivilege	1816	wmic.exe
Token: SeSystemtimePrivilege	1816	wmic.exe
Token: SeProfSingleProcessPrivilege	1816	wmic.exe
Token: SeIncBasePriorityPrivilege	1816	wmic.exe
Token: SeCreatePagefilePrivilege	1816	wmic.exe
Token: SeBackupPrivilege	1816	wmic.exe
Token: SeRestorePrivilege	1816	wmic.exe
Token: SeShutdownPrivilege	1816	wmic.exe
Token: SeDebugPrivilege	1816	wmic.exe
Token: SeSystemEnvironmentPrivilege	1816	wmic.exe
Token: SeRemoteShutdownPrivilege	1816	wmic.exe
Token: SeUndockPrivilege	1816	wmic.exe
Token: SeManageVolumePrivilege	1816	wmic.exe
Token: 33	1816	wmic.exe
Token: 34	1816	wmic.exe
Token: 35	1816	wmic.exe
Token: 36	1816	wmic.exe
Token: SeDebugPrivilege	4700	Voxiom.io Loader.exe
Token: SeIncreaseQuotaPrivilege	3904	wmic.exe
Token: SeSecurityPrivilege	3904	wmic.exe
Token: SeTakeOwnershipPrivilege	3904	wmic.exe
Token: SeLoadDriverPrivilege	3904	wmic.exe
Token: SeSystemProfilePrivilege	3904	wmic.exe
Token: SeSystemtimePrivilege	3904	wmic.exe
Token: SeProfSingleProcessPrivilege	3904	wmic.exe
Token: SeIncBasePriorityPrivilege	3904	wmic.exe
Token: SeCreatePagefilePrivilege	3904	wmic.exe
Token: SeBackupPrivilege	3904	wmic.exe
Token: SeRestorePrivilege	3904	wmic.exe
Token: SeShutdownPrivilege	3904	wmic.exe
Token: SeDebugPrivilege	3904	wmic.exe
Token: SeSystemEnvironmentPrivilege	3904	wmic.exe
Token: SeRemoteShutdownPrivilege	3904	wmic.exe
Token: SeUndockPrivilege	3904	wmic.exe
Token: SeManageVolumePrivilege	3904	wmic.exe
Token: 33	3904	wmic.exe
Token: 34	3904	wmic.exe
Token: 35	3904	wmic.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4460 wrote to memory of 1816	4460	Voxiom.io Loader.exe	87
PID 4460 wrote to memory of 1816	4460	Voxiom.io Loader.exe	87
PID 4700 wrote to memory of 3904	4700	Voxiom.io Loader.exe	101
PID 4700 wrote to memory of 3904	4700	Voxiom.io Loader.exe	101
PID 3808 wrote to memory of 3332	3808	Voxiom.io Loader.exe	107
PID 3808 wrote to memory of 3332	3808	Voxiom.io Loader.exe	107
PID 4720 wrote to memory of 4076	4720	Voxiom.io Loader.exe	111
PID 4720 wrote to memory of 4076	4720	Voxiom.io Loader.exe	111
PID 5032 wrote to memory of 3756	5032	Voxiom.io Loader.exe	116
PID 5032 wrote to memory of 3756	5032	Voxiom.io Loader.exe	116

C:\Users\Admin\AppData\Local\Temp\Voxiom.io Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Voxiom.io Loader.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4460
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1816

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2164

C:\Users\Admin\AppData\Local\Temp\Voxiom.io Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Voxiom.io Loader.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4700
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3904

C:\Users\Admin\AppData\Local\Temp\Voxiom.io Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Voxiom.io Loader.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3808
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:3332

C:\Users\Admin\AppData\Local\Temp\Voxiom.io Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Voxiom.io Loader.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4720
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:4076

C:\Users\Admin\AppData\Local\Temp\Voxiom.io Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Voxiom.io Loader.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5032
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:3756

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Voxiom.io Loader.exe.log

Filesize
1KB

MD5
8094b248fe3231e48995c2be32aeb08c

SHA1
2fe06e000ebec919bf982d033c5d1219c1f916b6

SHA256
136c30d964f4abbb5279bdc86d0e00578333782f15f05f0d2d050730dcb7a9bc

SHA512
bf27a3822008796370e2c506c910a40992b9240606ea1bc19f683b2fee86b81897660ac0cf8e746ca093dae9e408949e2e9002ded75678a69f020d3b0452801f

Download Submit
memory/3808-9-0x00007FF9A49E0000-0x00007FF9A54A1000-memory.dmp

Filesize
10.8MB

Download
memory/3808-10-0x0000022C5EDC0000-0x0000022C5EDD0000-memory.dmp

Filesize
64KB

Download
memory/3808-11-0x00007FF9A49E0000-0x00007FF9A54A1000-memory.dmp

Filesize
10.8MB

Download
memory/4460-4-0x00007FF9A7570000-0x00007FF9A8031000-memory.dmp

Filesize
10.8MB

Download
memory/4460-1-0x00007FF9A7570000-0x00007FF9A8031000-memory.dmp

Filesize
10.8MB

Download
memory/4460-0-0x00000255C93A0000-0x00000255C93EC000-memory.dmp

Filesize
304KB

Download
memory/4460-2-0x00000255E38F0000-0x00000255E3900000-memory.dmp

Filesize
64KB

Download
memory/4700-6-0x00007FF9A48C0000-0x00007FF9A5381000-memory.dmp

Filesize
10.8MB

Download
memory/4700-8-0x00007FF9A48C0000-0x00007FF9A5381000-memory.dmp

Filesize
10.8MB

Download
memory/4700-7-0x00000243B2BB0000-0x00000243B2BC0000-memory.dmp

Filesize
64KB

Download
memory/4720-12-0x00007FF9A49E0000-0x00007FF9A54A1000-memory.dmp

Filesize
10.8MB

Download
memory/4720-13-0x0000029D5BBA0000-0x0000029D5BBB0000-memory.dmp

Filesize
64KB

Download
memory/4720-14-0x00007FF9A49E0000-0x00007FF9A54A1000-memory.dmp

Filesize
10.8MB

Download
memory/5032-15-0x00007FF9A49E0000-0x00007FF9A54A1000-memory.dmp

Filesize
10.8MB

Download
memory/5032-16-0x00007FF9A49E0000-0x00007FF9A54A1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads