umbral | 293e2f2b00d9d2f5ee8b6e0267ff38b4052486d8846a9da1e42874ae1c461948

Analysis

max time kernel
117s
max time network
124s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12-10-2023 05:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

moon beta.exe
Size

229KB
MD5

a43d31f62cc5fafc444b1e45a6216fd5
SHA1

53e7567a150e695e77a91f7214f01f03ece73604
SHA256

293e2f2b00d9d2f5ee8b6e0267ff38b4052486d8846a9da1e42874ae1c461948
SHA512

a7940669a2ce2ea8687803d95e08088ec591e10463eed1410c9e5fd3c896923a22c20f47fa91bd0932c79431d9aa444fe0880515b1d69ea6edcd8549f17af084
SSDEEP

6144:lloZM+rIkd8g+EtXHkv/iD4PaMtrRiK1CwBzOur5bb8e1mki:noZtL+EP8PaMtrRiK1CwBzOurVe

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral1/memory/2212-0-0x00000000003A0000-0x00000000003E0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeDebugPrivilege	2212	moon beta.exe
Token: SeIncreaseQuotaPrivilege	2636	wmic.exe
Token: SeSecurityPrivilege	2636	wmic.exe
Token: SeTakeOwnershipPrivilege	2636	wmic.exe
Token: SeLoadDriverPrivilege	2636	wmic.exe
Token: SeSystemProfilePrivilege	2636	wmic.exe
Token: SeSystemtimePrivilege	2636	wmic.exe
Token: SeProfSingleProcessPrivilege	2636	wmic.exe
Token: SeIncBasePriorityPrivilege	2636	wmic.exe
Token: SeCreatePagefilePrivilege	2636	wmic.exe
Token: SeBackupPrivilege	2636	wmic.exe
Token: SeRestorePrivilege	2636	wmic.exe
Token: SeShutdownPrivilege	2636	wmic.exe
Token: SeDebugPrivilege	2636	wmic.exe
Token: SeSystemEnvironmentPrivilege	2636	wmic.exe
Token: SeRemoteShutdownPrivilege	2636	wmic.exe
Token: SeUndockPrivilege	2636	wmic.exe
Token: SeManageVolumePrivilege	2636	wmic.exe
Token: 33	2636	wmic.exe
Token: 34	2636	wmic.exe
Token: 35	2636	wmic.exe
Token: SeIncreaseQuotaPrivilege	2636	wmic.exe
Token: SeSecurityPrivilege	2636	wmic.exe
Token: SeTakeOwnershipPrivilege	2636	wmic.exe
Token: SeLoadDriverPrivilege	2636	wmic.exe
Token: SeSystemProfilePrivilege	2636	wmic.exe
Token: SeSystemtimePrivilege	2636	wmic.exe
Token: SeProfSingleProcessPrivilege	2636	wmic.exe
Token: SeIncBasePriorityPrivilege	2636	wmic.exe
Token: SeCreatePagefilePrivilege	2636	wmic.exe
Token: SeBackupPrivilege	2636	wmic.exe
Token: SeRestorePrivilege	2636	wmic.exe
Token: SeShutdownPrivilege	2636	wmic.exe
Token: SeDebugPrivilege	2636	wmic.exe
Token: SeSystemEnvironmentPrivilege	2636	wmic.exe
Token: SeRemoteShutdownPrivilege	2636	wmic.exe
Token: SeUndockPrivilege	2636	wmic.exe
Token: SeManageVolumePrivilege	2636	wmic.exe
Token: 33	2636	wmic.exe
Token: 34	2636	wmic.exe
Token: 35	2636	wmic.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2636	2212	moon beta.exe	28
PID 2212 wrote to memory of 2636	2212	moon beta.exe	28
PID 2212 wrote to memory of 2636	2212	moon beta.exe	28

C:\Users\Admin\AppData\Local\Temp\moon beta.exe
"C:\Users\Admin\AppData\Local\Temp\moon beta.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2636

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2212-0-0x00000000003A0000-0x00000000003E0000-memory.dmp

Filesize
256KB

Download
memory/2212-1-0x000007FEF5DF0000-0x000007FEF67DC000-memory.dmp

Filesize
9.9MB

Download
memory/2212-2-0x0000000002300000-0x0000000002380000-memory.dmp

Filesize
512KB

Download
memory/2212-3-0x000007FEF5DF0000-0x000007FEF67DC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads