umbral | 96ac460a603a209e2c8167613b292181f7f2f5ede977258a096f7d2c4f1e3870

Analysis

max time kernel
122s
max time network
142s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
13/10/2023, 01:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

dx9injector.exe
Size

632KB
MD5

d69d90a0ac5890b22e0932e7a24ba9c2
SHA1

d303ab6a4cf6e7ab113a60e2392a8ae42b455c07
SHA256

96ac460a603a209e2c8167613b292181f7f2f5ede977258a096f7d2c4f1e3870
SHA512

ec4804d65edf28de02d9889f83e37c0262da3e875a2707050213799662676f5ac9824b388f15f38312d6b303276b7a8a9cb3803e655087dce0f1d336b89bc7c8
SSDEEP

6144:XloZMLrIkd8g+EtXHkv/iD4PNWNvFuW558VHCCHTib8e1mKivanvOG2NYg7Cn+A7:1oZ0L+EP8PNWNvFuW558VHCCHy4LDA7

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral1/memory/2096-0-0x0000000000DE0000-0x0000000000E84000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeDebugPrivilege	2096	dx9injector.exe
Token: SeIncreaseQuotaPrivilege	2880	wmic.exe
Token: SeSecurityPrivilege	2880	wmic.exe
Token: SeTakeOwnershipPrivilege	2880	wmic.exe
Token: SeLoadDriverPrivilege	2880	wmic.exe
Token: SeSystemProfilePrivilege	2880	wmic.exe
Token: SeSystemtimePrivilege	2880	wmic.exe
Token: SeProfSingleProcessPrivilege	2880	wmic.exe
Token: SeIncBasePriorityPrivilege	2880	wmic.exe
Token: SeCreatePagefilePrivilege	2880	wmic.exe
Token: SeBackupPrivilege	2880	wmic.exe
Token: SeRestorePrivilege	2880	wmic.exe
Token: SeShutdownPrivilege	2880	wmic.exe
Token: SeDebugPrivilege	2880	wmic.exe
Token: SeSystemEnvironmentPrivilege	2880	wmic.exe
Token: SeRemoteShutdownPrivilege	2880	wmic.exe
Token: SeUndockPrivilege	2880	wmic.exe
Token: SeManageVolumePrivilege	2880	wmic.exe
Token: 33	2880	wmic.exe
Token: 34	2880	wmic.exe
Token: 35	2880	wmic.exe
Token: SeIncreaseQuotaPrivilege	2880	wmic.exe
Token: SeSecurityPrivilege	2880	wmic.exe
Token: SeTakeOwnershipPrivilege	2880	wmic.exe
Token: SeLoadDriverPrivilege	2880	wmic.exe
Token: SeSystemProfilePrivilege	2880	wmic.exe
Token: SeSystemtimePrivilege	2880	wmic.exe
Token: SeProfSingleProcessPrivilege	2880	wmic.exe
Token: SeIncBasePriorityPrivilege	2880	wmic.exe
Token: SeCreatePagefilePrivilege	2880	wmic.exe
Token: SeBackupPrivilege	2880	wmic.exe
Token: SeRestorePrivilege	2880	wmic.exe
Token: SeShutdownPrivilege	2880	wmic.exe
Token: SeDebugPrivilege	2880	wmic.exe
Token: SeSystemEnvironmentPrivilege	2880	wmic.exe
Token: SeRemoteShutdownPrivilege	2880	wmic.exe
Token: SeUndockPrivilege	2880	wmic.exe
Token: SeManageVolumePrivilege	2880	wmic.exe
Token: 33	2880	wmic.exe
Token: 34	2880	wmic.exe
Token: 35	2880	wmic.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 2880	2096	dx9injector.exe	30
PID 2096 wrote to memory of 2880	2096	dx9injector.exe	30
PID 2096 wrote to memory of 2880	2096	dx9injector.exe	30

C:\Users\Admin\AppData\Local\Temp\dx9injector.exe
"C:\Users\Admin\AppData\Local\Temp\dx9injector.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2880

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2096-0-0x0000000000DE0000-0x0000000000E84000-memory.dmp

Filesize
656KB

Download
memory/2096-1-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/2096-2-0x000000001B250000-0x000000001B2D0000-memory.dmp

Filesize
512KB

Download
memory/2096-3-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/2096-4-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads