umbral | 29456c78a229429c66b4ce8997c9bb6593ad9b4e8928e094eb25caf4a7ee0e40

Resubmissions

25-11-2023 12:15

231125-pe82qsae24 10

25-11-2023 12:14

231125-pedwlaad98 10

25-11-2023 11:56

231125-n316csba21 10

Analysis

max time kernel
143s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2023 12:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Zul Free.exe
Size

230KB
MD5

a47cffac2602038b4cfc070f8a05243a
SHA1

4111453f445d10ef516e98a000cc84845658dabe
SHA256

29456c78a229429c66b4ce8997c9bb6593ad9b4e8928e094eb25caf4a7ee0e40
SHA512

e390d7c96e2b5b2cad52b80c276787cb37d7ca3a171868037c1f1ef9e58177baa9e07f8866e0a95560ee9e0af0a38ba218f9feeaf1f19d77915f9e5c08d4070d
SSDEEP

6144:1loZM+rIkd8g+EtXHkv/iD4tT1FzQEbqCzFQMpxbztjFK8e1mOvi:XoZtL+EP8tT1FzQEbqCzFQMpVpjy0

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral2/memory/4264-0-0x00000226FD650000-0x00000226FD690000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	4264	Zul Free.exe
Token: SeIncreaseQuotaPrivilege	3768	wmic.exe
Token: SeSecurityPrivilege	3768	wmic.exe
Token: SeTakeOwnershipPrivilege	3768	wmic.exe
Token: SeLoadDriverPrivilege	3768	wmic.exe
Token: SeSystemProfilePrivilege	3768	wmic.exe
Token: SeSystemtimePrivilege	3768	wmic.exe
Token: SeProfSingleProcessPrivilege	3768	wmic.exe
Token: SeIncBasePriorityPrivilege	3768	wmic.exe
Token: SeCreatePagefilePrivilege	3768	wmic.exe
Token: SeBackupPrivilege	3768	wmic.exe
Token: SeRestorePrivilege	3768	wmic.exe
Token: SeShutdownPrivilege	3768	wmic.exe
Token: SeDebugPrivilege	3768	wmic.exe
Token: SeSystemEnvironmentPrivilege	3768	wmic.exe
Token: SeRemoteShutdownPrivilege	3768	wmic.exe
Token: SeUndockPrivilege	3768	wmic.exe
Token: SeManageVolumePrivilege	3768	wmic.exe
Token: 33	3768	wmic.exe
Token: 34	3768	wmic.exe
Token: 35	3768	wmic.exe
Token: 36	3768	wmic.exe
Token: SeIncreaseQuotaPrivilege	3768	wmic.exe
Token: SeSecurityPrivilege	3768	wmic.exe
Token: SeTakeOwnershipPrivilege	3768	wmic.exe
Token: SeLoadDriverPrivilege	3768	wmic.exe
Token: SeSystemProfilePrivilege	3768	wmic.exe
Token: SeSystemtimePrivilege	3768	wmic.exe
Token: SeProfSingleProcessPrivilege	3768	wmic.exe
Token: SeIncBasePriorityPrivilege	3768	wmic.exe
Token: SeCreatePagefilePrivilege	3768	wmic.exe
Token: SeBackupPrivilege	3768	wmic.exe
Token: SeRestorePrivilege	3768	wmic.exe
Token: SeShutdownPrivilege	3768	wmic.exe
Token: SeDebugPrivilege	3768	wmic.exe
Token: SeSystemEnvironmentPrivilege	3768	wmic.exe
Token: SeRemoteShutdownPrivilege	3768	wmic.exe
Token: SeUndockPrivilege	3768	wmic.exe
Token: SeManageVolumePrivilege	3768	wmic.exe
Token: 33	3768	wmic.exe
Token: 34	3768	wmic.exe
Token: 35	3768	wmic.exe
Token: 36	3768	wmic.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4264 wrote to memory of 3768	4264	Zul Free.exe	85
PID 4264 wrote to memory of 3768	4264	Zul Free.exe	85

C:\Users\Admin\AppData\Local\Temp\Zul Free.exe
"C:\Users\Admin\AppData\Local\Temp\Zul Free.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4264
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3768

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4264-0-0x00000226FD650000-0x00000226FD690000-memory.dmp

Filesize
256KB

Download
memory/4264-1-0x00007FFF62020000-0x00007FFF62AE1000-memory.dmp

Filesize
10.8MB

Download
memory/4264-2-0x00000226FF340000-0x00000226FF350000-memory.dmp

Filesize
64KB

Download
memory/4264-4-0x00007FFF62020000-0x00007FFF62AE1000-memory.dmp

Filesize
10.8MB

Download