umbral | bdc7f2fa2abd884838f90a2a44af32c48f7e87d38ed4d887c80bc2f0d4e02930

Analysis

max time kernel
126s
max time network
131s
platform
windows10-1703_x64
resource
win10-20231020-en
resource tags

arch:x64arch:x86image:win10-20231020-enlocale:en-usos:windows10-1703-x64system
submitted
26-11-2023 11:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Blood EXTERNAL.exe
Size

256KB
MD5

a4379fc86adc58efb212f662f3d6b8cc
SHA1

5bf25771ff9006b0cfb6ad820503eedc054362e6
SHA256

bdc7f2fa2abd884838f90a2a44af32c48f7e87d38ed4d887c80bc2f0d4e02930
SHA512

3434272593c73e2ea9b3110e1e54b3ceae20634796dbbc0c1191a2983031171227b968d464de9e106c148e410ecf97ac854d45c741dad00cc76b7d1977a16df1
SSDEEP

6144:oloZM+rIkd8g+EtXHkv/iD4FhHb1DA0r5SjVg8Zg+tB48e1m+ifX:2oZtL+EP8vHb1DA0r5SjVg8ZlAkf

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral1/memory/2792-0-0x000002375FDC0000-0x000002375FE06000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	2792	Blood EXTERNAL.exe
Token: SeIncreaseQuotaPrivilege	640	wmic.exe
Token: SeSecurityPrivilege	640	wmic.exe
Token: SeTakeOwnershipPrivilege	640	wmic.exe
Token: SeLoadDriverPrivilege	640	wmic.exe
Token: SeSystemProfilePrivilege	640	wmic.exe
Token: SeSystemtimePrivilege	640	wmic.exe
Token: SeProfSingleProcessPrivilege	640	wmic.exe
Token: SeIncBasePriorityPrivilege	640	wmic.exe
Token: SeCreatePagefilePrivilege	640	wmic.exe
Token: SeBackupPrivilege	640	wmic.exe
Token: SeRestorePrivilege	640	wmic.exe
Token: SeShutdownPrivilege	640	wmic.exe
Token: SeDebugPrivilege	640	wmic.exe
Token: SeSystemEnvironmentPrivilege	640	wmic.exe
Token: SeRemoteShutdownPrivilege	640	wmic.exe
Token: SeUndockPrivilege	640	wmic.exe
Token: SeManageVolumePrivilege	640	wmic.exe
Token: 33	640	wmic.exe
Token: 34	640	wmic.exe
Token: 35	640	wmic.exe
Token: 36	640	wmic.exe
Token: SeIncreaseQuotaPrivilege	640	wmic.exe
Token: SeSecurityPrivilege	640	wmic.exe
Token: SeTakeOwnershipPrivilege	640	wmic.exe
Token: SeLoadDriverPrivilege	640	wmic.exe
Token: SeSystemProfilePrivilege	640	wmic.exe
Token: SeSystemtimePrivilege	640	wmic.exe
Token: SeProfSingleProcessPrivilege	640	wmic.exe
Token: SeIncBasePriorityPrivilege	640	wmic.exe
Token: SeCreatePagefilePrivilege	640	wmic.exe
Token: SeBackupPrivilege	640	wmic.exe
Token: SeRestorePrivilege	640	wmic.exe
Token: SeShutdownPrivilege	640	wmic.exe
Token: SeDebugPrivilege	640	wmic.exe
Token: SeSystemEnvironmentPrivilege	640	wmic.exe
Token: SeRemoteShutdownPrivilege	640	wmic.exe
Token: SeUndockPrivilege	640	wmic.exe
Token: SeManageVolumePrivilege	640	wmic.exe
Token: 33	640	wmic.exe
Token: 34	640	wmic.exe
Token: 35	640	wmic.exe
Token: 36	640	wmic.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 640	2792	Blood EXTERNAL.exe	71
PID 2792 wrote to memory of 640	2792	Blood EXTERNAL.exe	71

C:\Users\Admin\AppData\Local\Temp\Blood EXTERNAL.exe
"C:\Users\Admin\AppData\Local\Temp\Blood EXTERNAL.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:640

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2792-0-0x000002375FDC0000-0x000002375FE06000-memory.dmp

Filesize
280KB

Download
memory/2792-1-0x00007FFFB74F0000-0x00007FFFB7EDC000-memory.dmp

Filesize
9.9MB

Download
memory/2792-2-0x000002377A490000-0x000002377A4A0000-memory.dmp

Filesize
64KB

Download
memory/2792-4-0x00007FFFB74F0000-0x00007FFFB7EDC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads