umbral | bdc7f2fa2abd884838f90a2a44af32c48f7e87d38ed4d887c80bc2f0d4e02930

Analysis

max time kernel
93s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
26/11/2023, 11:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Blood EXTERNAL.exe
Size

256KB
MD5

a4379fc86adc58efb212f662f3d6b8cc
SHA1

5bf25771ff9006b0cfb6ad820503eedc054362e6
SHA256

bdc7f2fa2abd884838f90a2a44af32c48f7e87d38ed4d887c80bc2f0d4e02930
SHA512

3434272593c73e2ea9b3110e1e54b3ceae20634796dbbc0c1191a2983031171227b968d464de9e106c148e410ecf97ac854d45c741dad00cc76b7d1977a16df1
SSDEEP

6144:oloZM+rIkd8g+EtXHkv/iD4FhHb1DA0r5SjVg8Zg+tB48e1m+ifX:2oZtL+EP8vHb1DA0r5SjVg8ZlAkf

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral2/memory/1176-0-0x0000020E487F0000-0x0000020E48836000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	1176	Blood EXTERNAL.exe
Token: SeIncreaseQuotaPrivilege	5112	wmic.exe
Token: SeSecurityPrivilege	5112	wmic.exe
Token: SeTakeOwnershipPrivilege	5112	wmic.exe
Token: SeLoadDriverPrivilege	5112	wmic.exe
Token: SeSystemProfilePrivilege	5112	wmic.exe
Token: SeSystemtimePrivilege	5112	wmic.exe
Token: SeProfSingleProcessPrivilege	5112	wmic.exe
Token: SeIncBasePriorityPrivilege	5112	wmic.exe
Token: SeCreatePagefilePrivilege	5112	wmic.exe
Token: SeBackupPrivilege	5112	wmic.exe
Token: SeRestorePrivilege	5112	wmic.exe
Token: SeShutdownPrivilege	5112	wmic.exe
Token: SeDebugPrivilege	5112	wmic.exe
Token: SeSystemEnvironmentPrivilege	5112	wmic.exe
Token: SeRemoteShutdownPrivilege	5112	wmic.exe
Token: SeUndockPrivilege	5112	wmic.exe
Token: SeManageVolumePrivilege	5112	wmic.exe
Token: 33	5112	wmic.exe
Token: 34	5112	wmic.exe
Token: 35	5112	wmic.exe
Token: 36	5112	wmic.exe
Token: SeIncreaseQuotaPrivilege	5112	wmic.exe
Token: SeSecurityPrivilege	5112	wmic.exe
Token: SeTakeOwnershipPrivilege	5112	wmic.exe
Token: SeLoadDriverPrivilege	5112	wmic.exe
Token: SeSystemProfilePrivilege	5112	wmic.exe
Token: SeSystemtimePrivilege	5112	wmic.exe
Token: SeProfSingleProcessPrivilege	5112	wmic.exe
Token: SeIncBasePriorityPrivilege	5112	wmic.exe
Token: SeCreatePagefilePrivilege	5112	wmic.exe
Token: SeBackupPrivilege	5112	wmic.exe
Token: SeRestorePrivilege	5112	wmic.exe
Token: SeShutdownPrivilege	5112	wmic.exe
Token: SeDebugPrivilege	5112	wmic.exe
Token: SeSystemEnvironmentPrivilege	5112	wmic.exe
Token: SeRemoteShutdownPrivilege	5112	wmic.exe
Token: SeUndockPrivilege	5112	wmic.exe
Token: SeManageVolumePrivilege	5112	wmic.exe
Token: 33	5112	wmic.exe
Token: 34	5112	wmic.exe
Token: 35	5112	wmic.exe
Token: 36	5112	wmic.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1176 wrote to memory of 5112	1176	Blood EXTERNAL.exe	85
PID 1176 wrote to memory of 5112	1176	Blood EXTERNAL.exe	85

C:\Users\Admin\AppData\Local\Temp\Blood EXTERNAL.exe
"C:\Users\Admin\AppData\Local\Temp\Blood EXTERNAL.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1176
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5112

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1176-0-0x0000020E487F0000-0x0000020E48836000-memory.dmp

Filesize
280KB

Download
memory/1176-1-0x00007FFA7E220000-0x00007FFA7ECE1000-memory.dmp

Filesize
10.8MB

Download
memory/1176-2-0x0000020E48C30000-0x0000020E48C40000-memory.dmp

Filesize
64KB

Download
memory/1176-4-0x00007FFA7E220000-0x00007FFA7ECE1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads