umbral | dee17b4eadaee39276596882c2c60a1b59451017aa91f5c255dee92ae6689449

Analysis

max time kernel
61s
max time network
66s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2023 21:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RUNTWAREV2.exe
Size

227KB
MD5

6a3f3ce9e59e7f8b18895edb0ccb8e4f
SHA1

81da4be170d0e4be51014e5bccc89c09f0c95202
SHA256

dee17b4eadaee39276596882c2c60a1b59451017aa91f5c255dee92ae6689449
SHA512

b9caa7e6020d9c7b2442b351a03215a4dece45613918936f848de180b5da92286a20ea8527c676b6fd0d4843a7c2fd9f9123c85c8630e62b883a907ae0101fba
SSDEEP

6144:+loZM+rIkd8g+EtXHkv/iD44AummkrHMV9YW3X2cAb8e1mxzOi:ooZtL+EP84AummkrHMV9YW3X21Azj

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral2/memory/4632-0-0x00000205B7340000-0x00000205B7380000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	4632	RUNTWAREV2.exe
Token: SeIncreaseQuotaPrivilege	4420	wmic.exe
Token: SeSecurityPrivilege	4420	wmic.exe
Token: SeTakeOwnershipPrivilege	4420	wmic.exe
Token: SeLoadDriverPrivilege	4420	wmic.exe
Token: SeSystemProfilePrivilege	4420	wmic.exe
Token: SeSystemtimePrivilege	4420	wmic.exe
Token: SeProfSingleProcessPrivilege	4420	wmic.exe
Token: SeIncBasePriorityPrivilege	4420	wmic.exe
Token: SeCreatePagefilePrivilege	4420	wmic.exe
Token: SeBackupPrivilege	4420	wmic.exe
Token: SeRestorePrivilege	4420	wmic.exe
Token: SeShutdownPrivilege	4420	wmic.exe
Token: SeDebugPrivilege	4420	wmic.exe
Token: SeSystemEnvironmentPrivilege	4420	wmic.exe
Token: SeRemoteShutdownPrivilege	4420	wmic.exe
Token: SeUndockPrivilege	4420	wmic.exe
Token: SeManageVolumePrivilege	4420	wmic.exe
Token: 33	4420	wmic.exe
Token: 34	4420	wmic.exe
Token: 35	4420	wmic.exe
Token: 36	4420	wmic.exe
Token: SeIncreaseQuotaPrivilege	4420	wmic.exe
Token: SeSecurityPrivilege	4420	wmic.exe
Token: SeTakeOwnershipPrivilege	4420	wmic.exe
Token: SeLoadDriverPrivilege	4420	wmic.exe
Token: SeSystemProfilePrivilege	4420	wmic.exe
Token: SeSystemtimePrivilege	4420	wmic.exe
Token: SeProfSingleProcessPrivilege	4420	wmic.exe
Token: SeIncBasePriorityPrivilege	4420	wmic.exe
Token: SeCreatePagefilePrivilege	4420	wmic.exe
Token: SeBackupPrivilege	4420	wmic.exe
Token: SeRestorePrivilege	4420	wmic.exe
Token: SeShutdownPrivilege	4420	wmic.exe
Token: SeDebugPrivilege	4420	wmic.exe
Token: SeSystemEnvironmentPrivilege	4420	wmic.exe
Token: SeRemoteShutdownPrivilege	4420	wmic.exe
Token: SeUndockPrivilege	4420	wmic.exe
Token: SeManageVolumePrivilege	4420	wmic.exe
Token: 33	4420	wmic.exe
Token: 34	4420	wmic.exe
Token: 35	4420	wmic.exe
Token: 36	4420	wmic.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4632 wrote to memory of 4420	4632	RUNTWAREV2.exe	85
PID 4632 wrote to memory of 4420	4632	RUNTWAREV2.exe	85

C:\Users\Admin\AppData\Local\Temp\RUNTWAREV2.exe
"C:\Users\Admin\AppData\Local\Temp\RUNTWAREV2.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4632
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4420

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4632-0-0x00000205B7340000-0x00000205B7380000-memory.dmp

Filesize
256KB

Download
memory/4632-1-0x00007FFAFB260000-0x00007FFAFBD21000-memory.dmp

Filesize
10.8MB

Download
memory/4632-2-0x00000205B9180000-0x00000205B9190000-memory.dmp

Filesize
64KB

Download
memory/4632-4-0x00007FFAFB260000-0x00007FFAFBD21000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads