umbral | 4656d69359cd36909ffafde605da9acaa44f231465c2cf04083f312997a79143

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
23-01-2024 12:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

proxy.exe
Size

246KB
MD5

4ef1cda1badeab461aa59991f9499754
SHA1

418fb087216cc11b6981a386fe4de673b089c3d8
SHA256

4656d69359cd36909ffafde605da9acaa44f231465c2cf04083f312997a79143
SHA512

2b4e6bcf02e18c8db8a703a109581928cdb741409e3b122a2fbdd387bac0aa8bcbcdc3e9b4673fe8309f1c885eed51b1feae505b18ccacfe9879712cf81aaf72
SSDEEP

6144:ploZM+rIkd8g+EtXHkv/iD4EXNmxfEY3vmfh8It2qI8e1mZi:boZtL+EP8EXNmxfEY3vmfh8ItcH

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral1/memory/2052-0-0x0000000000120000-0x0000000000164000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeDebugPrivilege	2052	proxy.exe
Token: SeIncreaseQuotaPrivilege	2100	wmic.exe
Token: SeSecurityPrivilege	2100	wmic.exe
Token: SeTakeOwnershipPrivilege	2100	wmic.exe
Token: SeLoadDriverPrivilege	2100	wmic.exe
Token: SeSystemProfilePrivilege	2100	wmic.exe
Token: SeSystemtimePrivilege	2100	wmic.exe
Token: SeProfSingleProcessPrivilege	2100	wmic.exe
Token: SeIncBasePriorityPrivilege	2100	wmic.exe
Token: SeCreatePagefilePrivilege	2100	wmic.exe
Token: SeBackupPrivilege	2100	wmic.exe
Token: SeRestorePrivilege	2100	wmic.exe
Token: SeShutdownPrivilege	2100	wmic.exe
Token: SeDebugPrivilege	2100	wmic.exe
Token: SeSystemEnvironmentPrivilege	2100	wmic.exe
Token: SeRemoteShutdownPrivilege	2100	wmic.exe
Token: SeUndockPrivilege	2100	wmic.exe
Token: SeManageVolumePrivilege	2100	wmic.exe
Token: 33	2100	wmic.exe
Token: 34	2100	wmic.exe
Token: 35	2100	wmic.exe
Token: SeIncreaseQuotaPrivilege	2100	wmic.exe
Token: SeSecurityPrivilege	2100	wmic.exe
Token: SeTakeOwnershipPrivilege	2100	wmic.exe
Token: SeLoadDriverPrivilege	2100	wmic.exe
Token: SeSystemProfilePrivilege	2100	wmic.exe
Token: SeSystemtimePrivilege	2100	wmic.exe
Token: SeProfSingleProcessPrivilege	2100	wmic.exe
Token: SeIncBasePriorityPrivilege	2100	wmic.exe
Token: SeCreatePagefilePrivilege	2100	wmic.exe
Token: SeBackupPrivilege	2100	wmic.exe
Token: SeRestorePrivilege	2100	wmic.exe
Token: SeShutdownPrivilege	2100	wmic.exe
Token: SeDebugPrivilege	2100	wmic.exe
Token: SeSystemEnvironmentPrivilege	2100	wmic.exe
Token: SeRemoteShutdownPrivilege	2100	wmic.exe
Token: SeUndockPrivilege	2100	wmic.exe
Token: SeManageVolumePrivilege	2100	wmic.exe
Token: 33	2100	wmic.exe
Token: 34	2100	wmic.exe
Token: 35	2100	wmic.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2052 wrote to memory of 2100	2052	proxy.exe	28
PID 2052 wrote to memory of 2100	2052	proxy.exe	28
PID 2052 wrote to memory of 2100	2052	proxy.exe	28

C:\Users\Admin\AppData\Local\Temp\proxy.exe
"C:\Users\Admin\AppData\Local\Temp\proxy.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2052
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2100

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2052-0-0x0000000000120000-0x0000000000164000-memory.dmp

Filesize
272KB

Download
memory/2052-1-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/2052-2-0x000000001A970000-0x000000001A9F0000-memory.dmp

Filesize
512KB

Download
memory/2052-3-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads