umbral | a08c820009542834baeba92e8aa762d6810fd021de67b05c6429063af206e629

Analysis

max time kernel
14s
max time network
18s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
02-02-2024 08:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SynapseX.exe
Size

234KB
MD5

03d95fff9c762454b8a8cea89de2d9e3
SHA1

5fdc58b29e10fe6f74ab7dc7d5599b136be0394f
SHA256

a08c820009542834baeba92e8aa762d6810fd021de67b05c6429063af206e629
SHA512

183d5fae435f0ebcf562258feaed1ea782de2ab67e18a348a469129374d3ac3c73a9b8426e0f34bd4bdaf4f3fae48159c29dbdbbaf03c4a0c4ca693a4eda01d9
SSDEEP

6144:nloZM+rIkd8g+EtXHkv/iD4Lu1gBPUonLWvRsY9gfevD8e1m/Ti:loZtL+EP8Lu1gBPUonLWvRsY9DK+

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral1/memory/2908-0-0x0000000001200000-0x0000000001240000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeDebugPrivilege	2908	SynapseX.exe
Token: SeIncreaseQuotaPrivilege	2808	wmic.exe
Token: SeSecurityPrivilege	2808	wmic.exe
Token: SeTakeOwnershipPrivilege	2808	wmic.exe
Token: SeLoadDriverPrivilege	2808	wmic.exe
Token: SeSystemProfilePrivilege	2808	wmic.exe
Token: SeSystemtimePrivilege	2808	wmic.exe
Token: SeProfSingleProcessPrivilege	2808	wmic.exe
Token: SeIncBasePriorityPrivilege	2808	wmic.exe
Token: SeCreatePagefilePrivilege	2808	wmic.exe
Token: SeBackupPrivilege	2808	wmic.exe
Token: SeRestorePrivilege	2808	wmic.exe
Token: SeShutdownPrivilege	2808	wmic.exe
Token: SeDebugPrivilege	2808	wmic.exe
Token: SeSystemEnvironmentPrivilege	2808	wmic.exe
Token: SeRemoteShutdownPrivilege	2808	wmic.exe
Token: SeUndockPrivilege	2808	wmic.exe
Token: SeManageVolumePrivilege	2808	wmic.exe
Token: 33	2808	wmic.exe
Token: 34	2808	wmic.exe
Token: 35	2808	wmic.exe
Token: SeIncreaseQuotaPrivilege	2808	wmic.exe
Token: SeSecurityPrivilege	2808	wmic.exe
Token: SeTakeOwnershipPrivilege	2808	wmic.exe
Token: SeLoadDriverPrivilege	2808	wmic.exe
Token: SeSystemProfilePrivilege	2808	wmic.exe
Token: SeSystemtimePrivilege	2808	wmic.exe
Token: SeProfSingleProcessPrivilege	2808	wmic.exe
Token: SeIncBasePriorityPrivilege	2808	wmic.exe
Token: SeCreatePagefilePrivilege	2808	wmic.exe
Token: SeBackupPrivilege	2808	wmic.exe
Token: SeRestorePrivilege	2808	wmic.exe
Token: SeShutdownPrivilege	2808	wmic.exe
Token: SeDebugPrivilege	2808	wmic.exe
Token: SeSystemEnvironmentPrivilege	2808	wmic.exe
Token: SeRemoteShutdownPrivilege	2808	wmic.exe
Token: SeUndockPrivilege	2808	wmic.exe
Token: SeManageVolumePrivilege	2808	wmic.exe
Token: 33	2808	wmic.exe
Token: 34	2808	wmic.exe
Token: 35	2808	wmic.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 2808	2908	SynapseX.exe	28
PID 2908 wrote to memory of 2808	2908	SynapseX.exe	28
PID 2908 wrote to memory of 2808	2908	SynapseX.exe	28

C:\Users\Admin\AppData\Local\Temp\SynapseX.exe
"C:\Users\Admin\AppData\Local\Temp\SynapseX.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2808

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2908-0-0x0000000001200000-0x0000000001240000-memory.dmp

Filesize
256KB

Download
memory/2908-1-0x000007FEF5D70000-0x000007FEF675C000-memory.dmp

Filesize
9.9MB

Download
memory/2908-2-0x0000000000C40000-0x0000000000CC0000-memory.dmp

Filesize
512KB

Download
memory/2908-3-0x000007FEF5D70000-0x000007FEF675C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads