umbral | a08c820009542834baeba92e8aa762d6810fd021de67b05c6429063af206e629

Analysis

max time kernel
143s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
02-02-2024 08:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SynapseX.exe
Size

234KB
MD5

03d95fff9c762454b8a8cea89de2d9e3
SHA1

5fdc58b29e10fe6f74ab7dc7d5599b136be0394f
SHA256

a08c820009542834baeba92e8aa762d6810fd021de67b05c6429063af206e629
SHA512

183d5fae435f0ebcf562258feaed1ea782de2ab67e18a348a469129374d3ac3c73a9b8426e0f34bd4bdaf4f3fae48159c29dbdbbaf03c4a0c4ca693a4eda01d9
SSDEEP

6144:nloZM+rIkd8g+EtXHkv/iD4Lu1gBPUonLWvRsY9gfevD8e1m/Ti:loZtL+EP8Lu1gBPUonLWvRsY9DK+

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral2/memory/2140-0-0x000001F6B1090000-0x000001F6B10D0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	2140	SynapseX.exe
Token: SeIncreaseQuotaPrivilege	1164	wmic.exe
Token: SeSecurityPrivilege	1164	wmic.exe
Token: SeTakeOwnershipPrivilege	1164	wmic.exe
Token: SeLoadDriverPrivilege	1164	wmic.exe
Token: SeSystemProfilePrivilege	1164	wmic.exe
Token: SeSystemtimePrivilege	1164	wmic.exe
Token: SeProfSingleProcessPrivilege	1164	wmic.exe
Token: SeIncBasePriorityPrivilege	1164	wmic.exe
Token: SeCreatePagefilePrivilege	1164	wmic.exe
Token: SeBackupPrivilege	1164	wmic.exe
Token: SeRestorePrivilege	1164	wmic.exe
Token: SeShutdownPrivilege	1164	wmic.exe
Token: SeDebugPrivilege	1164	wmic.exe
Token: SeSystemEnvironmentPrivilege	1164	wmic.exe
Token: SeRemoteShutdownPrivilege	1164	wmic.exe
Token: SeUndockPrivilege	1164	wmic.exe
Token: SeManageVolumePrivilege	1164	wmic.exe
Token: 33	1164	wmic.exe
Token: 34	1164	wmic.exe
Token: 35	1164	wmic.exe
Token: 36	1164	wmic.exe
Token: SeIncreaseQuotaPrivilege	1164	wmic.exe
Token: SeSecurityPrivilege	1164	wmic.exe
Token: SeTakeOwnershipPrivilege	1164	wmic.exe
Token: SeLoadDriverPrivilege	1164	wmic.exe
Token: SeSystemProfilePrivilege	1164	wmic.exe
Token: SeSystemtimePrivilege	1164	wmic.exe
Token: SeProfSingleProcessPrivilege	1164	wmic.exe
Token: SeIncBasePriorityPrivilege	1164	wmic.exe
Token: SeCreatePagefilePrivilege	1164	wmic.exe
Token: SeBackupPrivilege	1164	wmic.exe
Token: SeRestorePrivilege	1164	wmic.exe
Token: SeShutdownPrivilege	1164	wmic.exe
Token: SeDebugPrivilege	1164	wmic.exe
Token: SeSystemEnvironmentPrivilege	1164	wmic.exe
Token: SeRemoteShutdownPrivilege	1164	wmic.exe
Token: SeUndockPrivilege	1164	wmic.exe
Token: SeManageVolumePrivilege	1164	wmic.exe
Token: 33	1164	wmic.exe
Token: 34	1164	wmic.exe
Token: 35	1164	wmic.exe
Token: 36	1164	wmic.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 1164	2140	SynapseX.exe	84
PID 2140 wrote to memory of 1164	2140	SynapseX.exe	84

C:\Users\Admin\AppData\Local\Temp\SynapseX.exe
"C:\Users\Admin\AppData\Local\Temp\SynapseX.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1164

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2140-0-0x000001F6B1090000-0x000001F6B10D0000-memory.dmp

Filesize
256KB

Download
memory/2140-1-0x00007FF8FCFB0000-0x00007FF8FDA71000-memory.dmp

Filesize
10.8MB

Download
memory/2140-2-0x000001F6B1480000-0x000001F6B1490000-memory.dmp

Filesize
64KB

Download
memory/2140-4-0x00007FF8FCFB0000-0x00007FF8FDA71000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads