umbral | 685aea80db0fd039accee42b17bb7110e3c26529f361dac85f2a6d751982ce89

Analysis

max time kernel
117s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
06/02/2024, 19:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ExumNOVA (1).exe
Size

228KB
MD5

f3d936c9efade8ccd0a43ba19ee3ad80
SHA1

5aafc1994763497e589203d08c727cdbf481a474
SHA256

685aea80db0fd039accee42b17bb7110e3c26529f361dac85f2a6d751982ce89
SHA512

b81fa072dc5c0ad1cf08dfcf4d81984d1430f0dbf595d736d0b51249fb302229f116feb908f78e329d0cff5b81b0d517457f4b92c46dcdb0d552a78143c24f55
SSDEEP

6144:uloZMzrIkd8g+EtXHkv/iD4Nhi9fVeGJlMFXSy3g2b8e1mWi:4oZcL+EP8Nhi9fVeGJlMFXSy3/o

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral1/memory/3004-0-0x0000000000390000-0x00000000003D0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeDebugPrivilege	3004	ExumNOVA (1).exe
Token: SeIncreaseQuotaPrivilege	3064	wmic.exe
Token: SeSecurityPrivilege	3064	wmic.exe
Token: SeTakeOwnershipPrivilege	3064	wmic.exe
Token: SeLoadDriverPrivilege	3064	wmic.exe
Token: SeSystemProfilePrivilege	3064	wmic.exe
Token: SeSystemtimePrivilege	3064	wmic.exe
Token: SeProfSingleProcessPrivilege	3064	wmic.exe
Token: SeIncBasePriorityPrivilege	3064	wmic.exe
Token: SeCreatePagefilePrivilege	3064	wmic.exe
Token: SeBackupPrivilege	3064	wmic.exe
Token: SeRestorePrivilege	3064	wmic.exe
Token: SeShutdownPrivilege	3064	wmic.exe
Token: SeDebugPrivilege	3064	wmic.exe
Token: SeSystemEnvironmentPrivilege	3064	wmic.exe
Token: SeRemoteShutdownPrivilege	3064	wmic.exe
Token: SeUndockPrivilege	3064	wmic.exe
Token: SeManageVolumePrivilege	3064	wmic.exe
Token: 33	3064	wmic.exe
Token: 34	3064	wmic.exe
Token: 35	3064	wmic.exe
Token: SeIncreaseQuotaPrivilege	3064	wmic.exe
Token: SeSecurityPrivilege	3064	wmic.exe
Token: SeTakeOwnershipPrivilege	3064	wmic.exe
Token: SeLoadDriverPrivilege	3064	wmic.exe
Token: SeSystemProfilePrivilege	3064	wmic.exe
Token: SeSystemtimePrivilege	3064	wmic.exe
Token: SeProfSingleProcessPrivilege	3064	wmic.exe
Token: SeIncBasePriorityPrivilege	3064	wmic.exe
Token: SeCreatePagefilePrivilege	3064	wmic.exe
Token: SeBackupPrivilege	3064	wmic.exe
Token: SeRestorePrivilege	3064	wmic.exe
Token: SeShutdownPrivilege	3064	wmic.exe
Token: SeDebugPrivilege	3064	wmic.exe
Token: SeSystemEnvironmentPrivilege	3064	wmic.exe
Token: SeRemoteShutdownPrivilege	3064	wmic.exe
Token: SeUndockPrivilege	3064	wmic.exe
Token: SeManageVolumePrivilege	3064	wmic.exe
Token: 33	3064	wmic.exe
Token: 34	3064	wmic.exe
Token: 35	3064	wmic.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 3064	3004	ExumNOVA (1).exe	28
PID 3004 wrote to memory of 3064	3004	ExumNOVA (1).exe	28
PID 3004 wrote to memory of 3064	3004	ExumNOVA (1).exe	28

C:\Users\Admin\AppData\Local\Temp\ExumNOVA (1).exe
"C:\Users\Admin\AppData\Local\Temp\ExumNOVA (1).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3064

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3004-0-0x0000000000390000-0x00000000003D0000-memory.dmp

Filesize
256KB

Download
memory/3004-1-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp

Filesize
9.9MB

Download
memory/3004-2-0x000000001B100000-0x000000001B180000-memory.dmp

Filesize
512KB

Download
memory/3004-3-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads