umbral | 626e632e710f71661c007726e0195c4e60e1c7366f474c3d22a11e6b9fbfa1d8

Analysis

max time kernel
87s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
11/02/2024, 04:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

deb95e476943219d9fccc87505cc740e.exe
Size

266KB
MD5

deb95e476943219d9fccc87505cc740e
SHA1

be4325870bc9e8fe0e8233487287dd3569124bd5
SHA256

626e632e710f71661c007726e0195c4e60e1c7366f474c3d22a11e6b9fbfa1d8
SHA512

61eb326732efdc2ac4f417ee38153872d9a7afe21b8768f18262cc37ad48018d5d730dfd3c5db84d5b500513bc2e0f9b96c065eb7967adb74c0753c3ee4e42f8
SSDEEP

6144:4loZM+rIkd8g+EtXHkv/iD4RwFBJNbYMTnqL9Y0hZ67qb8e1m2iiV8vpFNEvt:moZtL+EP8RwFBJNbYMTnqL9Y0hZgWMiS

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral2/memory/1904-0-0x000001D623D50000-0x000001D623D98000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	1904	deb95e476943219d9fccc87505cc740e.exe
Token: SeIncreaseQuotaPrivilege	2564	wmic.exe
Token: SeSecurityPrivilege	2564	wmic.exe
Token: SeTakeOwnershipPrivilege	2564	wmic.exe
Token: SeLoadDriverPrivilege	2564	wmic.exe
Token: SeSystemProfilePrivilege	2564	wmic.exe
Token: SeSystemtimePrivilege	2564	wmic.exe
Token: SeProfSingleProcessPrivilege	2564	wmic.exe
Token: SeIncBasePriorityPrivilege	2564	wmic.exe
Token: SeCreatePagefilePrivilege	2564	wmic.exe
Token: SeBackupPrivilege	2564	wmic.exe
Token: SeRestorePrivilege	2564	wmic.exe
Token: SeShutdownPrivilege	2564	wmic.exe
Token: SeDebugPrivilege	2564	wmic.exe
Token: SeSystemEnvironmentPrivilege	2564	wmic.exe
Token: SeRemoteShutdownPrivilege	2564	wmic.exe
Token: SeUndockPrivilege	2564	wmic.exe
Token: SeManageVolumePrivilege	2564	wmic.exe
Token: 33	2564	wmic.exe
Token: 34	2564	wmic.exe
Token: 35	2564	wmic.exe
Token: 36	2564	wmic.exe
Token: SeIncreaseQuotaPrivilege	2564	wmic.exe
Token: SeSecurityPrivilege	2564	wmic.exe
Token: SeTakeOwnershipPrivilege	2564	wmic.exe
Token: SeLoadDriverPrivilege	2564	wmic.exe
Token: SeSystemProfilePrivilege	2564	wmic.exe
Token: SeSystemtimePrivilege	2564	wmic.exe
Token: SeProfSingleProcessPrivilege	2564	wmic.exe
Token: SeIncBasePriorityPrivilege	2564	wmic.exe
Token: SeCreatePagefilePrivilege	2564	wmic.exe
Token: SeBackupPrivilege	2564	wmic.exe
Token: SeRestorePrivilege	2564	wmic.exe
Token: SeShutdownPrivilege	2564	wmic.exe
Token: SeDebugPrivilege	2564	wmic.exe
Token: SeSystemEnvironmentPrivilege	2564	wmic.exe
Token: SeRemoteShutdownPrivilege	2564	wmic.exe
Token: SeUndockPrivilege	2564	wmic.exe
Token: SeManageVolumePrivilege	2564	wmic.exe
Token: 33	2564	wmic.exe
Token: 34	2564	wmic.exe
Token: 35	2564	wmic.exe
Token: 36	2564	wmic.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1904 wrote to memory of 2564	1904	deb95e476943219d9fccc87505cc740e.exe	86
PID 1904 wrote to memory of 2564	1904	deb95e476943219d9fccc87505cc740e.exe	86

C:\Users\Admin\AppData\Local\Temp\deb95e476943219d9fccc87505cc740e.exe
"C:\Users\Admin\AppData\Local\Temp\deb95e476943219d9fccc87505cc740e.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2564

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1904-0-0x000001D623D50000-0x000001D623D98000-memory.dmp

Filesize
288KB

Download
memory/1904-1-0x00007FFF4A0A0000-0x00007FFF4AB61000-memory.dmp

Filesize
10.8MB

Download
memory/1904-2-0x000001D63E320000-0x000001D63E330000-memory.dmp

Filesize
64KB

Download
memory/1904-4-0x00007FFF4A0A0000-0x00007FFF4AB61000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads