umbral | 4ee620778e0fc3d0f875b64c11175f5cc3a79ffbe8515b894b70992ea3d9666a

Analysis

max time kernel
117s
max time network
124s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
17-02-2024 10:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Celestial Crack.exe
Size

231KB
MD5

a9a5f4d1c6b608f2e6de17b036685865
SHA1

c0b6579327fc42654822e8afe5c8cbc1b5b1ba58
SHA256

b9a85b2cf041ab3a6966291f670a076c363b994f9a52de7e94edd5b80020ab92
SHA512

a3961fce1edc8c7b267c7e9375ae1a48897bd989c700876e214ee3847a8f14f158a664c4839290b2ad678beb203fb6e92162473b76777ee7d9da58697ce1a66c
SSDEEP

6144:RloZM+rIkd8g+EtXHkv/iD4lMPTaL7N8e1mCKi:joZtL+EP8euBt

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/memory/944-0-0x00000000003B0000-0x00000000003F0000-memory.dmp	family_umbral
behavioral1/memory/944-2-0x0000000000670000-0x00000000006F0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeDebugPrivilege	944	Celestial Crack.exe
Token: SeIncreaseQuotaPrivilege	2744	wmic.exe
Token: SeSecurityPrivilege	2744	wmic.exe
Token: SeTakeOwnershipPrivilege	2744	wmic.exe
Token: SeLoadDriverPrivilege	2744	wmic.exe
Token: SeSystemProfilePrivilege	2744	wmic.exe
Token: SeSystemtimePrivilege	2744	wmic.exe
Token: SeProfSingleProcessPrivilege	2744	wmic.exe
Token: SeIncBasePriorityPrivilege	2744	wmic.exe
Token: SeCreatePagefilePrivilege	2744	wmic.exe
Token: SeBackupPrivilege	2744	wmic.exe
Token: SeRestorePrivilege	2744	wmic.exe
Token: SeShutdownPrivilege	2744	wmic.exe
Token: SeDebugPrivilege	2744	wmic.exe
Token: SeSystemEnvironmentPrivilege	2744	wmic.exe
Token: SeRemoteShutdownPrivilege	2744	wmic.exe
Token: SeUndockPrivilege	2744	wmic.exe
Token: SeManageVolumePrivilege	2744	wmic.exe
Token: 33	2744	wmic.exe
Token: 34	2744	wmic.exe
Token: 35	2744	wmic.exe
Token: SeIncreaseQuotaPrivilege	2744	wmic.exe
Token: SeSecurityPrivilege	2744	wmic.exe
Token: SeTakeOwnershipPrivilege	2744	wmic.exe
Token: SeLoadDriverPrivilege	2744	wmic.exe
Token: SeSystemProfilePrivilege	2744	wmic.exe
Token: SeSystemtimePrivilege	2744	wmic.exe
Token: SeProfSingleProcessPrivilege	2744	wmic.exe
Token: SeIncBasePriorityPrivilege	2744	wmic.exe
Token: SeCreatePagefilePrivilege	2744	wmic.exe
Token: SeBackupPrivilege	2744	wmic.exe
Token: SeRestorePrivilege	2744	wmic.exe
Token: SeShutdownPrivilege	2744	wmic.exe
Token: SeDebugPrivilege	2744	wmic.exe
Token: SeSystemEnvironmentPrivilege	2744	wmic.exe
Token: SeRemoteShutdownPrivilege	2744	wmic.exe
Token: SeUndockPrivilege	2744	wmic.exe
Token: SeManageVolumePrivilege	2744	wmic.exe
Token: 33	2744	wmic.exe
Token: 34	2744	wmic.exe
Token: 35	2744	wmic.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 944 wrote to memory of 2744	944	Celestial Crack.exe	28
PID 944 wrote to memory of 2744	944	Celestial Crack.exe	28
PID 944 wrote to memory of 2744	944	Celestial Crack.exe	28

C:\Users\Admin\AppData\Local\Temp\Celestial Crack.exe
"C:\Users\Admin\AppData\Local\Temp\Celestial Crack.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:944
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2744

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/944-0-0x00000000003B0000-0x00000000003F0000-memory.dmp

Filesize
256KB

Download
memory/944-1-0x000007FEF53C0000-0x000007FEF5DAC000-memory.dmp

Filesize
9.9MB

Download
memory/944-2-0x0000000000670000-0x00000000006F0000-memory.dmp

Filesize
512KB

Download
memory/944-17-0x000007FEF53C0000-0x000007FEF5DAC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads