umbral | d223ace00adcf9996234b0e5f85b14ca273ead2c01672f7abc8469cfeacf1408

Resubmissions

19-02-2024 02:04

240219-chgqfagg3z 10

19-02-2024 02:01

240219-cfpm9sha64 10

Analysis

max time kernel
17s
max time network
17s
platform
windows10-1703_x64
resource
win10-20240214-en
resource tags

arch:x64arch:x86image:win10-20240214-enlocale:en-usos:windows10-1703-x64system
submitted
19-02-2024 02:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HavocV2.exe
Size

395KB
MD5

bbd057262f45309b69aac1969de8905d
SHA1

be351afb488c78f984213d8b8fceb0792c00414a
SHA256

d223ace00adcf9996234b0e5f85b14ca273ead2c01672f7abc8469cfeacf1408
SHA512

caf0791490f568c2ac5b2242a638a8ff557916d390470b5e04acd6c3bd49a3a69be3ae015a2eb4f10624f8cbd54b99c539011da820ef949ad17b1db88e46b12d
SSDEEP

6144:7loZM+rIkd8g+EtXHkv/iD4LD/xEKtFuHr20VJgU0b8e1m/lm4iUG:ZoZtL+EP8LD/xEKtFuHr20VJghzBh

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral1/memory/420-0-0x0000021E20120000-0x0000021E20188000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	420	HavocV2.exe
Token: SeIncreaseQuotaPrivilege	3992	wmic.exe
Token: SeSecurityPrivilege	3992	wmic.exe
Token: SeTakeOwnershipPrivilege	3992	wmic.exe
Token: SeLoadDriverPrivilege	3992	wmic.exe
Token: SeSystemProfilePrivilege	3992	wmic.exe
Token: SeSystemtimePrivilege	3992	wmic.exe
Token: SeProfSingleProcessPrivilege	3992	wmic.exe
Token: SeIncBasePriorityPrivilege	3992	wmic.exe
Token: SeCreatePagefilePrivilege	3992	wmic.exe
Token: SeBackupPrivilege	3992	wmic.exe
Token: SeRestorePrivilege	3992	wmic.exe
Token: SeShutdownPrivilege	3992	wmic.exe
Token: SeDebugPrivilege	3992	wmic.exe
Token: SeSystemEnvironmentPrivilege	3992	wmic.exe
Token: SeRemoteShutdownPrivilege	3992	wmic.exe
Token: SeUndockPrivilege	3992	wmic.exe
Token: SeManageVolumePrivilege	3992	wmic.exe
Token: 33	3992	wmic.exe
Token: 34	3992	wmic.exe
Token: 35	3992	wmic.exe
Token: 36	3992	wmic.exe
Token: SeIncreaseQuotaPrivilege	3992	wmic.exe
Token: SeSecurityPrivilege	3992	wmic.exe
Token: SeTakeOwnershipPrivilege	3992	wmic.exe
Token: SeLoadDriverPrivilege	3992	wmic.exe
Token: SeSystemProfilePrivilege	3992	wmic.exe
Token: SeSystemtimePrivilege	3992	wmic.exe
Token: SeProfSingleProcessPrivilege	3992	wmic.exe
Token: SeIncBasePriorityPrivilege	3992	wmic.exe
Token: SeCreatePagefilePrivilege	3992	wmic.exe
Token: SeBackupPrivilege	3992	wmic.exe
Token: SeRestorePrivilege	3992	wmic.exe
Token: SeShutdownPrivilege	3992	wmic.exe
Token: SeDebugPrivilege	3992	wmic.exe
Token: SeSystemEnvironmentPrivilege	3992	wmic.exe
Token: SeRemoteShutdownPrivilege	3992	wmic.exe
Token: SeUndockPrivilege	3992	wmic.exe
Token: SeManageVolumePrivilege	3992	wmic.exe
Token: 33	3992	wmic.exe
Token: 34	3992	wmic.exe
Token: 35	3992	wmic.exe
Token: 36	3992	wmic.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 420 wrote to memory of 3992	420	HavocV2.exe	75
PID 420 wrote to memory of 3992	420	HavocV2.exe	75

C:\Users\Admin\AppData\Local\Temp\HavocV2.exe
"C:\Users\Admin\AppData\Local\Temp\HavocV2.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:420
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3992

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/420-0-0x0000021E20120000-0x0000021E20188000-memory.dmp

Filesize
416KB

Download
memory/420-1-0x00007FFC599D0000-0x00007FFC5A3BC000-memory.dmp

Filesize
9.9MB

Download
memory/420-2-0x0000021E20550000-0x0000021E20560000-memory.dmp

Filesize
64KB

Download
memory/420-4-0x00007FFC599D0000-0x00007FFC5A3BC000-memory.dmp

Filesize
9.9MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads