umbral | dc11360acf8f01be72fb50c373151b074c843e23acd14bbf459f952932ed79db

Resubmissions

20-02-2024 04:04

240220-emykvsaf5s 10

20-02-2024 04:01

240220-elnz2abc35 3

Analysis

max time kernel
16s
max time network
18s
platform
windows11-21h2_x64
resource
win11-20240214-en
resource tags

arch:x64arch:x86image:win11-20240214-enlocale:en-usos:windows11-21h2-x64system
submitted
20-02-2024 04:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Steam.exe
Size

765KB
MD5

888d4a78e9c446900067465ada4b5f16
SHA1

43e52673ff86ab636dc69d7ecefa044ab9ade21e
SHA256

dc11360acf8f01be72fb50c373151b074c843e23acd14bbf459f952932ed79db
SHA512

b6159e05c4b4cb9668f2ed780903153514ad90d9a34dc30da7ba26c494dc4928fad97c1f2d3d554c435435123e1fdbc5dd284243f5163d94f0fcc05a9b19d45d
SSDEEP

6144:+y8dQia/duhetNmtxpgmLKzmseFuaTOYYmWWTMNlOuKLMhp+GIIIIIIIhIIIIII3:+y8dWEEGjFHsLBi

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000300000002a780-4.dat	family_umbral
behavioral1/memory/4924-11-0x00000218FE300000-0x00000218FE382000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Executes dropped EXE 1 IoCs

pid	Process
4924	Steam.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Steam.exe	Steam.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	4924	Steam.exe
Token: SeIncreaseQuotaPrivilege	32	wmic.exe
Token: SeSecurityPrivilege	32	wmic.exe
Token: SeTakeOwnershipPrivilege	32	wmic.exe
Token: SeLoadDriverPrivilege	32	wmic.exe
Token: SeSystemProfilePrivilege	32	wmic.exe
Token: SeSystemtimePrivilege	32	wmic.exe
Token: SeProfSingleProcessPrivilege	32	wmic.exe
Token: SeIncBasePriorityPrivilege	32	wmic.exe
Token: SeCreatePagefilePrivilege	32	wmic.exe
Token: SeBackupPrivilege	32	wmic.exe
Token: SeRestorePrivilege	32	wmic.exe
Token: SeShutdownPrivilege	32	wmic.exe
Token: SeDebugPrivilege	32	wmic.exe
Token: SeSystemEnvironmentPrivilege	32	wmic.exe
Token: SeRemoteShutdownPrivilege	32	wmic.exe
Token: SeUndockPrivilege	32	wmic.exe
Token: SeManageVolumePrivilege	32	wmic.exe
Token: 33	32	wmic.exe
Token: 34	32	wmic.exe
Token: 35	32	wmic.exe
Token: 36	32	wmic.exe
Token: SeIncreaseQuotaPrivilege	32	wmic.exe
Token: SeSecurityPrivilege	32	wmic.exe
Token: SeTakeOwnershipPrivilege	32	wmic.exe
Token: SeLoadDriverPrivilege	32	wmic.exe
Token: SeSystemProfilePrivilege	32	wmic.exe
Token: SeSystemtimePrivilege	32	wmic.exe
Token: SeProfSingleProcessPrivilege	32	wmic.exe
Token: SeIncBasePriorityPrivilege	32	wmic.exe
Token: SeCreatePagefilePrivilege	32	wmic.exe
Token: SeBackupPrivilege	32	wmic.exe
Token: SeRestorePrivilege	32	wmic.exe
Token: SeShutdownPrivilege	32	wmic.exe
Token: SeDebugPrivilege	32	wmic.exe
Token: SeSystemEnvironmentPrivilege	32	wmic.exe
Token: SeRemoteShutdownPrivilege	32	wmic.exe
Token: SeUndockPrivilege	32	wmic.exe
Token: SeManageVolumePrivilege	32	wmic.exe
Token: 33	32	wmic.exe
Token: 34	32	wmic.exe
Token: 35	32	wmic.exe
Token: 36	32	wmic.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 716 wrote to memory of 4924	716	Steam.exe	79
PID 716 wrote to memory of 4924	716	Steam.exe	79
PID 4924 wrote to memory of 32	4924	Steam.exe	81
PID 4924 wrote to memory of 32	4924	Steam.exe	81

C:\Users\Admin\AppData\Local\Temp\Steam.exe
"C:\Users\Admin\AppData\Local\Temp\Steam.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:716
- C:\Windows\Steam.exe
  "C:\Windows\Steam.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4924
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:32

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Steam.exe

Filesize
495KB

MD5
0f305065fcccc8be8253a197ee3e0a88

SHA1
94696b4a7bfc72206005ff40b1a216a3b88786e8

SHA256
8b43255477dbd9e15699b4d6c42f63c945e6be86ef52ef59c4e86252629bc118

SHA512
3d0276508da2ed3d2abbda7aca20c6523979d878bddb5b4a638edc28063c41de6c0300d59c6f62347150ee8add382d8dfd2a2d97bd041b3b24159536cb5f2468

Download Submit
memory/4924-11-0x00000218FE300000-0x00000218FE382000-memory.dmp

Filesize
520KB

Download
memory/4924-12-0x00007FF9F50F0000-0x00007FF9F5BB2000-memory.dmp

Filesize
10.8MB

Download
memory/4924-13-0x00000218FF700000-0x00000218FF710000-memory.dmp

Filesize
64KB

Download
memory/4924-15-0x00007FF9F50F0000-0x00007FF9F5BB2000-memory.dmp

Filesize
10.8MB

Download