umbral | edd1e3ff0f0c032599ce66382d4f4487660fd283ba5d3013fa3374c4604449b4

Analysis

max time kernel
121s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
21-02-2024 18:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Umbral.exe
Size

231KB
MD5

5a16bf141dbcf75260bad1c54966e13c
SHA1

634be534e99829d3eadf84ca3012e2f1258d89a5
SHA256

edd1e3ff0f0c032599ce66382d4f4487660fd283ba5d3013fa3374c4604449b4
SHA512

847ac52edf8e62dd3aca4b98c671133e579cd2a1b4f8d69a4066fff08d0ed658848bda4613f42c74e70814ddb00580e06114503d312fcf4df81162d8b85b1725
SSDEEP

6144:RloZM+rIkd8g+EtXHkv/iD4C9MsyVtGtTOMdRYW4l+VF8e1mWj44Di:joZtL+EP8C9MsyVtGtTOMdRYvl6y4O

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral1/memory/1908-0-0x0000000000210000-0x0000000000250000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeDebugPrivilege	1908	Umbral.exe
Token: SeIncreaseQuotaPrivilege	3068	wmic.exe
Token: SeSecurityPrivilege	3068	wmic.exe
Token: SeTakeOwnershipPrivilege	3068	wmic.exe
Token: SeLoadDriverPrivilege	3068	wmic.exe
Token: SeSystemProfilePrivilege	3068	wmic.exe
Token: SeSystemtimePrivilege	3068	wmic.exe
Token: SeProfSingleProcessPrivilege	3068	wmic.exe
Token: SeIncBasePriorityPrivilege	3068	wmic.exe
Token: SeCreatePagefilePrivilege	3068	wmic.exe
Token: SeBackupPrivilege	3068	wmic.exe
Token: SeRestorePrivilege	3068	wmic.exe
Token: SeShutdownPrivilege	3068	wmic.exe
Token: SeDebugPrivilege	3068	wmic.exe
Token: SeSystemEnvironmentPrivilege	3068	wmic.exe
Token: SeRemoteShutdownPrivilege	3068	wmic.exe
Token: SeUndockPrivilege	3068	wmic.exe
Token: SeManageVolumePrivilege	3068	wmic.exe
Token: 33	3068	wmic.exe
Token: 34	3068	wmic.exe
Token: 35	3068	wmic.exe
Token: SeIncreaseQuotaPrivilege	3068	wmic.exe
Token: SeSecurityPrivilege	3068	wmic.exe
Token: SeTakeOwnershipPrivilege	3068	wmic.exe
Token: SeLoadDriverPrivilege	3068	wmic.exe
Token: SeSystemProfilePrivilege	3068	wmic.exe
Token: SeSystemtimePrivilege	3068	wmic.exe
Token: SeProfSingleProcessPrivilege	3068	wmic.exe
Token: SeIncBasePriorityPrivilege	3068	wmic.exe
Token: SeCreatePagefilePrivilege	3068	wmic.exe
Token: SeBackupPrivilege	3068	wmic.exe
Token: SeRestorePrivilege	3068	wmic.exe
Token: SeShutdownPrivilege	3068	wmic.exe
Token: SeDebugPrivilege	3068	wmic.exe
Token: SeSystemEnvironmentPrivilege	3068	wmic.exe
Token: SeRemoteShutdownPrivilege	3068	wmic.exe
Token: SeUndockPrivilege	3068	wmic.exe
Token: SeManageVolumePrivilege	3068	wmic.exe
Token: 33	3068	wmic.exe
Token: 34	3068	wmic.exe
Token: 35	3068	wmic.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1908 wrote to memory of 3068	1908	Umbral.exe	28
PID 1908 wrote to memory of 3068	1908	Umbral.exe	28
PID 1908 wrote to memory of 3068	1908	Umbral.exe	28

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3068

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1908-0-0x0000000000210000-0x0000000000250000-memory.dmp

Filesize
256KB

Download
memory/1908-1-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

Filesize
9.9MB

Download
memory/1908-2-0x000000001B2C0000-0x000000001B340000-memory.dmp

Filesize
512KB

Download
memory/1908-3-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads