umbral | 33da805f17a081bcddedae6be9cc2427d0a9b786cd62c1e44440893c02e04bb8

Analysis

max time kernel
117s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29-02-2024 18:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6867bdcccea54ee53c6a50c31b512bd1.exe
Size

394KB
MD5

6867bdcccea54ee53c6a50c31b512bd1
SHA1

5d0e8e73b38eb1d5cfcb158dac68a121466d6719
SHA256

33da805f17a081bcddedae6be9cc2427d0a9b786cd62c1e44440893c02e04bb8
SHA512

6740a2333e8aadbc02f4d63e466ef6f02f4b914bbe3abea9aeeb31d5c10774cc7a2a86e2d4ecc714cf899dd10656114da569a537c5a49ba7f591766f7a60e90c
SSDEEP

6144:aloZM+rIkd8g+EtXHkv/iD4LD/xEKtFuHr20VJgU0b8e1m/lm4iUG:koZtL+EP8LD/xEKtFuHr20VJghzBh

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral1/memory/2692-0-0x00000000008D0000-0x0000000000938000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Detects executables attemping to enumerate video devices using WMI 1 IoCs

resource	yara_rule
behavioral1/memory/2692-0-0x00000000008D0000-0x0000000000938000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice

Detects executables containing possible sandbox analysis VM names 1 IoCs

resource	yara_rule
behavioral1/memory/2692-0-0x00000000008D0000-0x0000000000938000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxComputerNames

Detects executables containing possible sandbox analysis VM usernames 1 IoCs

resource	yara_rule
behavioral1/memory/2692-0-0x00000000008D0000-0x0000000000938000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames

Detects executables containing possible sandbox system UUIDs 1 IoCs

resource	yara_rule
behavioral1/memory/2692-0-0x00000000008D0000-0x0000000000938000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxSystemUUIDs

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeDebugPrivilege	2692	6867bdcccea54ee53c6a50c31b512bd1.exe
Token: SeIncreaseQuotaPrivilege	2608	wmic.exe
Token: SeSecurityPrivilege	2608	wmic.exe
Token: SeTakeOwnershipPrivilege	2608	wmic.exe
Token: SeLoadDriverPrivilege	2608	wmic.exe
Token: SeSystemProfilePrivilege	2608	wmic.exe
Token: SeSystemtimePrivilege	2608	wmic.exe
Token: SeProfSingleProcessPrivilege	2608	wmic.exe
Token: SeIncBasePriorityPrivilege	2608	wmic.exe
Token: SeCreatePagefilePrivilege	2608	wmic.exe
Token: SeBackupPrivilege	2608	wmic.exe
Token: SeRestorePrivilege	2608	wmic.exe
Token: SeShutdownPrivilege	2608	wmic.exe
Token: SeDebugPrivilege	2608	wmic.exe
Token: SeSystemEnvironmentPrivilege	2608	wmic.exe
Token: SeRemoteShutdownPrivilege	2608	wmic.exe
Token: SeUndockPrivilege	2608	wmic.exe
Token: SeManageVolumePrivilege	2608	wmic.exe
Token: 33	2608	wmic.exe
Token: 34	2608	wmic.exe
Token: 35	2608	wmic.exe
Token: SeIncreaseQuotaPrivilege	2608	wmic.exe
Token: SeSecurityPrivilege	2608	wmic.exe
Token: SeTakeOwnershipPrivilege	2608	wmic.exe
Token: SeLoadDriverPrivilege	2608	wmic.exe
Token: SeSystemProfilePrivilege	2608	wmic.exe
Token: SeSystemtimePrivilege	2608	wmic.exe
Token: SeProfSingleProcessPrivilege	2608	wmic.exe
Token: SeIncBasePriorityPrivilege	2608	wmic.exe
Token: SeCreatePagefilePrivilege	2608	wmic.exe
Token: SeBackupPrivilege	2608	wmic.exe
Token: SeRestorePrivilege	2608	wmic.exe
Token: SeShutdownPrivilege	2608	wmic.exe
Token: SeDebugPrivilege	2608	wmic.exe
Token: SeSystemEnvironmentPrivilege	2608	wmic.exe
Token: SeRemoteShutdownPrivilege	2608	wmic.exe
Token: SeUndockPrivilege	2608	wmic.exe
Token: SeManageVolumePrivilege	2608	wmic.exe
Token: 33	2608	wmic.exe
Token: 34	2608	wmic.exe
Token: 35	2608	wmic.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 2608	2692	6867bdcccea54ee53c6a50c31b512bd1.exe	28
PID 2692 wrote to memory of 2608	2692	6867bdcccea54ee53c6a50c31b512bd1.exe	28
PID 2692 wrote to memory of 2608	2692	6867bdcccea54ee53c6a50c31b512bd1.exe	28

C:\Users\Admin\AppData\Local\Temp\6867bdcccea54ee53c6a50c31b512bd1.exe
"C:\Users\Admin\AppData\Local\Temp\6867bdcccea54ee53c6a50c31b512bd1.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2608

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2692-0-0x00000000008D0000-0x0000000000938000-memory.dmp

Filesize
416KB

Download
memory/2692-1-0x000007FEF5D30000-0x000007FEF671C000-memory.dmp

Filesize
9.9MB

Download
memory/2692-2-0x000000001A810000-0x000000001A890000-memory.dmp

Filesize
512KB

Download
memory/2692-3-0x000007FEF5D30000-0x000007FEF671C000-memory.dmp

Filesize
9.9MB

Download