umbral | 6dc0348b0f789df9b0f10d3ec7710be4b968f49c1dd047d3ac5402ad5e14fbd6

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06-03-2024 12:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Cynosys.exe
Size

229KB
MD5

44712f3532cebbe19d97d59c16baad09
SHA1

77d521294b8deac4745dab8b843ebc5f875ac26c
SHA256

6dc0348b0f789df9b0f10d3ec7710be4b968f49c1dd047d3ac5402ad5e14fbd6
SHA512

06433d35fc99d4cf6b05322659672f41901bb788fde0e89a2e61b32fca33fb67fcf01a69d196adeafa7e90b254d2ca68a805cd612a5e2352fe0a9ba07dbcaf2a
SSDEEP

6144:lloZMxrIkd8g+EtXHkv/iD4wPAVdLocD0abtIExe5Y+lU8e1mXUi:noZiL+EP84AVdLocD0abtIExUIKd

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/memory/3020-0-0x0000000000A00000-0x0000000000A40000-memory.dmp	family_umbral
behavioral1/memory/3020-2-0x0000000000500000-0x0000000000580000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeDebugPrivilege	3020	Cynosys.exe
Token: SeIncreaseQuotaPrivilege	2960	wmic.exe
Token: SeSecurityPrivilege	2960	wmic.exe
Token: SeTakeOwnershipPrivilege	2960	wmic.exe
Token: SeLoadDriverPrivilege	2960	wmic.exe
Token: SeSystemProfilePrivilege	2960	wmic.exe
Token: SeSystemtimePrivilege	2960	wmic.exe
Token: SeProfSingleProcessPrivilege	2960	wmic.exe
Token: SeIncBasePriorityPrivilege	2960	wmic.exe
Token: SeCreatePagefilePrivilege	2960	wmic.exe
Token: SeBackupPrivilege	2960	wmic.exe
Token: SeRestorePrivilege	2960	wmic.exe
Token: SeShutdownPrivilege	2960	wmic.exe
Token: SeDebugPrivilege	2960	wmic.exe
Token: SeSystemEnvironmentPrivilege	2960	wmic.exe
Token: SeRemoteShutdownPrivilege	2960	wmic.exe
Token: SeUndockPrivilege	2960	wmic.exe
Token: SeManageVolumePrivilege	2960	wmic.exe
Token: 33	2960	wmic.exe
Token: 34	2960	wmic.exe
Token: 35	2960	wmic.exe
Token: SeIncreaseQuotaPrivilege	2960	wmic.exe
Token: SeSecurityPrivilege	2960	wmic.exe
Token: SeTakeOwnershipPrivilege	2960	wmic.exe
Token: SeLoadDriverPrivilege	2960	wmic.exe
Token: SeSystemProfilePrivilege	2960	wmic.exe
Token: SeSystemtimePrivilege	2960	wmic.exe
Token: SeProfSingleProcessPrivilege	2960	wmic.exe
Token: SeIncBasePriorityPrivilege	2960	wmic.exe
Token: SeCreatePagefilePrivilege	2960	wmic.exe
Token: SeBackupPrivilege	2960	wmic.exe
Token: SeRestorePrivilege	2960	wmic.exe
Token: SeShutdownPrivilege	2960	wmic.exe
Token: SeDebugPrivilege	2960	wmic.exe
Token: SeSystemEnvironmentPrivilege	2960	wmic.exe
Token: SeRemoteShutdownPrivilege	2960	wmic.exe
Token: SeUndockPrivilege	2960	wmic.exe
Token: SeManageVolumePrivilege	2960	wmic.exe
Token: 33	2960	wmic.exe
Token: 34	2960	wmic.exe
Token: 35	2960	wmic.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 2960	3020	Cynosys.exe	28
PID 3020 wrote to memory of 2960	3020	Cynosys.exe	28
PID 3020 wrote to memory of 2960	3020	Cynosys.exe	28

C:\Users\Admin\AppData\Local\Temp\Cynosys.exe
"C:\Users\Admin\AppData\Local\Temp\Cynosys.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2960

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3020-0-0x0000000000A00000-0x0000000000A40000-memory.dmp

Filesize
256KB

Download
memory/3020-1-0x000007FEF5130000-0x000007FEF5B1C000-memory.dmp

Filesize
9.9MB

Download
memory/3020-2-0x0000000000500000-0x0000000000580000-memory.dmp

Filesize
512KB

Download
memory/3020-3-0x000007FEF5130000-0x000007FEF5B1C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads