umbral | 6dc0348b0f789df9b0f10d3ec7710be4b968f49c1dd047d3ac5402ad5e14fbd6

Analysis

max time kernel
146s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06-03-2024 12:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Cynosys.exe
Size

229KB
MD5

44712f3532cebbe19d97d59c16baad09
SHA1

77d521294b8deac4745dab8b843ebc5f875ac26c
SHA256

6dc0348b0f789df9b0f10d3ec7710be4b968f49c1dd047d3ac5402ad5e14fbd6
SHA512

06433d35fc99d4cf6b05322659672f41901bb788fde0e89a2e61b32fca33fb67fcf01a69d196adeafa7e90b254d2ca68a805cd612a5e2352fe0a9ba07dbcaf2a
SSDEEP

6144:lloZMxrIkd8g+EtXHkv/iD4wPAVdLocD0abtIExe5Y+lU8e1mXUi:noZiL+EP84AVdLocD0abtIExUIKd

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral2/memory/4412-0-0x0000019811BD0000-0x0000019811C10000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	4412	Cynosys.exe
Token: SeIncreaseQuotaPrivilege	1748	wmic.exe
Token: SeSecurityPrivilege	1748	wmic.exe
Token: SeTakeOwnershipPrivilege	1748	wmic.exe
Token: SeLoadDriverPrivilege	1748	wmic.exe
Token: SeSystemProfilePrivilege	1748	wmic.exe
Token: SeSystemtimePrivilege	1748	wmic.exe
Token: SeProfSingleProcessPrivilege	1748	wmic.exe
Token: SeIncBasePriorityPrivilege	1748	wmic.exe
Token: SeCreatePagefilePrivilege	1748	wmic.exe
Token: SeBackupPrivilege	1748	wmic.exe
Token: SeRestorePrivilege	1748	wmic.exe
Token: SeShutdownPrivilege	1748	wmic.exe
Token: SeDebugPrivilege	1748	wmic.exe
Token: SeSystemEnvironmentPrivilege	1748	wmic.exe
Token: SeRemoteShutdownPrivilege	1748	wmic.exe
Token: SeUndockPrivilege	1748	wmic.exe
Token: SeManageVolumePrivilege	1748	wmic.exe
Token: 33	1748	wmic.exe
Token: 34	1748	wmic.exe
Token: 35	1748	wmic.exe
Token: 36	1748	wmic.exe
Token: SeIncreaseQuotaPrivilege	1748	wmic.exe
Token: SeSecurityPrivilege	1748	wmic.exe
Token: SeTakeOwnershipPrivilege	1748	wmic.exe
Token: SeLoadDriverPrivilege	1748	wmic.exe
Token: SeSystemProfilePrivilege	1748	wmic.exe
Token: SeSystemtimePrivilege	1748	wmic.exe
Token: SeProfSingleProcessPrivilege	1748	wmic.exe
Token: SeIncBasePriorityPrivilege	1748	wmic.exe
Token: SeCreatePagefilePrivilege	1748	wmic.exe
Token: SeBackupPrivilege	1748	wmic.exe
Token: SeRestorePrivilege	1748	wmic.exe
Token: SeShutdownPrivilege	1748	wmic.exe
Token: SeDebugPrivilege	1748	wmic.exe
Token: SeSystemEnvironmentPrivilege	1748	wmic.exe
Token: SeRemoteShutdownPrivilege	1748	wmic.exe
Token: SeUndockPrivilege	1748	wmic.exe
Token: SeManageVolumePrivilege	1748	wmic.exe
Token: 33	1748	wmic.exe
Token: 34	1748	wmic.exe
Token: 35	1748	wmic.exe
Token: 36	1748	wmic.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4412 wrote to memory of 1748	4412	Cynosys.exe	89
PID 4412 wrote to memory of 1748	4412	Cynosys.exe	89

C:\Users\Admin\AppData\Local\Temp\Cynosys.exe
"C:\Users\Admin\AppData\Local\Temp\Cynosys.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4412
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1748

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4412-0-0x0000019811BD0000-0x0000019811C10000-memory.dmp

Filesize
256KB

Download
memory/4412-1-0x00007FF841030000-0x00007FF841AF1000-memory.dmp

Filesize
10.8MB

Download
memory/4412-2-0x000001982C140000-0x000001982C150000-memory.dmp

Filesize
64KB

Download
memory/4412-4-0x00007FF841030000-0x00007FF841AF1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads