umbral | a56f91fc9c991c4a2c3f29d2aee8d7729ba0e3209f45f8d38e3854cbeb1905cf

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
09-03-2024 18:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

UDware.exe
Size

230KB
MD5

a8239dd24c8bcc00d3ba4472126d0739
SHA1

453ee2f28b1c5cb171f02be902c694ffc3afaf78
SHA256

a56f91fc9c991c4a2c3f29d2aee8d7729ba0e3209f45f8d38e3854cbeb1905cf
SHA512

a6f0e2dbbdd1bbf6e8b024984653df910c12c9222a13ec2982da98f08a7002f222a0165c05a0ea9889a67c237516e4d6382650bfc37e7fbc2eb211fdfb8df4b7
SSDEEP

6144:1loZM+rIkd8g+EtXHkv/iD4fY1OsTPkNFQu//OFfbtxjY8e1mli:XoZtL+EP8fY1OsTPkNFQu//O1xx6z

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral1/memory/2364-0-0x0000000001190000-0x00000000011D0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeDebugPrivilege	2364	UDware.exe
Token: SeIncreaseQuotaPrivilege	2548	wmic.exe
Token: SeSecurityPrivilege	2548	wmic.exe
Token: SeTakeOwnershipPrivilege	2548	wmic.exe
Token: SeLoadDriverPrivilege	2548	wmic.exe
Token: SeSystemProfilePrivilege	2548	wmic.exe
Token: SeSystemtimePrivilege	2548	wmic.exe
Token: SeProfSingleProcessPrivilege	2548	wmic.exe
Token: SeIncBasePriorityPrivilege	2548	wmic.exe
Token: SeCreatePagefilePrivilege	2548	wmic.exe
Token: SeBackupPrivilege	2548	wmic.exe
Token: SeRestorePrivilege	2548	wmic.exe
Token: SeShutdownPrivilege	2548	wmic.exe
Token: SeDebugPrivilege	2548	wmic.exe
Token: SeSystemEnvironmentPrivilege	2548	wmic.exe
Token: SeRemoteShutdownPrivilege	2548	wmic.exe
Token: SeUndockPrivilege	2548	wmic.exe
Token: SeManageVolumePrivilege	2548	wmic.exe
Token: 33	2548	wmic.exe
Token: 34	2548	wmic.exe
Token: 35	2548	wmic.exe
Token: SeIncreaseQuotaPrivilege	2548	wmic.exe
Token: SeSecurityPrivilege	2548	wmic.exe
Token: SeTakeOwnershipPrivilege	2548	wmic.exe
Token: SeLoadDriverPrivilege	2548	wmic.exe
Token: SeSystemProfilePrivilege	2548	wmic.exe
Token: SeSystemtimePrivilege	2548	wmic.exe
Token: SeProfSingleProcessPrivilege	2548	wmic.exe
Token: SeIncBasePriorityPrivilege	2548	wmic.exe
Token: SeCreatePagefilePrivilege	2548	wmic.exe
Token: SeBackupPrivilege	2548	wmic.exe
Token: SeRestorePrivilege	2548	wmic.exe
Token: SeShutdownPrivilege	2548	wmic.exe
Token: SeDebugPrivilege	2548	wmic.exe
Token: SeSystemEnvironmentPrivilege	2548	wmic.exe
Token: SeRemoteShutdownPrivilege	2548	wmic.exe
Token: SeUndockPrivilege	2548	wmic.exe
Token: SeManageVolumePrivilege	2548	wmic.exe
Token: 33	2548	wmic.exe
Token: 34	2548	wmic.exe
Token: 35	2548	wmic.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2548	2364	UDware.exe	28
PID 2364 wrote to memory of 2548	2364	UDware.exe	28
PID 2364 wrote to memory of 2548	2364	UDware.exe	28

C:\Users\Admin\AppData\Local\Temp\UDware.exe
"C:\Users\Admin\AppData\Local\Temp\UDware.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2548

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2364-0-0x0000000001190000-0x00000000011D0000-memory.dmp

Filesize
256KB

Download
memory/2364-1-0x000007FEF5760000-0x000007FEF614C000-memory.dmp

Filesize
9.9MB

Download
memory/2364-2-0x0000000001010000-0x0000000001090000-memory.dmp

Filesize
512KB

Download
memory/2364-3-0x000007FEF5760000-0x000007FEF614C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads