umbral | 9041042642f5c0b67443490fc595aaaa1858c3a8582602969f1af568cad398e9

Analysis

max time kernel
1653s
max time network
1626s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
15/03/2024, 21:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

PeerDistAD.exe
Size

229KB
MD5

afa8bb7e6708d4b5c056079f642b65f9
SHA1

3cadcd7a2da0bc26fd7912f46bdc692e51752913
SHA256

9041042642f5c0b67443490fc595aaaa1858c3a8582602969f1af568cad398e9
SHA512

46392d04c3827a9f1602685bae2b10a69306839ce3af5b51889a70925e48654e0b8793ae4f68a4ce94f7c7dc71d0d69f0437583417b32cef9619024294351ed4
SSDEEP

6144:lloZM+rIkd8g+EtXHkv/iD4Z/kJ2U7X8+toGnnGr8+cI8e1mAi:noZtL+EP8Z/kJ2U7X8+toGnnGr8S6

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral2/memory/436-0-0x000001CC209E0000-0x000001CC20A20000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	436	PeerDistAD.exe
Token: SeIncreaseQuotaPrivilege	1584	wmic.exe
Token: SeSecurityPrivilege	1584	wmic.exe
Token: SeTakeOwnershipPrivilege	1584	wmic.exe
Token: SeLoadDriverPrivilege	1584	wmic.exe
Token: SeSystemProfilePrivilege	1584	wmic.exe
Token: SeSystemtimePrivilege	1584	wmic.exe
Token: SeProfSingleProcessPrivilege	1584	wmic.exe
Token: SeIncBasePriorityPrivilege	1584	wmic.exe
Token: SeCreatePagefilePrivilege	1584	wmic.exe
Token: SeBackupPrivilege	1584	wmic.exe
Token: SeRestorePrivilege	1584	wmic.exe
Token: SeShutdownPrivilege	1584	wmic.exe
Token: SeDebugPrivilege	1584	wmic.exe
Token: SeSystemEnvironmentPrivilege	1584	wmic.exe
Token: SeRemoteShutdownPrivilege	1584	wmic.exe
Token: SeUndockPrivilege	1584	wmic.exe
Token: SeManageVolumePrivilege	1584	wmic.exe
Token: 33	1584	wmic.exe
Token: 34	1584	wmic.exe
Token: 35	1584	wmic.exe
Token: 36	1584	wmic.exe
Token: SeIncreaseQuotaPrivilege	1584	wmic.exe
Token: SeSecurityPrivilege	1584	wmic.exe
Token: SeTakeOwnershipPrivilege	1584	wmic.exe
Token: SeLoadDriverPrivilege	1584	wmic.exe
Token: SeSystemProfilePrivilege	1584	wmic.exe
Token: SeSystemtimePrivilege	1584	wmic.exe
Token: SeProfSingleProcessPrivilege	1584	wmic.exe
Token: SeIncBasePriorityPrivilege	1584	wmic.exe
Token: SeCreatePagefilePrivilege	1584	wmic.exe
Token: SeBackupPrivilege	1584	wmic.exe
Token: SeRestorePrivilege	1584	wmic.exe
Token: SeShutdownPrivilege	1584	wmic.exe
Token: SeDebugPrivilege	1584	wmic.exe
Token: SeSystemEnvironmentPrivilege	1584	wmic.exe
Token: SeRemoteShutdownPrivilege	1584	wmic.exe
Token: SeUndockPrivilege	1584	wmic.exe
Token: SeManageVolumePrivilege	1584	wmic.exe
Token: 33	1584	wmic.exe
Token: 34	1584	wmic.exe
Token: 35	1584	wmic.exe
Token: 36	1584	wmic.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 436 wrote to memory of 1584	436	PeerDistAD.exe	85
PID 436 wrote to memory of 1584	436	PeerDistAD.exe	85

C:\Users\Admin\AppData\Local\Temp\PeerDistAD.exe
"C:\Users\Admin\AppData\Local\Temp\PeerDistAD.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:436
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1584

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/436-0-0x000001CC209E0000-0x000001CC20A20000-memory.dmp

Filesize
256KB

Download
memory/436-1-0x00007FF8B74D0000-0x00007FF8B7F91000-memory.dmp

Filesize
10.8MB

Download
memory/436-2-0x000001CC20E60000-0x000001CC20E70000-memory.dmp

Filesize
64KB

Download
memory/436-4-0x00007FF8B74D0000-0x00007FF8B7F91000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads