umbral | 56fc44d67e6f5da9d9a9aff9c07826b9680f3b0211eddd0b5a1e49d458bce46f

Analysis

max time kernel
92s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
21-03-2024 17:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Umbral.builder.exe
Size

227KB
MD5

322135f613ef605e98df134458cc4753
SHA1

7c573533103f0dac7d907478e3ece5d0d171d679
SHA256

56fc44d67e6f5da9d9a9aff9c07826b9680f3b0211eddd0b5a1e49d458bce46f
SHA512

ab85dd153a591a5f359d47b55fee57b84fe0bd6c5a7ef0e3f128e95ee176d0dccb695cd577f1e8f278ed4eb75056a90af48d32c74825f49918e4ac65cc47376f
SSDEEP

6144:+loZM+rIkd8g+EtXHkv/iD48G4oIuphCyn6opNsw8b8e1mcLi:ooZtL+EP88G4oIuphCyn6opNsh7G

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral2/memory/2924-0-0x0000022EED750000-0x0000022EED790000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	2924	Umbral.builder.exe
Token: SeIncreaseQuotaPrivilege	1084	wmic.exe
Token: SeSecurityPrivilege	1084	wmic.exe
Token: SeTakeOwnershipPrivilege	1084	wmic.exe
Token: SeLoadDriverPrivilege	1084	wmic.exe
Token: SeSystemProfilePrivilege	1084	wmic.exe
Token: SeSystemtimePrivilege	1084	wmic.exe
Token: SeProfSingleProcessPrivilege	1084	wmic.exe
Token: SeIncBasePriorityPrivilege	1084	wmic.exe
Token: SeCreatePagefilePrivilege	1084	wmic.exe
Token: SeBackupPrivilege	1084	wmic.exe
Token: SeRestorePrivilege	1084	wmic.exe
Token: SeShutdownPrivilege	1084	wmic.exe
Token: SeDebugPrivilege	1084	wmic.exe
Token: SeSystemEnvironmentPrivilege	1084	wmic.exe
Token: SeRemoteShutdownPrivilege	1084	wmic.exe
Token: SeUndockPrivilege	1084	wmic.exe
Token: SeManageVolumePrivilege	1084	wmic.exe
Token: 33	1084	wmic.exe
Token: 34	1084	wmic.exe
Token: 35	1084	wmic.exe
Token: 36	1084	wmic.exe
Token: SeIncreaseQuotaPrivilege	1084	wmic.exe
Token: SeSecurityPrivilege	1084	wmic.exe
Token: SeTakeOwnershipPrivilege	1084	wmic.exe
Token: SeLoadDriverPrivilege	1084	wmic.exe
Token: SeSystemProfilePrivilege	1084	wmic.exe
Token: SeSystemtimePrivilege	1084	wmic.exe
Token: SeProfSingleProcessPrivilege	1084	wmic.exe
Token: SeIncBasePriorityPrivilege	1084	wmic.exe
Token: SeCreatePagefilePrivilege	1084	wmic.exe
Token: SeBackupPrivilege	1084	wmic.exe
Token: SeRestorePrivilege	1084	wmic.exe
Token: SeShutdownPrivilege	1084	wmic.exe
Token: SeDebugPrivilege	1084	wmic.exe
Token: SeSystemEnvironmentPrivilege	1084	wmic.exe
Token: SeRemoteShutdownPrivilege	1084	wmic.exe
Token: SeUndockPrivilege	1084	wmic.exe
Token: SeManageVolumePrivilege	1084	wmic.exe
Token: 33	1084	wmic.exe
Token: 34	1084	wmic.exe
Token: 35	1084	wmic.exe
Token: 36	1084	wmic.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 1084	2924	Umbral.builder.exe	90
PID 2924 wrote to memory of 1084	2924	Umbral.builder.exe	90

C:\Users\Admin\AppData\Local\Temp\Umbral.builder.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.builder.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1084

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2924-0-0x0000022EED750000-0x0000022EED790000-memory.dmp

Filesize
256KB

Download
memory/2924-1-0x00007FF9B6020000-0x00007FF9B6AE1000-memory.dmp

Filesize
10.8MB

Download
memory/2924-2-0x0000022EEFB40000-0x0000022EEFB50000-memory.dmp

Filesize
64KB

Download
memory/2924-4-0x00007FF9B6020000-0x00007FF9B6AE1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads