umbral | 11e06b3c4301175f96442f0295d9dfade52bf2e9712d2a84da3c54d4d4dd47b9

Analysis

max time kernel
33s
max time network
24s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23-03-2024 19:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bulder.exe
Size

228KB
MD5

d8de90f21ece872c78887d8532bc4724
SHA1

8abf63837160fe18efb7629ed630402cf9bcb361
SHA256

11e06b3c4301175f96442f0295d9dfade52bf2e9712d2a84da3c54d4d4dd47b9
SHA512

1c02c2560f8a198b0cea474a0b90ef9b5050a3ccbb242ed1600ddf149bb4166a85d69a66622b07884f4ad59e3da447b74e1682f9376ea8d1a54ae48c2776bc49
SSDEEP

6144:xloZM+rIkd8g+EtXHkv/iD4F9KUw2xpaAPyAxVkjab8e1mci:DoZtL+EP8F9KUw2xpaAPyAxVkyG

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/memory/2308-0-0x0000000000C60000-0x0000000000CA0000-memory.dmp	family_umbral
behavioral1/memory/2308-2-0x000000001AB10000-0x000000001AB90000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeDebugPrivilege	2308	bulder.exe
Token: SeIncreaseQuotaPrivilege	2584	wmic.exe
Token: SeSecurityPrivilege	2584	wmic.exe
Token: SeTakeOwnershipPrivilege	2584	wmic.exe
Token: SeLoadDriverPrivilege	2584	wmic.exe
Token: SeSystemProfilePrivilege	2584	wmic.exe
Token: SeSystemtimePrivilege	2584	wmic.exe
Token: SeProfSingleProcessPrivilege	2584	wmic.exe
Token: SeIncBasePriorityPrivilege	2584	wmic.exe
Token: SeCreatePagefilePrivilege	2584	wmic.exe
Token: SeBackupPrivilege	2584	wmic.exe
Token: SeRestorePrivilege	2584	wmic.exe
Token: SeShutdownPrivilege	2584	wmic.exe
Token: SeDebugPrivilege	2584	wmic.exe
Token: SeSystemEnvironmentPrivilege	2584	wmic.exe
Token: SeRemoteShutdownPrivilege	2584	wmic.exe
Token: SeUndockPrivilege	2584	wmic.exe
Token: SeManageVolumePrivilege	2584	wmic.exe
Token: 33	2584	wmic.exe
Token: 34	2584	wmic.exe
Token: 35	2584	wmic.exe
Token: SeIncreaseQuotaPrivilege	2584	wmic.exe
Token: SeSecurityPrivilege	2584	wmic.exe
Token: SeTakeOwnershipPrivilege	2584	wmic.exe
Token: SeLoadDriverPrivilege	2584	wmic.exe
Token: SeSystemProfilePrivilege	2584	wmic.exe
Token: SeSystemtimePrivilege	2584	wmic.exe
Token: SeProfSingleProcessPrivilege	2584	wmic.exe
Token: SeIncBasePriorityPrivilege	2584	wmic.exe
Token: SeCreatePagefilePrivilege	2584	wmic.exe
Token: SeBackupPrivilege	2584	wmic.exe
Token: SeRestorePrivilege	2584	wmic.exe
Token: SeShutdownPrivilege	2584	wmic.exe
Token: SeDebugPrivilege	2584	wmic.exe
Token: SeSystemEnvironmentPrivilege	2584	wmic.exe
Token: SeRemoteShutdownPrivilege	2584	wmic.exe
Token: SeUndockPrivilege	2584	wmic.exe
Token: SeManageVolumePrivilege	2584	wmic.exe
Token: 33	2584	wmic.exe
Token: 34	2584	wmic.exe
Token: 35	2584	wmic.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 2584	2308	bulder.exe	28
PID 2308 wrote to memory of 2584	2308	bulder.exe	28
PID 2308 wrote to memory of 2584	2308	bulder.exe	28

C:\Users\Admin\AppData\Local\Temp\bulder.exe
"C:\Users\Admin\AppData\Local\Temp\bulder.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2584

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2308-0-0x0000000000C60000-0x0000000000CA0000-memory.dmp

Filesize
256KB

Download
memory/2308-1-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

Filesize
9.9MB

Download
memory/2308-2-0x000000001AB10000-0x000000001AB90000-memory.dmp

Filesize
512KB

Download
memory/2308-3-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads