umbral | eff59569967501a5e21ff3f8be9cc487e30d23e1538aeb121f9ab0955c308849

Analysis

max time kernel
117s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-03-2024 17:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0x000f0000000006fd-20.exe
Size

227KB
MD5

05c183f8c0d871d6081f1ea4096805e4
SHA1

4a05aba815c8471fca4fcc9a789683385b0c24ca
SHA256

eff59569967501a5e21ff3f8be9cc487e30d23e1538aeb121f9ab0955c308849
SHA512

ef35359087662c4213f667c49182ab794fbb28dfe2a5b9e1fad5729e516b1ef08c2d7230a84e4808b693832d7b4ad43530377886cd2c993407a7fe38333ad347
SSDEEP

6144:+loZMcrIkd8g+EtXHkv/iD4AoHV1DA0rVSjVg8ZTXwb8e1m/i:ooZDL+EP8AoHV1DA0rVSjVg8ZM1

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral1/memory/2732-0-0x0000000000310000-0x0000000000350000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeDebugPrivilege	2732	0x000f0000000006fd-20.exe
Token: SeIncreaseQuotaPrivilege	2720	wmic.exe
Token: SeSecurityPrivilege	2720	wmic.exe
Token: SeTakeOwnershipPrivilege	2720	wmic.exe
Token: SeLoadDriverPrivilege	2720	wmic.exe
Token: SeSystemProfilePrivilege	2720	wmic.exe
Token: SeSystemtimePrivilege	2720	wmic.exe
Token: SeProfSingleProcessPrivilege	2720	wmic.exe
Token: SeIncBasePriorityPrivilege	2720	wmic.exe
Token: SeCreatePagefilePrivilege	2720	wmic.exe
Token: SeBackupPrivilege	2720	wmic.exe
Token: SeRestorePrivilege	2720	wmic.exe
Token: SeShutdownPrivilege	2720	wmic.exe
Token: SeDebugPrivilege	2720	wmic.exe
Token: SeSystemEnvironmentPrivilege	2720	wmic.exe
Token: SeRemoteShutdownPrivilege	2720	wmic.exe
Token: SeUndockPrivilege	2720	wmic.exe
Token: SeManageVolumePrivilege	2720	wmic.exe
Token: 33	2720	wmic.exe
Token: 34	2720	wmic.exe
Token: 35	2720	wmic.exe
Token: SeIncreaseQuotaPrivilege	2720	wmic.exe
Token: SeSecurityPrivilege	2720	wmic.exe
Token: SeTakeOwnershipPrivilege	2720	wmic.exe
Token: SeLoadDriverPrivilege	2720	wmic.exe
Token: SeSystemProfilePrivilege	2720	wmic.exe
Token: SeSystemtimePrivilege	2720	wmic.exe
Token: SeProfSingleProcessPrivilege	2720	wmic.exe
Token: SeIncBasePriorityPrivilege	2720	wmic.exe
Token: SeCreatePagefilePrivilege	2720	wmic.exe
Token: SeBackupPrivilege	2720	wmic.exe
Token: SeRestorePrivilege	2720	wmic.exe
Token: SeShutdownPrivilege	2720	wmic.exe
Token: SeDebugPrivilege	2720	wmic.exe
Token: SeSystemEnvironmentPrivilege	2720	wmic.exe
Token: SeRemoteShutdownPrivilege	2720	wmic.exe
Token: SeUndockPrivilege	2720	wmic.exe
Token: SeManageVolumePrivilege	2720	wmic.exe
Token: 33	2720	wmic.exe
Token: 34	2720	wmic.exe
Token: 35	2720	wmic.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 2720	2732	0x000f0000000006fd-20.exe	28
PID 2732 wrote to memory of 2720	2732	0x000f0000000006fd-20.exe	28
PID 2732 wrote to memory of 2720	2732	0x000f0000000006fd-20.exe	28

C:\Users\Admin\AppData\Local\Temp\0x000f0000000006fd-20.exe
"C:\Users\Admin\AppData\Local\Temp\0x000f0000000006fd-20.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2720

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2732-0-0x0000000000310000-0x0000000000350000-memory.dmp

Filesize
256KB

Download
memory/2732-1-0x000007FEF5DA0000-0x000007FEF678C000-memory.dmp

Filesize
9.9MB

Download
memory/2732-2-0x000000001A9D0000-0x000000001AA50000-memory.dmp

Filesize
512KB

Download
memory/2732-3-0x000007FEF5DA0000-0x000007FEF678C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads