Analysis
  max time kernel: 117s
  max time network: 118s
  platform: windows7_x64
  resource: win7-20240221-en
  resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  submitted: 28-04-2024 18:10
Behavioral task: behavioral1
  Sample: Umbral.exe
  Resource: win7-20240221-en (windows7-x64)
  4 signatures, 150 seconds
General
  Target: Umbral.exe
  Size: 229KB
  MD5: ac6dc91bec5d51b9b8f7b36642f875db
  SHA1: ebf088795549ec27047225f14b3263c7b022168e
  SHA256: cb32d0fc4534e19ae8009edacbe41b2aac5755b8c7bf233fd4c9b39a00f9b318
  SHA512: d44f953ea4aac986c5eea7242ad0d0b6143117781ab9f35537523ad0f4cf95b23c5aeb223ba74febba96afd9006b3f20edbc2bba2113661aa6d56368c93598da
  SSDEEP: 6144:tloZM+rIkd8g+EtXHkv/iD4qacRCg/7IER0STTKreb8e1mHi:voZtL+EP8qacRCg/7IER0STTK2Z
Malware Config
Signatures

  Detect Umbral payload (2 IoCs)
    resource                                                                    yara_rule
    behavioral1/memory/1968-0-0x00000000000F0000-0x0000000000130000-memory.dmp  family_umbral
    behavioral1/memory/1968-2-0x000000001A8A0000-0x000000001A920000-memory.dmp  family_umbral

  Suspicious use of AdjustPrivilegeToken (41 IoCs)
    description                              pid   Process
    Token: SeDebugPrivilege                  1968  Umbral.exe
    Token: SeIncreaseQuotaPrivilege          2512  wmic.exe
    Token: SeSecurityPrivilege               2512  wmic.exe
    Token: SeTakeOwnershipPrivilege          2512  wmic.exe
    Token: SeLoadDriverPrivilege             2512  wmic.exe
    Token: SeSystemProfilePrivilege          2512  wmic.exe
    Token: SeSystemtimePrivilege             2512  wmic.exe
    Token: SeProfSingleProcessPrivilege      2512  wmic.exe
    Token: SeIncBasePriorityPrivilege        2512  wmic.exe
    Token: SeCreatePagefilePrivilege         2512  wmic.exe
    Token: SeBackupPrivilege                 2512  wmic.exe
    Token: SeRestorePrivilege                2512  wmic.exe
    Token: SeShutdownPrivilege               2512  wmic.exe
    Token: SeDebugPrivilege                  2512  wmic.exe
    Token: SeSystemEnvironmentPrivilege      2512  wmic.exe
    Token: SeRemoteShutdownPrivilege         2512  wmic.exe
    Token: SeUndockPrivilege                 2512  wmic.exe
    Token: SeManageVolumePrivilege           2512  wmic.exe
    Token: 33                                2512  wmic.exe
    Token: 34                                2512  wmic.exe
    Token: 35                                2512  wmic.exe
    Token: SeIncreaseQuotaPrivilege          2512  wmic.exe
    Token: SeSecurityPrivilege               2512  wmic.exe
    Token: SeTakeOwnershipPrivilege          2512  wmic.exe
    Token: SeLoadDriverPrivilege             2512  wmic.exe
    Token: SeSystemProfilePrivilege          2512  wmic.exe
    Token: SeSystemtimePrivilege             2512  wmic.exe
    Token: SeProfSingleProcessPrivilege      2512  wmic.exe
    Token: SeIncBasePriorityPrivilege        2512  wmic.exe
    Token: SeCreatePagefilePrivilege         2512  wmic.exe
    Token: SeBackupPrivilege                 2512  wmic.exe
    Token: SeRestorePrivilege                2512  wmic.exe
    Token: SeShutdownPrivilege               2512  wmic.exe
    Token: SeDebugPrivilege                  2512  wmic.exe
    Token: SeSystemEnvironmentPrivilege      2512  wmic.exe
    Token: SeRemoteShutdownPrivilege         2512  wmic.exe
    Token: SeUndockPrivilege                 2512  wmic.exe
    Token: SeManageVolumePrivilege           2512  wmic.exe
    Token: 33                                2512  wmic.exe
    Token: 34                                2512  wmic.exe
    Token: 35                                2512  wmic.exe

  Suspicious use of WriteProcessMemory (3 IoCs)
    description                          pid   Process     procid_target
    PID 1968 wrote to memory of 2512     1968  Umbral.exe  28
    PID 1968 wrote to memory of 2512     1968  Umbral.exe  28
    PID 1968 wrote to memory of 2512     1968  Umbral.exe  28
Processes
  1. C:\Users\Admin\AppData\Local\Temp\Umbral.exe
     command line: "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
     PID: 1968
       - Suspicious use of AdjustPrivilegeToken
       - Suspicious use of WriteProcessMemory
     2. C:\Windows\System32\Wbem\wmic.exe
        command line: "wmic.exe" csproduct get uuid
        PID: 2512
          - Suspicious use of AdjustPrivilegeToken