umbral | 0e4f60dac056f2c2b989e90990ee53c6c22d1dad6f4b5c033ef0213f0e386bcf

Resubmissions

05-05-2024 20:19

240505-y3vzfsfh87 10

05-05-2024 20:15

240505-y1k2gacg3y 10

Analysis

max time kernel
134s
max time network
135s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
05-05-2024 20:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pulse.exe
Size

229KB
MD5

5edea2e562816e345ef04ef26875c7b0
SHA1

6e3894d1eb6236c238e94efe1cd0f418982a4bd0
SHA256

0e4f60dac056f2c2b989e90990ee53c6c22d1dad6f4b5c033ef0213f0e386bcf
SHA512

366fff12180f37f0e6528ca7c295e615c789c14de6266dd401108133ff20f1db047e590fe1f8a5ed6548e78ce6dbecfc4e84755d5bc5142f55fa16a5981c707d
SSDEEP

6144:lloZM+rIkd8g+EtXHkv/iD4xIyh4+ZRSJ3q459ckNb8e1mxi:noZtL+EP8xIyh4+ZRSJ3q459cUD

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral1/memory/2272-1-0x0000020A60DE0000-0x0000020A60E20000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	2272	pulse.exe
Token: SeIncreaseQuotaPrivilege	4308	wmic.exe
Token: SeSecurityPrivilege	4308	wmic.exe
Token: SeTakeOwnershipPrivilege	4308	wmic.exe
Token: SeLoadDriverPrivilege	4308	wmic.exe
Token: SeSystemProfilePrivilege	4308	wmic.exe
Token: SeSystemtimePrivilege	4308	wmic.exe
Token: SeProfSingleProcessPrivilege	4308	wmic.exe
Token: SeIncBasePriorityPrivilege	4308	wmic.exe
Token: SeCreatePagefilePrivilege	4308	wmic.exe
Token: SeBackupPrivilege	4308	wmic.exe
Token: SeRestorePrivilege	4308	wmic.exe
Token: SeShutdownPrivilege	4308	wmic.exe
Token: SeDebugPrivilege	4308	wmic.exe
Token: SeSystemEnvironmentPrivilege	4308	wmic.exe
Token: SeRemoteShutdownPrivilege	4308	wmic.exe
Token: SeUndockPrivilege	4308	wmic.exe
Token: SeManageVolumePrivilege	4308	wmic.exe
Token: 33	4308	wmic.exe
Token: 34	4308	wmic.exe
Token: 35	4308	wmic.exe
Token: 36	4308	wmic.exe
Token: SeIncreaseQuotaPrivilege	4308	wmic.exe
Token: SeSecurityPrivilege	4308	wmic.exe
Token: SeTakeOwnershipPrivilege	4308	wmic.exe
Token: SeLoadDriverPrivilege	4308	wmic.exe
Token: SeSystemProfilePrivilege	4308	wmic.exe
Token: SeSystemtimePrivilege	4308	wmic.exe
Token: SeProfSingleProcessPrivilege	4308	wmic.exe
Token: SeIncBasePriorityPrivilege	4308	wmic.exe
Token: SeCreatePagefilePrivilege	4308	wmic.exe
Token: SeBackupPrivilege	4308	wmic.exe
Token: SeRestorePrivilege	4308	wmic.exe
Token: SeShutdownPrivilege	4308	wmic.exe
Token: SeDebugPrivilege	4308	wmic.exe
Token: SeSystemEnvironmentPrivilege	4308	wmic.exe
Token: SeRemoteShutdownPrivilege	4308	wmic.exe
Token: SeUndockPrivilege	4308	wmic.exe
Token: SeManageVolumePrivilege	4308	wmic.exe
Token: 33	4308	wmic.exe
Token: 34	4308	wmic.exe
Token: 35	4308	wmic.exe
Token: 36	4308	wmic.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 4308	2272	pulse.exe	72
PID 2272 wrote to memory of 4308	2272	pulse.exe	72

C:\Users\Admin\AppData\Local\Temp\pulse.exe
"C:\Users\Admin\AppData\Local\Temp\pulse.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4308

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2272-0-0x00007FFB3FAC3000-0x00007FFB3FAC4000-memory.dmp

Filesize
4KB

Download
memory/2272-1-0x0000020A60DE0000-0x0000020A60E20000-memory.dmp

Filesize
256KB

Download
memory/2272-2-0x00007FFB3FAC0000-0x00007FFB404AC000-memory.dmp

Filesize
9.9MB

Download
memory/2272-4-0x00007FFB3FAC0000-0x00007FFB404AC000-memory.dmp

Filesize
9.9MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads