umbral | c9284451e9c756e38ee65feed1db743bc535066136851e71c707402607e06501

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
11-05-2024 18:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Umbral.exe
Size

229KB
MD5

518a530502d5793fddad2cf074af8850
SHA1

6ff6542721e9cf284129daf442c193911dda8367
SHA256

c9284451e9c756e38ee65feed1db743bc535066136851e71c707402607e06501
SHA512

232768823683c549468b0a11122a4c4831d528ad5861f1930714d9c7840405ac3fb145e7a8d85a3b14d6f92d93e41be692176755fb590bdfb6295cd80788c545
SSDEEP

6144:lloZM+rIkd8g+EtXHkv/iD4deC+pNbYMTgqL9Y0hBpb8e1meIi:noZtL+EP8deC+pNbYMTgqL9Y0h/R

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral1/memory/2900-1-0x0000000000990000-0x00000000009D0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeDebugPrivilege	2900	Umbral.exe
Token: SeIncreaseQuotaPrivilege	2600	wmic.exe
Token: SeSecurityPrivilege	2600	wmic.exe
Token: SeTakeOwnershipPrivilege	2600	wmic.exe
Token: SeLoadDriverPrivilege	2600	wmic.exe
Token: SeSystemProfilePrivilege	2600	wmic.exe
Token: SeSystemtimePrivilege	2600	wmic.exe
Token: SeProfSingleProcessPrivilege	2600	wmic.exe
Token: SeIncBasePriorityPrivilege	2600	wmic.exe
Token: SeCreatePagefilePrivilege	2600	wmic.exe
Token: SeBackupPrivilege	2600	wmic.exe
Token: SeRestorePrivilege	2600	wmic.exe
Token: SeShutdownPrivilege	2600	wmic.exe
Token: SeDebugPrivilege	2600	wmic.exe
Token: SeSystemEnvironmentPrivilege	2600	wmic.exe
Token: SeRemoteShutdownPrivilege	2600	wmic.exe
Token: SeUndockPrivilege	2600	wmic.exe
Token: SeManageVolumePrivilege	2600	wmic.exe
Token: 33	2600	wmic.exe
Token: 34	2600	wmic.exe
Token: 35	2600	wmic.exe
Token: SeIncreaseQuotaPrivilege	2600	wmic.exe
Token: SeSecurityPrivilege	2600	wmic.exe
Token: SeTakeOwnershipPrivilege	2600	wmic.exe
Token: SeLoadDriverPrivilege	2600	wmic.exe
Token: SeSystemProfilePrivilege	2600	wmic.exe
Token: SeSystemtimePrivilege	2600	wmic.exe
Token: SeProfSingleProcessPrivilege	2600	wmic.exe
Token: SeIncBasePriorityPrivilege	2600	wmic.exe
Token: SeCreatePagefilePrivilege	2600	wmic.exe
Token: SeBackupPrivilege	2600	wmic.exe
Token: SeRestorePrivilege	2600	wmic.exe
Token: SeShutdownPrivilege	2600	wmic.exe
Token: SeDebugPrivilege	2600	wmic.exe
Token: SeSystemEnvironmentPrivilege	2600	wmic.exe
Token: SeRemoteShutdownPrivilege	2600	wmic.exe
Token: SeUndockPrivilege	2600	wmic.exe
Token: SeManageVolumePrivilege	2600	wmic.exe
Token: 33	2600	wmic.exe
Token: 34	2600	wmic.exe
Token: 35	2600	wmic.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2900 wrote to memory of 2600	2900	Umbral.exe	28
PID 2900 wrote to memory of 2600	2900	Umbral.exe	28
PID 2900 wrote to memory of 2600	2900	Umbral.exe	28

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2900
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2600

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2900-0-0x000007FEF52E3000-0x000007FEF52E4000-memory.dmp

Filesize
4KB

Download
memory/2900-1-0x0000000000990000-0x00000000009D0000-memory.dmp

Filesize
256KB

Download
memory/2900-2-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

Filesize
9.9MB

Download
memory/2900-3-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads