umbral | 73207e68fd2611a51968b6903020cedf7d6c07eeb7e8570de6ac533d93d31e25

Analysis

max time kernel
1793s
max time network
1803s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05-06-2024 16:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

C37boot/C37Bootstrapper.exe
Size

405KB
MD5

c8294556e29920bfcc619529da141096
SHA1

7dad1b482c1d3baeade911400027e615e2ea52ff
SHA256

26deb9a0264cccfdef387610235e9e9032144c8e73561c3d0007c248a6c84dc3
SHA512

1ac29a6ecdf761d85d3b1b64910f7edd865238d1d6b159532efb8260fa9af35c7db06892359ba9efe7bd571ec2bd259a0621721666fd5b085e92f68848f63af6
SSDEEP

6144:nloZM+rIkd8g+EtXHkv/iD4w85EFzQEb3CzFQMpFlb8e1mBiEqkRH:loZtL+EP8w85EFzQEb3CzFQMpfvEJ

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4964-1-0x00000122FD960000-0x00000122FD9CC000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Suspicious use of AdjustPrivilegeToken 44 IoCs

Processes:

C37Bootstrapper.exewmic.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	4964	C37Bootstrapper.exe
Token: SeIncreaseQuotaPrivilege	1264	wmic.exe
Token: SeSecurityPrivilege	1264	wmic.exe
Token: SeTakeOwnershipPrivilege	1264	wmic.exe
Token: SeLoadDriverPrivilege	1264	wmic.exe
Token: SeSystemProfilePrivilege	1264	wmic.exe
Token: SeSystemtimePrivilege	1264	wmic.exe
Token: SeProfSingleProcessPrivilege	1264	wmic.exe
Token: SeIncBasePriorityPrivilege	1264	wmic.exe
Token: SeCreatePagefilePrivilege	1264	wmic.exe
Token: SeBackupPrivilege	1264	wmic.exe
Token: SeRestorePrivilege	1264	wmic.exe
Token: SeShutdownPrivilege	1264	wmic.exe
Token: SeDebugPrivilege	1264	wmic.exe
Token: SeSystemEnvironmentPrivilege	1264	wmic.exe
Token: SeRemoteShutdownPrivilege	1264	wmic.exe
Token: SeUndockPrivilege	1264	wmic.exe
Token: SeManageVolumePrivilege	1264	wmic.exe
Token: 33	1264	wmic.exe
Token: 34	1264	wmic.exe
Token: 35	1264	wmic.exe
Token: 36	1264	wmic.exe
Token: SeIncreaseQuotaPrivilege	1264	wmic.exe
Token: SeSecurityPrivilege	1264	wmic.exe
Token: SeTakeOwnershipPrivilege	1264	wmic.exe
Token: SeLoadDriverPrivilege	1264	wmic.exe
Token: SeSystemProfilePrivilege	1264	wmic.exe
Token: SeSystemtimePrivilege	1264	wmic.exe
Token: SeProfSingleProcessPrivilege	1264	wmic.exe
Token: SeIncBasePriorityPrivilege	1264	wmic.exe
Token: SeCreatePagefilePrivilege	1264	wmic.exe
Token: SeBackupPrivilege	1264	wmic.exe
Token: SeRestorePrivilege	1264	wmic.exe
Token: SeShutdownPrivilege	1264	wmic.exe
Token: SeDebugPrivilege	1264	wmic.exe
Token: SeSystemEnvironmentPrivilege	1264	wmic.exe
Token: SeRemoteShutdownPrivilege	1264	wmic.exe
Token: SeUndockPrivilege	1264	wmic.exe
Token: SeManageVolumePrivilege	1264	wmic.exe
Token: 33	1264	wmic.exe
Token: 34	1264	wmic.exe
Token: 35	1264	wmic.exe
Token: 36	1264	wmic.exe
Token: SeManageVolumePrivilege	1292	svchost.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

C37Bootstrapper.exe

description	pid	process	target process
PID 4964 wrote to memory of 1264	4964	C37Bootstrapper.exe	wmic.exe
PID 4964 wrote to memory of 1264	4964	C37Bootstrapper.exe	wmic.exe

C:\Users\Admin\AppData\Local\Temp\C37boot\C37Bootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\C37boot\C37Bootstrapper.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4964

C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4140 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
1⤵
PID:1612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3608 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
1⤵
PID:4980

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:1168

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1292

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1292-5-0x00000184C6090000-0x00000184C60A0000-memory.dmp

Filesize
64KB

Download
memory/1292-21-0x00000184C6190000-0x00000184C61A0000-memory.dmp

Filesize
64KB

Download
memory/1292-37-0x00000184CE500000-0x00000184CE501000-memory.dmp

Filesize
4KB

Download
memory/1292-39-0x00000184CE530000-0x00000184CE531000-memory.dmp

Filesize
4KB

Download
memory/1292-40-0x00000184CE530000-0x00000184CE531000-memory.dmp

Filesize
4KB

Download
memory/1292-41-0x00000184CE640000-0x00000184CE641000-memory.dmp

Filesize
4KB

Download
memory/4964-0-0x00007FF8A2363000-0x00007FF8A2365000-memory.dmp

Filesize
8KB

Download
memory/4964-1-0x00000122FD960000-0x00000122FD9CC000-memory.dmp

Filesize
432KB

Download
memory/4964-2-0x00007FF8A2360000-0x00007FF8A2E21000-memory.dmp

Filesize
10.8MB

Download
memory/4964-4-0x00007FF8A2360000-0x00007FF8A2E21000-memory.dmp

Filesize
10.8MB

Download