umbral | ae1d6b818db2e9097ca27a9ebdc79ac9f1ac6904305416cc20b0dd532c1fe4bf

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11-06-2024 01:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ae1d6b818db2e9097ca27a9ebdc79ac9f1ac6904305416cc20b0dd532c1fe4bf.exe
Size

6.5MB
MD5

332ba662e3c3f073ae86fee29789571d
SHA1

5901a5ef0817d5e56f54b4d2a4385717a1b21975
SHA256

ae1d6b818db2e9097ca27a9ebdc79ac9f1ac6904305416cc20b0dd532c1fe4bf
SHA512

8a00f9595aa18ec77b268a4b3d37888ddb45fd567a09597f5bd369f767f7a5003784606ecc92943a1f8b02d2ae9afa8cc9b99e40d8f03f9aaef2c511cac4845b
SSDEEP

196608:o4hV+n8bqD6SiCwDYHLiOYf6OQlmfVuwcP/OCw3P:o4Xc8bqD6SDkhamfVuwcP/jQ

Score

10^/10

umbral pyinstaller stealer

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1240053523601690654/qfHBS3pgxWWBBKRxgQoR2nk1l0xj4MzBSYbqOqyW4FoI1DOOuzXnQta5yMql-1kPExM_

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000c000000013a7c-5.dat	family_umbral
behavioral1/memory/3008-7-0x0000000000CF0000-0x0000000000D30000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Detects executables attemping to enumerate video devices using WMI 2 IoCs

resource	yara_rule
behavioral1/files/0x000c000000013a7c-5.dat	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
behavioral1/memory/3008-7-0x0000000000CF0000-0x0000000000D30000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice

Detects executables containing possible sandbox analysis VM names 2 IoCs

resource	yara_rule
behavioral1/files/0x000c000000013a7c-5.dat	INDICATOR_SUSPICIOUS_EXE_SandboxComputerNames
behavioral1/memory/3008-7-0x0000000000CF0000-0x0000000000D30000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxComputerNames

Detects executables containing possible sandbox analysis VM usernames 2 IoCs

resource	yara_rule
behavioral1/files/0x000c000000013a7c-5.dat	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/3008-7-0x0000000000CF0000-0x0000000000D30000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames

Detects executables containing possible sandbox system UUIDs 2 IoCs

resource	yara_rule
behavioral1/files/0x000c000000013a7c-5.dat	INDICATOR_SUSPICIOUS_EXE_SandboxSystemUUIDs
behavioral1/memory/3008-7-0x0000000000CF0000-0x0000000000D30000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxSystemUUIDs

Executes dropped EXE 3 IoCs

pid	Process
3008	Umbral.exe
2676	cracked_lunar.exe
2988	cracked_lunar.exe

Loads dropped DLL 4 IoCs

pid	Process
2252	ae1d6b818db2e9097ca27a9ebdc79ac9f1ac6904305416cc20b0dd532c1fe4bf.exe
2556	Process not Found
2676	cracked_lunar.exe
2988	cracked_lunar.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0031000000015eaf-12.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeDebugPrivilege	3008	Umbral.exe
Token: SeIncreaseQuotaPrivilege	2964	wmic.exe
Token: SeSecurityPrivilege	2964	wmic.exe
Token: SeTakeOwnershipPrivilege	2964	wmic.exe
Token: SeLoadDriverPrivilege	2964	wmic.exe
Token: SeSystemProfilePrivilege	2964	wmic.exe
Token: SeSystemtimePrivilege	2964	wmic.exe
Token: SeProfSingleProcessPrivilege	2964	wmic.exe
Token: SeIncBasePriorityPrivilege	2964	wmic.exe
Token: SeCreatePagefilePrivilege	2964	wmic.exe
Token: SeBackupPrivilege	2964	wmic.exe
Token: SeRestorePrivilege	2964	wmic.exe
Token: SeShutdownPrivilege	2964	wmic.exe
Token: SeDebugPrivilege	2964	wmic.exe
Token: SeSystemEnvironmentPrivilege	2964	wmic.exe
Token: SeRemoteShutdownPrivilege	2964	wmic.exe
Token: SeUndockPrivilege	2964	wmic.exe
Token: SeManageVolumePrivilege	2964	wmic.exe
Token: 33	2964	wmic.exe
Token: 34	2964	wmic.exe
Token: 35	2964	wmic.exe
Token: SeIncreaseQuotaPrivilege	2964	wmic.exe
Token: SeSecurityPrivilege	2964	wmic.exe
Token: SeTakeOwnershipPrivilege	2964	wmic.exe
Token: SeLoadDriverPrivilege	2964	wmic.exe
Token: SeSystemProfilePrivilege	2964	wmic.exe
Token: SeSystemtimePrivilege	2964	wmic.exe
Token: SeProfSingleProcessPrivilege	2964	wmic.exe
Token: SeIncBasePriorityPrivilege	2964	wmic.exe
Token: SeCreatePagefilePrivilege	2964	wmic.exe
Token: SeBackupPrivilege	2964	wmic.exe
Token: SeRestorePrivilege	2964	wmic.exe
Token: SeShutdownPrivilege	2964	wmic.exe
Token: SeDebugPrivilege	2964	wmic.exe
Token: SeSystemEnvironmentPrivilege	2964	wmic.exe
Token: SeRemoteShutdownPrivilege	2964	wmic.exe
Token: SeUndockPrivilege	2964	wmic.exe
Token: SeManageVolumePrivilege	2964	wmic.exe
Token: 33	2964	wmic.exe
Token: 34	2964	wmic.exe
Token: 35	2964	wmic.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 3008	2252	ae1d6b818db2e9097ca27a9ebdc79ac9f1ac6904305416cc20b0dd532c1fe4bf.exe	28
PID 2252 wrote to memory of 3008	2252	ae1d6b818db2e9097ca27a9ebdc79ac9f1ac6904305416cc20b0dd532c1fe4bf.exe	28
PID 2252 wrote to memory of 3008	2252	ae1d6b818db2e9097ca27a9ebdc79ac9f1ac6904305416cc20b0dd532c1fe4bf.exe	28
PID 2252 wrote to memory of 2676	2252	ae1d6b818db2e9097ca27a9ebdc79ac9f1ac6904305416cc20b0dd532c1fe4bf.exe	29
PID 2252 wrote to memory of 2676	2252	ae1d6b818db2e9097ca27a9ebdc79ac9f1ac6904305416cc20b0dd532c1fe4bf.exe	29
PID 2252 wrote to memory of 2676	2252	ae1d6b818db2e9097ca27a9ebdc79ac9f1ac6904305416cc20b0dd532c1fe4bf.exe	29
PID 2676 wrote to memory of 2988	2676	cracked_lunar.exe	31
PID 2676 wrote to memory of 2988	2676	cracked_lunar.exe	31
PID 2676 wrote to memory of 2988	2676	cracked_lunar.exe	31
PID 3008 wrote to memory of 2964	3008	Umbral.exe	32
PID 3008 wrote to memory of 2964	3008	Umbral.exe	32
PID 3008 wrote to memory of 2964	3008	Umbral.exe	32

C:\Users\Admin\AppData\Local\Temp\ae1d6b818db2e9097ca27a9ebdc79ac9f1ac6904305416cc20b0dd532c1fe4bf.exe
"C:\Users\Admin\AppData\Local\Temp\ae1d6b818db2e9097ca27a9ebdc79ac9f1ac6904305416cc20b0dd532c1fe4bf.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Users\Admin\AppData\Local\Temp\Umbral.exe
  "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2964
- C:\Users\Admin\AppData\Local\Temp\cracked_lunar.exe
  "C:\Users\Admin\AppData\Local\Temp\cracked_lunar.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Users\Admin\AppData\Local\Temp\cracked_lunar.exe
    "C:\Users\Admin\AppData\Local\Temp\cracked_lunar.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Umbral.exe

Filesize
231KB

MD5
05ae0d8ad164e11750e3552344e1ff01

SHA1
41b27283ba72e1651ac5065fe56187a2706eb069

SHA256
33224838e69caedeab2c5d062cc2c9361183b09a41a43aa867e0707f2f9651dc

SHA512
b33307d09333901236c919cba683df3d57baf2b9460ca757f8134dabeb730109d9e303a6d51caf21d0844b40192e5929b4a3d04a60f526ffac18fb290a0a7ffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26762\python311.dll

Filesize
5.5MB

MD5
9a24c8c35e4ac4b1597124c1dcbebe0f

SHA1
f59782a4923a30118b97e01a7f8db69b92d8382a

SHA256
a0cf640e756875c25c12b4a38ba5f2772e8e512036e2ac59eb8567bf05ffbfb7

SHA512
9d9336bf1f0d3bc9ce4a636a5f4e52c5f9487f51f00614fc4a34854a315ce7ea8be328153812dbd67c45c75001818fa63317eba15a6c9a024fa9f2cab163165b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cracked_lunar.exe

Filesize
6.7MB

MD5
a935a661746292c72c43f96a685fb148

SHA1
464e4e832670ced5441b507a85fe79a4bdeb4802

SHA256
524753508a50c33f404a87441625e1d9967d0c1a11b31c534e2d60b838fb1589

SHA512
68e9a17255eab3ad2ae27442d1921a084c882ec59b6a498fbf3e8ab3e6b06b8c78a9e33871051b5bf9e5c974cf5b381433b1fdfd3b4ba2369ca91269de52bcf3

Download Submit
memory/2252-0-0x000007FEF5C23000-0x000007FEF5C24000-memory.dmp

Filesize
4KB

Download
memory/2252-1-0x0000000000120000-0x00000000007B2000-memory.dmp

Filesize
6.6MB

Download
memory/2252-32-0x000007FEF5C20000-0x000007FEF660C000-memory.dmp

Filesize
9.9MB

Download
memory/3008-7-0x0000000000CF0000-0x0000000000D30000-memory.dmp

Filesize
256KB

Download
memory/3008-33-0x000007FEF5C20000-0x000007FEF660C000-memory.dmp

Filesize
9.9MB

Download
memory/3008-46-0x000007FEF5C20000-0x000007FEF660C000-memory.dmp

Filesize
9.9MB

Download