umbral | 31e4b84acc0e087764e3608e94949c75fa86c665af401b4f3248a5a03ee92bcb

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27-06-2024 20:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31e4b84acc0e087764e3608e94949c75fa86c665af401b4f3248a5a03ee92bcb.exe
Size

455KB
MD5

2ef41c1b58df5c7204770c5b599f361a
SHA1

6cb5318175b19409a511a28f8f79aba50d7bc8cc
SHA256

31e4b84acc0e087764e3608e94949c75fa86c665af401b4f3248a5a03ee92bcb
SHA512

6367d7aae6431976e70e01faa41b730a20e99336780b1a368797765e73557224f12e11c417f3fde89ceddf0afcdd05a2790ac77a6bbb406097fb069d8e084abb
SSDEEP

6144:DFob20/TesMPbgBfVlWbKABdpFViyIoP/E0oys2oL62mGCsWRBmkfReNxa/YyCRZ:EqP0JVlWK4So5s2JvJD7fRb/9CRAV

Score

10^/10

umbral stealer

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1252175796043513908/aC5-XwIWIrkxvztpoeIjyB7EG1IDIe4Uz4bAMFAjl2H6KtYUCPqqQkESuXBHBE5JW2uX

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x003800000001566b-9.dat	family_umbral
behavioral1/memory/1956-12-0x00000000010D0000-0x0000000001110000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Executes dropped EXE 2 IoCs

pid	Process
2564	Client.exe
1956	Umbral.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeDebugPrivilege	1956	Umbral.exe
Token: SeIncreaseQuotaPrivilege	2508	wmic.exe
Token: SeSecurityPrivilege	2508	wmic.exe
Token: SeTakeOwnershipPrivilege	2508	wmic.exe
Token: SeLoadDriverPrivilege	2508	wmic.exe
Token: SeSystemProfilePrivilege	2508	wmic.exe
Token: SeSystemtimePrivilege	2508	wmic.exe
Token: SeProfSingleProcessPrivilege	2508	wmic.exe
Token: SeIncBasePriorityPrivilege	2508	wmic.exe
Token: SeCreatePagefilePrivilege	2508	wmic.exe
Token: SeBackupPrivilege	2508	wmic.exe
Token: SeRestorePrivilege	2508	wmic.exe
Token: SeShutdownPrivilege	2508	wmic.exe
Token: SeDebugPrivilege	2508	wmic.exe
Token: SeSystemEnvironmentPrivilege	2508	wmic.exe
Token: SeRemoteShutdownPrivilege	2508	wmic.exe
Token: SeUndockPrivilege	2508	wmic.exe
Token: SeManageVolumePrivilege	2508	wmic.exe
Token: 33	2508	wmic.exe
Token: 34	2508	wmic.exe
Token: 35	2508	wmic.exe
Token: SeIncreaseQuotaPrivilege	2508	wmic.exe
Token: SeSecurityPrivilege	2508	wmic.exe
Token: SeTakeOwnershipPrivilege	2508	wmic.exe
Token: SeLoadDriverPrivilege	2508	wmic.exe
Token: SeSystemProfilePrivilege	2508	wmic.exe
Token: SeSystemtimePrivilege	2508	wmic.exe
Token: SeProfSingleProcessPrivilege	2508	wmic.exe
Token: SeIncBasePriorityPrivilege	2508	wmic.exe
Token: SeCreatePagefilePrivilege	2508	wmic.exe
Token: SeBackupPrivilege	2508	wmic.exe
Token: SeRestorePrivilege	2508	wmic.exe
Token: SeShutdownPrivilege	2508	wmic.exe
Token: SeDebugPrivilege	2508	wmic.exe
Token: SeSystemEnvironmentPrivilege	2508	wmic.exe
Token: SeRemoteShutdownPrivilege	2508	wmic.exe
Token: SeUndockPrivilege	2508	wmic.exe
Token: SeManageVolumePrivilege	2508	wmic.exe
Token: 33	2508	wmic.exe
Token: 34	2508	wmic.exe
Token: 35	2508	wmic.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 2564	2868	31e4b84acc0e087764e3608e94949c75fa86c665af401b4f3248a5a03ee92bcb.exe	28
PID 2868 wrote to memory of 2564	2868	31e4b84acc0e087764e3608e94949c75fa86c665af401b4f3248a5a03ee92bcb.exe	28
PID 2868 wrote to memory of 2564	2868	31e4b84acc0e087764e3608e94949c75fa86c665af401b4f3248a5a03ee92bcb.exe	28
PID 2868 wrote to memory of 1956	2868	31e4b84acc0e087764e3608e94949c75fa86c665af401b4f3248a5a03ee92bcb.exe	29
PID 2868 wrote to memory of 1956	2868	31e4b84acc0e087764e3608e94949c75fa86c665af401b4f3248a5a03ee92bcb.exe	29
PID 2868 wrote to memory of 1956	2868	31e4b84acc0e087764e3608e94949c75fa86c665af401b4f3248a5a03ee92bcb.exe	29
PID 1956 wrote to memory of 2508	1956	Umbral.exe	31
PID 1956 wrote to memory of 2508	1956	Umbral.exe	31
PID 1956 wrote to memory of 2508	1956	Umbral.exe	31

C:\Users\Admin\AppData\Local\Temp\31e4b84acc0e087764e3608e94949c75fa86c665af401b4f3248a5a03ee92bcb.exe
"C:\Users\Admin\AppData\Local\Temp\31e4b84acc0e087764e3608e94949c75fa86c665af401b4f3248a5a03ee92bcb.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Users\Admin\AppData\Local\Temp\Client.exe
  "C:\Users\Admin\AppData\Local\Temp\Client.exe"
  2⤵
  - Executes dropped EXE
  PID:2564
- C:\Users\Admin\AppData\Local\Temp\Umbral.exe
  "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1956
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Client.exe

Filesize
569KB

MD5
62c311d8e63f11d2d0a2035fc249e1cb

SHA1
2dbf4cd76faf5201898f5721f095c7de01a6fe4b

SHA256
5ccceef40894f9720673067bca19c478464a49d37debd328f073fad3657c2084

SHA512
8cd92f69c945231ce3569f0e0cd826273ecf8e5d345677e147bd1f3033b607ff9e535c9e5fbcc84500ccc92def86fa6c79595716d11fde2795029bd0d8b0d824

Download Submit
C:\Users\Admin\AppData\Local\Temp\Umbral.exe

Filesize
229KB

MD5
80b73234d85822b232343c03e21b73f8

SHA1
18a5f4a710726c287c7915a3bdfe9f701b42f959

SHA256
0de2a1ea807817d1bada4b20a0a6964930e03abea4f0073cae7c837d54e1b46f

SHA512
9847bf319dc82c0ee3fac9171f0546381b57e03796c5e0407b11c3bae2759e2af5eb024c102e35d5d37ab890e872bea7af66c55cec0b0e1955e517e769f167e0

Download Submit
memory/1956-12-0x00000000010D0000-0x0000000001110000-memory.dmp

Filesize
256KB

Download
memory/2564-13-0x0000000000310000-0x00000000003A4000-memory.dmp

Filesize
592KB

Download
memory/2868-0-0x000007FEF5923000-0x000007FEF5924000-memory.dmp

Filesize
4KB

Download
memory/2868-1-0x0000000001310000-0x0000000001388000-memory.dmp

Filesize
480KB

Download
memory/2868-14-0x000007FEF5920000-0x000007FEF630C000-memory.dmp

Filesize
9.9MB

Download
memory/2868-15-0x000007FEF5920000-0x000007FEF630C000-memory.dmp

Filesize
9.9MB

Download