umbral | 7f1e40b82781c6149dd6f963e81636d226fc993f11e0c842f0df1b3e7a10caf8

Analysis

max time kernel
15s
max time network
18s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
02-07-2024 19:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SolaraBoostrap .exe
Size

229KB
MD5

b7741b6a5e172eff7edfdc9ab19a649f
SHA1

9c80488d840a98dac3860e21f1fa6be89cc3e898
SHA256

7f1e40b82781c6149dd6f963e81636d226fc993f11e0c842f0df1b3e7a10caf8
SHA512

d1e8a4005dd8554a45434568025a19270c871e778fb640daf7eefcb9aaf11a487c5b6c68d88572727888adf7207b0cafc9f97021557ce4c8437afa6750714552
SSDEEP

6144:tloZMNrIkd8g+EtXHkv/iD4gnEt5nsAvcOXZkQlTLb8e1msi:voZ2L+EP8gnEt5nsAvcOXZkQljW

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral1/memory/2796-1-0x00000270B2ED0000-0x00000270B2F10000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	2796	SolaraBoostrap .exe
Token: SeIncreaseQuotaPrivilege	1004	wmic.exe
Token: SeSecurityPrivilege	1004	wmic.exe
Token: SeTakeOwnershipPrivilege	1004	wmic.exe
Token: SeLoadDriverPrivilege	1004	wmic.exe
Token: SeSystemProfilePrivilege	1004	wmic.exe
Token: SeSystemtimePrivilege	1004	wmic.exe
Token: SeProfSingleProcessPrivilege	1004	wmic.exe
Token: SeIncBasePriorityPrivilege	1004	wmic.exe
Token: SeCreatePagefilePrivilege	1004	wmic.exe
Token: SeBackupPrivilege	1004	wmic.exe
Token: SeRestorePrivilege	1004	wmic.exe
Token: SeShutdownPrivilege	1004	wmic.exe
Token: SeDebugPrivilege	1004	wmic.exe
Token: SeSystemEnvironmentPrivilege	1004	wmic.exe
Token: SeRemoteShutdownPrivilege	1004	wmic.exe
Token: SeUndockPrivilege	1004	wmic.exe
Token: SeManageVolumePrivilege	1004	wmic.exe
Token: 33	1004	wmic.exe
Token: 34	1004	wmic.exe
Token: 35	1004	wmic.exe
Token: 36	1004	wmic.exe
Token: SeIncreaseQuotaPrivilege	1004	wmic.exe
Token: SeSecurityPrivilege	1004	wmic.exe
Token: SeTakeOwnershipPrivilege	1004	wmic.exe
Token: SeLoadDriverPrivilege	1004	wmic.exe
Token: SeSystemProfilePrivilege	1004	wmic.exe
Token: SeSystemtimePrivilege	1004	wmic.exe
Token: SeProfSingleProcessPrivilege	1004	wmic.exe
Token: SeIncBasePriorityPrivilege	1004	wmic.exe
Token: SeCreatePagefilePrivilege	1004	wmic.exe
Token: SeBackupPrivilege	1004	wmic.exe
Token: SeRestorePrivilege	1004	wmic.exe
Token: SeShutdownPrivilege	1004	wmic.exe
Token: SeDebugPrivilege	1004	wmic.exe
Token: SeSystemEnvironmentPrivilege	1004	wmic.exe
Token: SeRemoteShutdownPrivilege	1004	wmic.exe
Token: SeUndockPrivilege	1004	wmic.exe
Token: SeManageVolumePrivilege	1004	wmic.exe
Token: 33	1004	wmic.exe
Token: 34	1004	wmic.exe
Token: 35	1004	wmic.exe
Token: 36	1004	wmic.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 1004	2796	SolaraBoostrap .exe	72
PID 2796 wrote to memory of 1004	2796	SolaraBoostrap .exe	72

C:\Users\Admin\AppData\Local\Temp\SolaraBoostrap .exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBoostrap .exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1004

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2796-0-0x00007FF884DD3000-0x00007FF884DD4000-memory.dmp

Filesize
4KB

Download
memory/2796-1-0x00000270B2ED0000-0x00000270B2F10000-memory.dmp

Filesize
256KB

Download
memory/2796-2-0x00007FF884DD0000-0x00007FF8857BC000-memory.dmp

Filesize
9.9MB

Download
memory/2796-4-0x00007FF884DD0000-0x00007FF8857BC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads