umbral | 7e45b79940116f8a1de3a75f82e5209d0279d99479a24778e1590dd739b6ddf8 | Triage

Analysis

max time kernel
23s
max time network
17s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
11-07-2024 16:56

Sharing

Report Analysis Logs

General

Target

dead.exe
Size

254KB
MD5

41a555bbc081356100cafdd006d3c096
SHA1

bf4f81ed8b698b9865098fccabff0bbbe3ca3255
SHA256

7e45b79940116f8a1de3a75f82e5209d0279d99479a24778e1590dd739b6ddf8
SHA512

1bc00d609264c523ab114e845a26edb9a611b927a583730880916f04efeee9c37c4529559a47854e422ab8530ab8edbb87754a755f50939c29e5a14e4b74efbc
SSDEEP

6144:+4oZo8KbOUtoAXAEeDh0x7axHU3FmRaW8ejI82V:9oZAOUo90ufIl

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral1/memory/2516-1-0x0000000000C50000-0x0000000000C96000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2516 wrote to memory of 2952	2516	dead.exe	30
PID 2516 wrote to memory of 2952	2516	dead.exe	30
PID 2516 wrote to memory of 2952	2516	dead.exe	30

C:\Users\Admin\AppData\Local\Temp\dead.exe
"C:\Users\Admin\AppData\Local\Temp\dead.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2516 -s 548
  2⤵
  PID:2952

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2516-0-0x000007FEF53D3000-0x000007FEF53D4000-memory.dmp

Filesize
4KB

Download
memory/2516-1-0x0000000000C50000-0x0000000000C96000-memory.dmp

Filesize
280KB

Download