umbral | 65fe3aca61ba85663615daadb56fb3bc8e49db4348ae0df15309d22e7d406c68

Analysis

max time kernel
16s
max time network
17s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
23-07-2024 21:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

y.exe
Size

229KB
MD5

e55c738dfd6a954e2639c1a6cf3cf33d
SHA1

ec44eb7e74102001e534268513bbd84f37ac689d
SHA256

65fe3aca61ba85663615daadb56fb3bc8e49db4348ae0df15309d22e7d406c68
SHA512

7fd358cd8ac0f99906a0ddd1b7e27c0eebd7e783820036de6e447d9857992d3ed8a82c919a994d9ca159387dcf2f87e7c0c1ed3e6fa072909e85daa7cc2aa5ea
SSDEEP

6144:9loZM+rIkd8g+EtXHkv/iD4NvdfL+8D/0BVA+Pv+h9UC6ly8e1m73i:foZtL+EP8tdfL+8D/0BVA+Pv+hmKb

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral1/memory/4704-0-0x00000201E9D00000-0x00000201E9D40000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	4704	y.exe
Token: SeIncreaseQuotaPrivilege	3820	wmic.exe
Token: SeSecurityPrivilege	3820	wmic.exe
Token: SeTakeOwnershipPrivilege	3820	wmic.exe
Token: SeLoadDriverPrivilege	3820	wmic.exe
Token: SeSystemProfilePrivilege	3820	wmic.exe
Token: SeSystemtimePrivilege	3820	wmic.exe
Token: SeProfSingleProcessPrivilege	3820	wmic.exe
Token: SeIncBasePriorityPrivilege	3820	wmic.exe
Token: SeCreatePagefilePrivilege	3820	wmic.exe
Token: SeBackupPrivilege	3820	wmic.exe
Token: SeRestorePrivilege	3820	wmic.exe
Token: SeShutdownPrivilege	3820	wmic.exe
Token: SeDebugPrivilege	3820	wmic.exe
Token: SeSystemEnvironmentPrivilege	3820	wmic.exe
Token: SeRemoteShutdownPrivilege	3820	wmic.exe
Token: SeUndockPrivilege	3820	wmic.exe
Token: SeManageVolumePrivilege	3820	wmic.exe
Token: 33	3820	wmic.exe
Token: 34	3820	wmic.exe
Token: 35	3820	wmic.exe
Token: 36	3820	wmic.exe
Token: SeIncreaseQuotaPrivilege	3820	wmic.exe
Token: SeSecurityPrivilege	3820	wmic.exe
Token: SeTakeOwnershipPrivilege	3820	wmic.exe
Token: SeLoadDriverPrivilege	3820	wmic.exe
Token: SeSystemProfilePrivilege	3820	wmic.exe
Token: SeSystemtimePrivilege	3820	wmic.exe
Token: SeProfSingleProcessPrivilege	3820	wmic.exe
Token: SeIncBasePriorityPrivilege	3820	wmic.exe
Token: SeCreatePagefilePrivilege	3820	wmic.exe
Token: SeBackupPrivilege	3820	wmic.exe
Token: SeRestorePrivilege	3820	wmic.exe
Token: SeShutdownPrivilege	3820	wmic.exe
Token: SeDebugPrivilege	3820	wmic.exe
Token: SeSystemEnvironmentPrivilege	3820	wmic.exe
Token: SeRemoteShutdownPrivilege	3820	wmic.exe
Token: SeUndockPrivilege	3820	wmic.exe
Token: SeManageVolumePrivilege	3820	wmic.exe
Token: 33	3820	wmic.exe
Token: 34	3820	wmic.exe
Token: 35	3820	wmic.exe
Token: 36	3820	wmic.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4704 wrote to memory of 3820	4704	y.exe	72
PID 4704 wrote to memory of 3820	4704	y.exe	72

C:\Users\Admin\AppData\Local\Temp\y.exe
"C:\Users\Admin\AppData\Local\Temp\y.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4704
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3820

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4704-0-0x00000201E9D00000-0x00000201E9D40000-memory.dmp

Filesize
256KB

Download
memory/4704-1-0x00007FFB141D3000-0x00007FFB141D4000-memory.dmp

Filesize
4KB

Download
memory/4704-2-0x00007FFB141D0000-0x00007FFB14BBC000-memory.dmp

Filesize
9.9MB

Download
memory/4704-4-0x00007FFB141D0000-0x00007FFB14BBC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads