umbral | bef3f8e3350b00f7e902560de251dc029553ec078edaf49531c1fe8ec220eb3b

Analysis

max time kernel
133s
max time network
135s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
23-08-2024 15:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

driverloader.exe
Size

229KB
MD5

42c033c1207be55401d27198335476f4
SHA1

6f17af9dabde85f9285e45f443aa64bcb61c35f7
SHA256

bef3f8e3350b00f7e902560de251dc029553ec078edaf49531c1fe8ec220eb3b
SHA512

5a02690e14dd014fd2e46e98fc8ac54e6ad6a6d3698b9ee95774874e1eddddcaf094782c6d10660a3f83016c1b881c21d68bd8d9be6af5a0c88e2acea10aac1d
SSDEEP

6144:FloZMLrIkd8g+EtXHkv/iD4HVO3zZqStVY5rWWDBHb8e1mqDi:HoZ0L+EP8HVO3zZqStVY5rWWDF/O

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral1/memory/4140-1-0x00000232CEF80000-0x00000232CEFC0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	4140	driverloader.exe
Token: SeIncreaseQuotaPrivilege	5032	wmic.exe
Token: SeSecurityPrivilege	5032	wmic.exe
Token: SeTakeOwnershipPrivilege	5032	wmic.exe
Token: SeLoadDriverPrivilege	5032	wmic.exe
Token: SeSystemProfilePrivilege	5032	wmic.exe
Token: SeSystemtimePrivilege	5032	wmic.exe
Token: SeProfSingleProcessPrivilege	5032	wmic.exe
Token: SeIncBasePriorityPrivilege	5032	wmic.exe
Token: SeCreatePagefilePrivilege	5032	wmic.exe
Token: SeBackupPrivilege	5032	wmic.exe
Token: SeRestorePrivilege	5032	wmic.exe
Token: SeShutdownPrivilege	5032	wmic.exe
Token: SeDebugPrivilege	5032	wmic.exe
Token: SeSystemEnvironmentPrivilege	5032	wmic.exe
Token: SeRemoteShutdownPrivilege	5032	wmic.exe
Token: SeUndockPrivilege	5032	wmic.exe
Token: SeManageVolumePrivilege	5032	wmic.exe
Token: 33	5032	wmic.exe
Token: 34	5032	wmic.exe
Token: 35	5032	wmic.exe
Token: 36	5032	wmic.exe
Token: SeIncreaseQuotaPrivilege	5032	wmic.exe
Token: SeSecurityPrivilege	5032	wmic.exe
Token: SeTakeOwnershipPrivilege	5032	wmic.exe
Token: SeLoadDriverPrivilege	5032	wmic.exe
Token: SeSystemProfilePrivilege	5032	wmic.exe
Token: SeSystemtimePrivilege	5032	wmic.exe
Token: SeProfSingleProcessPrivilege	5032	wmic.exe
Token: SeIncBasePriorityPrivilege	5032	wmic.exe
Token: SeCreatePagefilePrivilege	5032	wmic.exe
Token: SeBackupPrivilege	5032	wmic.exe
Token: SeRestorePrivilege	5032	wmic.exe
Token: SeShutdownPrivilege	5032	wmic.exe
Token: SeDebugPrivilege	5032	wmic.exe
Token: SeSystemEnvironmentPrivilege	5032	wmic.exe
Token: SeRemoteShutdownPrivilege	5032	wmic.exe
Token: SeUndockPrivilege	5032	wmic.exe
Token: SeManageVolumePrivilege	5032	wmic.exe
Token: 33	5032	wmic.exe
Token: 34	5032	wmic.exe
Token: 35	5032	wmic.exe
Token: 36	5032	wmic.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4140 wrote to memory of 5032	4140	driverloader.exe	73
PID 4140 wrote to memory of 5032	4140	driverloader.exe	73

C:\Users\Admin\AppData\Local\Temp\driverloader.exe
"C:\Users\Admin\AppData\Local\Temp\driverloader.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4140
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5032

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4140-0-0x00007FFB5E433000-0x00007FFB5E434000-memory.dmp

Filesize
4KB

Download
memory/4140-1-0x00000232CEF80000-0x00000232CEFC0000-memory.dmp

Filesize
256KB

Download
memory/4140-2-0x00007FFB5E430000-0x00007FFB5EE1C000-memory.dmp

Filesize
9.9MB

Download
memory/4140-4-0x00007FFB5E430000-0x00007FFB5EE1C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads