umbral | 5c37ed0542974bf478e1e6ff614395e6110bfc4726494e72f76b62e014bda0ff

Analysis

max time kernel
133s
max time network
135s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
23-08-2024 15:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

drivers.exe
Size

229KB
MD5

8275af467a6e5859869a13eabc03cc15
SHA1

e70d0630ff34f6a1c72ab4343dc01c6dd4c53bc1
SHA256

5c37ed0542974bf478e1e6ff614395e6110bfc4726494e72f76b62e014bda0ff
SHA512

87497047b564694a15193d6b5e7d13fbfbbeeec2f14993c09a79b52fa9781ede36136d1c688d264ccd2c45ea93d5f372c210ae54066de02e3abf7d15428d4e6a
SSDEEP

6144:lloZMLrIkd8g+EtXHkv/iD4yEay5nsAv4OXZkQlpAb8e1mGi:noZ0L+EP8yEay5nsAv4OXZkQlu4

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral1/memory/3348-1-0x00000244CD8A0000-0x00000244CD8E0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	3348	drivers.exe
Token: SeIncreaseQuotaPrivilege	3248	wmic.exe
Token: SeSecurityPrivilege	3248	wmic.exe
Token: SeTakeOwnershipPrivilege	3248	wmic.exe
Token: SeLoadDriverPrivilege	3248	wmic.exe
Token: SeSystemProfilePrivilege	3248	wmic.exe
Token: SeSystemtimePrivilege	3248	wmic.exe
Token: SeProfSingleProcessPrivilege	3248	wmic.exe
Token: SeIncBasePriorityPrivilege	3248	wmic.exe
Token: SeCreatePagefilePrivilege	3248	wmic.exe
Token: SeBackupPrivilege	3248	wmic.exe
Token: SeRestorePrivilege	3248	wmic.exe
Token: SeShutdownPrivilege	3248	wmic.exe
Token: SeDebugPrivilege	3248	wmic.exe
Token: SeSystemEnvironmentPrivilege	3248	wmic.exe
Token: SeRemoteShutdownPrivilege	3248	wmic.exe
Token: SeUndockPrivilege	3248	wmic.exe
Token: SeManageVolumePrivilege	3248	wmic.exe
Token: 33	3248	wmic.exe
Token: 34	3248	wmic.exe
Token: 35	3248	wmic.exe
Token: 36	3248	wmic.exe
Token: SeIncreaseQuotaPrivilege	3248	wmic.exe
Token: SeSecurityPrivilege	3248	wmic.exe
Token: SeTakeOwnershipPrivilege	3248	wmic.exe
Token: SeLoadDriverPrivilege	3248	wmic.exe
Token: SeSystemProfilePrivilege	3248	wmic.exe
Token: SeSystemtimePrivilege	3248	wmic.exe
Token: SeProfSingleProcessPrivilege	3248	wmic.exe
Token: SeIncBasePriorityPrivilege	3248	wmic.exe
Token: SeCreatePagefilePrivilege	3248	wmic.exe
Token: SeBackupPrivilege	3248	wmic.exe
Token: SeRestorePrivilege	3248	wmic.exe
Token: SeShutdownPrivilege	3248	wmic.exe
Token: SeDebugPrivilege	3248	wmic.exe
Token: SeSystemEnvironmentPrivilege	3248	wmic.exe
Token: SeRemoteShutdownPrivilege	3248	wmic.exe
Token: SeUndockPrivilege	3248	wmic.exe
Token: SeManageVolumePrivilege	3248	wmic.exe
Token: 33	3248	wmic.exe
Token: 34	3248	wmic.exe
Token: 35	3248	wmic.exe
Token: 36	3248	wmic.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3348 wrote to memory of 3248	3348	drivers.exe	75
PID 3348 wrote to memory of 3248	3348	drivers.exe	75

C:\Users\Admin\AppData\Local\Temp\drivers.exe
"C:\Users\Admin\AppData\Local\Temp\drivers.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3348
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3248

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3348-0-0x00007FFE770D3000-0x00007FFE770D4000-memory.dmp

Filesize
4KB

Download
memory/3348-1-0x00000244CD8A0000-0x00000244CD8E0000-memory.dmp

Filesize
256KB

Download
memory/3348-2-0x00007FFE770D0000-0x00007FFE77ABC000-memory.dmp

Filesize
9.9MB

Download
memory/3348-4-0x00007FFE770D0000-0x00007FFE77ABC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads