umbral | 3d37df482191306f97b6a590305624e1316082e2b655812f4cda62641afd20e1

Analysis

max time kernel
16s
max time network
17s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27-09-2024 13:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

secondslut.exe
Size

229KB
MD5

1d2a9064181fffe2ae21bb90c9691d2b
SHA1

eb03952450e8f309fb04058759e142740eb08069
SHA256

3d37df482191306f97b6a590305624e1316082e2b655812f4cda62641afd20e1
SHA512

fd25b17d558304b816fdc76bdc979f0e054dd7090ee3051044ce3fa0ed4e1e1d059f447b412b0827d6897a43e21bda5d6e476b7ee2f78d8f3d233e9f04c82328
SSDEEP

6144:FloZM3fsXtioRkts/cnnK6cMl97ERPlO2Zjc1niinbVb8e1moi:HoZ1tlRk83Ml97ERPlO2Zjc1niinZ2

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral2/memory/4112-1-0x0000021FDD380000-0x0000021FDD3C0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	ip-api.com

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	4112	secondslut.exe
Token: SeIncreaseQuotaPrivilege	4492	wmic.exe
Token: SeSecurityPrivilege	4492	wmic.exe
Token: SeTakeOwnershipPrivilege	4492	wmic.exe
Token: SeLoadDriverPrivilege	4492	wmic.exe
Token: SeSystemProfilePrivilege	4492	wmic.exe
Token: SeSystemtimePrivilege	4492	wmic.exe
Token: SeProfSingleProcessPrivilege	4492	wmic.exe
Token: SeIncBasePriorityPrivilege	4492	wmic.exe
Token: SeCreatePagefilePrivilege	4492	wmic.exe
Token: SeBackupPrivilege	4492	wmic.exe
Token: SeRestorePrivilege	4492	wmic.exe
Token: SeShutdownPrivilege	4492	wmic.exe
Token: SeDebugPrivilege	4492	wmic.exe
Token: SeSystemEnvironmentPrivilege	4492	wmic.exe
Token: SeRemoteShutdownPrivilege	4492	wmic.exe
Token: SeUndockPrivilege	4492	wmic.exe
Token: SeManageVolumePrivilege	4492	wmic.exe
Token: 33	4492	wmic.exe
Token: 34	4492	wmic.exe
Token: 35	4492	wmic.exe
Token: 36	4492	wmic.exe
Token: SeIncreaseQuotaPrivilege	4492	wmic.exe
Token: SeSecurityPrivilege	4492	wmic.exe
Token: SeTakeOwnershipPrivilege	4492	wmic.exe
Token: SeLoadDriverPrivilege	4492	wmic.exe
Token: SeSystemProfilePrivilege	4492	wmic.exe
Token: SeSystemtimePrivilege	4492	wmic.exe
Token: SeProfSingleProcessPrivilege	4492	wmic.exe
Token: SeIncBasePriorityPrivilege	4492	wmic.exe
Token: SeCreatePagefilePrivilege	4492	wmic.exe
Token: SeBackupPrivilege	4492	wmic.exe
Token: SeRestorePrivilege	4492	wmic.exe
Token: SeShutdownPrivilege	4492	wmic.exe
Token: SeDebugPrivilege	4492	wmic.exe
Token: SeSystemEnvironmentPrivilege	4492	wmic.exe
Token: SeRemoteShutdownPrivilege	4492	wmic.exe
Token: SeUndockPrivilege	4492	wmic.exe
Token: SeManageVolumePrivilege	4492	wmic.exe
Token: 33	4492	wmic.exe
Token: 34	4492	wmic.exe
Token: 35	4492	wmic.exe
Token: 36	4492	wmic.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4112 wrote to memory of 4492	4112	secondslut.exe	82
PID 4112 wrote to memory of 4492	4112	secondslut.exe	82

C:\Users\Admin\AppData\Local\Temp\secondslut.exe
"C:\Users\Admin\AppData\Local\Temp\secondslut.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4112
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4492

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4112-0-0x00007FFCEFFE3000-0x00007FFCEFFE5000-memory.dmp

Filesize
8KB

Download
memory/4112-1-0x0000021FDD380000-0x0000021FDD3C0000-memory.dmp

Filesize
256KB

Download
memory/4112-2-0x00007FFCEFFE0000-0x00007FFCF0AA1000-memory.dmp

Filesize
10.8MB

Download
memory/4112-4-0x00007FFCEFFE0000-0x00007FFCF0AA1000-memory.dmp

Filesize
10.8MB

Download