umbral | da67c760cdb0419ba9d5821c8d5a6ed04942e0da3c096b00c8774d44b3dab405

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28-09-2024 18:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ClipYt.exe
Size

229KB
MD5

fc4de89b0cf7da7277dbd14e86ada670
SHA1

d4fe1aac0747d50d3c74bde54ff44fe0d40d1fed
SHA256

da67c760cdb0419ba9d5821c8d5a6ed04942e0da3c096b00c8774d44b3dab405
SHA512

932a0ec9b0a984982a481c5cb279440ed8056eef30151d2157349079b3a20584e1c634abf6a2a93275889a57bb402d44c9cf6e1d78d1b8be82aaa1184967a4b6
SSDEEP

6144:lloZM+rIkd8g+EtXHkv/iD4C2B1Yshj58e1mkC9ei:noZtL+EP8fvC9T

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral1/memory/1728-1-0x00000000011E0000-0x0000000001220000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ip-api.com

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeDebugPrivilege	1728	ClipYt.exe
Token: SeIncreaseQuotaPrivilege	3056	wmic.exe
Token: SeSecurityPrivilege	3056	wmic.exe
Token: SeTakeOwnershipPrivilege	3056	wmic.exe
Token: SeLoadDriverPrivilege	3056	wmic.exe
Token: SeSystemProfilePrivilege	3056	wmic.exe
Token: SeSystemtimePrivilege	3056	wmic.exe
Token: SeProfSingleProcessPrivilege	3056	wmic.exe
Token: SeIncBasePriorityPrivilege	3056	wmic.exe
Token: SeCreatePagefilePrivilege	3056	wmic.exe
Token: SeBackupPrivilege	3056	wmic.exe
Token: SeRestorePrivilege	3056	wmic.exe
Token: SeShutdownPrivilege	3056	wmic.exe
Token: SeDebugPrivilege	3056	wmic.exe
Token: SeSystemEnvironmentPrivilege	3056	wmic.exe
Token: SeRemoteShutdownPrivilege	3056	wmic.exe
Token: SeUndockPrivilege	3056	wmic.exe
Token: SeManageVolumePrivilege	3056	wmic.exe
Token: 33	3056	wmic.exe
Token: 34	3056	wmic.exe
Token: 35	3056	wmic.exe
Token: SeIncreaseQuotaPrivilege	3056	wmic.exe
Token: SeSecurityPrivilege	3056	wmic.exe
Token: SeTakeOwnershipPrivilege	3056	wmic.exe
Token: SeLoadDriverPrivilege	3056	wmic.exe
Token: SeSystemProfilePrivilege	3056	wmic.exe
Token: SeSystemtimePrivilege	3056	wmic.exe
Token: SeProfSingleProcessPrivilege	3056	wmic.exe
Token: SeIncBasePriorityPrivilege	3056	wmic.exe
Token: SeCreatePagefilePrivilege	3056	wmic.exe
Token: SeBackupPrivilege	3056	wmic.exe
Token: SeRestorePrivilege	3056	wmic.exe
Token: SeShutdownPrivilege	3056	wmic.exe
Token: SeDebugPrivilege	3056	wmic.exe
Token: SeSystemEnvironmentPrivilege	3056	wmic.exe
Token: SeRemoteShutdownPrivilege	3056	wmic.exe
Token: SeUndockPrivilege	3056	wmic.exe
Token: SeManageVolumePrivilege	3056	wmic.exe
Token: 33	3056	wmic.exe
Token: 34	3056	wmic.exe
Token: 35	3056	wmic.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 3056	1728	ClipYt.exe	30
PID 1728 wrote to memory of 3056	1728	ClipYt.exe	30
PID 1728 wrote to memory of 3056	1728	ClipYt.exe	30

C:\Users\Admin\AppData\Local\Temp\ClipYt.exe
"C:\Users\Admin\AppData\Local\Temp\ClipYt.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3056

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1728-0-0x000007FEF5E73000-0x000007FEF5E74000-memory.dmp

Filesize
4KB

Download
memory/1728-1-0x00000000011E0000-0x0000000001220000-memory.dmp

Filesize
256KB

Download
memory/1728-2-0x000007FEF5E70000-0x000007FEF685C000-memory.dmp

Filesize
9.9MB

Download
memory/1728-3-0x000007FEF5E70000-0x000007FEF685C000-memory.dmp

Filesize
9.9MB

Download