umbral | 4c19159d4f39a778bc189a23249cbb1f3985e8203dea388aaffb0493c64d7763

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30-09-2024 18:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

botCreator.exe
Size

488KB
MD5

668d42a2877f3c06ca17a413325174d4
SHA1

697e43404eb5e6a36f529cdd96321956ac809b3e
SHA256

4c19159d4f39a778bc189a23249cbb1f3985e8203dea388aaffb0493c64d7763
SHA512

b475b3e505d76e99f0d3de5214633749cfb62b724a71797440a383ddc08c6e8b82ca9dfa411a2c8c8cec7e5aa10c24d9d8b8dea31fb20d2b58e73de1f43962ed
SSDEEP

12288:WoZ1tlRk83MlrfFwiAfboTxUyzzq4HRPVgk9dRv/:f5r3YFwiAfboTxUyzzq4xPVP

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral1/memory/1632-1-0x0000000001180000-0x0000000001200000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ip-api.com

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeDebugPrivilege	1632	botCreator.exe
Token: SeIncreaseQuotaPrivilege	3044	wmic.exe
Token: SeSecurityPrivilege	3044	wmic.exe
Token: SeTakeOwnershipPrivilege	3044	wmic.exe
Token: SeLoadDriverPrivilege	3044	wmic.exe
Token: SeSystemProfilePrivilege	3044	wmic.exe
Token: SeSystemtimePrivilege	3044	wmic.exe
Token: SeProfSingleProcessPrivilege	3044	wmic.exe
Token: SeIncBasePriorityPrivilege	3044	wmic.exe
Token: SeCreatePagefilePrivilege	3044	wmic.exe
Token: SeBackupPrivilege	3044	wmic.exe
Token: SeRestorePrivilege	3044	wmic.exe
Token: SeShutdownPrivilege	3044	wmic.exe
Token: SeDebugPrivilege	3044	wmic.exe
Token: SeSystemEnvironmentPrivilege	3044	wmic.exe
Token: SeRemoteShutdownPrivilege	3044	wmic.exe
Token: SeUndockPrivilege	3044	wmic.exe
Token: SeManageVolumePrivilege	3044	wmic.exe
Token: 33	3044	wmic.exe
Token: 34	3044	wmic.exe
Token: 35	3044	wmic.exe
Token: SeIncreaseQuotaPrivilege	3044	wmic.exe
Token: SeSecurityPrivilege	3044	wmic.exe
Token: SeTakeOwnershipPrivilege	3044	wmic.exe
Token: SeLoadDriverPrivilege	3044	wmic.exe
Token: SeSystemProfilePrivilege	3044	wmic.exe
Token: SeSystemtimePrivilege	3044	wmic.exe
Token: SeProfSingleProcessPrivilege	3044	wmic.exe
Token: SeIncBasePriorityPrivilege	3044	wmic.exe
Token: SeCreatePagefilePrivilege	3044	wmic.exe
Token: SeBackupPrivilege	3044	wmic.exe
Token: SeRestorePrivilege	3044	wmic.exe
Token: SeShutdownPrivilege	3044	wmic.exe
Token: SeDebugPrivilege	3044	wmic.exe
Token: SeSystemEnvironmentPrivilege	3044	wmic.exe
Token: SeRemoteShutdownPrivilege	3044	wmic.exe
Token: SeUndockPrivilege	3044	wmic.exe
Token: SeManageVolumePrivilege	3044	wmic.exe
Token: 33	3044	wmic.exe
Token: 34	3044	wmic.exe
Token: 35	3044	wmic.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 3044	1632	botCreator.exe	30
PID 1632 wrote to memory of 3044	1632	botCreator.exe	30
PID 1632 wrote to memory of 3044	1632	botCreator.exe	30

C:\Users\Admin\AppData\Local\Temp\botCreator.exe
"C:\Users\Admin\AppData\Local\Temp\botCreator.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3044

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1632-0-0x000007FEF5703000-0x000007FEF5704000-memory.dmp

Filesize
4KB

Download
memory/1632-1-0x0000000001180000-0x0000000001200000-memory.dmp

Filesize
512KB

Download
memory/1632-2-0x000007FEF5700000-0x000007FEF60EC000-memory.dmp

Filesize
9.9MB

Download
memory/1632-3-0x000007FEF5700000-0x000007FEF60EC000-memory.dmp

Filesize
9.9MB

Download