umbral | db8fbbc43181b78f543602b7c6f8431d8af032ea15fc1cd4b83889779e6e9987

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
01-10-2024 01:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEW LANDS HWID SPOOFER.exe
Size

229KB
MD5

a2869b69c6e0e6e125431dac1021e8c3
SHA1

96b433c54ed12d57457e32297c94517669b97f79
SHA256

db8fbbc43181b78f543602b7c6f8431d8af032ea15fc1cd4b83889779e6e9987
SHA512

be6de2bf9e8ceb9e6a1a138ea71507ff10c0506f63e94cd1acb2fce4b3560ada3ea07c561a03c99c87f435b0584218bc8dc9f3718314af703ce5cb9c47bd9b0b
SSDEEP

6144:9loZMcrIkd8g+EtXHkv/iD4fHYtxdx8e1mP2i:foZrL+EP8PIxjE7

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral1/memory/2848-1-0x0000000000040000-0x0000000000080000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ip-api.com

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeDebugPrivilege	2848	NEW LANDS HWID SPOOFER.exe
Token: SeIncreaseQuotaPrivilege	2440	wmic.exe
Token: SeSecurityPrivilege	2440	wmic.exe
Token: SeTakeOwnershipPrivilege	2440	wmic.exe
Token: SeLoadDriverPrivilege	2440	wmic.exe
Token: SeSystemProfilePrivilege	2440	wmic.exe
Token: SeSystemtimePrivilege	2440	wmic.exe
Token: SeProfSingleProcessPrivilege	2440	wmic.exe
Token: SeIncBasePriorityPrivilege	2440	wmic.exe
Token: SeCreatePagefilePrivilege	2440	wmic.exe
Token: SeBackupPrivilege	2440	wmic.exe
Token: SeRestorePrivilege	2440	wmic.exe
Token: SeShutdownPrivilege	2440	wmic.exe
Token: SeDebugPrivilege	2440	wmic.exe
Token: SeSystemEnvironmentPrivilege	2440	wmic.exe
Token: SeRemoteShutdownPrivilege	2440	wmic.exe
Token: SeUndockPrivilege	2440	wmic.exe
Token: SeManageVolumePrivilege	2440	wmic.exe
Token: 33	2440	wmic.exe
Token: 34	2440	wmic.exe
Token: 35	2440	wmic.exe
Token: SeIncreaseQuotaPrivilege	2440	wmic.exe
Token: SeSecurityPrivilege	2440	wmic.exe
Token: SeTakeOwnershipPrivilege	2440	wmic.exe
Token: SeLoadDriverPrivilege	2440	wmic.exe
Token: SeSystemProfilePrivilege	2440	wmic.exe
Token: SeSystemtimePrivilege	2440	wmic.exe
Token: SeProfSingleProcessPrivilege	2440	wmic.exe
Token: SeIncBasePriorityPrivilege	2440	wmic.exe
Token: SeCreatePagefilePrivilege	2440	wmic.exe
Token: SeBackupPrivilege	2440	wmic.exe
Token: SeRestorePrivilege	2440	wmic.exe
Token: SeShutdownPrivilege	2440	wmic.exe
Token: SeDebugPrivilege	2440	wmic.exe
Token: SeSystemEnvironmentPrivilege	2440	wmic.exe
Token: SeRemoteShutdownPrivilege	2440	wmic.exe
Token: SeUndockPrivilege	2440	wmic.exe
Token: SeManageVolumePrivilege	2440	wmic.exe
Token: 33	2440	wmic.exe
Token: 34	2440	wmic.exe
Token: 35	2440	wmic.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 2440	2848	NEW LANDS HWID SPOOFER.exe	30
PID 2848 wrote to memory of 2440	2848	NEW LANDS HWID SPOOFER.exe	30
PID 2848 wrote to memory of 2440	2848	NEW LANDS HWID SPOOFER.exe	30

C:\Users\Admin\AppData\Local\Temp\NEW LANDS HWID SPOOFER.exe
"C:\Users\Admin\AppData\Local\Temp\NEW LANDS HWID SPOOFER.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2440

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2848-0-0x000007FEF5DB3000-0x000007FEF5DB4000-memory.dmp

Filesize
4KB

Download
memory/2848-1-0x0000000000040000-0x0000000000080000-memory.dmp

Filesize
256KB

Download
memory/2848-2-0x000007FEF5DB0000-0x000007FEF679C000-memory.dmp

Filesize
9.9MB

Download
memory/2848-3-0x000007FEF5DB0000-0x000007FEF679C000-memory.dmp

Filesize
9.9MB

Download