umbral | db8fbbc43181b78f543602b7c6f8431d8af032ea15fc1cd4b83889779e6e9987

Analysis

max time kernel
93s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/10/2024, 01:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEW LANDS HWID SPOOFER.exe
Size

229KB
MD5

a2869b69c6e0e6e125431dac1021e8c3
SHA1

96b433c54ed12d57457e32297c94517669b97f79
SHA256

db8fbbc43181b78f543602b7c6f8431d8af032ea15fc1cd4b83889779e6e9987
SHA512

be6de2bf9e8ceb9e6a1a138ea71507ff10c0506f63e94cd1acb2fce4b3560ada3ea07c561a03c99c87f435b0584218bc8dc9f3718314af703ce5cb9c47bd9b0b
SSDEEP

6144:9loZMcrIkd8g+EtXHkv/iD4fHYtxdx8e1mP2i:foZrL+EP8PIxjE7

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral2/memory/1076-1-0x0000021D3B9B0000-0x0000021D3B9F0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	ip-api.com

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	1076	NEW LANDS HWID SPOOFER.exe
Token: SeIncreaseQuotaPrivilege	4460	wmic.exe
Token: SeSecurityPrivilege	4460	wmic.exe
Token: SeTakeOwnershipPrivilege	4460	wmic.exe
Token: SeLoadDriverPrivilege	4460	wmic.exe
Token: SeSystemProfilePrivilege	4460	wmic.exe
Token: SeSystemtimePrivilege	4460	wmic.exe
Token: SeProfSingleProcessPrivilege	4460	wmic.exe
Token: SeIncBasePriorityPrivilege	4460	wmic.exe
Token: SeCreatePagefilePrivilege	4460	wmic.exe
Token: SeBackupPrivilege	4460	wmic.exe
Token: SeRestorePrivilege	4460	wmic.exe
Token: SeShutdownPrivilege	4460	wmic.exe
Token: SeDebugPrivilege	4460	wmic.exe
Token: SeSystemEnvironmentPrivilege	4460	wmic.exe
Token: SeRemoteShutdownPrivilege	4460	wmic.exe
Token: SeUndockPrivilege	4460	wmic.exe
Token: SeManageVolumePrivilege	4460	wmic.exe
Token: 33	4460	wmic.exe
Token: 34	4460	wmic.exe
Token: 35	4460	wmic.exe
Token: 36	4460	wmic.exe
Token: SeIncreaseQuotaPrivilege	4460	wmic.exe
Token: SeSecurityPrivilege	4460	wmic.exe
Token: SeTakeOwnershipPrivilege	4460	wmic.exe
Token: SeLoadDriverPrivilege	4460	wmic.exe
Token: SeSystemProfilePrivilege	4460	wmic.exe
Token: SeSystemtimePrivilege	4460	wmic.exe
Token: SeProfSingleProcessPrivilege	4460	wmic.exe
Token: SeIncBasePriorityPrivilege	4460	wmic.exe
Token: SeCreatePagefilePrivilege	4460	wmic.exe
Token: SeBackupPrivilege	4460	wmic.exe
Token: SeRestorePrivilege	4460	wmic.exe
Token: SeShutdownPrivilege	4460	wmic.exe
Token: SeDebugPrivilege	4460	wmic.exe
Token: SeSystemEnvironmentPrivilege	4460	wmic.exe
Token: SeRemoteShutdownPrivilege	4460	wmic.exe
Token: SeUndockPrivilege	4460	wmic.exe
Token: SeManageVolumePrivilege	4460	wmic.exe
Token: 33	4460	wmic.exe
Token: 34	4460	wmic.exe
Token: 35	4460	wmic.exe
Token: 36	4460	wmic.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1076 wrote to memory of 4460	1076	NEW LANDS HWID SPOOFER.exe	82
PID 1076 wrote to memory of 4460	1076	NEW LANDS HWID SPOOFER.exe	82

C:\Users\Admin\AppData\Local\Temp\NEW LANDS HWID SPOOFER.exe
"C:\Users\Admin\AppData\Local\Temp\NEW LANDS HWID SPOOFER.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1076
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4460

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1076-0-0x00007FF81C163000-0x00007FF81C165000-memory.dmp

Filesize
8KB

Download
memory/1076-1-0x0000021D3B9B0000-0x0000021D3B9F0000-memory.dmp

Filesize
256KB

Download
memory/1076-2-0x00007FF81C160000-0x00007FF81CC21000-memory.dmp

Filesize
10.8MB

Download
memory/1076-4-0x00007FF81C160000-0x00007FF81CC21000-memory.dmp

Filesize
10.8MB

Download