umbral | e88b3a06ac0cbf4130b1c66dde276a4062f472a71d2bf72048ffb577318d5979

Analysis

max time kernel
26s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
11-10-2024 21:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GeoLocate (1)/GeoLocate/Start.bat
Size

65B
MD5

35fe1bc3ce269544b91a4f9d224627c6
SHA1

6c84b83ed36f95b805687e5c500e44faf0d144db
SHA256

6ed72f86689c84cc2f2680a99d47dd92a4dc9941ff483530814148a587e729c7
SHA512

aa72112556953f27f84e1b97de54574776a5043e924caf0935fac3db4c0c6a13db4a85467f7df0755667860b591ae50252358e72374a766a93a18ecfb3ec1403

Score

10^/10

umbral discovery stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral7/memory/2888-2-0x0000000000DA0000-0x0000000000DE0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ip-api.com

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GeoLocate.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
1936	GeoLocate.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeDebugPrivilege	2888	skid.exe
Token: SeIncreaseQuotaPrivilege	2660	wmic.exe
Token: SeSecurityPrivilege	2660	wmic.exe
Token: SeTakeOwnershipPrivilege	2660	wmic.exe
Token: SeLoadDriverPrivilege	2660	wmic.exe
Token: SeSystemProfilePrivilege	2660	wmic.exe
Token: SeSystemtimePrivilege	2660	wmic.exe
Token: SeProfSingleProcessPrivilege	2660	wmic.exe
Token: SeIncBasePriorityPrivilege	2660	wmic.exe
Token: SeCreatePagefilePrivilege	2660	wmic.exe
Token: SeBackupPrivilege	2660	wmic.exe
Token: SeRestorePrivilege	2660	wmic.exe
Token: SeShutdownPrivilege	2660	wmic.exe
Token: SeDebugPrivilege	2660	wmic.exe
Token: SeSystemEnvironmentPrivilege	2660	wmic.exe
Token: SeRemoteShutdownPrivilege	2660	wmic.exe
Token: SeUndockPrivilege	2660	wmic.exe
Token: SeManageVolumePrivilege	2660	wmic.exe
Token: 33	2660	wmic.exe
Token: 34	2660	wmic.exe
Token: 35	2660	wmic.exe
Token: SeIncreaseQuotaPrivilege	2660	wmic.exe
Token: SeSecurityPrivilege	2660	wmic.exe
Token: SeTakeOwnershipPrivilege	2660	wmic.exe
Token: SeLoadDriverPrivilege	2660	wmic.exe
Token: SeSystemProfilePrivilege	2660	wmic.exe
Token: SeSystemtimePrivilege	2660	wmic.exe
Token: SeProfSingleProcessPrivilege	2660	wmic.exe
Token: SeIncBasePriorityPrivilege	2660	wmic.exe
Token: SeCreatePagefilePrivilege	2660	wmic.exe
Token: SeBackupPrivilege	2660	wmic.exe
Token: SeRestorePrivilege	2660	wmic.exe
Token: SeShutdownPrivilege	2660	wmic.exe
Token: SeDebugPrivilege	2660	wmic.exe
Token: SeSystemEnvironmentPrivilege	2660	wmic.exe
Token: SeRemoteShutdownPrivilege	2660	wmic.exe
Token: SeUndockPrivilege	2660	wmic.exe
Token: SeManageVolumePrivilege	2660	wmic.exe
Token: 33	2660	wmic.exe
Token: 34	2660	wmic.exe
Token: 35	2660	wmic.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2852 wrote to memory of 1936	2852	cmd.exe	31
PID 2852 wrote to memory of 1936	2852	cmd.exe	31
PID 2852 wrote to memory of 1936	2852	cmd.exe	31
PID 2852 wrote to memory of 1936	2852	cmd.exe	31
PID 2852 wrote to memory of 2888	2852	cmd.exe	32
PID 2852 wrote to memory of 2888	2852	cmd.exe	32
PID 2852 wrote to memory of 2888	2852	cmd.exe	32
PID 2888 wrote to memory of 2660	2888	skid.exe	34
PID 2888 wrote to memory of 2660	2888	skid.exe	34
PID 2888 wrote to memory of 2660	2888	skid.exe	34

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\GeoLocate (1)\GeoLocate\Start.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Users\Admin\AppData\Local\Temp\GeoLocate (1)\GeoLocate\Src\GeoLocate.exe
  Src/GeoLocate.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1936
- C:\Users\Admin\AppData\Local\Temp\GeoLocate (1)\GeoLocate\Src\Files\skid.exe
  Src/Files/skid.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1936-1-0x000000007485E000-0x000000007485F000-memory.dmp

Filesize
4KB

Download
memory/1936-3-0x0000000000250000-0x0000000000258000-memory.dmp

Filesize
32KB

Download
memory/1936-4-0x00000000041B0000-0x0000000004262000-memory.dmp

Filesize
712KB

Download
memory/1936-6-0x000000007485E000-0x000000007485F000-memory.dmp

Filesize
4KB

Download
memory/2888-0-0x000007FEF59C3000-0x000007FEF59C4000-memory.dmp

Filesize
4KB

Download
memory/2888-2-0x0000000000DA0000-0x0000000000DE0000-memory.dmp

Filesize
256KB

Download
memory/2888-5-0x000000001B2C0000-0x000000001B340000-memory.dmp

Filesize
512KB

Download