umbral | e88b3a06ac0cbf4130b1c66dde276a4062f472a71d2bf72048ffb577318d5979

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-10-2024 21:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GeoLocate (1)/GeoLocate/Start.bat
Size

65B
MD5

35fe1bc3ce269544b91a4f9d224627c6
SHA1

6c84b83ed36f95b805687e5c500e44faf0d144db
SHA256

6ed72f86689c84cc2f2680a99d47dd92a4dc9941ff483530814148a587e729c7
SHA512

aa72112556953f27f84e1b97de54574776a5043e924caf0935fac3db4c0c6a13db4a85467f7df0755667860b591ae50252358e72374a766a93a18ecfb3ec1403

Score

10^/10

umbral discovery stealer

Malware Config

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral7/memory/2364-2-0x0000000000BE0000-0x0000000000C20000-memory.dmp	family_umbral
behavioral7/memory/2364-5-0x000000001B2D0000-0x000000001B350000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ip-api.com

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GeoLocate.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2836	GeoLocate.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeDebugPrivilege	2364	skid.exe
Token: SeIncreaseQuotaPrivilege	3060	wmic.exe
Token: SeSecurityPrivilege	3060	wmic.exe
Token: SeTakeOwnershipPrivilege	3060	wmic.exe
Token: SeLoadDriverPrivilege	3060	wmic.exe
Token: SeSystemProfilePrivilege	3060	wmic.exe
Token: SeSystemtimePrivilege	3060	wmic.exe
Token: SeProfSingleProcessPrivilege	3060	wmic.exe
Token: SeIncBasePriorityPrivilege	3060	wmic.exe
Token: SeCreatePagefilePrivilege	3060	wmic.exe
Token: SeBackupPrivilege	3060	wmic.exe
Token: SeRestorePrivilege	3060	wmic.exe
Token: SeShutdownPrivilege	3060	wmic.exe
Token: SeDebugPrivilege	3060	wmic.exe
Token: SeSystemEnvironmentPrivilege	3060	wmic.exe
Token: SeRemoteShutdownPrivilege	3060	wmic.exe
Token: SeUndockPrivilege	3060	wmic.exe
Token: SeManageVolumePrivilege	3060	wmic.exe
Token: 33	3060	wmic.exe
Token: 34	3060	wmic.exe
Token: 35	3060	wmic.exe
Token: SeIncreaseQuotaPrivilege	3060	wmic.exe
Token: SeSecurityPrivilege	3060	wmic.exe
Token: SeTakeOwnershipPrivilege	3060	wmic.exe
Token: SeLoadDriverPrivilege	3060	wmic.exe
Token: SeSystemProfilePrivilege	3060	wmic.exe
Token: SeSystemtimePrivilege	3060	wmic.exe
Token: SeProfSingleProcessPrivilege	3060	wmic.exe
Token: SeIncBasePriorityPrivilege	3060	wmic.exe
Token: SeCreatePagefilePrivilege	3060	wmic.exe
Token: SeBackupPrivilege	3060	wmic.exe
Token: SeRestorePrivilege	3060	wmic.exe
Token: SeShutdownPrivilege	3060	wmic.exe
Token: SeDebugPrivilege	3060	wmic.exe
Token: SeSystemEnvironmentPrivilege	3060	wmic.exe
Token: SeRemoteShutdownPrivilege	3060	wmic.exe
Token: SeUndockPrivilege	3060	wmic.exe
Token: SeManageVolumePrivilege	3060	wmic.exe
Token: 33	3060	wmic.exe
Token: 34	3060	wmic.exe
Token: 35	3060	wmic.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2836	2232	cmd.exe	32
PID 2232 wrote to memory of 2836	2232	cmd.exe	32
PID 2232 wrote to memory of 2836	2232	cmd.exe	32
PID 2232 wrote to memory of 2836	2232	cmd.exe	32
PID 2232 wrote to memory of 2364	2232	cmd.exe	33
PID 2232 wrote to memory of 2364	2232	cmd.exe	33
PID 2232 wrote to memory of 2364	2232	cmd.exe	33
PID 2364 wrote to memory of 3060	2364	skid.exe	35
PID 2364 wrote to memory of 3060	2364	skid.exe	35
PID 2364 wrote to memory of 3060	2364	skid.exe	35

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\GeoLocate (1)\GeoLocate\Start.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Users\Admin\AppData\Local\Temp\GeoLocate (1)\GeoLocate\Src\GeoLocate.exe
  Src/GeoLocate.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2836
- C:\Users\Admin\AppData\Local\Temp\GeoLocate (1)\GeoLocate\Src\Files\skid.exe
  Src/Files/skid.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2364-0-0x000007FEF5BD3000-0x000007FEF5BD4000-memory.dmp

Filesize
4KB

Download
memory/2364-2-0x0000000000BE0000-0x0000000000C20000-memory.dmp

Filesize
256KB

Download
memory/2364-5-0x000000001B2D0000-0x000000001B350000-memory.dmp

Filesize
512KB

Download
memory/2836-1-0x000000007465E000-0x000000007465F000-memory.dmp

Filesize
4KB

Download
memory/2836-3-0x0000000000DB0000-0x0000000000DB8000-memory.dmp

Filesize
32KB

Download
memory/2836-4-0x0000000000790000-0x0000000000842000-memory.dmp

Filesize
712KB

Download
memory/2836-6-0x000000007465E000-0x000000007465F000-memory.dmp

Filesize
4KB

Download