umbral | 3a2b81f84a4ed157b1a059be3046930972ee8480be3b67ebf15e9bbc941cf883

Analysis

max time kernel
15s
max time network
21s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
15-10-2024 00:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Primordial/Primordial.exe
Size

231KB
MD5

2a9d5da0bb69d53e1b68178bc63e9390
SHA1

b1170f7ca36ea613188a272dc8ff8720a586de3a
SHA256

b575e722311556b67bc4f2ff77470063e5453e8f9952ddcd33afec9bdefc3902
SHA512

372288f96c8d39cba9529e7c44ce4b083eddf50dc3c3317b7b97c02d07018cdc2e0913da3e8309d548f80d68c95b9dd65e4febd4d7ca3b4d6a8df3360cf6aca3
SSDEEP

6144:RloZM+rIkd8g+EtXHkv/iD4ZvHYe5xypXKYZd8ZC6lY8e1mGi:joZtL+EP8pHYe5xypXKYZd8dk2

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

Processes:

resource	yara_rule
behavioral16/memory/3280-1-0x0000023F5A5F0000-0x0000023F5A630000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com

flow	ioc
4	ip-api.com

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

Primordial.exewmic.exe

description	pid	process
Token: SeDebugPrivilege	3280	Primordial.exe
Token: SeIncreaseQuotaPrivilege	4160	wmic.exe
Token: SeSecurityPrivilege	4160	wmic.exe
Token: SeTakeOwnershipPrivilege	4160	wmic.exe
Token: SeLoadDriverPrivilege	4160	wmic.exe
Token: SeSystemProfilePrivilege	4160	wmic.exe
Token: SeSystemtimePrivilege	4160	wmic.exe
Token: SeProfSingleProcessPrivilege	4160	wmic.exe
Token: SeIncBasePriorityPrivilege	4160	wmic.exe
Token: SeCreatePagefilePrivilege	4160	wmic.exe
Token: SeBackupPrivilege	4160	wmic.exe
Token: SeRestorePrivilege	4160	wmic.exe
Token: SeShutdownPrivilege	4160	wmic.exe
Token: SeDebugPrivilege	4160	wmic.exe
Token: SeSystemEnvironmentPrivilege	4160	wmic.exe
Token: SeRemoteShutdownPrivilege	4160	wmic.exe
Token: SeUndockPrivilege	4160	wmic.exe
Token: SeManageVolumePrivilege	4160	wmic.exe
Token: 33	4160	wmic.exe
Token: 34	4160	wmic.exe
Token: 35	4160	wmic.exe
Token: 36	4160	wmic.exe
Token: SeIncreaseQuotaPrivilege	4160	wmic.exe
Token: SeSecurityPrivilege	4160	wmic.exe
Token: SeTakeOwnershipPrivilege	4160	wmic.exe
Token: SeLoadDriverPrivilege	4160	wmic.exe
Token: SeSystemProfilePrivilege	4160	wmic.exe
Token: SeSystemtimePrivilege	4160	wmic.exe
Token: SeProfSingleProcessPrivilege	4160	wmic.exe
Token: SeIncBasePriorityPrivilege	4160	wmic.exe
Token: SeCreatePagefilePrivilege	4160	wmic.exe
Token: SeBackupPrivilege	4160	wmic.exe
Token: SeRestorePrivilege	4160	wmic.exe
Token: SeShutdownPrivilege	4160	wmic.exe
Token: SeDebugPrivilege	4160	wmic.exe
Token: SeSystemEnvironmentPrivilege	4160	wmic.exe
Token: SeRemoteShutdownPrivilege	4160	wmic.exe
Token: SeUndockPrivilege	4160	wmic.exe
Token: SeManageVolumePrivilege	4160	wmic.exe
Token: 33	4160	wmic.exe
Token: 34	4160	wmic.exe
Token: 35	4160	wmic.exe
Token: 36	4160	wmic.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

Primordial.exe

description	pid	process	target process
PID 3280 wrote to memory of 4160	3280	Primordial.exe	wmic.exe
PID 3280 wrote to memory of 4160	3280	Primordial.exe	wmic.exe

C:\Users\Admin\AppData\Local\Temp\Primordial\Primordial.exe
"C:\Users\Admin\AppData\Local\Temp\Primordial\Primordial.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3280
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4160

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3280-0-0x00007FFF49BA3000-0x00007FFF49BA4000-memory.dmp

Filesize
4KB

Download
memory/3280-1-0x0000023F5A5F0000-0x0000023F5A630000-memory.dmp

Filesize
256KB

Download
memory/3280-2-0x00007FFF49BA0000-0x00007FFF4A58C000-memory.dmp

Filesize
9.9MB

Download
memory/3280-4-0x00007FFF49BA0000-0x00007FFF4A58C000-memory.dmp

Filesize
9.9MB

Download