umbral | 839498d96202c30898aefe9567bf03a5612f437829886b3d6db1839c9d058466

Analysis

max time kernel
316s
max time network
1590s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
16-10-2024 14:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RC7.exe
Size

232KB
MD5

d59f28e91f0758221b66e6f5c4cc793c
SHA1

5cf89331e57cabba6b6844ee0d1ee3bb5916c7a2
SHA256

839498d96202c30898aefe9567bf03a5612f437829886b3d6db1839c9d058466
SHA512

ee27b92796473a021a104581d950438a367a37dd7214b73ef70af59cccfe64e6460a38fabc7a2e9f1a77194e99902e280823701499f8212a7df64151f10bf642
SSDEEP

6144:RloZM+rIkd8g+EtXHkv/iD4o3l8rRiK1ewBzOuraAb8e1mw4i:joZtL+EP8o3l8rRiK1ewBzOur/hB

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral1/memory/3640-1-0x000001F4BFE60000-0x000001F4BFEA0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	3640	RC7.exe
Token: SeIncreaseQuotaPrivilege	1252	wmic.exe
Token: SeSecurityPrivilege	1252	wmic.exe
Token: SeTakeOwnershipPrivilege	1252	wmic.exe
Token: SeLoadDriverPrivilege	1252	wmic.exe
Token: SeSystemProfilePrivilege	1252	wmic.exe
Token: SeSystemtimePrivilege	1252	wmic.exe
Token: SeProfSingleProcessPrivilege	1252	wmic.exe
Token: SeIncBasePriorityPrivilege	1252	wmic.exe
Token: SeCreatePagefilePrivilege	1252	wmic.exe
Token: SeBackupPrivilege	1252	wmic.exe
Token: SeRestorePrivilege	1252	wmic.exe
Token: SeShutdownPrivilege	1252	wmic.exe
Token: SeDebugPrivilege	1252	wmic.exe
Token: SeSystemEnvironmentPrivilege	1252	wmic.exe
Token: SeRemoteShutdownPrivilege	1252	wmic.exe
Token: SeUndockPrivilege	1252	wmic.exe
Token: SeManageVolumePrivilege	1252	wmic.exe
Token: 33	1252	wmic.exe
Token: 34	1252	wmic.exe
Token: 35	1252	wmic.exe
Token: 36	1252	wmic.exe
Token: SeIncreaseQuotaPrivilege	1252	wmic.exe
Token: SeSecurityPrivilege	1252	wmic.exe
Token: SeTakeOwnershipPrivilege	1252	wmic.exe
Token: SeLoadDriverPrivilege	1252	wmic.exe
Token: SeSystemProfilePrivilege	1252	wmic.exe
Token: SeSystemtimePrivilege	1252	wmic.exe
Token: SeProfSingleProcessPrivilege	1252	wmic.exe
Token: SeIncBasePriorityPrivilege	1252	wmic.exe
Token: SeCreatePagefilePrivilege	1252	wmic.exe
Token: SeBackupPrivilege	1252	wmic.exe
Token: SeRestorePrivilege	1252	wmic.exe
Token: SeShutdownPrivilege	1252	wmic.exe
Token: SeDebugPrivilege	1252	wmic.exe
Token: SeSystemEnvironmentPrivilege	1252	wmic.exe
Token: SeRemoteShutdownPrivilege	1252	wmic.exe
Token: SeUndockPrivilege	1252	wmic.exe
Token: SeManageVolumePrivilege	1252	wmic.exe
Token: 33	1252	wmic.exe
Token: 34	1252	wmic.exe
Token: 35	1252	wmic.exe
Token: 36	1252	wmic.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3640 wrote to memory of 1252	3640	RC7.exe	73
PID 3640 wrote to memory of 1252	3640	RC7.exe	73

C:\Users\Admin\AppData\Local\Temp\RC7.exe
"C:\Users\Admin\AppData\Local\Temp\RC7.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3640
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1252

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\SyncShow.vbe"
1⤵
PID:540

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3640-0-0x00007FFB54CE3000-0x00007FFB54CE4000-memory.dmp

Filesize
4KB

Download
memory/3640-1-0x000001F4BFE60000-0x000001F4BFEA0000-memory.dmp

Filesize
256KB

Download
memory/3640-2-0x00007FFB54CE0000-0x00007FFB556CC000-memory.dmp

Filesize
9.9MB

Download
memory/3640-4-0x00007FFB54CE0000-0x00007FFB556CC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads