umbral | f1957d71c46891f4531175340ff6d01cfab6ec22f17bec699bfa0c803c0964dc

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-10-2024 05:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Umbra1.exe
Size

227KB
MD5

e05f912c51e4a9928935a2738eab71fb
SHA1

d200445ad98692386f1980466139533e8e63903c
SHA256

f1957d71c46891f4531175340ff6d01cfab6ec22f17bec699bfa0c803c0964dc
SHA512

35bb91dd64598ddf2c839097b398c1aa685b82abf60781fc1684d26490c096c3adc3f6cfa4f56be4d2a5aa6ac987acd369626072735d0e16185f55dfc53163e7
SSDEEP

6144:eloZM+rIkd8g+EtXHkv/iD4A0CoNbYMTUqL9Y0hIVb8e1m7i:IoZtL+EP8A0CoNbYMTUqL9Y0hYx

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral2/memory/4904-1-0x0000024D8BA30000-0x0000024D8BA70000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
9	ip-api.com

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	4904	Umbra1.exe
Token: SeIncreaseQuotaPrivilege	4816	wmic.exe
Token: SeSecurityPrivilege	4816	wmic.exe
Token: SeTakeOwnershipPrivilege	4816	wmic.exe
Token: SeLoadDriverPrivilege	4816	wmic.exe
Token: SeSystemProfilePrivilege	4816	wmic.exe
Token: SeSystemtimePrivilege	4816	wmic.exe
Token: SeProfSingleProcessPrivilege	4816	wmic.exe
Token: SeIncBasePriorityPrivilege	4816	wmic.exe
Token: SeCreatePagefilePrivilege	4816	wmic.exe
Token: SeBackupPrivilege	4816	wmic.exe
Token: SeRestorePrivilege	4816	wmic.exe
Token: SeShutdownPrivilege	4816	wmic.exe
Token: SeDebugPrivilege	4816	wmic.exe
Token: SeSystemEnvironmentPrivilege	4816	wmic.exe
Token: SeRemoteShutdownPrivilege	4816	wmic.exe
Token: SeUndockPrivilege	4816	wmic.exe
Token: SeManageVolumePrivilege	4816	wmic.exe
Token: 33	4816	wmic.exe
Token: 34	4816	wmic.exe
Token: 35	4816	wmic.exe
Token: 36	4816	wmic.exe
Token: SeIncreaseQuotaPrivilege	4816	wmic.exe
Token: SeSecurityPrivilege	4816	wmic.exe
Token: SeTakeOwnershipPrivilege	4816	wmic.exe
Token: SeLoadDriverPrivilege	4816	wmic.exe
Token: SeSystemProfilePrivilege	4816	wmic.exe
Token: SeSystemtimePrivilege	4816	wmic.exe
Token: SeProfSingleProcessPrivilege	4816	wmic.exe
Token: SeIncBasePriorityPrivilege	4816	wmic.exe
Token: SeCreatePagefilePrivilege	4816	wmic.exe
Token: SeBackupPrivilege	4816	wmic.exe
Token: SeRestorePrivilege	4816	wmic.exe
Token: SeShutdownPrivilege	4816	wmic.exe
Token: SeDebugPrivilege	4816	wmic.exe
Token: SeSystemEnvironmentPrivilege	4816	wmic.exe
Token: SeRemoteShutdownPrivilege	4816	wmic.exe
Token: SeUndockPrivilege	4816	wmic.exe
Token: SeManageVolumePrivilege	4816	wmic.exe
Token: 33	4816	wmic.exe
Token: 34	4816	wmic.exe
Token: 35	4816	wmic.exe
Token: 36	4816	wmic.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4904 wrote to memory of 4816	4904	Umbra1.exe	85
PID 4904 wrote to memory of 4816	4904	Umbra1.exe	85

C:\Users\Admin\AppData\Local\Temp\Umbra1.exe
"C:\Users\Admin\AppData\Local\Temp\Umbra1.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4904
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4816

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4904-0-0x00007FFB5E6D3000-0x00007FFB5E6D5000-memory.dmp

Filesize
8KB

Download
memory/4904-1-0x0000024D8BA30000-0x0000024D8BA70000-memory.dmp

Filesize
256KB

Download
memory/4904-2-0x00007FFB5E6D0000-0x00007FFB5F191000-memory.dmp

Filesize
10.8MB

Download
memory/4904-4-0x00007FFB5E6D0000-0x00007FFB5F191000-memory.dmp

Filesize
10.8MB

Download