umbral | f1957d71c46891f4531175340ff6d01cfab6ec22f17bec699bfa0c803c0964dc

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
18/10/2024, 05:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Umbra1.exe
Size

227KB
MD5

e05f912c51e4a9928935a2738eab71fb
SHA1

d200445ad98692386f1980466139533e8e63903c
SHA256

f1957d71c46891f4531175340ff6d01cfab6ec22f17bec699bfa0c803c0964dc
SHA512

35bb91dd64598ddf2c839097b398c1aa685b82abf60781fc1684d26490c096c3adc3f6cfa4f56be4d2a5aa6ac987acd369626072735d0e16185f55dfc53163e7
SSDEEP

6144:eloZM+rIkd8g+EtXHkv/iD4A0CoNbYMTUqL9Y0hIVb8e1m7i:IoZtL+EP8A0CoNbYMTUqL9Y0hYx

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral1/memory/1528-1-0x0000000000960000-0x00000000009A0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ip-api.com

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeDebugPrivilege	1528	Umbra1.exe
Token: SeIncreaseQuotaPrivilege	2128	wmic.exe
Token: SeSecurityPrivilege	2128	wmic.exe
Token: SeTakeOwnershipPrivilege	2128	wmic.exe
Token: SeLoadDriverPrivilege	2128	wmic.exe
Token: SeSystemProfilePrivilege	2128	wmic.exe
Token: SeSystemtimePrivilege	2128	wmic.exe
Token: SeProfSingleProcessPrivilege	2128	wmic.exe
Token: SeIncBasePriorityPrivilege	2128	wmic.exe
Token: SeCreatePagefilePrivilege	2128	wmic.exe
Token: SeBackupPrivilege	2128	wmic.exe
Token: SeRestorePrivilege	2128	wmic.exe
Token: SeShutdownPrivilege	2128	wmic.exe
Token: SeDebugPrivilege	2128	wmic.exe
Token: SeSystemEnvironmentPrivilege	2128	wmic.exe
Token: SeRemoteShutdownPrivilege	2128	wmic.exe
Token: SeUndockPrivilege	2128	wmic.exe
Token: SeManageVolumePrivilege	2128	wmic.exe
Token: 33	2128	wmic.exe
Token: 34	2128	wmic.exe
Token: 35	2128	wmic.exe
Token: SeIncreaseQuotaPrivilege	2128	wmic.exe
Token: SeSecurityPrivilege	2128	wmic.exe
Token: SeTakeOwnershipPrivilege	2128	wmic.exe
Token: SeLoadDriverPrivilege	2128	wmic.exe
Token: SeSystemProfilePrivilege	2128	wmic.exe
Token: SeSystemtimePrivilege	2128	wmic.exe
Token: SeProfSingleProcessPrivilege	2128	wmic.exe
Token: SeIncBasePriorityPrivilege	2128	wmic.exe
Token: SeCreatePagefilePrivilege	2128	wmic.exe
Token: SeBackupPrivilege	2128	wmic.exe
Token: SeRestorePrivilege	2128	wmic.exe
Token: SeShutdownPrivilege	2128	wmic.exe
Token: SeDebugPrivilege	2128	wmic.exe
Token: SeSystemEnvironmentPrivilege	2128	wmic.exe
Token: SeRemoteShutdownPrivilege	2128	wmic.exe
Token: SeUndockPrivilege	2128	wmic.exe
Token: SeManageVolumePrivilege	2128	wmic.exe
Token: 33	2128	wmic.exe
Token: 34	2128	wmic.exe
Token: 35	2128	wmic.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1528 wrote to memory of 2128	1528	Umbra1.exe	30
PID 1528 wrote to memory of 2128	1528	Umbra1.exe	30
PID 1528 wrote to memory of 2128	1528	Umbra1.exe	30

C:\Users\Admin\AppData\Local\Temp\Umbra1.exe
"C:\Users\Admin\AppData\Local\Temp\Umbra1.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1528
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2128

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1528-0-0x000007FEF5103000-0x000007FEF5104000-memory.dmp

Filesize
4KB

Download
memory/1528-1-0x0000000000960000-0x00000000009A0000-memory.dmp

Filesize
256KB

Download
memory/1528-2-0x000007FEF5100000-0x000007FEF5AEC000-memory.dmp

Filesize
9.9MB

Download
memory/1528-3-0x000007FEF5100000-0x000007FEF5AEC000-memory.dmp

Filesize
9.9MB

Download