Analysis
-
max time kernel
16s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
18-10-2024 16:37
Behavioral task
behavioral1
Sample
Umbral.bin.exe
Resource
win7-20240903-en
windows7-x64
5 signatures
150 seconds
General
-
Target
Umbral.bin.exe
-
Size
232KB
-
MD5
1377d5688f3780885e77a0ec534be5b7
-
SHA1
91628df86ab2fdf204781d970d0635103a01aa1d
-
SHA256
f925d39bf8715d44d8558e287076c2783318767b3dda49715147cb38a762c5a2
-
SHA512
b4fb4e7d708fc1167d193e44ce8b44187e2ac69b8bfa522f7b2e8d9871eebefc6b60e9521aa7e444c3c21b986112b4c2f91ced78d2a9b2bc79b569817c4564c2
-
SSDEEP
6144:KloZM+rIkd8g+EtXHkv/iD4/fvrsyVtGDTOMdWDjo+b8e1mNoi:0oZtL+EP8/fvrsyVtGDTOMdWDvQ
Malware Config
Signatures
-
Detect Umbral payload 1 IoCs
resource yara_rule behavioral1/memory/2220-1-0x0000000000900000-0x0000000000940000-memory.dmp family_umbral -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 6 ip-api.com -
Suspicious use of AdjustPrivilegeToken 41 IoCs
description pid Process Token: SeDebugPrivilege 2220 Umbral.bin.exe Token: SeIncreaseQuotaPrivilege 2820 wmic.exe Token: SeSecurityPrivilege 2820 wmic.exe Token: SeTakeOwnershipPrivilege 2820 wmic.exe Token: SeLoadDriverPrivilege 2820 wmic.exe Token: SeSystemProfilePrivilege 2820 wmic.exe Token: SeSystemtimePrivilege 2820 wmic.exe Token: SeProfSingleProcessPrivilege 2820 wmic.exe Token: SeIncBasePriorityPrivilege 2820 wmic.exe Token: SeCreatePagefilePrivilege 2820 wmic.exe Token: SeBackupPrivilege 2820 wmic.exe Token: SeRestorePrivilege 2820 wmic.exe Token: SeShutdownPrivilege 2820 wmic.exe Token: SeDebugPrivilege 2820 wmic.exe Token: SeSystemEnvironmentPrivilege 2820 wmic.exe Token: SeRemoteShutdownPrivilege 2820 wmic.exe Token: SeUndockPrivilege 2820 wmic.exe Token: SeManageVolumePrivilege 2820 wmic.exe Token: 33 2820 wmic.exe Token: 34 2820 wmic.exe Token: 35 2820 wmic.exe Token: SeIncreaseQuotaPrivilege 2820 wmic.exe Token: SeSecurityPrivilege 2820 wmic.exe Token: SeTakeOwnershipPrivilege 2820 wmic.exe Token: SeLoadDriverPrivilege 2820 wmic.exe Token: SeSystemProfilePrivilege 2820 wmic.exe Token: SeSystemtimePrivilege 2820 wmic.exe Token: SeProfSingleProcessPrivilege 2820 wmic.exe Token: SeIncBasePriorityPrivilege 2820 wmic.exe Token: SeCreatePagefilePrivilege 2820 wmic.exe Token: SeBackupPrivilege 2820 wmic.exe Token: SeRestorePrivilege 2820 wmic.exe Token: SeShutdownPrivilege 2820 wmic.exe Token: SeDebugPrivilege 2820 wmic.exe Token: SeSystemEnvironmentPrivilege 2820 wmic.exe Token: SeRemoteShutdownPrivilege 2820 wmic.exe Token: SeUndockPrivilege 2820 wmic.exe Token: SeManageVolumePrivilege 2820 wmic.exe Token: 33 2820 wmic.exe Token: 34 2820 wmic.exe Token: 35 2820 wmic.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2220 wrote to memory of 2820 2220 Umbral.bin.exe 31 PID 2220 wrote to memory of 2820 2220 Umbral.bin.exe 31 PID 2220 wrote to memory of 2820 2220 Umbral.bin.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\Umbral.bin.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.bin.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2820
-
Network
-
Remote address:8.8.8.8:53Requestgstatic.comIN AResponsegstatic.comIN A142.250.179.227
-
Remote address:142.250.179.227:443RequestGET /generate_204 HTTP/1.1
Host: gstatic.com
Connection: Keep-Alive
ResponseHTTP/1.1 204 No Content
Cross-Origin-Resource-Policy: cross-origin
Date: Fri, 18 Oct 2024 16:37:42 GMT
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
-
Remote address:8.8.8.8:53Requestip-api.comIN AResponseip-api.comIN A208.95.112.1
-
Remote address:208.95.112.1:80RequestGET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8
Content-Length: 5
Access-Control-Allow-Origin: *
X-Ttl: 58
X-Rl: 43
-
752 B 4.7kB 9 9
HTTP Request
GET https://gstatic.com/generate_204HTTP Response
204 -
264 B 266 B 4 2
HTTP Request
GET http://ip-api.com/line/?fields=hostingHTTP Response
200