umbral | b8976bb4f059c9886d2dc60a5dfb3be07cf88326b2638cfab82c7187f00df39e

Analysis

max time kernel
3s
max time network
10s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
18-10-2024 16:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

test.exe
Size

231KB
MD5

82a3b8db52f0c9fa3a8cea6bf73c7ead
SHA1

a386e95563f337c95bb612fd1bcae63da5079aad
SHA256

b8976bb4f059c9886d2dc60a5dfb3be07cf88326b2638cfab82c7187f00df39e
SHA512

21330c77c7cdd0e9f73d7d383e447804a9e60904a672e3dbb839f160d4f765a85d1f0baf7b162f34c75fe509516391565b8af2d5d0212ffb7cb16cb026aef450
SSDEEP

6144:KloZM+7EBw/S6NtFnEPfCJxTzTfpaGJCJoGrruODO8emmm0B:0oZmYS6NZLTzTfpaGJCJoGrruOts

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral1/memory/2536-1-0x000001C79AFB0000-0x000001C79AFF0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	ip-api.com

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	2536	test.exe
Token: SeIncreaseQuotaPrivilege	4468	wmic.exe
Token: SeSecurityPrivilege	4468	wmic.exe
Token: SeTakeOwnershipPrivilege	4468	wmic.exe
Token: SeLoadDriverPrivilege	4468	wmic.exe
Token: SeSystemProfilePrivilege	4468	wmic.exe
Token: SeSystemtimePrivilege	4468	wmic.exe
Token: SeProfSingleProcessPrivilege	4468	wmic.exe
Token: SeIncBasePriorityPrivilege	4468	wmic.exe
Token: SeCreatePagefilePrivilege	4468	wmic.exe
Token: SeBackupPrivilege	4468	wmic.exe
Token: SeRestorePrivilege	4468	wmic.exe
Token: SeShutdownPrivilege	4468	wmic.exe
Token: SeDebugPrivilege	4468	wmic.exe
Token: SeSystemEnvironmentPrivilege	4468	wmic.exe
Token: SeRemoteShutdownPrivilege	4468	wmic.exe
Token: SeUndockPrivilege	4468	wmic.exe
Token: SeManageVolumePrivilege	4468	wmic.exe
Token: 33	4468	wmic.exe
Token: 34	4468	wmic.exe
Token: 35	4468	wmic.exe
Token: 36	4468	wmic.exe
Token: SeIncreaseQuotaPrivilege	4468	wmic.exe
Token: SeSecurityPrivilege	4468	wmic.exe
Token: SeTakeOwnershipPrivilege	4468	wmic.exe
Token: SeLoadDriverPrivilege	4468	wmic.exe
Token: SeSystemProfilePrivilege	4468	wmic.exe
Token: SeSystemtimePrivilege	4468	wmic.exe
Token: SeProfSingleProcessPrivilege	4468	wmic.exe
Token: SeIncBasePriorityPrivilege	4468	wmic.exe
Token: SeCreatePagefilePrivilege	4468	wmic.exe
Token: SeBackupPrivilege	4468	wmic.exe
Token: SeRestorePrivilege	4468	wmic.exe
Token: SeShutdownPrivilege	4468	wmic.exe
Token: SeDebugPrivilege	4468	wmic.exe
Token: SeSystemEnvironmentPrivilege	4468	wmic.exe
Token: SeRemoteShutdownPrivilege	4468	wmic.exe
Token: SeUndockPrivilege	4468	wmic.exe
Token: SeManageVolumePrivilege	4468	wmic.exe
Token: 33	4468	wmic.exe
Token: 34	4468	wmic.exe
Token: 35	4468	wmic.exe
Token: 36	4468	wmic.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 4468	2536	test.exe	71
PID 2536 wrote to memory of 4468	2536	test.exe	71

C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4468

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2536-0-0x00007FF925653000-0x00007FF925654000-memory.dmp

Filesize
4KB

Download
memory/2536-1-0x000001C79AFB0000-0x000001C79AFF0000-memory.dmp

Filesize
256KB

Download
memory/2536-2-0x00007FF925650000-0x00007FF92603C000-memory.dmp

Filesize
9.9MB

Download
memory/2536-4-0x00007FF925650000-0x00007FF92603C000-memory.dmp

Filesize
9.9MB

Download