umbral | d36f3b379bcafb2f206a5dc18297c0c0fa0fa6afb44f7640da54cd809051b24c

Analysis

max time kernel
118s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-10-2024 15:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cmclient.exe
Size

227KB
MD5

2ff5eea0426612b967301396523c9835
SHA1

af092e6d35d0c0c09d07102fb7e4416459b3d056
SHA256

d36f3b379bcafb2f206a5dc18297c0c0fa0fa6afb44f7640da54cd809051b24c
SHA512

d442d98abd61aa7f551e3309028e303c4390ab54bb94149d8bf0022b7faab1d70e40c66875f8d997e2203964dc8213084d50b108e088af5b433dce2c225f7a3c
SSDEEP

6144:+loZM+rIkd8g+EtXHkv/iD46NdMiAfbokxUyzzqZYw8e1m9Qi:ooZtL+EP86NdMiAfbokxUyzzqfWJ

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2736-1-0x0000000000120000-0x0000000000160000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 ip-api.com

flow	ioc
6	ip-api.com

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

cmclient.exewmic.exe

description	pid	process
Token: SeDebugPrivilege	2736	cmclient.exe
Token: SeIncreaseQuotaPrivilege	2564	wmic.exe
Token: SeSecurityPrivilege	2564	wmic.exe
Token: SeTakeOwnershipPrivilege	2564	wmic.exe
Token: SeLoadDriverPrivilege	2564	wmic.exe
Token: SeSystemProfilePrivilege	2564	wmic.exe
Token: SeSystemtimePrivilege	2564	wmic.exe
Token: SeProfSingleProcessPrivilege	2564	wmic.exe
Token: SeIncBasePriorityPrivilege	2564	wmic.exe
Token: SeCreatePagefilePrivilege	2564	wmic.exe
Token: SeBackupPrivilege	2564	wmic.exe
Token: SeRestorePrivilege	2564	wmic.exe
Token: SeShutdownPrivilege	2564	wmic.exe
Token: SeDebugPrivilege	2564	wmic.exe
Token: SeSystemEnvironmentPrivilege	2564	wmic.exe
Token: SeRemoteShutdownPrivilege	2564	wmic.exe
Token: SeUndockPrivilege	2564	wmic.exe
Token: SeManageVolumePrivilege	2564	wmic.exe
Token: 33	2564	wmic.exe
Token: 34	2564	wmic.exe
Token: 35	2564	wmic.exe
Token: SeIncreaseQuotaPrivilege	2564	wmic.exe
Token: SeSecurityPrivilege	2564	wmic.exe
Token: SeTakeOwnershipPrivilege	2564	wmic.exe
Token: SeLoadDriverPrivilege	2564	wmic.exe
Token: SeSystemProfilePrivilege	2564	wmic.exe
Token: SeSystemtimePrivilege	2564	wmic.exe
Token: SeProfSingleProcessPrivilege	2564	wmic.exe
Token: SeIncBasePriorityPrivilege	2564	wmic.exe
Token: SeCreatePagefilePrivilege	2564	wmic.exe
Token: SeBackupPrivilege	2564	wmic.exe
Token: SeRestorePrivilege	2564	wmic.exe
Token: SeShutdownPrivilege	2564	wmic.exe
Token: SeDebugPrivilege	2564	wmic.exe
Token: SeSystemEnvironmentPrivilege	2564	wmic.exe
Token: SeRemoteShutdownPrivilege	2564	wmic.exe
Token: SeUndockPrivilege	2564	wmic.exe
Token: SeManageVolumePrivilege	2564	wmic.exe
Token: 33	2564	wmic.exe
Token: 34	2564	wmic.exe
Token: 35	2564	wmic.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmclient.exe

description	pid	process	target process
PID 2736 wrote to memory of 2564	2736	cmclient.exe	wmic.exe
PID 2736 wrote to memory of 2564	2736	cmclient.exe	wmic.exe
PID 2736 wrote to memory of 2564	2736	cmclient.exe	wmic.exe

C:\Users\Admin\AppData\Local\Temp\cmclient.exe
"C:\Users\Admin\AppData\Local\Temp\cmclient.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2564

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2736-0-0x000007FEF5FF3000-0x000007FEF5FF4000-memory.dmp

Filesize
4KB

Download
memory/2736-1-0x0000000000120000-0x0000000000160000-memory.dmp

Filesize
256KB

Download
memory/2736-2-0x000007FEF5FF0000-0x000007FEF69DC000-memory.dmp

Filesize
9.9MB

Download
memory/2736-3-0x000007FEF5FF0000-0x000007FEF69DC000-memory.dmp

Filesize
9.9MB

Download