umbral | d36f3b379bcafb2f206a5dc18297c0c0fa0fa6afb44f7640da54cd809051b24c

Analysis

max time kernel
134s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-10-2024 15:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cmclient.exe
Size

227KB
MD5

2ff5eea0426612b967301396523c9835
SHA1

af092e6d35d0c0c09d07102fb7e4416459b3d056
SHA256

d36f3b379bcafb2f206a5dc18297c0c0fa0fa6afb44f7640da54cd809051b24c
SHA512

d442d98abd61aa7f551e3309028e303c4390ab54bb94149d8bf0022b7faab1d70e40c66875f8d997e2203964dc8213084d50b108e088af5b433dce2c225f7a3c
SSDEEP

6144:+loZM+rIkd8g+EtXHkv/iD46NdMiAfbokxUyzzqZYw8e1m9Qi:ooZtL+EP86NdMiAfbokxUyzzqfWJ

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral2/memory/1384-1-0x00000229902A0000-0x00000229902E0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ip-api.com

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	1384	cmclient.exe
Token: SeIncreaseQuotaPrivilege	2912	wmic.exe
Token: SeSecurityPrivilege	2912	wmic.exe
Token: SeTakeOwnershipPrivilege	2912	wmic.exe
Token: SeLoadDriverPrivilege	2912	wmic.exe
Token: SeSystemProfilePrivilege	2912	wmic.exe
Token: SeSystemtimePrivilege	2912	wmic.exe
Token: SeProfSingleProcessPrivilege	2912	wmic.exe
Token: SeIncBasePriorityPrivilege	2912	wmic.exe
Token: SeCreatePagefilePrivilege	2912	wmic.exe
Token: SeBackupPrivilege	2912	wmic.exe
Token: SeRestorePrivilege	2912	wmic.exe
Token: SeShutdownPrivilege	2912	wmic.exe
Token: SeDebugPrivilege	2912	wmic.exe
Token: SeSystemEnvironmentPrivilege	2912	wmic.exe
Token: SeRemoteShutdownPrivilege	2912	wmic.exe
Token: SeUndockPrivilege	2912	wmic.exe
Token: SeManageVolumePrivilege	2912	wmic.exe
Token: 33	2912	wmic.exe
Token: 34	2912	wmic.exe
Token: 35	2912	wmic.exe
Token: 36	2912	wmic.exe
Token: SeIncreaseQuotaPrivilege	2912	wmic.exe
Token: SeSecurityPrivilege	2912	wmic.exe
Token: SeTakeOwnershipPrivilege	2912	wmic.exe
Token: SeLoadDriverPrivilege	2912	wmic.exe
Token: SeSystemProfilePrivilege	2912	wmic.exe
Token: SeSystemtimePrivilege	2912	wmic.exe
Token: SeProfSingleProcessPrivilege	2912	wmic.exe
Token: SeIncBasePriorityPrivilege	2912	wmic.exe
Token: SeCreatePagefilePrivilege	2912	wmic.exe
Token: SeBackupPrivilege	2912	wmic.exe
Token: SeRestorePrivilege	2912	wmic.exe
Token: SeShutdownPrivilege	2912	wmic.exe
Token: SeDebugPrivilege	2912	wmic.exe
Token: SeSystemEnvironmentPrivilege	2912	wmic.exe
Token: SeRemoteShutdownPrivilege	2912	wmic.exe
Token: SeUndockPrivilege	2912	wmic.exe
Token: SeManageVolumePrivilege	2912	wmic.exe
Token: 33	2912	wmic.exe
Token: 34	2912	wmic.exe
Token: 35	2912	wmic.exe
Token: 36	2912	wmic.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1384 wrote to memory of 2912	1384	cmclient.exe	84
PID 1384 wrote to memory of 2912	1384	cmclient.exe	84

C:\Users\Admin\AppData\Local\Temp\cmclient.exe
"C:\Users\Admin\AppData\Local\Temp\cmclient.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1384
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2912

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1384-0-0x00007FFDC0AB3000-0x00007FFDC0AB5000-memory.dmp

Filesize
8KB

Download
memory/1384-1-0x00000229902A0000-0x00000229902E0000-memory.dmp

Filesize
256KB

Download
memory/1384-2-0x00007FFDC0AB0000-0x00007FFDC1571000-memory.dmp

Filesize
10.8MB

Download
memory/1384-4-0x00007FFDC0AB0000-0x00007FFDC1571000-memory.dmp

Filesize
10.8MB

Download