umbral | d36f3b379bcafb2f206a5dc18297c0c0fa0fa6afb44f7640da54cd809051b24c

Resubmissions

21-10-2024 16:05

241021-tjgkhaydmc 10

21-10-2024 15:55

241021-tc1d2azhlm 10

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-10-2024 16:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cmclient.exe
Size

227KB
MD5

2ff5eea0426612b967301396523c9835
SHA1

af092e6d35d0c0c09d07102fb7e4416459b3d056
SHA256

d36f3b379bcafb2f206a5dc18297c0c0fa0fa6afb44f7640da54cd809051b24c
SHA512

d442d98abd61aa7f551e3309028e303c4390ab54bb94149d8bf0022b7faab1d70e40c66875f8d997e2203964dc8213084d50b108e088af5b433dce2c225f7a3c
SSDEEP

6144:+loZM+rIkd8g+EtXHkv/iD46NdMiAfbokxUyzzqZYw8e1m9Qi:ooZtL+EP86NdMiAfbokxUyzzqfWJ

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1272-1-0x0000000000120000-0x0000000000160000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 ip-api.com

flow	ioc
6	ip-api.com

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

cmclient.exewmic.exe

description	pid	process
Token: SeDebugPrivilege	1272	cmclient.exe
Token: SeIncreaseQuotaPrivilege	2916	wmic.exe
Token: SeSecurityPrivilege	2916	wmic.exe
Token: SeTakeOwnershipPrivilege	2916	wmic.exe
Token: SeLoadDriverPrivilege	2916	wmic.exe
Token: SeSystemProfilePrivilege	2916	wmic.exe
Token: SeSystemtimePrivilege	2916	wmic.exe
Token: SeProfSingleProcessPrivilege	2916	wmic.exe
Token: SeIncBasePriorityPrivilege	2916	wmic.exe
Token: SeCreatePagefilePrivilege	2916	wmic.exe
Token: SeBackupPrivilege	2916	wmic.exe
Token: SeRestorePrivilege	2916	wmic.exe
Token: SeShutdownPrivilege	2916	wmic.exe
Token: SeDebugPrivilege	2916	wmic.exe
Token: SeSystemEnvironmentPrivilege	2916	wmic.exe
Token: SeRemoteShutdownPrivilege	2916	wmic.exe
Token: SeUndockPrivilege	2916	wmic.exe
Token: SeManageVolumePrivilege	2916	wmic.exe
Token: 33	2916	wmic.exe
Token: 34	2916	wmic.exe
Token: 35	2916	wmic.exe
Token: SeIncreaseQuotaPrivilege	2916	wmic.exe
Token: SeSecurityPrivilege	2916	wmic.exe
Token: SeTakeOwnershipPrivilege	2916	wmic.exe
Token: SeLoadDriverPrivilege	2916	wmic.exe
Token: SeSystemProfilePrivilege	2916	wmic.exe
Token: SeSystemtimePrivilege	2916	wmic.exe
Token: SeProfSingleProcessPrivilege	2916	wmic.exe
Token: SeIncBasePriorityPrivilege	2916	wmic.exe
Token: SeCreatePagefilePrivilege	2916	wmic.exe
Token: SeBackupPrivilege	2916	wmic.exe
Token: SeRestorePrivilege	2916	wmic.exe
Token: SeShutdownPrivilege	2916	wmic.exe
Token: SeDebugPrivilege	2916	wmic.exe
Token: SeSystemEnvironmentPrivilege	2916	wmic.exe
Token: SeRemoteShutdownPrivilege	2916	wmic.exe
Token: SeUndockPrivilege	2916	wmic.exe
Token: SeManageVolumePrivilege	2916	wmic.exe
Token: 33	2916	wmic.exe
Token: 34	2916	wmic.exe
Token: 35	2916	wmic.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmclient.exe

description	pid	process	target process
PID 1272 wrote to memory of 2916	1272	cmclient.exe	wmic.exe
PID 1272 wrote to memory of 2916	1272	cmclient.exe	wmic.exe
PID 1272 wrote to memory of 2916	1272	cmclient.exe	wmic.exe

C:\Users\Admin\AppData\Local\Temp\cmclient.exe
"C:\Users\Admin\AppData\Local\Temp\cmclient.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1272
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2916

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1272-0-0x000007FEF5D13000-0x000007FEF5D14000-memory.dmp

Filesize
4KB

Download
memory/1272-1-0x0000000000120000-0x0000000000160000-memory.dmp

Filesize
256KB

Download
memory/1272-2-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

Filesize
9.9MB

Download
memory/1272-3-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

Filesize
9.9MB

Download