umbral | b575e722311556b67bc4f2ff77470063e5453e8f9952ddcd33afec9bdefc3902

Analysis

max time kernel
102s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-10-2024 20:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Neverlose.exe
Size

231KB
MD5

2a9d5da0bb69d53e1b68178bc63e9390
SHA1

b1170f7ca36ea613188a272dc8ff8720a586de3a
SHA256

b575e722311556b67bc4f2ff77470063e5453e8f9952ddcd33afec9bdefc3902
SHA512

372288f96c8d39cba9529e7c44ce4b083eddf50dc3c3317b7b97c02d07018cdc2e0913da3e8309d548f80d68c95b9dd65e4febd4d7ca3b4d6a8df3360cf6aca3
SSDEEP

6144:RloZM+rIkd8g+EtXHkv/iD4ZvHYe5xypXKYZd8ZC6lY8e1mGi:joZtL+EP8pHYe5xypXKYZd8dk2

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3064-1-0x00000278421C0000-0x0000027842200000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com

flow	ioc
4	ip-api.com

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

Neverlose.exewmic.exe

description	pid	process
Token: SeDebugPrivilege	3064	Neverlose.exe
Token: SeIncreaseQuotaPrivilege	1548	wmic.exe
Token: SeSecurityPrivilege	1548	wmic.exe
Token: SeTakeOwnershipPrivilege	1548	wmic.exe
Token: SeLoadDriverPrivilege	1548	wmic.exe
Token: SeSystemProfilePrivilege	1548	wmic.exe
Token: SeSystemtimePrivilege	1548	wmic.exe
Token: SeProfSingleProcessPrivilege	1548	wmic.exe
Token: SeIncBasePriorityPrivilege	1548	wmic.exe
Token: SeCreatePagefilePrivilege	1548	wmic.exe
Token: SeBackupPrivilege	1548	wmic.exe
Token: SeRestorePrivilege	1548	wmic.exe
Token: SeShutdownPrivilege	1548	wmic.exe
Token: SeDebugPrivilege	1548	wmic.exe
Token: SeSystemEnvironmentPrivilege	1548	wmic.exe
Token: SeRemoteShutdownPrivilege	1548	wmic.exe
Token: SeUndockPrivilege	1548	wmic.exe
Token: SeManageVolumePrivilege	1548	wmic.exe
Token: 33	1548	wmic.exe
Token: 34	1548	wmic.exe
Token: 35	1548	wmic.exe
Token: 36	1548	wmic.exe
Token: SeIncreaseQuotaPrivilege	1548	wmic.exe
Token: SeSecurityPrivilege	1548	wmic.exe
Token: SeTakeOwnershipPrivilege	1548	wmic.exe
Token: SeLoadDriverPrivilege	1548	wmic.exe
Token: SeSystemProfilePrivilege	1548	wmic.exe
Token: SeSystemtimePrivilege	1548	wmic.exe
Token: SeProfSingleProcessPrivilege	1548	wmic.exe
Token: SeIncBasePriorityPrivilege	1548	wmic.exe
Token: SeCreatePagefilePrivilege	1548	wmic.exe
Token: SeBackupPrivilege	1548	wmic.exe
Token: SeRestorePrivilege	1548	wmic.exe
Token: SeShutdownPrivilege	1548	wmic.exe
Token: SeDebugPrivilege	1548	wmic.exe
Token: SeSystemEnvironmentPrivilege	1548	wmic.exe
Token: SeRemoteShutdownPrivilege	1548	wmic.exe
Token: SeUndockPrivilege	1548	wmic.exe
Token: SeManageVolumePrivilege	1548	wmic.exe
Token: 33	1548	wmic.exe
Token: 34	1548	wmic.exe
Token: 35	1548	wmic.exe
Token: 36	1548	wmic.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

Neverlose.exe

description	pid	process	target process
PID 3064 wrote to memory of 1548	3064	Neverlose.exe	wmic.exe
PID 3064 wrote to memory of 1548	3064	Neverlose.exe	wmic.exe

C:\Users\Admin\AppData\Local\Temp\Neverlose.exe
"C:\Users\Admin\AppData\Local\Temp\Neverlose.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1548

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3064-0-0x00007FFB668C3000-0x00007FFB668C5000-memory.dmp

Filesize
8KB

Download
memory/3064-1-0x00000278421C0000-0x0000027842200000-memory.dmp

Filesize
256KB

Download
memory/3064-2-0x00007FFB668C0000-0x00007FFB67381000-memory.dmp

Filesize
10.8MB

Download
memory/3064-4-0x00007FFB668C0000-0x00007FFB67381000-memory.dmp

Filesize
10.8MB

Download