umbral | 3e6c300b61fc97ddc3577f37aba155b7ca1023dc5206a2f763216d4bcc613973

Analysis

max time kernel
120s
max time network
127s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
23-10-2024 12:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Sash_crack.exe
Size

229KB
MD5

b4194015c260caf700eb8fa8b68bd715
SHA1

fbba3ddf29726fdc112771d7d31e39ada64dbd47
SHA256

3e6c300b61fc97ddc3577f37aba155b7ca1023dc5206a2f763216d4bcc613973
SHA512

7a561d4282b9460cbc5947512c5d1ae0fdc886fa8f6752d3daa6a9f3d829e2984373cdfb66853bd424b161bde05b6f6ba704c52a422f9afb21b9b32c9d5497e5
SSDEEP

6144:tloZM+rIkd8g+EtXHkv/iD4/c2DmHdmOhPU9va6v/Rb8e1m4/i:voZtL+EP8/c2DmHdmOhPU9va6vBrq

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2132-1-0x0000000000970000-0x00000000009B0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com

flow	ioc
4	ip-api.com

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

Sash_crack.exewmic.exe

description	pid	process
Token: SeDebugPrivilege	2132	Sash_crack.exe
Token: SeIncreaseQuotaPrivilege	3036	wmic.exe
Token: SeSecurityPrivilege	3036	wmic.exe
Token: SeTakeOwnershipPrivilege	3036	wmic.exe
Token: SeLoadDriverPrivilege	3036	wmic.exe
Token: SeSystemProfilePrivilege	3036	wmic.exe
Token: SeSystemtimePrivilege	3036	wmic.exe
Token: SeProfSingleProcessPrivilege	3036	wmic.exe
Token: SeIncBasePriorityPrivilege	3036	wmic.exe
Token: SeCreatePagefilePrivilege	3036	wmic.exe
Token: SeBackupPrivilege	3036	wmic.exe
Token: SeRestorePrivilege	3036	wmic.exe
Token: SeShutdownPrivilege	3036	wmic.exe
Token: SeDebugPrivilege	3036	wmic.exe
Token: SeSystemEnvironmentPrivilege	3036	wmic.exe
Token: SeRemoteShutdownPrivilege	3036	wmic.exe
Token: SeUndockPrivilege	3036	wmic.exe
Token: SeManageVolumePrivilege	3036	wmic.exe
Token: 33	3036	wmic.exe
Token: 34	3036	wmic.exe
Token: 35	3036	wmic.exe
Token: SeIncreaseQuotaPrivilege	3036	wmic.exe
Token: SeSecurityPrivilege	3036	wmic.exe
Token: SeTakeOwnershipPrivilege	3036	wmic.exe
Token: SeLoadDriverPrivilege	3036	wmic.exe
Token: SeSystemProfilePrivilege	3036	wmic.exe
Token: SeSystemtimePrivilege	3036	wmic.exe
Token: SeProfSingleProcessPrivilege	3036	wmic.exe
Token: SeIncBasePriorityPrivilege	3036	wmic.exe
Token: SeCreatePagefilePrivilege	3036	wmic.exe
Token: SeBackupPrivilege	3036	wmic.exe
Token: SeRestorePrivilege	3036	wmic.exe
Token: SeShutdownPrivilege	3036	wmic.exe
Token: SeDebugPrivilege	3036	wmic.exe
Token: SeSystemEnvironmentPrivilege	3036	wmic.exe
Token: SeRemoteShutdownPrivilege	3036	wmic.exe
Token: SeUndockPrivilege	3036	wmic.exe
Token: SeManageVolumePrivilege	3036	wmic.exe
Token: 33	3036	wmic.exe
Token: 34	3036	wmic.exe
Token: 35	3036	wmic.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

Sash_crack.exe

description	pid	process	target process
PID 2132 wrote to memory of 3036	2132	Sash_crack.exe	wmic.exe
PID 2132 wrote to memory of 3036	2132	Sash_crack.exe	wmic.exe
PID 2132 wrote to memory of 3036	2132	Sash_crack.exe	wmic.exe

C:\Users\Admin\AppData\Local\Temp\Sash_crack.exe
"C:\Users\Admin\AppData\Local\Temp\Sash_crack.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3036

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2132-0-0x000007FEF6403000-0x000007FEF6404000-memory.dmp

Filesize
4KB

Download
memory/2132-1-0x0000000000970000-0x00000000009B0000-memory.dmp

Filesize
256KB

Download
memory/2132-2-0x000007FEF6400000-0x000007FEF6DEC000-memory.dmp

Filesize
9.9MB

Download
memory/2132-3-0x000007FEF6400000-0x000007FEF6DEC000-memory.dmp

Filesize
9.9MB

Download