umbral | 6f806a1b18c89c3a482ccfb2b525eae695e9ad7c533b4c503aa1c7f3c29fc71b

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-10-2024 11:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CODEMCFA.exe
Size

231KB
MD5

9503a8b58a6162341186e7376beed76f
SHA1

1076edc775b7a770b4908ff8a961d6db50489ca0
SHA256

149e3d957ea166e513bfdf2152403b27e75ae5fe110bae79b2104fdab6f8f6b3
SHA512

f2f19b80e2d369c49d9dcc25fda842c28b31baca6f78528c2074591251a947e55978173ffc72f341fbb0959219470080ad59f2f7868661d903494a308e3a1f96
SSDEEP

6144:RloZM+rIkd8g+EtXHkv/iD48xntPlO2ZTc1niinND1b8e1mXKDi:joZtL+EP88xntPlO2ZTc1niinNZI5

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral4/memory/4924-1-0x0000027255A60000-0x0000027255AA0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
9	ip-api.com

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	4924	CODEMCFA.exe
Token: SeIncreaseQuotaPrivilege	1696	wmic.exe
Token: SeSecurityPrivilege	1696	wmic.exe
Token: SeTakeOwnershipPrivilege	1696	wmic.exe
Token: SeLoadDriverPrivilege	1696	wmic.exe
Token: SeSystemProfilePrivilege	1696	wmic.exe
Token: SeSystemtimePrivilege	1696	wmic.exe
Token: SeProfSingleProcessPrivilege	1696	wmic.exe
Token: SeIncBasePriorityPrivilege	1696	wmic.exe
Token: SeCreatePagefilePrivilege	1696	wmic.exe
Token: SeBackupPrivilege	1696	wmic.exe
Token: SeRestorePrivilege	1696	wmic.exe
Token: SeShutdownPrivilege	1696	wmic.exe
Token: SeDebugPrivilege	1696	wmic.exe
Token: SeSystemEnvironmentPrivilege	1696	wmic.exe
Token: SeRemoteShutdownPrivilege	1696	wmic.exe
Token: SeUndockPrivilege	1696	wmic.exe
Token: SeManageVolumePrivilege	1696	wmic.exe
Token: 33	1696	wmic.exe
Token: 34	1696	wmic.exe
Token: 35	1696	wmic.exe
Token: 36	1696	wmic.exe
Token: SeIncreaseQuotaPrivilege	1696	wmic.exe
Token: SeSecurityPrivilege	1696	wmic.exe
Token: SeTakeOwnershipPrivilege	1696	wmic.exe
Token: SeLoadDriverPrivilege	1696	wmic.exe
Token: SeSystemProfilePrivilege	1696	wmic.exe
Token: SeSystemtimePrivilege	1696	wmic.exe
Token: SeProfSingleProcessPrivilege	1696	wmic.exe
Token: SeIncBasePriorityPrivilege	1696	wmic.exe
Token: SeCreatePagefilePrivilege	1696	wmic.exe
Token: SeBackupPrivilege	1696	wmic.exe
Token: SeRestorePrivilege	1696	wmic.exe
Token: SeShutdownPrivilege	1696	wmic.exe
Token: SeDebugPrivilege	1696	wmic.exe
Token: SeSystemEnvironmentPrivilege	1696	wmic.exe
Token: SeRemoteShutdownPrivilege	1696	wmic.exe
Token: SeUndockPrivilege	1696	wmic.exe
Token: SeManageVolumePrivilege	1696	wmic.exe
Token: 33	1696	wmic.exe
Token: 34	1696	wmic.exe
Token: 35	1696	wmic.exe
Token: 36	1696	wmic.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4924 wrote to memory of 1696	4924	CODEMCFA.exe	84
PID 4924 wrote to memory of 1696	4924	CODEMCFA.exe	84

C:\Users\Admin\AppData\Local\Temp\CODEMCFA.exe
"C:\Users\Admin\AppData\Local\Temp\CODEMCFA.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4924
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1696

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4924-0-0x00007FFB8A063000-0x00007FFB8A065000-memory.dmp

Filesize
8KB

Download
memory/4924-1-0x0000027255A60000-0x0000027255AA0000-memory.dmp

Filesize
256KB

Download
memory/4924-2-0x00007FFB8A060000-0x00007FFB8AB21000-memory.dmp

Filesize
10.8MB

Download
memory/4924-4-0x00007FFB8A060000-0x00007FFB8AB21000-memory.dmp

Filesize
10.8MB

Download