umbral | 6f806a1b18c89c3a482ccfb2b525eae695e9ad7c533b4c503aa1c7f3c29fc71b

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
25-10-2024 11:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CODEMCFA.exe
Size

231KB
MD5

9503a8b58a6162341186e7376beed76f
SHA1

1076edc775b7a770b4908ff8a961d6db50489ca0
SHA256

149e3d957ea166e513bfdf2152403b27e75ae5fe110bae79b2104fdab6f8f6b3
SHA512

f2f19b80e2d369c49d9dcc25fda842c28b31baca6f78528c2074591251a947e55978173ffc72f341fbb0959219470080ad59f2f7868661d903494a308e3a1f96
SSDEEP

6144:RloZM+rIkd8g+EtXHkv/iD48xntPlO2ZTc1niinND1b8e1mXKDi:joZtL+EP88xntPlO2ZTc1niinNZI5

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

Processes:

resource	yara_rule
behavioral3/memory/2876-1-0x0000000001180000-0x00000000011C0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com

flow	ioc
4	ip-api.com

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

CODEMCFA.exewmic.exe

description	pid	process
Token: SeDebugPrivilege	2876	CODEMCFA.exe
Token: SeIncreaseQuotaPrivilege	2796	wmic.exe
Token: SeSecurityPrivilege	2796	wmic.exe
Token: SeTakeOwnershipPrivilege	2796	wmic.exe
Token: SeLoadDriverPrivilege	2796	wmic.exe
Token: SeSystemProfilePrivilege	2796	wmic.exe
Token: SeSystemtimePrivilege	2796	wmic.exe
Token: SeProfSingleProcessPrivilege	2796	wmic.exe
Token: SeIncBasePriorityPrivilege	2796	wmic.exe
Token: SeCreatePagefilePrivilege	2796	wmic.exe
Token: SeBackupPrivilege	2796	wmic.exe
Token: SeRestorePrivilege	2796	wmic.exe
Token: SeShutdownPrivilege	2796	wmic.exe
Token: SeDebugPrivilege	2796	wmic.exe
Token: SeSystemEnvironmentPrivilege	2796	wmic.exe
Token: SeRemoteShutdownPrivilege	2796	wmic.exe
Token: SeUndockPrivilege	2796	wmic.exe
Token: SeManageVolumePrivilege	2796	wmic.exe
Token: 33	2796	wmic.exe
Token: 34	2796	wmic.exe
Token: 35	2796	wmic.exe
Token: SeIncreaseQuotaPrivilege	2796	wmic.exe
Token: SeSecurityPrivilege	2796	wmic.exe
Token: SeTakeOwnershipPrivilege	2796	wmic.exe
Token: SeLoadDriverPrivilege	2796	wmic.exe
Token: SeSystemProfilePrivilege	2796	wmic.exe
Token: SeSystemtimePrivilege	2796	wmic.exe
Token: SeProfSingleProcessPrivilege	2796	wmic.exe
Token: SeIncBasePriorityPrivilege	2796	wmic.exe
Token: SeCreatePagefilePrivilege	2796	wmic.exe
Token: SeBackupPrivilege	2796	wmic.exe
Token: SeRestorePrivilege	2796	wmic.exe
Token: SeShutdownPrivilege	2796	wmic.exe
Token: SeDebugPrivilege	2796	wmic.exe
Token: SeSystemEnvironmentPrivilege	2796	wmic.exe
Token: SeRemoteShutdownPrivilege	2796	wmic.exe
Token: SeUndockPrivilege	2796	wmic.exe
Token: SeManageVolumePrivilege	2796	wmic.exe
Token: 33	2796	wmic.exe
Token: 34	2796	wmic.exe
Token: 35	2796	wmic.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

CODEMCFA.exe

description	pid	process	target process
PID 2876 wrote to memory of 2796	2876	CODEMCFA.exe	wmic.exe
PID 2876 wrote to memory of 2796	2876	CODEMCFA.exe	wmic.exe
PID 2876 wrote to memory of 2796	2876	CODEMCFA.exe	wmic.exe

C:\Users\Admin\AppData\Local\Temp\CODEMCFA.exe
"C:\Users\Admin\AppData\Local\Temp\CODEMCFA.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2796

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2876-0-0x000007FEF5E33000-0x000007FEF5E34000-memory.dmp

Filesize
4KB

Download
memory/2876-1-0x0000000001180000-0x00000000011C0000-memory.dmp

Filesize
256KB

Download
memory/2876-2-0x000007FEF5E30000-0x000007FEF681C000-memory.dmp

Filesize
9.9MB

Download
memory/2876-3-0x000007FEF5E30000-0x000007FEF681C000-memory.dmp

Filesize
9.9MB

Download