umbral | 6f806a1b18c89c3a482ccfb2b525eae695e9ad7c533b4c503aa1c7f3c29fc71b

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-10-2024 11:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CODEMCFA.exe
Size

231KB
MD5

9503a8b58a6162341186e7376beed76f
SHA1

1076edc775b7a770b4908ff8a961d6db50489ca0
SHA256

149e3d957ea166e513bfdf2152403b27e75ae5fe110bae79b2104fdab6f8f6b3
SHA512

f2f19b80e2d369c49d9dcc25fda842c28b31baca6f78528c2074591251a947e55978173ffc72f341fbb0959219470080ad59f2f7868661d903494a308e3a1f96
SSDEEP

6144:RloZM+rIkd8g+EtXHkv/iD48xntPlO2ZTc1niinND1b8e1mXKDi:joZtL+EP88xntPlO2ZTc1niinNZI5

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

Processes:

resource	yara_rule
behavioral4/memory/1172-1-0x000001BEFE9A0000-0x000001BEFE9E0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 ip-api.com

flow	ioc
8	ip-api.com

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

CODEMCFA.exewmic.exe

description	pid	process
Token: SeDebugPrivilege	1172	CODEMCFA.exe
Token: SeIncreaseQuotaPrivilege	100	wmic.exe
Token: SeSecurityPrivilege	100	wmic.exe
Token: SeTakeOwnershipPrivilege	100	wmic.exe
Token: SeLoadDriverPrivilege	100	wmic.exe
Token: SeSystemProfilePrivilege	100	wmic.exe
Token: SeSystemtimePrivilege	100	wmic.exe
Token: SeProfSingleProcessPrivilege	100	wmic.exe
Token: SeIncBasePriorityPrivilege	100	wmic.exe
Token: SeCreatePagefilePrivilege	100	wmic.exe
Token: SeBackupPrivilege	100	wmic.exe
Token: SeRestorePrivilege	100	wmic.exe
Token: SeShutdownPrivilege	100	wmic.exe
Token: SeDebugPrivilege	100	wmic.exe
Token: SeSystemEnvironmentPrivilege	100	wmic.exe
Token: SeRemoteShutdownPrivilege	100	wmic.exe
Token: SeUndockPrivilege	100	wmic.exe
Token: SeManageVolumePrivilege	100	wmic.exe
Token: 33	100	wmic.exe
Token: 34	100	wmic.exe
Token: 35	100	wmic.exe
Token: 36	100	wmic.exe
Token: SeIncreaseQuotaPrivilege	100	wmic.exe
Token: SeSecurityPrivilege	100	wmic.exe
Token: SeTakeOwnershipPrivilege	100	wmic.exe
Token: SeLoadDriverPrivilege	100	wmic.exe
Token: SeSystemProfilePrivilege	100	wmic.exe
Token: SeSystemtimePrivilege	100	wmic.exe
Token: SeProfSingleProcessPrivilege	100	wmic.exe
Token: SeIncBasePriorityPrivilege	100	wmic.exe
Token: SeCreatePagefilePrivilege	100	wmic.exe
Token: SeBackupPrivilege	100	wmic.exe
Token: SeRestorePrivilege	100	wmic.exe
Token: SeShutdownPrivilege	100	wmic.exe
Token: SeDebugPrivilege	100	wmic.exe
Token: SeSystemEnvironmentPrivilege	100	wmic.exe
Token: SeRemoteShutdownPrivilege	100	wmic.exe
Token: SeUndockPrivilege	100	wmic.exe
Token: SeManageVolumePrivilege	100	wmic.exe
Token: 33	100	wmic.exe
Token: 34	100	wmic.exe
Token: 35	100	wmic.exe
Token: 36	100	wmic.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

CODEMCFA.exe

description pid process target process

PID 1172 wrote to memory of 100 1172 CODEMCFA.exe wmic.exe
PID 1172 wrote to memory of 100 1172 CODEMCFA.exe wmic.exe

description	pid	process	target process
PID 1172 wrote to memory of 100	1172	CODEMCFA.exe	wmic.exe
PID 1172 wrote to memory of 100	1172	CODEMCFA.exe	wmic.exe

C:\Users\Admin\AppData\Local\Temp\CODEMCFA.exe
"C:\Users\Admin\AppData\Local\Temp\CODEMCFA.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1172
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:100

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1172-0-0x00007FFD55873000-0x00007FFD55875000-memory.dmp

Filesize
8KB

Download
memory/1172-1-0x000001BEFE9A0000-0x000001BEFE9E0000-memory.dmp

Filesize
256KB

Download
memory/1172-2-0x00007FFD55870000-0x00007FFD56331000-memory.dmp

Filesize
10.8MB

Download
memory/1172-4-0x00007FFD55870000-0x00007FFD56331000-memory.dmp

Filesize
10.8MB

Download