umbral | 365f462f95da9ec8d143ca51af88aeb8c9037de86586650288804ae10cc99b27

Analysis

max time kernel
1s
max time network
2s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
27-10-2024 12:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DominantExecutor.exe
Size

235KB
MD5

cd020f630a72c41f0cac05594e2531a8
SHA1

5b50eaf7e1a05898b7b83a6e7be6cb828006345a
SHA256

365f462f95da9ec8d143ca51af88aeb8c9037de86586650288804ae10cc99b27
SHA512

617876e1fd81f9e41c78cd2ea905bf6ff7b985dc123dba98a031c69172bf8ceb947a7d73495f2cecdbba6c1bb55354b72bcf1446158adcb8ddf045f456ba8174
SSDEEP

6144:rloZM+rIkd8g+EtXHkv/iD4uA4LbhS6F6AxDeeb9X0b8e1mMx7i:poZtL+EP8uA4LbhS6F6AxDeeb+7xW

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral1/memory/1556-1-0x000002BDF0EE0000-0x000002BDF0F20000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	1556	DominantExecutor.exe
Token: SeIncreaseQuotaPrivilege	2640	wmic.exe
Token: SeSecurityPrivilege	2640	wmic.exe
Token: SeTakeOwnershipPrivilege	2640	wmic.exe
Token: SeLoadDriverPrivilege	2640	wmic.exe
Token: SeSystemProfilePrivilege	2640	wmic.exe
Token: SeSystemtimePrivilege	2640	wmic.exe
Token: SeProfSingleProcessPrivilege	2640	wmic.exe
Token: SeIncBasePriorityPrivilege	2640	wmic.exe
Token: SeCreatePagefilePrivilege	2640	wmic.exe
Token: SeBackupPrivilege	2640	wmic.exe
Token: SeRestorePrivilege	2640	wmic.exe
Token: SeShutdownPrivilege	2640	wmic.exe
Token: SeDebugPrivilege	2640	wmic.exe
Token: SeSystemEnvironmentPrivilege	2640	wmic.exe
Token: SeRemoteShutdownPrivilege	2640	wmic.exe
Token: SeUndockPrivilege	2640	wmic.exe
Token: SeManageVolumePrivilege	2640	wmic.exe
Token: 33	2640	wmic.exe
Token: 34	2640	wmic.exe
Token: 35	2640	wmic.exe
Token: 36	2640	wmic.exe
Token: SeIncreaseQuotaPrivilege	2640	wmic.exe
Token: SeSecurityPrivilege	2640	wmic.exe
Token: SeTakeOwnershipPrivilege	2640	wmic.exe
Token: SeLoadDriverPrivilege	2640	wmic.exe
Token: SeSystemProfilePrivilege	2640	wmic.exe
Token: SeSystemtimePrivilege	2640	wmic.exe
Token: SeProfSingleProcessPrivilege	2640	wmic.exe
Token: SeIncBasePriorityPrivilege	2640	wmic.exe
Token: SeCreatePagefilePrivilege	2640	wmic.exe
Token: SeBackupPrivilege	2640	wmic.exe
Token: SeRestorePrivilege	2640	wmic.exe
Token: SeShutdownPrivilege	2640	wmic.exe
Token: SeDebugPrivilege	2640	wmic.exe
Token: SeSystemEnvironmentPrivilege	2640	wmic.exe
Token: SeRemoteShutdownPrivilege	2640	wmic.exe
Token: SeUndockPrivilege	2640	wmic.exe
Token: SeManageVolumePrivilege	2640	wmic.exe
Token: 33	2640	wmic.exe
Token: 34	2640	wmic.exe
Token: 35	2640	wmic.exe
Token: 36	2640	wmic.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1556 wrote to memory of 2640	1556	DominantExecutor.exe	80
PID 1556 wrote to memory of 2640	1556	DominantExecutor.exe	80

C:\Users\Admin\AppData\Local\Temp\DominantExecutor.exe
"C:\Users\Admin\AppData\Local\Temp\DominantExecutor.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1556
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2640

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1556-0-0x00007FFA0F2B3000-0x00007FFA0F2B5000-memory.dmp

Filesize
8KB

Download
memory/1556-1-0x000002BDF0EE0000-0x000002BDF0F20000-memory.dmp

Filesize
256KB

Download
memory/1556-2-0x00007FFA0F2B0000-0x00007FFA0FD72000-memory.dmp

Filesize
10.8MB

Download
memory/1556-4-0x00007FFA0F2B0000-0x00007FFA0FD72000-memory.dmp

Filesize
10.8MB

Download