umbral | a78dcf241ef32561d3ae030149169f37085ba754e7f148a21e8f22951b028a73

Analysis

max time kernel
1s
max time network
5s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
27-10-2024 12:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DominantExecutor (1).exe
Size

231KB
MD5

16171d12f35e11115cedc4284f86958b
SHA1

e17c29c6b4b3f54f6d6cedf556f5b110b1965479
SHA256

a78dcf241ef32561d3ae030149169f37085ba754e7f148a21e8f22951b028a73
SHA512

975f5e6a099536f9f13720f85a41b519d730ef814409c6d45614bbaba6a5b06e0ee996d7a8dbf1c5b066b59bae2836ecf7a22bc303df7f0cb21f1c06e527735d
SSDEEP

6144:8loZM+rIkd8g+EtXHkv/iD40kijGELnsvd42X3WYx8b8e1muSi:aoZtL+EP80kijGELnsvd42X3WYitH

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1488-1-0x000002064CA50000-0x000002064CA90000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ip-api.com

flow	ioc
1	ip-api.com

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

DominantExecutor (1).exewmic.exe

description	pid	process
Token: SeDebugPrivilege	1488	DominantExecutor (1).exe
Token: SeIncreaseQuotaPrivilege	1764	wmic.exe
Token: SeSecurityPrivilege	1764	wmic.exe
Token: SeTakeOwnershipPrivilege	1764	wmic.exe
Token: SeLoadDriverPrivilege	1764	wmic.exe
Token: SeSystemProfilePrivilege	1764	wmic.exe
Token: SeSystemtimePrivilege	1764	wmic.exe
Token: SeProfSingleProcessPrivilege	1764	wmic.exe
Token: SeIncBasePriorityPrivilege	1764	wmic.exe
Token: SeCreatePagefilePrivilege	1764	wmic.exe
Token: SeBackupPrivilege	1764	wmic.exe
Token: SeRestorePrivilege	1764	wmic.exe
Token: SeShutdownPrivilege	1764	wmic.exe
Token: SeDebugPrivilege	1764	wmic.exe
Token: SeSystemEnvironmentPrivilege	1764	wmic.exe
Token: SeRemoteShutdownPrivilege	1764	wmic.exe
Token: SeUndockPrivilege	1764	wmic.exe
Token: SeManageVolumePrivilege	1764	wmic.exe
Token: 33	1764	wmic.exe
Token: 34	1764	wmic.exe
Token: 35	1764	wmic.exe
Token: 36	1764	wmic.exe
Token: SeIncreaseQuotaPrivilege	1764	wmic.exe
Token: SeSecurityPrivilege	1764	wmic.exe
Token: SeTakeOwnershipPrivilege	1764	wmic.exe
Token: SeLoadDriverPrivilege	1764	wmic.exe
Token: SeSystemProfilePrivilege	1764	wmic.exe
Token: SeSystemtimePrivilege	1764	wmic.exe
Token: SeProfSingleProcessPrivilege	1764	wmic.exe
Token: SeIncBasePriorityPrivilege	1764	wmic.exe
Token: SeCreatePagefilePrivilege	1764	wmic.exe
Token: SeBackupPrivilege	1764	wmic.exe
Token: SeRestorePrivilege	1764	wmic.exe
Token: SeShutdownPrivilege	1764	wmic.exe
Token: SeDebugPrivilege	1764	wmic.exe
Token: SeSystemEnvironmentPrivilege	1764	wmic.exe
Token: SeRemoteShutdownPrivilege	1764	wmic.exe
Token: SeUndockPrivilege	1764	wmic.exe
Token: SeManageVolumePrivilege	1764	wmic.exe
Token: 33	1764	wmic.exe
Token: 34	1764	wmic.exe
Token: 35	1764	wmic.exe
Token: 36	1764	wmic.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

DominantExecutor (1).exe

description	pid	process	target process
PID 1488 wrote to memory of 1764	1488	DominantExecutor (1).exe	wmic.exe
PID 1488 wrote to memory of 1764	1488	DominantExecutor (1).exe	wmic.exe

C:\Users\Admin\AppData\Local\Temp\DominantExecutor (1).exe
"C:\Users\Admin\AppData\Local\Temp\DominantExecutor (1).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1764

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1488-0-0x00007FFAB8833000-0x00007FFAB8835000-memory.dmp

Filesize
8KB

Download
memory/1488-1-0x000002064CA50000-0x000002064CA90000-memory.dmp

Filesize
256KB

Download
memory/1488-2-0x00007FFAB8830000-0x00007FFAB92F2000-memory.dmp

Filesize
10.8MB

Download
memory/1488-4-0x00007FFAB8830000-0x00007FFAB92F2000-memory.dmp

Filesize
10.8MB

Download