umbral | 5258c5c9535c48eb0f8a5b4ddc3f4deb8d001230e88d9cab5e25201eaececb60

Analysis

max time kernel
3s
max time network
7s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28-10-2024 13:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DominantExecutor.exe
Size

235KB
MD5

ebc311b832b0270e6e821f172455b932
SHA1

e8eda44e191962d8f0c1baeb7ac544e67f916df2
SHA256

5258c5c9535c48eb0f8a5b4ddc3f4deb8d001230e88d9cab5e25201eaececb60
SHA512

8a007d4ec12ed739f1ae3ca2faa1c744df7d4418ceeb06b7adf88bcd094a9cfd0b9b26aa75872630e6d41bc8b9b240938591abb58ba8c8904fb098c2bec2df0f
SSDEEP

6144:rloZM+rIkd8g+EtXHkv/iD48gIsywvrYJhkijD65Wb8e1mmi:poZtL+EP88gIsywvrYJhkijD6Qk

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral1/memory/1616-1-0x0000000000B10000-0x0000000000B50000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ip-api.com

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeDebugPrivilege	1616	DominantExecutor.exe
Token: SeIncreaseQuotaPrivilege	2552	wmic.exe
Token: SeSecurityPrivilege	2552	wmic.exe
Token: SeTakeOwnershipPrivilege	2552	wmic.exe
Token: SeLoadDriverPrivilege	2552	wmic.exe
Token: SeSystemProfilePrivilege	2552	wmic.exe
Token: SeSystemtimePrivilege	2552	wmic.exe
Token: SeProfSingleProcessPrivilege	2552	wmic.exe
Token: SeIncBasePriorityPrivilege	2552	wmic.exe
Token: SeCreatePagefilePrivilege	2552	wmic.exe
Token: SeBackupPrivilege	2552	wmic.exe
Token: SeRestorePrivilege	2552	wmic.exe
Token: SeShutdownPrivilege	2552	wmic.exe
Token: SeDebugPrivilege	2552	wmic.exe
Token: SeSystemEnvironmentPrivilege	2552	wmic.exe
Token: SeRemoteShutdownPrivilege	2552	wmic.exe
Token: SeUndockPrivilege	2552	wmic.exe
Token: SeManageVolumePrivilege	2552	wmic.exe
Token: 33	2552	wmic.exe
Token: 34	2552	wmic.exe
Token: 35	2552	wmic.exe
Token: SeIncreaseQuotaPrivilege	2552	wmic.exe
Token: SeSecurityPrivilege	2552	wmic.exe
Token: SeTakeOwnershipPrivilege	2552	wmic.exe
Token: SeLoadDriverPrivilege	2552	wmic.exe
Token: SeSystemProfilePrivilege	2552	wmic.exe
Token: SeSystemtimePrivilege	2552	wmic.exe
Token: SeProfSingleProcessPrivilege	2552	wmic.exe
Token: SeIncBasePriorityPrivilege	2552	wmic.exe
Token: SeCreatePagefilePrivilege	2552	wmic.exe
Token: SeBackupPrivilege	2552	wmic.exe
Token: SeRestorePrivilege	2552	wmic.exe
Token: SeShutdownPrivilege	2552	wmic.exe
Token: SeDebugPrivilege	2552	wmic.exe
Token: SeSystemEnvironmentPrivilege	2552	wmic.exe
Token: SeRemoteShutdownPrivilege	2552	wmic.exe
Token: SeUndockPrivilege	2552	wmic.exe
Token: SeManageVolumePrivilege	2552	wmic.exe
Token: 33	2552	wmic.exe
Token: 34	2552	wmic.exe
Token: 35	2552	wmic.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1616 wrote to memory of 2552	1616	DominantExecutor.exe	31
PID 1616 wrote to memory of 2552	1616	DominantExecutor.exe	31
PID 1616 wrote to memory of 2552	1616	DominantExecutor.exe	31

C:\Users\Admin\AppData\Local\Temp\DominantExecutor.exe
"C:\Users\Admin\AppData\Local\Temp\DominantExecutor.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1616
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2552

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1616-0-0x000007FEF6533000-0x000007FEF6534000-memory.dmp

Filesize
4KB

Download
memory/1616-1-0x0000000000B10000-0x0000000000B50000-memory.dmp

Filesize
256KB

Download
memory/1616-2-0x000007FEF6530000-0x000007FEF6F1C000-memory.dmp

Filesize
9.9MB

Download
memory/1616-3-0x000007FEF6530000-0x000007FEF6F1C000-memory.dmp

Filesize
9.9MB

Download