umbral | 045414a6d58dcf47b3fb79c35cf892f7bc8e013b56ebc492ffb7e216fee84c0d

Analysis

max time kernel
134s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-11-2024 07:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bedrock Client Injector.exe
Size

263KB
MD5

94e490af0574861f68fd0df23b1105aa
SHA1

47702a4a5ae6d39faa769599ef0e49daa6d5a6f6
SHA256

045414a6d58dcf47b3fb79c35cf892f7bc8e013b56ebc492ffb7e216fee84c0d
SHA512

ce84c060e82854cfb77d2ae573f9003b9f648995dc4a130c04a6fc9f9b772e4e04a43a3fe5ef30861c6726c095b15c0e3e48a6c06916d2268fa87dd18687a294
SSDEEP

6144:mloZMLrIkd8g+EtXHkv/iD4dzaww+A9J8e1mOiTlReeAt84I:QoZ0L+EP8dzawwNUT3tAW

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral2/memory/4984-1-0x000002DBCAD00000-0x000002DBCAD48000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
11	ip-api.com

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	4984	Bedrock Client Injector.exe
Token: SeIncreaseQuotaPrivilege	3244	wmic.exe
Token: SeSecurityPrivilege	3244	wmic.exe
Token: SeTakeOwnershipPrivilege	3244	wmic.exe
Token: SeLoadDriverPrivilege	3244	wmic.exe
Token: SeSystemProfilePrivilege	3244	wmic.exe
Token: SeSystemtimePrivilege	3244	wmic.exe
Token: SeProfSingleProcessPrivilege	3244	wmic.exe
Token: SeIncBasePriorityPrivilege	3244	wmic.exe
Token: SeCreatePagefilePrivilege	3244	wmic.exe
Token: SeBackupPrivilege	3244	wmic.exe
Token: SeRestorePrivilege	3244	wmic.exe
Token: SeShutdownPrivilege	3244	wmic.exe
Token: SeDebugPrivilege	3244	wmic.exe
Token: SeSystemEnvironmentPrivilege	3244	wmic.exe
Token: SeRemoteShutdownPrivilege	3244	wmic.exe
Token: SeUndockPrivilege	3244	wmic.exe
Token: SeManageVolumePrivilege	3244	wmic.exe
Token: 33	3244	wmic.exe
Token: 34	3244	wmic.exe
Token: 35	3244	wmic.exe
Token: 36	3244	wmic.exe
Token: SeIncreaseQuotaPrivilege	3244	wmic.exe
Token: SeSecurityPrivilege	3244	wmic.exe
Token: SeTakeOwnershipPrivilege	3244	wmic.exe
Token: SeLoadDriverPrivilege	3244	wmic.exe
Token: SeSystemProfilePrivilege	3244	wmic.exe
Token: SeSystemtimePrivilege	3244	wmic.exe
Token: SeProfSingleProcessPrivilege	3244	wmic.exe
Token: SeIncBasePriorityPrivilege	3244	wmic.exe
Token: SeCreatePagefilePrivilege	3244	wmic.exe
Token: SeBackupPrivilege	3244	wmic.exe
Token: SeRestorePrivilege	3244	wmic.exe
Token: SeShutdownPrivilege	3244	wmic.exe
Token: SeDebugPrivilege	3244	wmic.exe
Token: SeSystemEnvironmentPrivilege	3244	wmic.exe
Token: SeRemoteShutdownPrivilege	3244	wmic.exe
Token: SeUndockPrivilege	3244	wmic.exe
Token: SeManageVolumePrivilege	3244	wmic.exe
Token: 33	3244	wmic.exe
Token: 34	3244	wmic.exe
Token: 35	3244	wmic.exe
Token: 36	3244	wmic.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4984 wrote to memory of 3244	4984	Bedrock Client Injector.exe	85
PID 4984 wrote to memory of 3244	4984	Bedrock Client Injector.exe	85

C:\Users\Admin\AppData\Local\Temp\Bedrock Client Injector.exe
"C:\Users\Admin\AppData\Local\Temp\Bedrock Client Injector.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4984
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3244

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4984-0-0x00007FFAEEA33000-0x00007FFAEEA35000-memory.dmp

Filesize
8KB

Download
memory/4984-1-0x000002DBCAD00000-0x000002DBCAD48000-memory.dmp

Filesize
288KB

Download
memory/4984-2-0x00007FFAEEA30000-0x00007FFAEF4F1000-memory.dmp

Filesize
10.8MB

Download
memory/4984-4-0x000002DBE5170000-0x000002DBE5272000-memory.dmp

Filesize
1.0MB

Download
memory/4984-5-0x00007FFAEEA30000-0x00007FFAEF4F1000-memory.dmp

Filesize
10.8MB

Download