umbral | 93ce8e3689636df1bf9f269f4e96f0e30f3f7c5848778ad12f82275fd4061f85

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-11-2024 19:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Hypnox TB V1.2.exe
Size

239KB
MD5

f998146f650224b7a945c998246c79ca
SHA1

9ab4507aaf84093985febac2d5a28a1f0e00b52e
SHA256

93ce8e3689636df1bf9f269f4e96f0e30f3f7c5848778ad12f82275fd4061f85
SHA512

50a885cf13d60a59b25c3d9a8110feb5ba67b5f2b028b6abe5efac38b27c2ad5be9dd0f345379763b1b034458cebffd63ee4ce33c5a416b6662f004acf4a8224
SSDEEP

6144:rloZMLrIkd8g+EtXHkv/iD4pdeTKInDASZMK7bCQ0b8e1muYZi:poZ0L+EP8pdeTKInDASZMK7bCFjx

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2520-1-0x0000000001180000-0x00000000011C2000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 ip-api.com

flow	ioc
6	ip-api.com

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

Hypnox TB V1.2.exewmic.exe

description	pid	process
Token: SeDebugPrivilege	2520	Hypnox TB V1.2.exe
Token: SeIncreaseQuotaPrivilege	2124	wmic.exe
Token: SeSecurityPrivilege	2124	wmic.exe
Token: SeTakeOwnershipPrivilege	2124	wmic.exe
Token: SeLoadDriverPrivilege	2124	wmic.exe
Token: SeSystemProfilePrivilege	2124	wmic.exe
Token: SeSystemtimePrivilege	2124	wmic.exe
Token: SeProfSingleProcessPrivilege	2124	wmic.exe
Token: SeIncBasePriorityPrivilege	2124	wmic.exe
Token: SeCreatePagefilePrivilege	2124	wmic.exe
Token: SeBackupPrivilege	2124	wmic.exe
Token: SeRestorePrivilege	2124	wmic.exe
Token: SeShutdownPrivilege	2124	wmic.exe
Token: SeDebugPrivilege	2124	wmic.exe
Token: SeSystemEnvironmentPrivilege	2124	wmic.exe
Token: SeRemoteShutdownPrivilege	2124	wmic.exe
Token: SeUndockPrivilege	2124	wmic.exe
Token: SeManageVolumePrivilege	2124	wmic.exe
Token: 33	2124	wmic.exe
Token: 34	2124	wmic.exe
Token: 35	2124	wmic.exe
Token: SeIncreaseQuotaPrivilege	2124	wmic.exe
Token: SeSecurityPrivilege	2124	wmic.exe
Token: SeTakeOwnershipPrivilege	2124	wmic.exe
Token: SeLoadDriverPrivilege	2124	wmic.exe
Token: SeSystemProfilePrivilege	2124	wmic.exe
Token: SeSystemtimePrivilege	2124	wmic.exe
Token: SeProfSingleProcessPrivilege	2124	wmic.exe
Token: SeIncBasePriorityPrivilege	2124	wmic.exe
Token: SeCreatePagefilePrivilege	2124	wmic.exe
Token: SeBackupPrivilege	2124	wmic.exe
Token: SeRestorePrivilege	2124	wmic.exe
Token: SeShutdownPrivilege	2124	wmic.exe
Token: SeDebugPrivilege	2124	wmic.exe
Token: SeSystemEnvironmentPrivilege	2124	wmic.exe
Token: SeRemoteShutdownPrivilege	2124	wmic.exe
Token: SeUndockPrivilege	2124	wmic.exe
Token: SeManageVolumePrivilege	2124	wmic.exe
Token: 33	2124	wmic.exe
Token: 34	2124	wmic.exe
Token: 35	2124	wmic.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

Hypnox TB V1.2.exe

description	pid	process	target process
PID 2520 wrote to memory of 2124	2520	Hypnox TB V1.2.exe	wmic.exe
PID 2520 wrote to memory of 2124	2520	Hypnox TB V1.2.exe	wmic.exe
PID 2520 wrote to memory of 2124	2520	Hypnox TB V1.2.exe	wmic.exe

C:\Users\Admin\AppData\Local\Temp\Hypnox TB V1.2.exe
"C:\Users\Admin\AppData\Local\Temp\Hypnox TB V1.2.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2124

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2520-0-0x000007FEF4FC3000-0x000007FEF4FC4000-memory.dmp

Filesize
4KB

Download
memory/2520-1-0x0000000001180000-0x00000000011C2000-memory.dmp

Filesize
264KB

Download
memory/2520-2-0x000007FEF4FC0000-0x000007FEF59AC000-memory.dmp

Filesize
9.9MB

Download
memory/2520-3-0x000007FEF4FC0000-0x000007FEF59AC000-memory.dmp

Filesize
9.9MB

Download