umbral | 94357a5e0e0d52490a07fffd0a8940f7ffdf25acb16602d83120fc99722f88eb

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-11-2024 14:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0x000a000000012248-8.exe
Size

232KB
MD5

4867d27de23cded5f2229c322bf6f3fe
SHA1

04cd16ac5d6a2f5b7bc1db8cdefd128d0f6c2fe1
SHA256

94357a5e0e0d52490a07fffd0a8940f7ffdf25acb16602d83120fc99722f88eb
SHA512

b7ced6d7a420c55813388755d765a015cb65c6393cdeffaff4be6cb7c00845434161a3282ce7d316800da42766d9c309487dc2e96b74340f47b20032632f8909
SSDEEP

6144:iloZM7rIkd8g+EtXHkv/iD4j9TBMS1Nm3zus9x4yqb8e1mBi:soZ0L+EP8j9TBMS1Nm3zus9x4FL

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1416-1-0x00000000000C0000-0x0000000000100000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 ip-api.com

flow	ioc
6	ip-api.com

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

0x000a000000012248-8.exewmic.exe

description	pid	process
Token: SeDebugPrivilege	1416	0x000a000000012248-8.exe
Token: SeIncreaseQuotaPrivilege	2960	wmic.exe
Token: SeSecurityPrivilege	2960	wmic.exe
Token: SeTakeOwnershipPrivilege	2960	wmic.exe
Token: SeLoadDriverPrivilege	2960	wmic.exe
Token: SeSystemProfilePrivilege	2960	wmic.exe
Token: SeSystemtimePrivilege	2960	wmic.exe
Token: SeProfSingleProcessPrivilege	2960	wmic.exe
Token: SeIncBasePriorityPrivilege	2960	wmic.exe
Token: SeCreatePagefilePrivilege	2960	wmic.exe
Token: SeBackupPrivilege	2960	wmic.exe
Token: SeRestorePrivilege	2960	wmic.exe
Token: SeShutdownPrivilege	2960	wmic.exe
Token: SeDebugPrivilege	2960	wmic.exe
Token: SeSystemEnvironmentPrivilege	2960	wmic.exe
Token: SeRemoteShutdownPrivilege	2960	wmic.exe
Token: SeUndockPrivilege	2960	wmic.exe
Token: SeManageVolumePrivilege	2960	wmic.exe
Token: 33	2960	wmic.exe
Token: 34	2960	wmic.exe
Token: 35	2960	wmic.exe
Token: SeIncreaseQuotaPrivilege	2960	wmic.exe
Token: SeSecurityPrivilege	2960	wmic.exe
Token: SeTakeOwnershipPrivilege	2960	wmic.exe
Token: SeLoadDriverPrivilege	2960	wmic.exe
Token: SeSystemProfilePrivilege	2960	wmic.exe
Token: SeSystemtimePrivilege	2960	wmic.exe
Token: SeProfSingleProcessPrivilege	2960	wmic.exe
Token: SeIncBasePriorityPrivilege	2960	wmic.exe
Token: SeCreatePagefilePrivilege	2960	wmic.exe
Token: SeBackupPrivilege	2960	wmic.exe
Token: SeRestorePrivilege	2960	wmic.exe
Token: SeShutdownPrivilege	2960	wmic.exe
Token: SeDebugPrivilege	2960	wmic.exe
Token: SeSystemEnvironmentPrivilege	2960	wmic.exe
Token: SeRemoteShutdownPrivilege	2960	wmic.exe
Token: SeUndockPrivilege	2960	wmic.exe
Token: SeManageVolumePrivilege	2960	wmic.exe
Token: 33	2960	wmic.exe
Token: 34	2960	wmic.exe
Token: 35	2960	wmic.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

0x000a000000012248-8.exe

description	pid	process	target process
PID 1416 wrote to memory of 2960	1416	0x000a000000012248-8.exe	wmic.exe
PID 1416 wrote to memory of 2960	1416	0x000a000000012248-8.exe	wmic.exe
PID 1416 wrote to memory of 2960	1416	0x000a000000012248-8.exe	wmic.exe

C:\Users\Admin\AppData\Local\Temp\0x000a000000012248-8.exe
"C:\Users\Admin\AppData\Local\Temp\0x000a000000012248-8.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1416
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2960

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1416-0-0x000007FEF5723000-0x000007FEF5724000-memory.dmp

Filesize
4KB

Download
memory/1416-1-0x00000000000C0000-0x0000000000100000-memory.dmp

Filesize
256KB

Download
memory/1416-2-0x000007FEF5720000-0x000007FEF610C000-memory.dmp

Filesize
9.9MB

Download
memory/1416-3-0x000007FEF5720000-0x000007FEF610C000-memory.dmp

Filesize
9.9MB

Download