umbral | 9ff459396b1f4de8dbca8a866ff3b9e4a46c48a9dc1071812a256fe21349caf9

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
06-11-2024 02:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Big clean script (1).exe
Size

230KB
MD5

b23d20593d9176d95302568243f60052
SHA1

fef1aa01b7a41a8255d71309c7c5badf48a7a907
SHA256

9ff459396b1f4de8dbca8a866ff3b9e4a46c48a9dc1071812a256fe21349caf9
SHA512

13a9f86ca7b7df87b4174875fb3d7a7552986a6484297c841037b054d3bf01eab724f3b080f9f1984cc58912e0a50953f5d1e2355dca1cc5366eca4870400d3e
SSDEEP

6144:lloZM+rIkd8g+EtXHkv/iD4M8RobhS6FDAxDeebSzb8e1muQTSi:noZtL+EP8M8RobhS6FDAxDeebIHQz

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral1/memory/2624-1-0x0000000000080000-0x00000000000C0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ip-api.com

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeDebugPrivilege	2624	Big clean script (1).exe
Token: SeIncreaseQuotaPrivilege	2096	wmic.exe
Token: SeSecurityPrivilege	2096	wmic.exe
Token: SeTakeOwnershipPrivilege	2096	wmic.exe
Token: SeLoadDriverPrivilege	2096	wmic.exe
Token: SeSystemProfilePrivilege	2096	wmic.exe
Token: SeSystemtimePrivilege	2096	wmic.exe
Token: SeProfSingleProcessPrivilege	2096	wmic.exe
Token: SeIncBasePriorityPrivilege	2096	wmic.exe
Token: SeCreatePagefilePrivilege	2096	wmic.exe
Token: SeBackupPrivilege	2096	wmic.exe
Token: SeRestorePrivilege	2096	wmic.exe
Token: SeShutdownPrivilege	2096	wmic.exe
Token: SeDebugPrivilege	2096	wmic.exe
Token: SeSystemEnvironmentPrivilege	2096	wmic.exe
Token: SeRemoteShutdownPrivilege	2096	wmic.exe
Token: SeUndockPrivilege	2096	wmic.exe
Token: SeManageVolumePrivilege	2096	wmic.exe
Token: 33	2096	wmic.exe
Token: 34	2096	wmic.exe
Token: 35	2096	wmic.exe
Token: SeIncreaseQuotaPrivilege	2096	wmic.exe
Token: SeSecurityPrivilege	2096	wmic.exe
Token: SeTakeOwnershipPrivilege	2096	wmic.exe
Token: SeLoadDriverPrivilege	2096	wmic.exe
Token: SeSystemProfilePrivilege	2096	wmic.exe
Token: SeSystemtimePrivilege	2096	wmic.exe
Token: SeProfSingleProcessPrivilege	2096	wmic.exe
Token: SeIncBasePriorityPrivilege	2096	wmic.exe
Token: SeCreatePagefilePrivilege	2096	wmic.exe
Token: SeBackupPrivilege	2096	wmic.exe
Token: SeRestorePrivilege	2096	wmic.exe
Token: SeShutdownPrivilege	2096	wmic.exe
Token: SeDebugPrivilege	2096	wmic.exe
Token: SeSystemEnvironmentPrivilege	2096	wmic.exe
Token: SeRemoteShutdownPrivilege	2096	wmic.exe
Token: SeUndockPrivilege	2096	wmic.exe
Token: SeManageVolumePrivilege	2096	wmic.exe
Token: 33	2096	wmic.exe
Token: 34	2096	wmic.exe
Token: 35	2096	wmic.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2624 wrote to memory of 2096	2624	Big clean script (1).exe	30
PID 2624 wrote to memory of 2096	2624	Big clean script (1).exe	30
PID 2624 wrote to memory of 2096	2624	Big clean script (1).exe	30

C:\Users\Admin\AppData\Local\Temp\Big clean script (1).exe
"C:\Users\Admin\AppData\Local\Temp\Big clean script (1).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2624
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2096

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2624-0-0x000007FEF55E3000-0x000007FEF55E4000-memory.dmp

Filesize
4KB

Download
memory/2624-1-0x0000000000080000-0x00000000000C0000-memory.dmp

Filesize
256KB

Download
memory/2624-2-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

Filesize
9.9MB

Download
memory/2624-3-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

Filesize
9.9MB

Download