umbral | 4ad4d37a29ba252afce7fc4d0fd2f034ed1ec34b07e835189f0deeac96427c03

Analysis

max time kernel
16s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-11-2024 12:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Nursultan/NursultanCrack.exe
Size

328KB
MD5

4f7415acf4f5a898dd0ea6e7924137e2
SHA1

13f5917af6bbf1f1f98633ac18532d8a43c2d92e
SHA256

c182f999bccd715dd8dfd60b2c212ceaec08bad843ee95ecef3abf6230b7a447
SHA512

eb903b09428f8ef8ba349a507a73627875096a4952ed768c640752b6bf1019a0ea1ca88246928055ba8591666de4dbfbf58bab65fc12e7544d013e13e838feb9
SSDEEP

6144:iloZM+rIkd8g+EtXHkv/iD4CzaYSx6PTg8e1mHisxBt25:soZtL+EP8CzaYSj9sxBt

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2572-1-0x0000000000D80000-0x0000000000DD8000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 ip-api.com

flow	ioc
6	ip-api.com

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

NursultanCrack.exewmic.exe

description	pid	process
Token: SeDebugPrivilege	2572	NursultanCrack.exe
Token: SeIncreaseQuotaPrivilege	2964	wmic.exe
Token: SeSecurityPrivilege	2964	wmic.exe
Token: SeTakeOwnershipPrivilege	2964	wmic.exe
Token: SeLoadDriverPrivilege	2964	wmic.exe
Token: SeSystemProfilePrivilege	2964	wmic.exe
Token: SeSystemtimePrivilege	2964	wmic.exe
Token: SeProfSingleProcessPrivilege	2964	wmic.exe
Token: SeIncBasePriorityPrivilege	2964	wmic.exe
Token: SeCreatePagefilePrivilege	2964	wmic.exe
Token: SeBackupPrivilege	2964	wmic.exe
Token: SeRestorePrivilege	2964	wmic.exe
Token: SeShutdownPrivilege	2964	wmic.exe
Token: SeDebugPrivilege	2964	wmic.exe
Token: SeSystemEnvironmentPrivilege	2964	wmic.exe
Token: SeRemoteShutdownPrivilege	2964	wmic.exe
Token: SeUndockPrivilege	2964	wmic.exe
Token: SeManageVolumePrivilege	2964	wmic.exe
Token: 33	2964	wmic.exe
Token: 34	2964	wmic.exe
Token: 35	2964	wmic.exe
Token: SeIncreaseQuotaPrivilege	2964	wmic.exe
Token: SeSecurityPrivilege	2964	wmic.exe
Token: SeTakeOwnershipPrivilege	2964	wmic.exe
Token: SeLoadDriverPrivilege	2964	wmic.exe
Token: SeSystemProfilePrivilege	2964	wmic.exe
Token: SeSystemtimePrivilege	2964	wmic.exe
Token: SeProfSingleProcessPrivilege	2964	wmic.exe
Token: SeIncBasePriorityPrivilege	2964	wmic.exe
Token: SeCreatePagefilePrivilege	2964	wmic.exe
Token: SeBackupPrivilege	2964	wmic.exe
Token: SeRestorePrivilege	2964	wmic.exe
Token: SeShutdownPrivilege	2964	wmic.exe
Token: SeDebugPrivilege	2964	wmic.exe
Token: SeSystemEnvironmentPrivilege	2964	wmic.exe
Token: SeRemoteShutdownPrivilege	2964	wmic.exe
Token: SeUndockPrivilege	2964	wmic.exe
Token: SeManageVolumePrivilege	2964	wmic.exe
Token: 33	2964	wmic.exe
Token: 34	2964	wmic.exe
Token: 35	2964	wmic.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

NursultanCrack.exe

description	pid	process	target process
PID 2572 wrote to memory of 2964	2572	NursultanCrack.exe	wmic.exe
PID 2572 wrote to memory of 2964	2572	NursultanCrack.exe	wmic.exe
PID 2572 wrote to memory of 2964	2572	NursultanCrack.exe	wmic.exe

C:\Users\Admin\AppData\Local\Temp\Nursultan\NursultanCrack.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan\NursultanCrack.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2572
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2964

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2572-0-0x000007FEF5973000-0x000007FEF5974000-memory.dmp

Filesize
4KB

Download
memory/2572-1-0x0000000000D80000-0x0000000000DD8000-memory.dmp

Filesize
352KB

Download
memory/2572-2-0x000007FEF5970000-0x000007FEF635C000-memory.dmp

Filesize
9.9MB

Download
memory/2572-3-0x000007FEF5970000-0x000007FEF635C000-memory.dmp

Filesize
9.9MB

Download