umbral | 4ad4d37a29ba252afce7fc4d0fd2f034ed1ec34b07e835189f0deeac96427c03

Analysis

max time kernel
30s
max time network
14s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-11-2024 12:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Nursultan/NursultanCrack.exe
Size

328KB
MD5

4f7415acf4f5a898dd0ea6e7924137e2
SHA1

13f5917af6bbf1f1f98633ac18532d8a43c2d92e
SHA256

c182f999bccd715dd8dfd60b2c212ceaec08bad843ee95ecef3abf6230b7a447
SHA512

eb903b09428f8ef8ba349a507a73627875096a4952ed768c640752b6bf1019a0ea1ca88246928055ba8591666de4dbfbf58bab65fc12e7544d013e13e838feb9
SSDEEP

6144:iloZM+rIkd8g+EtXHkv/iD4CzaYSx6PTg8e1mHisxBt25:soZtL+EP8CzaYSj9sxBt

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral2/memory/4956-1-0x00000243D3A60000-0x00000243D3AB8000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ip-api.com

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	4956	NursultanCrack.exe
Token: SeIncreaseQuotaPrivilege	920	wmic.exe
Token: SeSecurityPrivilege	920	wmic.exe
Token: SeTakeOwnershipPrivilege	920	wmic.exe
Token: SeLoadDriverPrivilege	920	wmic.exe
Token: SeSystemProfilePrivilege	920	wmic.exe
Token: SeSystemtimePrivilege	920	wmic.exe
Token: SeProfSingleProcessPrivilege	920	wmic.exe
Token: SeIncBasePriorityPrivilege	920	wmic.exe
Token: SeCreatePagefilePrivilege	920	wmic.exe
Token: SeBackupPrivilege	920	wmic.exe
Token: SeRestorePrivilege	920	wmic.exe
Token: SeShutdownPrivilege	920	wmic.exe
Token: SeDebugPrivilege	920	wmic.exe
Token: SeSystemEnvironmentPrivilege	920	wmic.exe
Token: SeRemoteShutdownPrivilege	920	wmic.exe
Token: SeUndockPrivilege	920	wmic.exe
Token: SeManageVolumePrivilege	920	wmic.exe
Token: 33	920	wmic.exe
Token: 34	920	wmic.exe
Token: 35	920	wmic.exe
Token: 36	920	wmic.exe
Token: SeIncreaseQuotaPrivilege	920	wmic.exe
Token: SeSecurityPrivilege	920	wmic.exe
Token: SeTakeOwnershipPrivilege	920	wmic.exe
Token: SeLoadDriverPrivilege	920	wmic.exe
Token: SeSystemProfilePrivilege	920	wmic.exe
Token: SeSystemtimePrivilege	920	wmic.exe
Token: SeProfSingleProcessPrivilege	920	wmic.exe
Token: SeIncBasePriorityPrivilege	920	wmic.exe
Token: SeCreatePagefilePrivilege	920	wmic.exe
Token: SeBackupPrivilege	920	wmic.exe
Token: SeRestorePrivilege	920	wmic.exe
Token: SeShutdownPrivilege	920	wmic.exe
Token: SeDebugPrivilege	920	wmic.exe
Token: SeSystemEnvironmentPrivilege	920	wmic.exe
Token: SeRemoteShutdownPrivilege	920	wmic.exe
Token: SeUndockPrivilege	920	wmic.exe
Token: SeManageVolumePrivilege	920	wmic.exe
Token: 33	920	wmic.exe
Token: 34	920	wmic.exe
Token: 35	920	wmic.exe
Token: 36	920	wmic.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4956 wrote to memory of 920	4956	NursultanCrack.exe	83
PID 4956 wrote to memory of 920	4956	NursultanCrack.exe	83

C:\Users\Admin\AppData\Local\Temp\Nursultan\NursultanCrack.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan\NursultanCrack.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4956
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:920

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4956-0-0x00007FFDBCE03000-0x00007FFDBCE05000-memory.dmp

Filesize
8KB

Download
memory/4956-1-0x00000243D3A60000-0x00000243D3AB8000-memory.dmp

Filesize
352KB

Download
memory/4956-2-0x00007FFDBCE00000-0x00007FFDBD8C1000-memory.dmp

Filesize
10.8MB

Download
memory/4956-4-0x00007FFDBCE00000-0x00007FFDBD8C1000-memory.dmp

Filesize
10.8MB

Download