umbral | 54eafd742f090b4beb346283bf9568451918a7123573f24a5df5730fe14d356f

Analysis

max time kernel
69s
max time network
71s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
12-11-2024 19:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aaa.exe
Size

229KB
MD5

0b7b5b3a185a737bc8fde7fba7bb9e32
SHA1

1031e26d6884fcc411a69332f897d9f2e1cb9bd8
SHA256

54eafd742f090b4beb346283bf9568451918a7123573f24a5df5730fe14d356f
SHA512

180678c18eb374fa69526baa48cc317bb55873f2380254c97ad97b6137f4e9dfb2214a26b04c2a3588068e979b8f2d142330b77ea5cba1a743e5450eeff3fa21
SSDEEP

6144:9loZM+rIkd8g+EtXHkv/iD4kl0h+8D/0wVA+Pv+AEb8e1mGi:foZtL+EP8kl0h+8D/0wVA+Pv+dM

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral1/memory/2272-1-0x000002A4649E0000-0x000002A464A20000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	ip-api.com

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3100	wmic.exe
3100	wmic.exe
3100	wmic.exe
3100	wmic.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeDebugPrivilege	2272	aaa.exe
Token: SeIncreaseQuotaPrivilege	3100	wmic.exe
Token: SeSecurityPrivilege	3100	wmic.exe
Token: SeTakeOwnershipPrivilege	3100	wmic.exe
Token: SeLoadDriverPrivilege	3100	wmic.exe
Token: SeSystemProfilePrivilege	3100	wmic.exe
Token: SeSystemtimePrivilege	3100	wmic.exe
Token: SeProfSingleProcessPrivilege	3100	wmic.exe
Token: SeIncBasePriorityPrivilege	3100	wmic.exe
Token: SeCreatePagefilePrivilege	3100	wmic.exe
Token: SeBackupPrivilege	3100	wmic.exe
Token: SeRestorePrivilege	3100	wmic.exe
Token: SeShutdownPrivilege	3100	wmic.exe
Token: SeDebugPrivilege	3100	wmic.exe
Token: SeSystemEnvironmentPrivilege	3100	wmic.exe
Token: SeRemoteShutdownPrivilege	3100	wmic.exe
Token: SeUndockPrivilege	3100	wmic.exe
Token: SeManageVolumePrivilege	3100	wmic.exe
Token: 33	3100	wmic.exe
Token: 34	3100	wmic.exe
Token: 35	3100	wmic.exe
Token: 36	3100	wmic.exe
Token: SeIncreaseQuotaPrivilege	3100	wmic.exe
Token: SeSecurityPrivilege	3100	wmic.exe
Token: SeTakeOwnershipPrivilege	3100	wmic.exe
Token: SeLoadDriverPrivilege	3100	wmic.exe
Token: SeSystemProfilePrivilege	3100	wmic.exe
Token: SeSystemtimePrivilege	3100	wmic.exe
Token: SeProfSingleProcessPrivilege	3100	wmic.exe
Token: SeIncBasePriorityPrivilege	3100	wmic.exe
Token: SeCreatePagefilePrivilege	3100	wmic.exe
Token: SeBackupPrivilege	3100	wmic.exe
Token: SeRestorePrivilege	3100	wmic.exe
Token: SeShutdownPrivilege	3100	wmic.exe
Token: SeDebugPrivilege	3100	wmic.exe
Token: SeSystemEnvironmentPrivilege	3100	wmic.exe
Token: SeRemoteShutdownPrivilege	3100	wmic.exe
Token: SeUndockPrivilege	3100	wmic.exe
Token: SeManageVolumePrivilege	3100	wmic.exe
Token: 33	3100	wmic.exe
Token: 34	3100	wmic.exe
Token: 35	3100	wmic.exe
Token: 36	3100	wmic.exe
Token: SeDebugPrivilege	4788	taskmgr.exe
Token: SeSystemProfilePrivilege	4788	taskmgr.exe
Token: SeCreateGlobalPrivilege	4788	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe
4788	taskmgr.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 3100	2272	aaa.exe	83
PID 2272 wrote to memory of 3100	2272	aaa.exe	83

C:\Users\Admin\AppData\Local\Temp\aaa.exe
"C:\Users\Admin\AppData\Local\Temp\aaa.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3100

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4788

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\New Text Document.txt
1⤵
PID:3784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2272-0-0x00007FFC09333000-0x00007FFC09335000-memory.dmp

Filesize
8KB

Download
memory/2272-1-0x000002A4649E0000-0x000002A464A20000-memory.dmp

Filesize
256KB

Download
memory/2272-2-0x00007FFC09330000-0x00007FFC09DF2000-memory.dmp

Filesize
10.8MB

Download
memory/2272-4-0x00007FFC09330000-0x00007FFC09DF2000-memory.dmp

Filesize
10.8MB

Download
memory/4788-7-0x0000015FD8C30000-0x0000015FD8C31000-memory.dmp

Filesize
4KB

Download
memory/4788-5-0x0000015FD8C30000-0x0000015FD8C31000-memory.dmp

Filesize
4KB

Download
memory/4788-6-0x0000015FD8C30000-0x0000015FD8C31000-memory.dmp

Filesize
4KB

Download
memory/4788-15-0x0000015FD8C30000-0x0000015FD8C31000-memory.dmp

Filesize
4KB

Download
memory/4788-17-0x0000015FD8C30000-0x0000015FD8C31000-memory.dmp

Filesize
4KB

Download
memory/4788-16-0x0000015FD8C30000-0x0000015FD8C31000-memory.dmp

Filesize
4KB

Download
memory/4788-14-0x0000015FD8C30000-0x0000015FD8C31000-memory.dmp

Filesize
4KB

Download
memory/4788-13-0x0000015FD8C30000-0x0000015FD8C31000-memory.dmp

Filesize
4KB

Download
memory/4788-12-0x0000015FD8C30000-0x0000015FD8C31000-memory.dmp

Filesize
4KB

Download
memory/4788-11-0x0000015FD8C30000-0x0000015FD8C31000-memory.dmp

Filesize
4KB

Download