umbral | c4a0a90225c2162a183793c92f52583c38282aca2152eb104bef96cf746392db

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-11-2024 19:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

M298Q_CheatFn.exe
Size

227KB
MD5

16a6afb6f4060183c3409a6a6ae432c5
SHA1

1e033fd7f71d2a0a384c2a71303729810368ce4a
SHA256

c4a0a90225c2162a183793c92f52583c38282aca2152eb104bef96cf746392db
SHA512

403ca621ec00eacdb1bdf380bc001d2bb50d25a7e90c5729968f591dc82da6d37a09e8bd50c75656c3392ac6df017fc0ad94994db8c724e3d07ceb6147ae4110
SSDEEP

6144:eloZM+rIkd8g+EtXHkv/iD4ibLtL4+ZRSW3q459cFeb8e1m8i:IoZtL+EP8ibLtL4+ZRSW3q459cMG

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral1/memory/2900-1-0x0000000000FD0000-0x0000000001010000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ip-api.com

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeDebugPrivilege	2900	M298Q_CheatFn.exe
Token: SeIncreaseQuotaPrivilege	2348	wmic.exe
Token: SeSecurityPrivilege	2348	wmic.exe
Token: SeTakeOwnershipPrivilege	2348	wmic.exe
Token: SeLoadDriverPrivilege	2348	wmic.exe
Token: SeSystemProfilePrivilege	2348	wmic.exe
Token: SeSystemtimePrivilege	2348	wmic.exe
Token: SeProfSingleProcessPrivilege	2348	wmic.exe
Token: SeIncBasePriorityPrivilege	2348	wmic.exe
Token: SeCreatePagefilePrivilege	2348	wmic.exe
Token: SeBackupPrivilege	2348	wmic.exe
Token: SeRestorePrivilege	2348	wmic.exe
Token: SeShutdownPrivilege	2348	wmic.exe
Token: SeDebugPrivilege	2348	wmic.exe
Token: SeSystemEnvironmentPrivilege	2348	wmic.exe
Token: SeRemoteShutdownPrivilege	2348	wmic.exe
Token: SeUndockPrivilege	2348	wmic.exe
Token: SeManageVolumePrivilege	2348	wmic.exe
Token: 33	2348	wmic.exe
Token: 34	2348	wmic.exe
Token: 35	2348	wmic.exe
Token: SeIncreaseQuotaPrivilege	2348	wmic.exe
Token: SeSecurityPrivilege	2348	wmic.exe
Token: SeTakeOwnershipPrivilege	2348	wmic.exe
Token: SeLoadDriverPrivilege	2348	wmic.exe
Token: SeSystemProfilePrivilege	2348	wmic.exe
Token: SeSystemtimePrivilege	2348	wmic.exe
Token: SeProfSingleProcessPrivilege	2348	wmic.exe
Token: SeIncBasePriorityPrivilege	2348	wmic.exe
Token: SeCreatePagefilePrivilege	2348	wmic.exe
Token: SeBackupPrivilege	2348	wmic.exe
Token: SeRestorePrivilege	2348	wmic.exe
Token: SeShutdownPrivilege	2348	wmic.exe
Token: SeDebugPrivilege	2348	wmic.exe
Token: SeSystemEnvironmentPrivilege	2348	wmic.exe
Token: SeRemoteShutdownPrivilege	2348	wmic.exe
Token: SeUndockPrivilege	2348	wmic.exe
Token: SeManageVolumePrivilege	2348	wmic.exe
Token: 33	2348	wmic.exe
Token: 34	2348	wmic.exe
Token: 35	2348	wmic.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2900 wrote to memory of 2348	2900	M298Q_CheatFn.exe	28
PID 2900 wrote to memory of 2348	2900	M298Q_CheatFn.exe	28
PID 2900 wrote to memory of 2348	2900	M298Q_CheatFn.exe	28

C:\Users\Admin\AppData\Local\Temp\M298Q_CheatFn.exe
"C:\Users\Admin\AppData\Local\Temp\M298Q_CheatFn.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2900
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2348

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2900-0-0x000007FEF56D3000-0x000007FEF56D4000-memory.dmp

Filesize
4KB

Download
memory/2900-1-0x0000000000FD0000-0x0000000001010000-memory.dmp

Filesize
256KB

Download
memory/2900-2-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp

Filesize
9.9MB

Download
memory/2900-3-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp

Filesize
9.9MB

Download