umbral | b76766976849bada142b6825d45e1a0b4054dc948a990f7fa8cd8291c1731ba4

Analysis

max time kernel
146s
max time network
158s
platform
windows11-21h2_x64
resource
win11-20241023-en
resource tags

arch:x64arch:x86image:win11-20241023-enlocale:en-usos:windows11-21h2-x64system
submitted
13-11-2024 13:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

EacBypassGLOBAL.exe
Size

312KB
MD5

312f3cb6ec13f32fa7e70ca7717fdfe4
SHA1

6324c2bb52adcf190dcdf41acd426599751da68f
SHA256

b76766976849bada142b6825d45e1a0b4054dc948a990f7fa8cd8291c1731ba4
SHA512

bc3ba54a285b1d714b86e558d6e65fd2e9a1c87b7977cf4345451148fbabfbd9563d732237ee26bb06471b8c39b25bbdd64deed19c87e646fb116c3080374a1c
SSDEEP

6144:1loZM+rIkd8g+EtXHkv/iD4ndCljpaC9mop7mGzdwb8e1mXiM6hd39hikTH1:XoZtL+EP8ndCljpaC9mop7mGzS9L3z

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral2/memory/4592-1-0x000002477C9C0000-0x000002477CA14000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	4592	EacBypassGLOBAL.exe
Token: SeIncreaseQuotaPrivilege	2900	wmic.exe
Token: SeSecurityPrivilege	2900	wmic.exe
Token: SeTakeOwnershipPrivilege	2900	wmic.exe
Token: SeLoadDriverPrivilege	2900	wmic.exe
Token: SeSystemProfilePrivilege	2900	wmic.exe
Token: SeSystemtimePrivilege	2900	wmic.exe
Token: SeProfSingleProcessPrivilege	2900	wmic.exe
Token: SeIncBasePriorityPrivilege	2900	wmic.exe
Token: SeCreatePagefilePrivilege	2900	wmic.exe
Token: SeBackupPrivilege	2900	wmic.exe
Token: SeRestorePrivilege	2900	wmic.exe
Token: SeShutdownPrivilege	2900	wmic.exe
Token: SeDebugPrivilege	2900	wmic.exe
Token: SeSystemEnvironmentPrivilege	2900	wmic.exe
Token: SeRemoteShutdownPrivilege	2900	wmic.exe
Token: SeUndockPrivilege	2900	wmic.exe
Token: SeManageVolumePrivilege	2900	wmic.exe
Token: 33	2900	wmic.exe
Token: 34	2900	wmic.exe
Token: 35	2900	wmic.exe
Token: 36	2900	wmic.exe
Token: SeIncreaseQuotaPrivilege	2900	wmic.exe
Token: SeSecurityPrivilege	2900	wmic.exe
Token: SeTakeOwnershipPrivilege	2900	wmic.exe
Token: SeLoadDriverPrivilege	2900	wmic.exe
Token: SeSystemProfilePrivilege	2900	wmic.exe
Token: SeSystemtimePrivilege	2900	wmic.exe
Token: SeProfSingleProcessPrivilege	2900	wmic.exe
Token: SeIncBasePriorityPrivilege	2900	wmic.exe
Token: SeCreatePagefilePrivilege	2900	wmic.exe
Token: SeBackupPrivilege	2900	wmic.exe
Token: SeRestorePrivilege	2900	wmic.exe
Token: SeShutdownPrivilege	2900	wmic.exe
Token: SeDebugPrivilege	2900	wmic.exe
Token: SeSystemEnvironmentPrivilege	2900	wmic.exe
Token: SeRemoteShutdownPrivilege	2900	wmic.exe
Token: SeUndockPrivilege	2900	wmic.exe
Token: SeManageVolumePrivilege	2900	wmic.exe
Token: 33	2900	wmic.exe
Token: 34	2900	wmic.exe
Token: 35	2900	wmic.exe
Token: 36	2900	wmic.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4592 wrote to memory of 2900	4592	EacBypassGLOBAL.exe	80
PID 4592 wrote to memory of 2900	4592	EacBypassGLOBAL.exe	80

C:\Users\Admin\AppData\Local\Temp\EacBypassGLOBAL.exe
"C:\Users\Admin\AppData\Local\Temp\EacBypassGLOBAL.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4592
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2900

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4592-1-0x000002477C9C0000-0x000002477CA14000-memory.dmp

Filesize
336KB

Download
memory/4592-0-0x00007FF878853000-0x00007FF878855000-memory.dmp

Filesize
8KB

Download
memory/4592-2-0x00007FF878850000-0x00007FF879312000-memory.dmp

Filesize
10.8MB

Download
memory/4592-4-0x00007FF878850000-0x00007FF879312000-memory.dmp

Filesize
10.8MB

Download