Analysis
-
max time kernel
120s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system -
submitted
18-02-2025 08:28
Behavioral task
behavioral1
Sample
Umbral.exe
Resource
win7-20240903-en
windows7-x64
6 signatures
150 seconds
General
-
Target
Umbral.exe
-
Size
230KB
-
MD5
cd32fdd05be451dcebaa04ed226b417d
-
SHA1
2ee53c0439df3d1d490df3ae4ae392d1b3bdde4f
-
SHA256
f255a381ef85b1da243ce96a36362bf08fe313ff0666e58e40430bbbd365e3f3
-
SHA512
b76af4ff2da8a31dda4b8d32b5eec349862f1b1c75d8806f4dbbbe46e7de899162cd5f79d857766fb934b8ad56f1e9b6e836cba78d1e9f0374d0fc97568e65e4
-
SSDEEP
6144:1loZM+rIkd8g+EtXHkv/iD4IbGlW0b3cwNImHHm4ib8e1mbi:XoZtL+EP8IbGlW0b3cwNImHHm/R
Malware Config
Signatures
-
Detect Umbral payload 1 IoCs
resource yara_rule behavioral2/memory/3544-1-0x000002082E9F0000-0x000002082EA30000-memory.dmp family_umbral -
Umbral family
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 3 ip-api.com -
Suspicious use of AdjustPrivilegeToken 43 IoCs
description pid Process Token: SeDebugPrivilege 3544 Umbral.exe Token: SeIncreaseQuotaPrivilege 4212 wmic.exe Token: SeSecurityPrivilege 4212 wmic.exe Token: SeTakeOwnershipPrivilege 4212 wmic.exe Token: SeLoadDriverPrivilege 4212 wmic.exe Token: SeSystemProfilePrivilege 4212 wmic.exe Token: SeSystemtimePrivilege 4212 wmic.exe Token: SeProfSingleProcessPrivilege 4212 wmic.exe Token: SeIncBasePriorityPrivilege 4212 wmic.exe Token: SeCreatePagefilePrivilege 4212 wmic.exe Token: SeBackupPrivilege 4212 wmic.exe Token: SeRestorePrivilege 4212 wmic.exe Token: SeShutdownPrivilege 4212 wmic.exe Token: SeDebugPrivilege 4212 wmic.exe Token: SeSystemEnvironmentPrivilege 4212 wmic.exe Token: SeRemoteShutdownPrivilege 4212 wmic.exe Token: SeUndockPrivilege 4212 wmic.exe Token: SeManageVolumePrivilege 4212 wmic.exe Token: 33 4212 wmic.exe Token: 34 4212 wmic.exe Token: 35 4212 wmic.exe Token: 36 4212 wmic.exe Token: SeIncreaseQuotaPrivilege 4212 wmic.exe Token: SeSecurityPrivilege 4212 wmic.exe Token: SeTakeOwnershipPrivilege 4212 wmic.exe Token: SeLoadDriverPrivilege 4212 wmic.exe Token: SeSystemProfilePrivilege 4212 wmic.exe Token: SeSystemtimePrivilege 4212 wmic.exe Token: SeProfSingleProcessPrivilege 4212 wmic.exe Token: SeIncBasePriorityPrivilege 4212 wmic.exe Token: SeCreatePagefilePrivilege 4212 wmic.exe Token: SeBackupPrivilege 4212 wmic.exe Token: SeRestorePrivilege 4212 wmic.exe Token: SeShutdownPrivilege 4212 wmic.exe Token: SeDebugPrivilege 4212 wmic.exe Token: SeSystemEnvironmentPrivilege 4212 wmic.exe Token: SeRemoteShutdownPrivilege 4212 wmic.exe Token: SeUndockPrivilege 4212 wmic.exe Token: SeManageVolumePrivilege 4212 wmic.exe Token: 33 4212 wmic.exe Token: 34 4212 wmic.exe Token: 35 4212 wmic.exe Token: 36 4212 wmic.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 3544 wrote to memory of 4212 3544 Umbral.exe 85 PID 3544 wrote to memory of 4212 3544 Umbral.exe 85