umbral | 82bc9d17630c105e0eaa115acbb28fdd6264cf4e5da15329311817d38b9bbb09

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-02-2025 00:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

wow22.exe
Size

227KB
MD5

b3ef176d54158b25baa27e2c091f1f0e
SHA1

dc425834e0f35d66bce485ead25a00be5644ff5c
SHA256

82bc9d17630c105e0eaa115acbb28fdd6264cf4e5da15329311817d38b9bbb09
SHA512

23f0bf14e5154a4c7a92905aea1fc5eb29d9a9aad76644f7bcba8fefdcf7936dec7cbf0bb63127a407313534b64689c7ffaba8585e7e8ede4a246633c5b1fa98
SSDEEP

6144:+loZM+rIkd8g+EtXHkv/iD4o/3V6YXzQgp8aLLy8Db8e1mVi:ooZtL+EP8o/3V6YXzQgp8aLLyij

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral1/memory/1596-1-0x0000000000CB0000-0x0000000000CF0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ip-api.com

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeDebugPrivilege	1596	wow22.exe
Token: SeIncreaseQuotaPrivilege	2776	wmic.exe
Token: SeSecurityPrivilege	2776	wmic.exe
Token: SeTakeOwnershipPrivilege	2776	wmic.exe
Token: SeLoadDriverPrivilege	2776	wmic.exe
Token: SeSystemProfilePrivilege	2776	wmic.exe
Token: SeSystemtimePrivilege	2776	wmic.exe
Token: SeProfSingleProcessPrivilege	2776	wmic.exe
Token: SeIncBasePriorityPrivilege	2776	wmic.exe
Token: SeCreatePagefilePrivilege	2776	wmic.exe
Token: SeBackupPrivilege	2776	wmic.exe
Token: SeRestorePrivilege	2776	wmic.exe
Token: SeShutdownPrivilege	2776	wmic.exe
Token: SeDebugPrivilege	2776	wmic.exe
Token: SeSystemEnvironmentPrivilege	2776	wmic.exe
Token: SeRemoteShutdownPrivilege	2776	wmic.exe
Token: SeUndockPrivilege	2776	wmic.exe
Token: SeManageVolumePrivilege	2776	wmic.exe
Token: 33	2776	wmic.exe
Token: 34	2776	wmic.exe
Token: 35	2776	wmic.exe
Token: SeIncreaseQuotaPrivilege	2776	wmic.exe
Token: SeSecurityPrivilege	2776	wmic.exe
Token: SeTakeOwnershipPrivilege	2776	wmic.exe
Token: SeLoadDriverPrivilege	2776	wmic.exe
Token: SeSystemProfilePrivilege	2776	wmic.exe
Token: SeSystemtimePrivilege	2776	wmic.exe
Token: SeProfSingleProcessPrivilege	2776	wmic.exe
Token: SeIncBasePriorityPrivilege	2776	wmic.exe
Token: SeCreatePagefilePrivilege	2776	wmic.exe
Token: SeBackupPrivilege	2776	wmic.exe
Token: SeRestorePrivilege	2776	wmic.exe
Token: SeShutdownPrivilege	2776	wmic.exe
Token: SeDebugPrivilege	2776	wmic.exe
Token: SeSystemEnvironmentPrivilege	2776	wmic.exe
Token: SeRemoteShutdownPrivilege	2776	wmic.exe
Token: SeUndockPrivilege	2776	wmic.exe
Token: SeManageVolumePrivilege	2776	wmic.exe
Token: 33	2776	wmic.exe
Token: 34	2776	wmic.exe
Token: 35	2776	wmic.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1596 wrote to memory of 2776	1596	wow22.exe	30
PID 1596 wrote to memory of 2776	1596	wow22.exe	30
PID 1596 wrote to memory of 2776	1596	wow22.exe	30

C:\Users\Admin\AppData\Local\Temp\wow22.exe
"C:\Users\Admin\AppData\Local\Temp\wow22.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1596
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2776

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1596-0-0x000007FEF5F13000-0x000007FEF5F14000-memory.dmp

Filesize
4KB

Download
memory/1596-1-0x0000000000CB0000-0x0000000000CF0000-memory.dmp

Filesize
256KB

Download
memory/1596-2-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp

Filesize
9.9MB

Download
memory/1596-3-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp

Filesize
9.9MB

Download