umbral | 82bc9d17630c105e0eaa115acbb28fdd6264cf4e5da15329311817d38b9bbb09

Analysis

max time kernel
135s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
19-02-2025 00:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

wow22.exe
Size

227KB
MD5

b3ef176d54158b25baa27e2c091f1f0e
SHA1

dc425834e0f35d66bce485ead25a00be5644ff5c
SHA256

82bc9d17630c105e0eaa115acbb28fdd6264cf4e5da15329311817d38b9bbb09
SHA512

23f0bf14e5154a4c7a92905aea1fc5eb29d9a9aad76644f7bcba8fefdcf7936dec7cbf0bb63127a407313534b64689c7ffaba8585e7e8ede4a246633c5b1fa98
SSDEEP

6144:+loZM+rIkd8g+EtXHkv/iD4o/3V6YXzQgp8aLLy8Db8e1mVi:ooZtL+EP8o/3V6YXzQgp8aLLyij

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral2/memory/1432-1-0x000001EE36A80000-0x000001EE36AC0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	1432	wow22.exe
Token: SeIncreaseQuotaPrivilege	2000	wmic.exe
Token: SeSecurityPrivilege	2000	wmic.exe
Token: SeTakeOwnershipPrivilege	2000	wmic.exe
Token: SeLoadDriverPrivilege	2000	wmic.exe
Token: SeSystemProfilePrivilege	2000	wmic.exe
Token: SeSystemtimePrivilege	2000	wmic.exe
Token: SeProfSingleProcessPrivilege	2000	wmic.exe
Token: SeIncBasePriorityPrivilege	2000	wmic.exe
Token: SeCreatePagefilePrivilege	2000	wmic.exe
Token: SeBackupPrivilege	2000	wmic.exe
Token: SeRestorePrivilege	2000	wmic.exe
Token: SeShutdownPrivilege	2000	wmic.exe
Token: SeDebugPrivilege	2000	wmic.exe
Token: SeSystemEnvironmentPrivilege	2000	wmic.exe
Token: SeRemoteShutdownPrivilege	2000	wmic.exe
Token: SeUndockPrivilege	2000	wmic.exe
Token: SeManageVolumePrivilege	2000	wmic.exe
Token: 33	2000	wmic.exe
Token: 34	2000	wmic.exe
Token: 35	2000	wmic.exe
Token: 36	2000	wmic.exe
Token: SeIncreaseQuotaPrivilege	2000	wmic.exe
Token: SeSecurityPrivilege	2000	wmic.exe
Token: SeTakeOwnershipPrivilege	2000	wmic.exe
Token: SeLoadDriverPrivilege	2000	wmic.exe
Token: SeSystemProfilePrivilege	2000	wmic.exe
Token: SeSystemtimePrivilege	2000	wmic.exe
Token: SeProfSingleProcessPrivilege	2000	wmic.exe
Token: SeIncBasePriorityPrivilege	2000	wmic.exe
Token: SeCreatePagefilePrivilege	2000	wmic.exe
Token: SeBackupPrivilege	2000	wmic.exe
Token: SeRestorePrivilege	2000	wmic.exe
Token: SeShutdownPrivilege	2000	wmic.exe
Token: SeDebugPrivilege	2000	wmic.exe
Token: SeSystemEnvironmentPrivilege	2000	wmic.exe
Token: SeRemoteShutdownPrivilege	2000	wmic.exe
Token: SeUndockPrivilege	2000	wmic.exe
Token: SeManageVolumePrivilege	2000	wmic.exe
Token: 33	2000	wmic.exe
Token: 34	2000	wmic.exe
Token: 35	2000	wmic.exe
Token: 36	2000	wmic.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1432 wrote to memory of 2000	1432	wow22.exe	88
PID 1432 wrote to memory of 2000	1432	wow22.exe	88

C:\Users\Admin\AppData\Local\Temp\wow22.exe
"C:\Users\Admin\AppData\Local\Temp\wow22.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1432
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2000

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1432-1-0x000001EE36A80000-0x000001EE36AC0000-memory.dmp

Filesize
256KB

Download
memory/1432-0-0x00007FF9BCEA3000-0x00007FF9BCEA5000-memory.dmp

Filesize
8KB

Download
memory/1432-2-0x00007FF9BCEA0000-0x00007FF9BD961000-memory.dmp

Filesize
10.8MB

Download
memory/1432-4-0x00007FF9BCEA0000-0x00007FF9BD961000-memory.dmp

Filesize
10.8MB

Download