umbral | add6234329d65ae878b6112d7d63d6641b842d28c0fa2fa5fbbb09a1b835bc0c

Analysis

max time kernel
132s
max time network
135s
platform
windows7_x64
resource
win7-20250207-en
resource tags

arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21f28d08dc54803297d88496cbcf33b3314d19d8d526d5c30fcaf34e03e0f44a.exe
Size

231KB
MD5

2f4ccda2d6d63cb86b7364cc8e5c95ec
SHA1

12a830b8ae0530d7db30b6e50b0593c30625bdfd
SHA256

21f28d08dc54803297d88496cbcf33b3314d19d8d526d5c30fcaf34e03e0f44a
SHA512

0b6c799dd8e6b9c0ce84266de52492a3f705a15888720415fe479e3b03deadcde88b2fdd7c56320dea703d7eb5358edaa1fa5fb23f3ce09de296befc4966946f
SSDEEP

6144:xloZM+rIkd8g+EtXHkv/iD4NVyQdLocD0abtIExXdb8e1mvoDi:DoZtL+EP8NVyQdLocD0abtIExtIoO

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral1/memory/2716-1-0x0000000000980000-0x00000000009C0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
10	ip-api.com

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeDebugPrivilege	2716	21f28d08dc54803297d88496cbcf33b3314d19d8d526d5c30fcaf34e03e0f44a.exe
Token: SeIncreaseQuotaPrivilege	2016	wmic.exe
Token: SeSecurityPrivilege	2016	wmic.exe
Token: SeTakeOwnershipPrivilege	2016	wmic.exe
Token: SeLoadDriverPrivilege	2016	wmic.exe
Token: SeSystemProfilePrivilege	2016	wmic.exe
Token: SeSystemtimePrivilege	2016	wmic.exe
Token: SeProfSingleProcessPrivilege	2016	wmic.exe
Token: SeIncBasePriorityPrivilege	2016	wmic.exe
Token: SeCreatePagefilePrivilege	2016	wmic.exe
Token: SeBackupPrivilege	2016	wmic.exe
Token: SeRestorePrivilege	2016	wmic.exe
Token: SeShutdownPrivilege	2016	wmic.exe
Token: SeDebugPrivilege	2016	wmic.exe
Token: SeSystemEnvironmentPrivilege	2016	wmic.exe
Token: SeRemoteShutdownPrivilege	2016	wmic.exe
Token: SeUndockPrivilege	2016	wmic.exe
Token: SeManageVolumePrivilege	2016	wmic.exe
Token: 33	2016	wmic.exe
Token: 34	2016	wmic.exe
Token: 35	2016	wmic.exe
Token: SeIncreaseQuotaPrivilege	2016	wmic.exe
Token: SeSecurityPrivilege	2016	wmic.exe
Token: SeTakeOwnershipPrivilege	2016	wmic.exe
Token: SeLoadDriverPrivilege	2016	wmic.exe
Token: SeSystemProfilePrivilege	2016	wmic.exe
Token: SeSystemtimePrivilege	2016	wmic.exe
Token: SeProfSingleProcessPrivilege	2016	wmic.exe
Token: SeIncBasePriorityPrivilege	2016	wmic.exe
Token: SeCreatePagefilePrivilege	2016	wmic.exe
Token: SeBackupPrivilege	2016	wmic.exe
Token: SeRestorePrivilege	2016	wmic.exe
Token: SeShutdownPrivilege	2016	wmic.exe
Token: SeDebugPrivilege	2016	wmic.exe
Token: SeSystemEnvironmentPrivilege	2016	wmic.exe
Token: SeRemoteShutdownPrivilege	2016	wmic.exe
Token: SeUndockPrivilege	2016	wmic.exe
Token: SeManageVolumePrivilege	2016	wmic.exe
Token: 33	2016	wmic.exe
Token: 34	2016	wmic.exe
Token: 35	2016	wmic.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2716 wrote to memory of 2016	2716	21f28d08dc54803297d88496cbcf33b3314d19d8d526d5c30fcaf34e03e0f44a.exe	31
PID 2716 wrote to memory of 2016	2716	21f28d08dc54803297d88496cbcf33b3314d19d8d526d5c30fcaf34e03e0f44a.exe	31
PID 2716 wrote to memory of 2016	2716	21f28d08dc54803297d88496cbcf33b3314d19d8d526d5c30fcaf34e03e0f44a.exe	31

C:\Users\Admin\AppData\Local\Temp\21f28d08dc54803297d88496cbcf33b3314d19d8d526d5c30fcaf34e03e0f44a.exe
"C:\Users\Admin\AppData\Local\Temp\21f28d08dc54803297d88496cbcf33b3314d19d8d526d5c30fcaf34e03e0f44a.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2016

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2716-0-0x000007FEF5D73000-0x000007FEF5D74000-memory.dmp

Filesize
4KB

Download
memory/2716-1-0x0000000000980000-0x00000000009C0000-memory.dmp

Filesize
256KB

Download
memory/2716-2-0x000007FEF5D70000-0x000007FEF675C000-memory.dmp

Filesize
9.9MB

Download
memory/2716-3-0x000007FEF5D73000-0x000007FEF5D74000-memory.dmp

Filesize
4KB

Download
memory/2716-4-0x000007FEF5D70000-0x000007FEF675C000-memory.dmp

Filesize
9.9MB

Download
memory/2716-5-0x000007FEF5D70000-0x000007FEF675C000-memory.dmp

Filesize
9.9MB

Download