umbral | 525209de288e36bab56d3a19446249ffd067c8757b5d5870daa6a782b9567e74

Analysis

max time kernel
120s
max time network
122s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6bcf96280909b8139cf7fb517241d0b12c45f7fa2f1681cb7bc9caac33ef5867.exe
Size

229KB
MD5

c43fa6e8e418363f5b9bd2bac94e03ac
SHA1

4e557326d845f150c37e71d23f2e816942f6f53c
SHA256

6bcf96280909b8139cf7fb517241d0b12c45f7fa2f1681cb7bc9caac33ef5867
SHA512

1535626a7d98e33546f04623c7a405ded146a273422934d47c15f6862dc988212776b27270cf25434704dbf31a22dea5049e0b735b1861645e54510aa1f103ac
SSDEEP

6144:lloZM+rIkd8g+EtXHkv/iD4qCslEKtFucr20VJgqAb8e1mND8i:noZtL+EP8qCslEKtFucr20VJgDYx

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral9/memory/2428-1-0x0000000000140000-0x0000000000180000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ip-api.com

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeDebugPrivilege	2428	6bcf96280909b8139cf7fb517241d0b12c45f7fa2f1681cb7bc9caac33ef5867.exe
Token: SeIncreaseQuotaPrivilege	2588	wmic.exe
Token: SeSecurityPrivilege	2588	wmic.exe
Token: SeTakeOwnershipPrivilege	2588	wmic.exe
Token: SeLoadDriverPrivilege	2588	wmic.exe
Token: SeSystemProfilePrivilege	2588	wmic.exe
Token: SeSystemtimePrivilege	2588	wmic.exe
Token: SeProfSingleProcessPrivilege	2588	wmic.exe
Token: SeIncBasePriorityPrivilege	2588	wmic.exe
Token: SeCreatePagefilePrivilege	2588	wmic.exe
Token: SeBackupPrivilege	2588	wmic.exe
Token: SeRestorePrivilege	2588	wmic.exe
Token: SeShutdownPrivilege	2588	wmic.exe
Token: SeDebugPrivilege	2588	wmic.exe
Token: SeSystemEnvironmentPrivilege	2588	wmic.exe
Token: SeRemoteShutdownPrivilege	2588	wmic.exe
Token: SeUndockPrivilege	2588	wmic.exe
Token: SeManageVolumePrivilege	2588	wmic.exe
Token: 33	2588	wmic.exe
Token: 34	2588	wmic.exe
Token: 35	2588	wmic.exe
Token: SeIncreaseQuotaPrivilege	2588	wmic.exe
Token: SeSecurityPrivilege	2588	wmic.exe
Token: SeTakeOwnershipPrivilege	2588	wmic.exe
Token: SeLoadDriverPrivilege	2588	wmic.exe
Token: SeSystemProfilePrivilege	2588	wmic.exe
Token: SeSystemtimePrivilege	2588	wmic.exe
Token: SeProfSingleProcessPrivilege	2588	wmic.exe
Token: SeIncBasePriorityPrivilege	2588	wmic.exe
Token: SeCreatePagefilePrivilege	2588	wmic.exe
Token: SeBackupPrivilege	2588	wmic.exe
Token: SeRestorePrivilege	2588	wmic.exe
Token: SeShutdownPrivilege	2588	wmic.exe
Token: SeDebugPrivilege	2588	wmic.exe
Token: SeSystemEnvironmentPrivilege	2588	wmic.exe
Token: SeRemoteShutdownPrivilege	2588	wmic.exe
Token: SeUndockPrivilege	2588	wmic.exe
Token: SeManageVolumePrivilege	2588	wmic.exe
Token: 33	2588	wmic.exe
Token: 34	2588	wmic.exe
Token: 35	2588	wmic.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2428 wrote to memory of 2588	2428	6bcf96280909b8139cf7fb517241d0b12c45f7fa2f1681cb7bc9caac33ef5867.exe	30
PID 2428 wrote to memory of 2588	2428	6bcf96280909b8139cf7fb517241d0b12c45f7fa2f1681cb7bc9caac33ef5867.exe	30
PID 2428 wrote to memory of 2588	2428	6bcf96280909b8139cf7fb517241d0b12c45f7fa2f1681cb7bc9caac33ef5867.exe	30

C:\Users\Admin\AppData\Local\Temp\6bcf96280909b8139cf7fb517241d0b12c45f7fa2f1681cb7bc9caac33ef5867.exe
"C:\Users\Admin\AppData\Local\Temp\6bcf96280909b8139cf7fb517241d0b12c45f7fa2f1681cb7bc9caac33ef5867.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2588

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2428-0-0x000007FEF5EA3000-0x000007FEF5EA4000-memory.dmp

Filesize
4KB

Download
memory/2428-1-0x0000000000140000-0x0000000000180000-memory.dmp

Filesize
256KB

Download
memory/2428-2-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/2428-3-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download