umbral | 894a461e0d709023ba6ec45f748b38a79ae12cf398702244ef2ffa93dd644133

Analysis

max time kernel
103s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aad3df12348dcf9b2bd4c1b1f7cba937.exe
Size

227KB
MD5

aad3df12348dcf9b2bd4c1b1f7cba937
SHA1

98e781980a89d77cfbd266e98de28c3a88c04b66
SHA256

bada765d60e5c646ce6286023fb474c9136c4d31c33f2d1efb08b831c08e29c9
SHA512

5636ed03df0561b9e769e3e0191ff9344e56c28a14007c734fea9f53d739b18ce3dbd3261e6b505dbd235871273fa7cabe5b6d798e5eed6361f0e5a5209a9dc7
SSDEEP

6144:+loZMrrIkd8g+EtXHkv/iD4J1nsPlO2ZEc1niinz+b8e1mpii:ooZUL+EP8J1nsPlO2ZEc1niinWs3

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral2/memory/2920-1-0x0000022BF0D90000-0x0000022BF0DD0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
22	ip-api.com

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	2920	aad3df12348dcf9b2bd4c1b1f7cba937.exe
Token: SeIncreaseQuotaPrivilege	5064	wmic.exe
Token: SeSecurityPrivilege	5064	wmic.exe
Token: SeTakeOwnershipPrivilege	5064	wmic.exe
Token: SeLoadDriverPrivilege	5064	wmic.exe
Token: SeSystemProfilePrivilege	5064	wmic.exe
Token: SeSystemtimePrivilege	5064	wmic.exe
Token: SeProfSingleProcessPrivilege	5064	wmic.exe
Token: SeIncBasePriorityPrivilege	5064	wmic.exe
Token: SeCreatePagefilePrivilege	5064	wmic.exe
Token: SeBackupPrivilege	5064	wmic.exe
Token: SeRestorePrivilege	5064	wmic.exe
Token: SeShutdownPrivilege	5064	wmic.exe
Token: SeDebugPrivilege	5064	wmic.exe
Token: SeSystemEnvironmentPrivilege	5064	wmic.exe
Token: SeRemoteShutdownPrivilege	5064	wmic.exe
Token: SeUndockPrivilege	5064	wmic.exe
Token: SeManageVolumePrivilege	5064	wmic.exe
Token: 33	5064	wmic.exe
Token: 34	5064	wmic.exe
Token: 35	5064	wmic.exe
Token: 36	5064	wmic.exe
Token: SeIncreaseQuotaPrivilege	5064	wmic.exe
Token: SeSecurityPrivilege	5064	wmic.exe
Token: SeTakeOwnershipPrivilege	5064	wmic.exe
Token: SeLoadDriverPrivilege	5064	wmic.exe
Token: SeSystemProfilePrivilege	5064	wmic.exe
Token: SeSystemtimePrivilege	5064	wmic.exe
Token: SeProfSingleProcessPrivilege	5064	wmic.exe
Token: SeIncBasePriorityPrivilege	5064	wmic.exe
Token: SeCreatePagefilePrivilege	5064	wmic.exe
Token: SeBackupPrivilege	5064	wmic.exe
Token: SeRestorePrivilege	5064	wmic.exe
Token: SeShutdownPrivilege	5064	wmic.exe
Token: SeDebugPrivilege	5064	wmic.exe
Token: SeSystemEnvironmentPrivilege	5064	wmic.exe
Token: SeRemoteShutdownPrivilege	5064	wmic.exe
Token: SeUndockPrivilege	5064	wmic.exe
Token: SeManageVolumePrivilege	5064	wmic.exe
Token: 33	5064	wmic.exe
Token: 34	5064	wmic.exe
Token: 35	5064	wmic.exe
Token: 36	5064	wmic.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2920 wrote to memory of 5064	2920	aad3df12348dcf9b2bd4c1b1f7cba937.exe	88
PID 2920 wrote to memory of 5064	2920	aad3df12348dcf9b2bd4c1b1f7cba937.exe	88

C:\Users\Admin\AppData\Local\Temp\aad3df12348dcf9b2bd4c1b1f7cba937.exe
"C:\Users\Admin\AppData\Local\Temp\aad3df12348dcf9b2bd4c1b1f7cba937.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2920
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5064

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2920-0-0x00007FF82A073000-0x00007FF82A075000-memory.dmp

Filesize
8KB

Download
memory/2920-1-0x0000022BF0D90000-0x0000022BF0DD0000-memory.dmp

Filesize
256KB

Download
memory/2920-2-0x00007FF82A070000-0x00007FF82AB31000-memory.dmp

Filesize
10.8MB

Download
memory/2920-4-0x00007FF82A070000-0x00007FF82AB31000-memory.dmp

Filesize
10.8MB

Download