Overview
overview
10Static
static
10cyber vortex 3.rar
windows7-x64
3cyber vortex 3.rar
windows10-2004-x64
3EasyExploits.dll
windows7-x64
1EasyExploits.dll
windows10-2004-x64
1FastColore...ox.dll
windows7-x64
1FastColore...ox.dll
windows10-2004-x64
1Scripts/read me.txt
windows7-x64
1Scripts/read me.txt
windows10-2004-x64
1cyber vortex 3.exe
windows7-x64
10cyber vortex 3.exe
windows10-2004-x64
10Analysis
-
max time kernel
135s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
20-06-2023 09:08
Behavioral task
behavioral1
Sample
cyber vortex 3.rar
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral2
Sample
cyber vortex 3.rar
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
EasyExploits.dll
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral4
Sample
EasyExploits.dll
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
FastColoredTextBox.dll
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral6
Sample
FastColoredTextBox.dll
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
Scripts/read me.txt
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral8
Sample
Scripts/read me.txt
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
cyber vortex 3.exe
Resource
win7-20230220-en
windows7-x64
General
-
Target
cyber vortex 3.exe
-
Size
354KB
-
MD5
287300575c7a8a060ccefd90cbb38126
-
SHA1
24f9dea714fc4183c1c2f4b31ef4a3d7efb43990
-
SHA256
2699c8c42d65dae5b9566d98db700275c0ffd9eb2b6ac0372f89467d865c9b40
-
SHA512
661f8dc6d57339e324afaec9f89891ebbaca1aae8d886745deadf8e54890dc70bc5e7393d051881c0f09eabc92f2eecfddb46d452d35b76e670eb92bf8d6c6e2
-
SSDEEP
6144:hloZM+rIkd8g+EtXHkv/iD4MR291XN2eRtENfKK/DWb8e1meizo3E/:ToZtL+EP8k291XN2eRtENfKK/Oszo3E/
Malware Config
Signatures
-
Detect Umbral payload 1 IoCs
resource yara_rule behavioral10/memory/1656-133-0x000001F507C30000-0x000001F507C8E000-memory.dmp family_umbral -
Suspicious use of AdjustPrivilegeToken 43 IoCs
description pid Process Token: SeDebugPrivilege 1656 cyber vortex 3.exe Token: SeIncreaseQuotaPrivilege 2500 wmic.exe Token: SeSecurityPrivilege 2500 wmic.exe Token: SeTakeOwnershipPrivilege 2500 wmic.exe Token: SeLoadDriverPrivilege 2500 wmic.exe Token: SeSystemProfilePrivilege 2500 wmic.exe Token: SeSystemtimePrivilege 2500 wmic.exe Token: SeProfSingleProcessPrivilege 2500 wmic.exe Token: SeIncBasePriorityPrivilege 2500 wmic.exe Token: SeCreatePagefilePrivilege 2500 wmic.exe Token: SeBackupPrivilege 2500 wmic.exe Token: SeRestorePrivilege 2500 wmic.exe Token: SeShutdownPrivilege 2500 wmic.exe Token: SeDebugPrivilege 2500 wmic.exe Token: SeSystemEnvironmentPrivilege 2500 wmic.exe Token: SeRemoteShutdownPrivilege 2500 wmic.exe Token: SeUndockPrivilege 2500 wmic.exe Token: SeManageVolumePrivilege 2500 wmic.exe Token: 33 2500 wmic.exe Token: 34 2500 wmic.exe Token: 35 2500 wmic.exe Token: 36 2500 wmic.exe Token: SeIncreaseQuotaPrivilege 2500 wmic.exe Token: SeSecurityPrivilege 2500 wmic.exe Token: SeTakeOwnershipPrivilege 2500 wmic.exe Token: SeLoadDriverPrivilege 2500 wmic.exe Token: SeSystemProfilePrivilege 2500 wmic.exe Token: SeSystemtimePrivilege 2500 wmic.exe Token: SeProfSingleProcessPrivilege 2500 wmic.exe Token: SeIncBasePriorityPrivilege 2500 wmic.exe Token: SeCreatePagefilePrivilege 2500 wmic.exe Token: SeBackupPrivilege 2500 wmic.exe Token: SeRestorePrivilege 2500 wmic.exe Token: SeShutdownPrivilege 2500 wmic.exe Token: SeDebugPrivilege 2500 wmic.exe Token: SeSystemEnvironmentPrivilege 2500 wmic.exe Token: SeRemoteShutdownPrivilege 2500 wmic.exe Token: SeUndockPrivilege 2500 wmic.exe Token: SeManageVolumePrivilege 2500 wmic.exe Token: 33 2500 wmic.exe Token: 34 2500 wmic.exe Token: 35 2500 wmic.exe Token: 36 2500 wmic.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 1656 wrote to memory of 2500 1656 cyber vortex 3.exe 84 PID 1656 wrote to memory of 2500 1656 cyber vortex 3.exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\cyber vortex 3.exe"C:\Users\Admin\AppData\Local\Temp\cyber vortex 3.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2500
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:4176