Overview
overview
10Static
static
10cyber vortex 3.rar
windows7-x64
3cyber vortex 3.rar
windows10-2004-x64
3EasyExploits.dll
windows7-x64
1EasyExploits.dll
windows10-2004-x64
1FastColore...ox.dll
windows7-x64
1FastColore...ox.dll
windows10-2004-x64
1Scripts/read me.txt
windows7-x64
1Scripts/read me.txt
windows10-2004-x64
1cyber vortex 3.exe
windows7-x64
10cyber vortex 3.exe
windows10-2004-x64
10Analysis
-
max time kernel
135s -
max time network
136s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
20-06-2023 09:08
Behavioral task
behavioral1
Sample
cyber vortex 3.rar
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral2
Sample
cyber vortex 3.rar
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
EasyExploits.dll
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral4
Sample
EasyExploits.dll
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
FastColoredTextBox.dll
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral6
Sample
FastColoredTextBox.dll
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
Scripts/read me.txt
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral8
Sample
Scripts/read me.txt
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
cyber vortex 3.exe
Resource
win7-20230220-en
windows7-x64
General
-
Target
cyber vortex 3.exe
-
Size
354KB
-
MD5
287300575c7a8a060ccefd90cbb38126
-
SHA1
24f9dea714fc4183c1c2f4b31ef4a3d7efb43990
-
SHA256
2699c8c42d65dae5b9566d98db700275c0ffd9eb2b6ac0372f89467d865c9b40
-
SHA512
661f8dc6d57339e324afaec9f89891ebbaca1aae8d886745deadf8e54890dc70bc5e7393d051881c0f09eabc92f2eecfddb46d452d35b76e670eb92bf8d6c6e2
-
SSDEEP
6144:hloZM+rIkd8g+EtXHkv/iD4MR291XN2eRtENfKK/DWb8e1meizo3E/:ToZtL+EP8k291XN2eRtENfKK/Oszo3E/
Malware Config
Signatures
-
Detect Umbral payload 3 IoCs
resource yara_rule behavioral9/memory/1396-54-0x0000000001350000-0x00000000013AE000-memory.dmp family_umbral behavioral9/memory/1396-55-0x000000001B400000-0x000000001B480000-memory.dmp family_umbral behavioral9/memory/1396-56-0x000000001B400000-0x000000001B480000-memory.dmp family_umbral -
Suspicious use of AdjustPrivilegeToken 41 IoCs
description pid Process Token: SeDebugPrivilege 1396 cyber vortex 3.exe Token: SeIncreaseQuotaPrivilege 1716 wmic.exe Token: SeSecurityPrivilege 1716 wmic.exe Token: SeTakeOwnershipPrivilege 1716 wmic.exe Token: SeLoadDriverPrivilege 1716 wmic.exe Token: SeSystemProfilePrivilege 1716 wmic.exe Token: SeSystemtimePrivilege 1716 wmic.exe Token: SeProfSingleProcessPrivilege 1716 wmic.exe Token: SeIncBasePriorityPrivilege 1716 wmic.exe Token: SeCreatePagefilePrivilege 1716 wmic.exe Token: SeBackupPrivilege 1716 wmic.exe Token: SeRestorePrivilege 1716 wmic.exe Token: SeShutdownPrivilege 1716 wmic.exe Token: SeDebugPrivilege 1716 wmic.exe Token: SeSystemEnvironmentPrivilege 1716 wmic.exe Token: SeRemoteShutdownPrivilege 1716 wmic.exe Token: SeUndockPrivilege 1716 wmic.exe Token: SeManageVolumePrivilege 1716 wmic.exe Token: 33 1716 wmic.exe Token: 34 1716 wmic.exe Token: 35 1716 wmic.exe Token: SeIncreaseQuotaPrivilege 1716 wmic.exe Token: SeSecurityPrivilege 1716 wmic.exe Token: SeTakeOwnershipPrivilege 1716 wmic.exe Token: SeLoadDriverPrivilege 1716 wmic.exe Token: SeSystemProfilePrivilege 1716 wmic.exe Token: SeSystemtimePrivilege 1716 wmic.exe Token: SeProfSingleProcessPrivilege 1716 wmic.exe Token: SeIncBasePriorityPrivilege 1716 wmic.exe Token: SeCreatePagefilePrivilege 1716 wmic.exe Token: SeBackupPrivilege 1716 wmic.exe Token: SeRestorePrivilege 1716 wmic.exe Token: SeShutdownPrivilege 1716 wmic.exe Token: SeDebugPrivilege 1716 wmic.exe Token: SeSystemEnvironmentPrivilege 1716 wmic.exe Token: SeRemoteShutdownPrivilege 1716 wmic.exe Token: SeUndockPrivilege 1716 wmic.exe Token: SeManageVolumePrivilege 1716 wmic.exe Token: 33 1716 wmic.exe Token: 34 1716 wmic.exe Token: 35 1716 wmic.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1396 wrote to memory of 1716 1396 cyber vortex 3.exe 28 PID 1396 wrote to memory of 1716 1396 cyber vortex 3.exe 28 PID 1396 wrote to memory of 1716 1396 cyber vortex 3.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\cyber vortex 3.exe"C:\Users\Admin\AppData\Local\Temp\cyber vortex 3.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1396 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1716
-