Analysis
max time kernel: 68s
max time network: 72s
platform: windows7_x64
resource: win7-20230703-en
resource tags: arch:x64, arch:x86, image:win7-20230703-en, locale:en-us, os:windows7-x64, system
submitted: 09-07-2023 11:25
Behavioral task: behavioral1
Sample: ImperialStealerexeexeexee.exe
Resource: win7-20230703-en (windows7-x64)
4 signatures
150 seconds
General
Target: ImperialStealerexeexeexee.exe
Size: 287KB
MD5: f0a434e6a2826a3bb563c59dfe720a94
SHA1: 46899f6dda27a9ddc7f0849f999a7d7851f6960c
SHA256: 0082170e2185d53ec008632a7e8d10b6ff831c063dd2fbf23b6a888f21e6da29
SHA512: 14fd13968cbc005764e43bfc62056c953a3c61c94f90888b9a3c26d3c0b1b8645335e7c950ad05787bd75423c5a2d310baf08dc41ed6aef99f773cab76f694e4
SSDEEP: 6144:+loZM+rIkd8g+EtXHkv/iD4U8OK/w2xpaqPyAxVk1Eb8e1mwi:ooZtL+EP8U8OK/w2xpaqPyAxVkOG
Malware Config
Signatures
Detect Umbral payload (2 IoCs)
resource                                                                     yara_rule
behavioral1/memory/2332-54-0x0000000000350000-0x000000000039E000-memory.dmp  family_umbral
behavioral1/memory/2332-55-0x000000001A840000-0x000000001A8C0000-memory.dmp  family_umbral
Suspicious use of AdjustPrivilegeToken (41 IoCs)
description                          pid   Process
Token: SeDebugPrivilege              2332  ImperialStealerexeexeexee.exe
Token: SeIncreaseQuotaPrivilege      1360  wmic.exe
Token: SeSecurityPrivilege           1360  wmic.exe
Token: SeTakeOwnershipPrivilege      1360  wmic.exe
Token: SeLoadDriverPrivilege         1360  wmic.exe
Token: SeSystemProfilePrivilege      1360  wmic.exe
Token: SeSystemtimePrivilege         1360  wmic.exe
Token: SeProfSingleProcessPrivilege  1360  wmic.exe
Token: SeIncBasePriorityPrivilege    1360  wmic.exe
Token: SeCreatePagefilePrivilege     1360  wmic.exe
Token: SeBackupPrivilege             1360  wmic.exe
Token: SeRestorePrivilege            1360  wmic.exe
Token: SeShutdownPrivilege           1360  wmic.exe
Token: SeDebugPrivilege              1360  wmic.exe
Token: SeSystemEnvironmentPrivilege  1360  wmic.exe
Token: SeRemoteShutdownPrivilege     1360  wmic.exe
Token: SeUndockPrivilege             1360  wmic.exe
Token: SeManageVolumePrivilege       1360  wmic.exe
Token: 33                            1360  wmic.exe
Token: 34                            1360  wmic.exe
Token: 35                            1360  wmic.exe
Token: SeIncreaseQuotaPrivilege      1360  wmic.exe
Token: SeSecurityPrivilege           1360  wmic.exe
Token: SeTakeOwnershipPrivilege      1360  wmic.exe
Token: SeLoadDriverPrivilege         1360  wmic.exe
Token: SeSystemProfilePrivilege      1360  wmic.exe
Token: SeSystemtimePrivilege         1360  wmic.exe
Token: SeProfSingleProcessPrivilege  1360  wmic.exe
Token: SeIncBasePriorityPrivilege    1360  wmic.exe
Token: SeCreatePagefilePrivilege     1360  wmic.exe
Token: SeBackupPrivilege             1360  wmic.exe
Token: SeRestorePrivilege            1360  wmic.exe
Token: SeShutdownPrivilege           1360  wmic.exe
Token: SeDebugPrivilege              1360  wmic.exe
Token: SeSystemEnvironmentPrivilege  1360  wmic.exe
Token: SeRemoteShutdownPrivilege     1360  wmic.exe
Token: SeUndockPrivilege             1360  wmic.exe
Token: SeManageVolumePrivilege       1360  wmic.exe
Token: 33                            1360  wmic.exe
Token: 34                            1360  wmic.exe
Token: 35                            1360  wmic.exe
Suspicious use of WriteProcessMemory (3 IoCs)
description                        pid   Process                        procid_target
PID 2332 wrote to memory of 1360   2332  ImperialStealerexeexeexee.exe  28
PID 2332 wrote to memory of 1360   2332  ImperialStealerexeexeexee.exe  28
PID 2332 wrote to memory of 1360   2332  ImperialStealerexeexeexee.exe  28
Processes
1. C:\Users\Admin\AppData\Local\Temp\ImperialStealerexeexeexee.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ImperialStealerexeexeexee.exe"
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 2332
   2. C:\Windows\System32\Wbem\wmic.exe
      Command line: "wmic.exe" csproduct get uuid
      - Suspicious use of AdjustPrivilegeToken
      PID: 1360