Analysis
max time kernel: 39s
max time network: 43s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-07-2023 16:28
Behavioral task: behavioral1
Sample: Ice.exe
Resource: win7-20230712-en
Platform: windows7-x64
Signatures: 4
Duration: 150 seconds
General
Target: Ice.exe
Size: 228KB
MD5: 5f25397473870629f943edcc0b137281
SHA1: 368474f6392f0547bc02b138fe199a7b005d0122
SHA256: 03dbbb05e1588d2303720a4edfb8cb0c6dfef922b85ed66d43b67cde6bc68c3e
SHA512: de326d719bb44fade2693afbdf79b8f89a38f4405eadf087bf75a049af27195cda9b8b2b1bae0c254d7202f3f2539217201389135b5255584e16ecb8eb6af1e7
SSDEEP: 6144:RloZM+rIkd8g+EtXHkv/iD4v2AsbhS6FiAxDeebdyb8e1m/i:joZtL+EP8v2AsbhS6FiAxDeeb4h
Malware Config
Signatures

Detect Umbral payload (1 IoC)
resource                                                                              yara_rule
behavioral2/memory/3960-133-0x000001AB0B5E0000-0x000001AB0B620000-memory.dmp           family_umbral

Suspicious use of AdjustPrivilegeToken (43 IoCs)
description                              pid    Process
Token: SeDebugPrivilege                  3960   Ice.exe
Token: SeIncreaseQuotaPrivilege          5084   wmic.exe
Token: SeSecurityPrivilege               5084   wmic.exe
Token: SeTakeOwnershipPrivilege          5084   wmic.exe
Token: SeLoadDriverPrivilege             5084   wmic.exe
Token: SeSystemProfilePrivilege          5084   wmic.exe
Token: SeSystemtimePrivilege             5084   wmic.exe
Token: SeProfSingleProcessPrivilege      5084   wmic.exe
Token: SeIncBasePriorityPrivilege        5084   wmic.exe
Token: SeCreatePagefilePrivilege         5084   wmic.exe
Token: SeBackupPrivilege                 5084   wmic.exe
Token: SeRestorePrivilege                5084   wmic.exe
Token: SeShutdownPrivilege               5084   wmic.exe
Token: SeDebugPrivilege                  5084   wmic.exe
Token: SeSystemEnvironmentPrivilege      5084   wmic.exe
Token: SeRemoteShutdownPrivilege         5084   wmic.exe
Token: SeUndockPrivilege                 5084   wmic.exe
Token: SeManageVolumePrivilege           5084   wmic.exe
Token: 33                                5084   wmic.exe
Token: 34                                5084   wmic.exe
Token: 35                                5084   wmic.exe
Token: 36                                5084   wmic.exe
Token: SeIncreaseQuotaPrivilege          5084   wmic.exe
Token: SeSecurityPrivilege               5084   wmic.exe
Token: SeTakeOwnershipPrivilege          5084   wmic.exe
Token: SeLoadDriverPrivilege             5084   wmic.exe
Token: SeSystemProfilePrivilege          5084   wmic.exe
Token: SeSystemtimePrivilege             5084   wmic.exe
Token: SeProfSingleProcessPrivilege      5084   wmic.exe
Token: SeIncBasePriorityPrivilege        5084   wmic.exe
Token: SeCreatePagefilePrivilege         5084   wmic.exe
Token: SeBackupPrivilege                 5084   wmic.exe
Token: SeRestorePrivilege                5084   wmic.exe
Token: SeShutdownPrivilege               5084   wmic.exe
Token: SeDebugPrivilege                  5084   wmic.exe
Token: SeSystemEnvironmentPrivilege      5084   wmic.exe
Token: SeRemoteShutdownPrivilege         5084   wmic.exe
Token: SeUndockPrivilege                 5084   wmic.exe
Token: SeManageVolumePrivilege           5084   wmic.exe
Token: 33                                5084   wmic.exe
Token: 34                                5084   wmic.exe
Token: 35                                5084   wmic.exe
Token: 36                                5084   wmic.exe

Suspicious use of WriteProcessMemory (2 IoCs)
description                          pid    Process    procid_target
PID 3960 wrote to memory of 5084     3960   Ice.exe    88
PID 3960 wrote to memory of 5084     3960   Ice.exe    88
Processes

1. C:\Users\Admin\AppData\Local\Temp\Ice.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Ice.exe"
   PID: 3960
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\Wbem\wmic.exe (child of PID 3960)
      Command line: "wmic.exe" csproduct get uuid
      PID: 5084
      - Suspicious use of AdjustPrivilegeToken