Analysis

max time kernel:   104s
max time network:  107s
platform:          windows10-1703_x64
resource:          win10-20230703-en
resource tags:     arch:x64, arch:x86, image:win10-20230703-en, locale:en-us, os:windows10-1703-x64, system
submitted:         05-08-2023 05:22
General

Target:  GameVersion0.1MadeWithPythonScripting.exe
Size:    227KB
MD5:     60754abc141764d2d4bb47b1f262d25d
SHA1:    a49b1c53da9a5ea994030d2df3bbe891bdeb18f7
SHA256:  828845b77c6001c19d3226ff5d6eaf1eb9d24ae2e7140b90e034799fe1f409b2
SHA512:  2ce42d8fd1b3eb59a815e4f815b72608ba17564d1ce5bb17ff3639f5acde2333ad7c044df0293f924e9d67850373df3a4bffa73afb366d2f927a0abbe0815a6d
SSDEEP:  6144:MloZM+rIkd8g+EtXHkv/iD4JZpPhv0IHJ2PxM4drbb8e1mji:KoZtL+EP8JZpPhv0IHJ2PxM4dDN
Malware Config
Signatures

Detect Umbral payload (1 IoC)

  resource                                                                    yara_rule
  behavioral1/memory/2132-118-0x0000026139BD0000-0x0000026139C10000-memory.dmp  family_umbral

Suspicious use of AdjustPrivilegeToken (43 IoCs)

  description                              pid   process
  Token: SeDebugPrivilege                  2132  GameVersion0.1MadeWithPythonScripting.exe
  Token: SeIncreaseQuotaPrivilege          1940  wmic.exe
  Token: SeSecurityPrivilege               1940  wmic.exe
  Token: SeTakeOwnershipPrivilege          1940  wmic.exe
  Token: SeLoadDriverPrivilege             1940  wmic.exe
  Token: SeSystemProfilePrivilege          1940  wmic.exe
  Token: SeSystemtimePrivilege             1940  wmic.exe
  Token: SeProfSingleProcessPrivilege      1940  wmic.exe
  Token: SeIncBasePriorityPrivilege        1940  wmic.exe
  Token: SeCreatePagefilePrivilege         1940  wmic.exe
  Token: SeBackupPrivilege                 1940  wmic.exe
  Token: SeRestorePrivilege                1940  wmic.exe
  Token: SeShutdownPrivilege               1940  wmic.exe
  Token: SeDebugPrivilege                  1940  wmic.exe
  Token: SeSystemEnvironmentPrivilege      1940  wmic.exe
  Token: SeRemoteShutdownPrivilege         1940  wmic.exe
  Token: SeUndockPrivilege                 1940  wmic.exe
  Token: SeManageVolumePrivilege           1940  wmic.exe
  Token: 33                                1940  wmic.exe
  Token: 34                                1940  wmic.exe
  Token: 35                                1940  wmic.exe
  Token: 36                                1940  wmic.exe
  Token: SeIncreaseQuotaPrivilege          1940  wmic.exe
  Token: SeSecurityPrivilege               1940  wmic.exe
  Token: SeTakeOwnershipPrivilege          1940  wmic.exe
  Token: SeLoadDriverPrivilege             1940  wmic.exe
  Token: SeSystemProfilePrivilege          1940  wmic.exe
  Token: SeSystemtimePrivilege             1940  wmic.exe
  Token: SeProfSingleProcessPrivilege      1940  wmic.exe
  Token: SeIncBasePriorityPrivilege        1940  wmic.exe
  Token: SeCreatePagefilePrivilege         1940  wmic.exe
  Token: SeBackupPrivilege                 1940  wmic.exe
  Token: SeRestorePrivilege                1940  wmic.exe
  Token: SeShutdownPrivilege               1940  wmic.exe
  Token: SeDebugPrivilege                  1940  wmic.exe
  Token: SeSystemEnvironmentPrivilege      1940  wmic.exe
  Token: SeRemoteShutdownPrivilege         1940  wmic.exe
  Token: SeUndockPrivilege                 1940  wmic.exe
  Token: SeManageVolumePrivilege           1940  wmic.exe
  Token: 33                                1940  wmic.exe
  Token: 34                                1940  wmic.exe
  Token: 35                                1940  wmic.exe
  Token: 36                                1940  wmic.exe

Suspicious use of WriteProcessMemory (2 IoCs)

  description                          pid   process                                    procid_target
  PID 2132 wrote to memory of 1940     2132  GameVersion0.1MadeWithPythonScripting.exe  69
  PID 2132 wrote to memory of 1940     2132  GameVersion0.1MadeWithPythonScripting.exe  69
Processes

C:\Users\Admin\AppData\Local\Temp\GameVersion0.1MadeWithPythonScripting.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\GameVersion0.1MadeWithPythonScripting.exe"
  PID: 2132
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\Wbem\wmic.exe
    command line: "wmic.exe" csproduct get uuid
    PID: 1940
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\rundll32.exe
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 5056