Analysis

max time kernel:   72s
max time network:  77s
platform:          windows10-2004_x64
resource:          win10v2004-20230915-en
resource tags:     arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted:         30-09-2023 15:15

General

Target:  rbxfpsunlocker.exe
Size:    234KB
MD5:     18b7413ddfaa6df7f7405f642c10a287
SHA1:    e64389a600d859dd07e0fdb2df12a7d9b4d09581
SHA256:  84b074f1eaf50dab59347bf6122b411dbeb5c4952ffe30776cf1a88881e45436
SHA512:  94c78d9bb0b2044675885eb02ee698c6215d90d4dce3fea1ed350977b712c5b9315f596260d9752855d8c9cdbd531bea9999311bc9527158347aebbf367864f9
SSDEEP:  6144:DloZMLrIkd8g+EtXHkv/iD4YyO2un9GuBQ0dP6aPZ/b8e1mIRtVi:hoZ0L+EP8YyO2un9GuBQ0dP6aP1tf8
Malware Config
  (no entries)

Signatures

Detect Umbral payload (1 IoC)
  resource                                                                     yara_rule
  behavioral1/memory/2296-0-0x00000160247B0000-0x00000160247F0000-memory.dmp   family_umbral

  The hit is on a memory dump of PID 2296 (rbxfpsunlocker.exe), i.e. the Umbral payload was matched in the running process, not in the file on disk. A static scan of the 234KB sample will not necessarily reproduce this match.

Suspicious use of AdjustPrivilegeToken (43 IoCs)
  description                       pid    Process
  Token: SeDebugPrivilege           2296   rbxfpsunlocker.exe
  Token: SeIncreaseQuotaPrivilege   460    wmic.exe
  Token: SeSecurityPrivilege        460    wmic.exe
  Token: SeTakeOwnershipPrivilege   460    wmic.exe
  Token: SeLoadDriverPrivilege      460    wmic.exe
  Token: SeSystemProfilePrivilege   460    wmic.exe
  Token: SeSystemtimePrivilege      460    wmic.exe
  Token: SeProfSingleProcessPrivilege 460  wmic.exe
  Token: SeIncBasePriorityPrivilege 460    wmic.exe
  Token: SeCreatePagefilePrivilege  460    wmic.exe
  Token: SeBackupPrivilege          460    wmic.exe
  Token: SeRestorePrivilege         460    wmic.exe
  Token: SeShutdownPrivilege        460    wmic.exe
  Token: SeDebugPrivilege           460    wmic.exe
  Token: SeSystemEnvironmentPrivilege 460  wmic.exe
  Token: SeRemoteShutdownPrivilege  460    wmic.exe
  Token: SeUndockPrivilege          460    wmic.exe
  Token: SeManageVolumePrivilege    460    wmic.exe
  Token: 33                         460    wmic.exe
  Token: 34                         460    wmic.exe
  Token: 35                         460    wmic.exe
  Token: 36                         460    wmic.exe

  The 21-token sequence above for PID 460 is recorded twice in the run; with the single rbxfpsunlocker.exe entry that gives the 43 IoCs. Tokens 33 to 36 are privilege LUIDs the sandbox did not resolve to names (on Windows 10 these are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege and SeDelegateSessionUserImpersonatePrivilege). wmic.exe enables every privilege present in its token on every run, so the PID 460 block is normal WMIC behaviour; the entry that matters for triage is rbxfpsunlocker.exe enabling SeDebugPrivilege in PID 2296.

Suspicious use of WriteProcessMemory (2 IoCs)
  description                      pid    Process               procid_target
  PID 2296 wrote to memory of 460  2296   rbxfpsunlocker.exe    85
  PID 2296 wrote to memory of 460  2296   rbxfpsunlocker.exe    85

  Both writes go from the sample into its own child wmic.exe (PID 460) around the time that child is created. The sandbox records parent-to-child writes at launch, so on their own these two events corroborate the process tree rather than showing injection of a payload into wmic.exe.
Processes

1. C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"
   PID: 2296
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\Wbem\wmic.exe
      command line: "wmic.exe" csproduct get uuid
      PID: 460
      - Suspicious use of AdjustPrivilegeToken

The sample runs from the user's %TEMP% directory and its only child is wmic.exe querying Win32_ComputerSystemProduct for the SMBIOS system UUID. That value is the hardware identifier stealers use to tag a victim, and a binary in a user-writable path spawning this exact query is the actionable part of the tree: wmic.exe itself is a signed Windows component and the query is harmless when run by an administrator from a console.
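Detection logic for the process tree above, written as an added example that is not part of the sandbox report and not code from the sample or its author. It scores wmic.exe HWID queries by where the parent image lives, so the same query from cmd.exe run by an operator is reported at low severity while the pattern in this report (parent under AppData\Local\Temp) is high. The event records are constructed in the shape of Sysmon Event ID 1 (ProcessCreate) fields; the parent PID 4120, the explorer.exe parent, and the PIDs 5012/5100/3300 of the benign events are assumptions, not values from the report. The regex also matches the Win32_ComputerSystemProduct class name directly, which generalises beyond the single `csproduct get uuid` command line on the page.

```python
"""Flag wmic.exe HWID collection (SMBIOS UUID query) by parent-image location.

Added example; not part of the sandbox report. Sample events are constructed
in Sysmon Event ID 1 (ProcessCreate) shape, with assumed PIDs/parents where
the report gives none.
"""
import re
from dataclasses import dataclass

# Path fragments (lower-cased, with surrounding backslashes) that mark a
# user-writable drop location. A parent running from one of these is the
# high-severity case; the report's sample lives under \AppData\Local\Temp\.
USER_WRITABLE = (
    "\\appdata\\local\\temp\\",
    "\\appdata\\roaming\\",
    "\\users\\public\\",
    "\\programdata\\",
    "\\downloads\\",
)

# "wmic csproduct get uuid" is an alias for querying Win32_ComputerSystemProduct,
# so match either spelling of the same query.
HWID_QUERY = re.compile(
    r"(csproduct\s+get\s+uuid|win32_computersystemproduct)", re.IGNORECASE
)


@dataclass
class ProcessCreate:
    pid: int
    image: str
    command_line: str
    parent_pid: int
    parent_image: str


def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def from_user_writable_path(image: str) -> bool:
    """True if the image path passes through a user-writable directory."""
    lowered = image.lower()
    return any(seg in lowered for seg in USER_WRITABLE)


def is_hwid_query(ev: ProcessCreate) -> bool:
    """True for wmic.exe reading the SMBIOS system UUID."""
    return basename(ev.image) == "wmic.exe" and bool(HWID_QUERY.search(ev.command_line))


def detect_hwid_collection(events):
    """Return one finding per HWID query, severity keyed on the parent's location."""
    findings = []
    for ev in events:
        if not is_hwid_query(ev):
            continue
        severity = "high" if from_user_writable_path(ev.parent_image) else "low"
        findings.append({
            "pid": ev.pid,
            "parent_pid": ev.parent_pid,
            "parent_image": ev.parent_image,
            "command_line": ev.command_line,
            "severity": severity,
        })
    return findings


# Constructed events. The first two mirror the report's tree (PIDs 2296 and 460);
# explorer.exe as parent of 2296 and PID 4120 are assumptions. The last two are
# benign console usage with assumed PIDs, included to show the low-severity path.
SAMPLE_EVENTS = [
    ProcessCreate(2296, "C:\\Users\\Admin\\AppData\\Local\\Temp\\rbxfpsunlocker.exe",
                  '"C:\\Users\\Admin\\AppData\\Local\\Temp\\rbxfpsunlocker.exe"',
                  4120, "C:\\Windows\\explorer.exe"),
    ProcessCreate(460, "C:\\Windows\\System32\\Wbem\\wmic.exe",
                  '"wmic.exe" csproduct get uuid',
                  2296, "C:\\Users\\Admin\\AppData\\Local\\Temp\\rbxfpsunlocker.exe"),
    ProcessCreate(5012, "C:\\Windows\\System32\\Wbem\\wmic.exe",
                  "wmic csproduct get uuid",
                  3300, "C:\\Windows\\System32\\cmd.exe"),
    ProcessCreate(5100, "C:\\Windows\\System32\\Wbem\\wmic.exe",
                  "wmic os get caption",
                  3300, "C:\\Windows\\System32\\cmd.exe"),
]


if __name__ == "__main__":
    for finding in detect_hwid_collection(SAMPLE_EVENTS):
        print(finding["severity"].upper(), finding["pid"], "<-", finding["parent_image"])
```

The parent image, not the wmic.exe image, drives the score: the child is always the same signed binary, so tuning on its path or hash yields nothing, whereas the parent's location separates a dropped stealer from an administrator at a prompt. Telemetry that lacks ParentImage (plain 4688 events without the parent process name) cannot distinguish the two cases with this logic.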