Analysis
-
max time kernel
118s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system -
submitted
12-10-2023 15:27
Behavioral task
behavioral1
Sample
NEAS.02ca3b79c12ed28ec6eb5410b20c5df0_JC.exe
Resource
win7-20230831-en
windows7-x64
4 signatures
150 seconds
General
-
Target
NEAS.02ca3b79c12ed28ec6eb5410b20c5df0_JC.exe
-
Size
293KB
-
MD5
02ca3b79c12ed28ec6eb5410b20c5df0
-
SHA1
3a97a86b041e37414072174d7b6707a0f52f2ff5
-
SHA256
d8a3a182fcd2773594f2055d1f54c7e558510d6a0a372ff7f721d360425aef90
-
SHA512
5fb4a458e2e30fdf86d8d0d73a88a38d757771bf5331c3cba83bf49ada625513d9bf8bd72131211eeb652d08cc206a79660a676036586650ceaa9629f02ef40f
-
SSDEEP
6144:GloZM+rIkd8g+EtXHkv/iD44FuHhv0IHB2PxM4d90b8e1mXi:woZtL+EP84FuHhv0IHB2PxM4deJ
Malware Config
Signatures
-
Detect Umbral payload 1 IoCs
resource yara_rule behavioral1/memory/2896-0-0x0000000000FA0000-0x0000000000FF0000-memory.dmp family_umbral -
Suspicious use of AdjustPrivilegeToken 41 IoCs
description pid Process Token: SeDebugPrivilege 2896 NEAS.02ca3b79c12ed28ec6eb5410b20c5df0_JC.exe Token: SeIncreaseQuotaPrivilege 2644 wmic.exe Token: SeSecurityPrivilege 2644 wmic.exe Token: SeTakeOwnershipPrivilege 2644 wmic.exe Token: SeLoadDriverPrivilege 2644 wmic.exe Token: SeSystemProfilePrivilege 2644 wmic.exe Token: SeSystemtimePrivilege 2644 wmic.exe Token: SeProfSingleProcessPrivilege 2644 wmic.exe Token: SeIncBasePriorityPrivilege 2644 wmic.exe Token: SeCreatePagefilePrivilege 2644 wmic.exe Token: SeBackupPrivilege 2644 wmic.exe Token: SeRestorePrivilege 2644 wmic.exe Token: SeShutdownPrivilege 2644 wmic.exe Token: SeDebugPrivilege 2644 wmic.exe Token: SeSystemEnvironmentPrivilege 2644 wmic.exe Token: SeRemoteShutdownPrivilege 2644 wmic.exe Token: SeUndockPrivilege 2644 wmic.exe Token: SeManageVolumePrivilege 2644 wmic.exe Token: 33 2644 wmic.exe Token: 34 2644 wmic.exe Token: 35 2644 wmic.exe Token: SeIncreaseQuotaPrivilege 2644 wmic.exe Token: SeSecurityPrivilege 2644 wmic.exe Token: SeTakeOwnershipPrivilege 2644 wmic.exe Token: SeLoadDriverPrivilege 2644 wmic.exe Token: SeSystemProfilePrivilege 2644 wmic.exe Token: SeSystemtimePrivilege 2644 wmic.exe Token: SeProfSingleProcessPrivilege 2644 wmic.exe Token: SeIncBasePriorityPrivilege 2644 wmic.exe Token: SeCreatePagefilePrivilege 2644 wmic.exe Token: SeBackupPrivilege 2644 wmic.exe Token: SeRestorePrivilege 2644 wmic.exe Token: SeShutdownPrivilege 2644 wmic.exe Token: SeDebugPrivilege 2644 wmic.exe Token: SeSystemEnvironmentPrivilege 2644 wmic.exe Token: SeRemoteShutdownPrivilege 2644 wmic.exe Token: SeUndockPrivilege 2644 wmic.exe Token: SeManageVolumePrivilege 2644 wmic.exe Token: 33 2644 wmic.exe Token: 34 2644 wmic.exe Token: 35 2644 wmic.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2896 wrote to memory of 2644 2896 NEAS.02ca3b79c12ed28ec6eb5410b20c5df0_JC.exe 29 PID 2896 wrote to memory of 2644 2896 NEAS.02ca3b79c12ed28ec6eb5410b20c5df0_JC.exe 29 PID 2896 wrote to memory of 2644 2896 NEAS.02ca3b79c12ed28ec6eb5410b20c5df0_JC.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.02ca3b79c12ed28ec6eb5410b20c5df0_JC.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.02ca3b79c12ed28ec6eb5410b20c5df0_JC.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2644
-