Analysis
-
max time kernel
119s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system -
submitted
16-10-2023 05:42
Behavioral task
behavioral1
Sample
Stealer.exe
Resource
win7-20230831-en
windows7-x64
4 signatures
150 seconds
General
-
Target
Stealer.exe
-
Size
229KB
-
MD5
9d111f599bfe2042d86271055504b779
-
SHA1
979fb5839449b4d68eca7efcff1f0459bec67f92
-
SHA256
e6cc46237ceba579e5594cfbab67ea20f8e486a4a4cd54c06d018a3adbc62c39
-
SHA512
548688111015f77422f2c7d37537c5cfbb640e00da5a38584c5b6f3b9720a73009f5b7e865e7153c9519db0bdcf1e0b9662737fa9503c2c5029044fe3e814458
-
SSDEEP
6144:lloZMzrIkd8g+EtXHkv/iD4CmHYtxdI8e1mT+i:noZcL+EP8LIxEIz
Malware Config
Signatures
-
Detect Umbral payload 1 IoCs
resource yara_rule behavioral1/memory/924-1-0x00000000001F0000-0x0000000000230000-memory.dmp family_umbral -
Suspicious use of AdjustPrivilegeToken 41 IoCs
description pid Process Token: SeDebugPrivilege 924 Stealer.exe Token: SeIncreaseQuotaPrivilege 2616 wmic.exe Token: SeSecurityPrivilege 2616 wmic.exe Token: SeTakeOwnershipPrivilege 2616 wmic.exe Token: SeLoadDriverPrivilege 2616 wmic.exe Token: SeSystemProfilePrivilege 2616 wmic.exe Token: SeSystemtimePrivilege 2616 wmic.exe Token: SeProfSingleProcessPrivilege 2616 wmic.exe Token: SeIncBasePriorityPrivilege 2616 wmic.exe Token: SeCreatePagefilePrivilege 2616 wmic.exe Token: SeBackupPrivilege 2616 wmic.exe Token: SeRestorePrivilege 2616 wmic.exe Token: SeShutdownPrivilege 2616 wmic.exe Token: SeDebugPrivilege 2616 wmic.exe Token: SeSystemEnvironmentPrivilege 2616 wmic.exe Token: SeRemoteShutdownPrivilege 2616 wmic.exe Token: SeUndockPrivilege 2616 wmic.exe Token: SeManageVolumePrivilege 2616 wmic.exe Token: 33 2616 wmic.exe Token: 34 2616 wmic.exe Token: 35 2616 wmic.exe Token: SeIncreaseQuotaPrivilege 2616 wmic.exe Token: SeSecurityPrivilege 2616 wmic.exe Token: SeTakeOwnershipPrivilege 2616 wmic.exe Token: SeLoadDriverPrivilege 2616 wmic.exe Token: SeSystemProfilePrivilege 2616 wmic.exe Token: SeSystemtimePrivilege 2616 wmic.exe Token: SeProfSingleProcessPrivilege 2616 wmic.exe Token: SeIncBasePriorityPrivilege 2616 wmic.exe Token: SeCreatePagefilePrivilege 2616 wmic.exe Token: SeBackupPrivilege 2616 wmic.exe Token: SeRestorePrivilege 2616 wmic.exe Token: SeShutdownPrivilege 2616 wmic.exe Token: SeDebugPrivilege 2616 wmic.exe Token: SeSystemEnvironmentPrivilege 2616 wmic.exe Token: SeRemoteShutdownPrivilege 2616 wmic.exe Token: SeUndockPrivilege 2616 wmic.exe Token: SeManageVolumePrivilege 2616 wmic.exe Token: 33 2616 wmic.exe Token: 34 2616 wmic.exe Token: 35 2616 wmic.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 924 wrote to memory of 2616 924 Stealer.exe 30 PID 924 wrote to memory of 2616 924 Stealer.exe 30 PID 924 wrote to memory of 2616 924 Stealer.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\Stealer.exe"C:\Users\Admin\AppData\Local\Temp\Stealer.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:924 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2616
-