Analysis
max time kernel: 16s
max time network: 19s
platform: windows7_x64
resource: win7-20231025-en
resource tags: arch:x64, arch:x86, image:win7-20231025-en, locale:en-us, os:windows7-x64, system
submitted: 27-11-2023 10:14

Behavioral task: behavioral1
Sample: Zul Private.exe
Resource: win7-20231025-en
windows7-x64
4 signatures
150 seconds
General
Target: Zul Private.exe
Size: 230KB
MD5: a47cffac2602038b4cfc070f8a05243a
SHA1: 4111453f445d10ef516e98a000cc84845658dabe
SHA256: 29456c78a229429c66b4ce8997c9bb6593ad9b4e8928e094eb25caf4a7ee0e40
SHA512: e390d7c96e2b5b2cad52b80c276787cb37d7ca3a171868037c1f1ef9e58177baa9e07f8866e0a95560ee9e0af0a38ba218f9feeaf1f19d77915f9e5c08d4070d
SSDEEP: 6144:1loZM+rIkd8g+EtXHkv/iD4tT1FzQEbqCzFQMpxbztjFK8e1mOvi:XoZtL+EP8tT1FzQEbqCzFQMpVpjy0
Malware Config
Signatures
-
Detect Umbral payload 1 IoCs
resource                                                                  yara_rule
behavioral1/memory/1764-0-0x0000000000FD0000-0x0000000001010000-memory.dmp  family_umbral
Suspicious use of AdjustPrivilegeToken 41 IoCs
description                              pid   Process
Token: SeDebugPrivilege                  1764  Zul Private.exe
Token: SeIncreaseQuotaPrivilege          2784  wmic.exe
Token: SeSecurityPrivilege               2784  wmic.exe
Token: SeTakeOwnershipPrivilege          2784  wmic.exe
Token: SeLoadDriverPrivilege             2784  wmic.exe
Token: SeSystemProfilePrivilege          2784  wmic.exe
Token: SeSystemtimePrivilege             2784  wmic.exe
Token: SeProfSingleProcessPrivilege      2784  wmic.exe
Token: SeIncBasePriorityPrivilege        2784  wmic.exe
Token: SeCreatePagefilePrivilege         2784  wmic.exe
Token: SeBackupPrivilege                 2784  wmic.exe
Token: SeRestorePrivilege                2784  wmic.exe
Token: SeShutdownPrivilege               2784  wmic.exe
Token: SeDebugPrivilege                  2784  wmic.exe
Token: SeSystemEnvironmentPrivilege      2784  wmic.exe
Token: SeRemoteShutdownPrivilege         2784  wmic.exe
Token: SeUndockPrivilege                 2784  wmic.exe
Token: SeManageVolumePrivilege           2784  wmic.exe
Token: 33                                2784  wmic.exe
Token: 34                                2784  wmic.exe
Token: 35                                2784  wmic.exe
Token: SeIncreaseQuotaPrivilege          2784  wmic.exe
Token: SeSecurityPrivilege               2784  wmic.exe
Token: SeTakeOwnershipPrivilege          2784  wmic.exe
Token: SeLoadDriverPrivilege             2784  wmic.exe
Token: SeSystemProfilePrivilege          2784  wmic.exe
Token: SeSystemtimePrivilege             2784  wmic.exe
Token: SeProfSingleProcessPrivilege      2784  wmic.exe
Token: SeIncBasePriorityPrivilege        2784  wmic.exe
Token: SeCreatePagefilePrivilege         2784  wmic.exe
Token: SeBackupPrivilege                 2784  wmic.exe
Token: SeRestorePrivilege                2784  wmic.exe
Token: SeShutdownPrivilege               2784  wmic.exe
Token: SeDebugPrivilege                  2784  wmic.exe
Token: SeSystemEnvironmentPrivilege      2784  wmic.exe
Token: SeRemoteShutdownPrivilege         2784  wmic.exe
Token: SeUndockPrivilege                 2784  wmic.exe
Token: SeManageVolumePrivilege           2784  wmic.exe
Token: 33                                2784  wmic.exe
Token: 34                                2784  wmic.exe
Token: 35                                2784  wmic.exe
Suspicious use of WriteProcessMemory 3 IoCs
description                         pid   Process          procid_target
PID 1764 wrote to memory of 2784    1764  Zul Private.exe  28
PID 1764 wrote to memory of 2784    1764  Zul Private.exe  28
PID 1764 wrote to memory of 2784    1764  Zul Private.exe  28
Processes
-
C:\Users\Admin\AppData\Local\Temp\Zul Private.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Zul Private.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1764
    C:\Windows\System32\Wbem\wmic.exe
      command line: "wmic.exe" csproduct get uuid
      - Suspicious use of AdjustPrivilegeToken
      PID: 2784