Analysis
-
max time kernel
121s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
17-02-2024 09:20
Behavioral task
behavioral1
Sample
primordial loader cracked.exe
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral2
Sample
primordial loader cracked.exe
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
primordialV2.dll
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral4
Sample
primordialV2.dll
Resource
win10v2004-20231215-en
windows10-2004-x64
General
-
Target
primordial loader cracked.exe
-
Size
229KB
-
MD5
aade2822bd0471da2ed5a068a099fb1b
-
SHA1
39e9fbd333650353aff09f6f0f66a3d1d6dcdd14
-
SHA256
00201eadd8efe516d68a7b736bd3b66635ad9bd5c7ede630bd2a85edf2d3f97d
-
SHA512
0dbb3f78c8034330010bc02053b382489243a69a9a2d179f96b34715acf8b805c824e2efbf13ba870e570138a9aecb3e7696167cd9f264bc4bd750dd3da545dc
-
SSDEEP
6144:7loZM99EBt/SqctonEPfCqArWu/p3cw/3eHp0AVwpJ8e1muf8:ZoZvFSqcwvrWu/p3cw/3eHp0AVCVk
Malware Config
Signatures
-
Detect Umbral payload 1 IoCs
resource yara_rule behavioral1/memory/2664-0-0x0000000000CD0000-0x0000000000D10000-memory.dmp family_umbral -
Suspicious use of AdjustPrivilegeToken 41 IoCs
description pid Process Token: SeDebugPrivilege 2664 primordial loader cracked.exe Token: SeIncreaseQuotaPrivilege 2856 wmic.exe Token: SeSecurityPrivilege 2856 wmic.exe Token: SeTakeOwnershipPrivilege 2856 wmic.exe Token: SeLoadDriverPrivilege 2856 wmic.exe Token: SeSystemProfilePrivilege 2856 wmic.exe Token: SeSystemtimePrivilege 2856 wmic.exe Token: SeProfSingleProcessPrivilege 2856 wmic.exe Token: SeIncBasePriorityPrivilege 2856 wmic.exe Token: SeCreatePagefilePrivilege 2856 wmic.exe Token: SeBackupPrivilege 2856 wmic.exe Token: SeRestorePrivilege 2856 wmic.exe Token: SeShutdownPrivilege 2856 wmic.exe Token: SeDebugPrivilege 2856 wmic.exe Token: SeSystemEnvironmentPrivilege 2856 wmic.exe Token: SeRemoteShutdownPrivilege 2856 wmic.exe Token: SeUndockPrivilege 2856 wmic.exe Token: SeManageVolumePrivilege 2856 wmic.exe Token: 33 2856 wmic.exe Token: 34 2856 wmic.exe Token: 35 2856 wmic.exe Token: SeIncreaseQuotaPrivilege 2856 wmic.exe Token: SeSecurityPrivilege 2856 wmic.exe Token: SeTakeOwnershipPrivilege 2856 wmic.exe Token: SeLoadDriverPrivilege 2856 wmic.exe Token: SeSystemProfilePrivilege 2856 wmic.exe Token: SeSystemtimePrivilege 2856 wmic.exe Token: SeProfSingleProcessPrivilege 2856 wmic.exe Token: SeIncBasePriorityPrivilege 2856 wmic.exe Token: SeCreatePagefilePrivilege 2856 wmic.exe Token: SeBackupPrivilege 2856 wmic.exe Token: SeRestorePrivilege 2856 wmic.exe Token: SeShutdownPrivilege 2856 wmic.exe Token: SeDebugPrivilege 2856 wmic.exe Token: SeSystemEnvironmentPrivilege 2856 wmic.exe Token: SeRemoteShutdownPrivilege 2856 wmic.exe Token: SeUndockPrivilege 2856 wmic.exe Token: SeManageVolumePrivilege 2856 wmic.exe Token: 33 2856 wmic.exe Token: 34 2856 wmic.exe Token: 35 2856 wmic.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2664 wrote to memory of 2856 2664 primordial loader cracked.exe 28 PID 2664 wrote to memory of 2856 2664 primordial loader cracked.exe 28 PID 2664 wrote to memory of 2856 2664 primordial loader cracked.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\primordial loader cracked.exe"C:\Users\Admin\AppData\Local\Temp\primordial loader cracked.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2856
-