Analysis

max time kernel: 316s
max time network: 872s
platform: windows10-1703_x64
resource: win10-20240214-en
resource tags: arch:x64, arch:x86, image:win10-20240214-en, locale:en-us, os:windows10-1703-x64, system
submitted: 19-02-2024 02:22
General

Target: test v1.exe
Size: 229KB
MD5: 9491d13ef37b614a019240bb60762411
SHA1: fe75d6c6ee160e37ae09114267352b685cbf5e79
SHA256: 610c600188996a44227d64e1029ac0869dddc7fb24f2166fb17e9880351b7edc
SHA512: e1e2daf96439a1381d884a3ab7a5701de28592c0d846cce301f0f01eb8e30543057306ab0753208301dddb7f4a6577f7128ed516cfe721b653bda3652774f52f
SSDEEP: 6144:tloZM3fsXtioRkts/cnnK6cMlhHpC8il92mDe8NhoMOb8e1mwi:voZ1tlRk83MlhHpC8il92mDe8Nho7C
Malware Config
Signatures
Detect Umbral payload (1 IoC)

resource                                                                   yara_rule
behavioral1/memory/3200-0-0x0000027C0C2F0000-0x0000027C0C330000-memory.dmp  family_umbral

Suspicious use of AdjustPrivilegeToken (43 IoCs)

description                             pid   Process
Token: SeDebugPrivilege                 3200  test v1.exe
Token: SeIncreaseQuotaPrivilege         192   wmic.exe
Token: SeSecurityPrivilege              192   wmic.exe
Token: SeTakeOwnershipPrivilege         192   wmic.exe
Token: SeLoadDriverPrivilege            192   wmic.exe
Token: SeSystemProfilePrivilege         192   wmic.exe
Token: SeSystemtimePrivilege            192   wmic.exe
Token: SeProfSingleProcessPrivilege     192   wmic.exe
Token: SeIncBasePriorityPrivilege       192   wmic.exe
Token: SeCreatePagefilePrivilege        192   wmic.exe
Token: SeBackupPrivilege                192   wmic.exe
Token: SeRestorePrivilege               192   wmic.exe
Token: SeShutdownPrivilege              192   wmic.exe
Token: SeDebugPrivilege                 192   wmic.exe
Token: SeSystemEnvironmentPrivilege     192   wmic.exe
Token: SeRemoteShutdownPrivilege        192   wmic.exe
Token: SeUndockPrivilege                192   wmic.exe
Token: SeManageVolumePrivilege          192   wmic.exe
Token: 33                               192   wmic.exe
Token: 34                               192   wmic.exe
Token: 35                               192   wmic.exe
Token: 36                               192   wmic.exe
Token: SeIncreaseQuotaPrivilege         192   wmic.exe
Token: SeSecurityPrivilege              192   wmic.exe
Token: SeTakeOwnershipPrivilege         192   wmic.exe
Token: SeLoadDriverPrivilege            192   wmic.exe
Token: SeSystemProfilePrivilege         192   wmic.exe
Token: SeSystemtimePrivilege            192   wmic.exe
Token: SeProfSingleProcessPrivilege     192   wmic.exe
Token: SeIncBasePriorityPrivilege       192   wmic.exe
Token: SeCreatePagefilePrivilege        192   wmic.exe
Token: SeBackupPrivilege                192   wmic.exe
Token: SeRestorePrivilege               192   wmic.exe
Token: SeShutdownPrivilege              192   wmic.exe
Token: SeDebugPrivilege                 192   wmic.exe
Token: SeSystemEnvironmentPrivilege     192   wmic.exe
Token: SeRemoteShutdownPrivilege        192   wmic.exe
Token: SeUndockPrivilege                192   wmic.exe
Token: SeManageVolumePrivilege          192   wmic.exe
Token: 33                               192   wmic.exe
Token: 34                               192   wmic.exe
Token: 35                               192   wmic.exe
Token: 36                               192   wmic.exe

Suspicious use of WriteProcessMemory (2 IoCs)

description                       pid   Process      procid_target
PID 3200 wrote to memory of 192   3200  test v1.exe  73
PID 3200 wrote to memory of 192   3200  test v1.exe  73
Processes

C:\Users\Admin\AppData\Local\Temp\test v1.exe (PID 3200, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\test v1.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\Wbem\wmic.exe (PID 192, depth 2, child of 3200)
    Command line: "wmic.exe" csproduct get uuid
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\rundll32.exe (PID 3496, depth 1)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding