Analysis
max time kernel: 150s
max time network: 159s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-03-2024 22:36
Behavioral task: behavioral1
Sample: o8gMi.scr
Resource: win7-20240221-en (windows7-x64)
4 signatures, 150 seconds
General
Target: o8gMi.scr
Size: 229KB
MD5: e4e5629da7c768f605a4bd15456aaac1
SHA1: 63d2852a27aa5edde1a7b20e56c382b82c70e5f4
SHA256: 661514e62add3ef14dc1faaf11e1b23f543c3470304efaff4f2526723b884f82
SHA512: 9216858e8578cea59ed76ef295358cb0882f1d484ea04260f62535756289318f734d23fe99c2c370f42f5fc6c76c589958cfcb04b34d19fb9a5a051ec35fc377
SSDEEP: 6144:tloZM+rIkd8g+EtXHkv/iD4own0fVeGJOMFXSy3DNb8e1m2CxzHi:voZtL+EP8own0fVeGJOMFXSy35/AC
Malware Config
Signatures
Detect Umbral payload (1 IoC)
    resource: behavioral2/memory/1984-0-0x00000259A6B00000-0x00000259A6B40000-memory.dmp
    yara_rule: family_umbral
Suspicious use of AdjustPrivilegeToken (43 IoCs)
    PID 1984, o8gMi.scr: Token: SeDebugPrivilege
    PID 4636, wmic.exe: the following 21 tokens, each listed twice (42 IoCs):
        Token: SeIncreaseQuotaPrivilege
        Token: SeSecurityPrivilege
        Token: SeTakeOwnershipPrivilege
        Token: SeLoadDriverPrivilege
        Token: SeSystemProfilePrivilege
        Token: SeSystemtimePrivilege
        Token: SeProfSingleProcessPrivilege
        Token: SeIncBasePriorityPrivilege
        Token: SeCreatePagefilePrivilege
        Token: SeBackupPrivilege
        Token: SeRestorePrivilege
        Token: SeShutdownPrivilege
        Token: SeDebugPrivilege
        Token: SeSystemEnvironmentPrivilege
        Token: SeRemoteShutdownPrivilege
        Token: SeUndockPrivilege
        Token: SeManageVolumePrivilege
        Token: 33
        Token: 34
        Token: 35
        Token: 36
    Note: wmic.exe enables every privilege present in its token when it starts, so the wmic.exe entries reflect normal WMIC behaviour rather than anything the sample requested; the numeric entries are privilege LUIDs the sandbox did not resolve to names. The entry specific to the sample is o8gMi.scr enabling SeDebugPrivilege for itself.
Suspicious use of WriteProcessMemory (2 IoCs)
    description                       pid   process    procid_target
    PID 1984 wrote to memory of 4636  1984  o8gMi.scr  92
    PID 1984 wrote to memory of 4636  1984  o8gMi.scr  92
Processes
C:\Users\Admin\AppData\Local\Temp\o8gMi.scr (PID 1984)
    command line: "C:\Users\Admin\AppData\Local\Temp\o8gMi.scr" /S
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    child: C:\Windows\System32\Wbem\wmic.exe (PID 4636)
        command line: "wmic.exe" csproduct get uuid
        - Suspicious use of AdjustPrivilegeToken
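The detection-relevant part of this report is the process chain: a .scr running from the user's Temp directory spawns wmic.exe with `csproduct get uuid`, which reads the machine UUID that stealers commonly use as a host identifier. The Python below is an added example, not part of the sandbox report or of any vendor's rule set; it scores that chain over constructed Sysmon-style process-creation records (the field subset and the sample events, including a benign administrator running the same query from cmd.exe as a control, are assumptions made here).

```python
# Added example (not part of the sandbox report): flag the process chain this
# report records, a screensaver binary running from a user temp directory that
# spawns wmic.exe to read the machine UUID, using Sysmon-style process-creation
# records. Field names are simplified assumptions, and the events are constructed.
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Subset of a Sysmon Event ID 1 (process creation) record (assumed layout)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample telemetry modelled on the process tree in this report,
# plus an administrator running the same query from cmd.exe as a control.
SAMPLE_EVENTS = [
    ProcEvent(1984, 5120, r"C:\Users\Admin\AppData\Local\Temp\o8gMi.scr",
              r'"C:\Users\Admin\AppData\Local\Temp\o8gMi.scr" /S'),
    ProcEvent(4636, 1984, r"C:\Windows\System32\Wbem\wmic.exe",
              '"wmic.exe" csproduct get uuid'),
    ProcEvent(6000, 1000, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(7000, 6000, r"C:\Windows\System32\Wbem\wmic.exe",
              "wmic csproduct get uuid"),
]

# Matches "csproduct get uuid" in any quoting WMIC accepts on the command line.
HWID_QUERY = re.compile(r"\bcsproduct\b.*\bget\b.*\buuid\b", re.IGNORECASE)
# Directories an unprivileged user can drop a file into.
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|Downloads|Users\\Public)\\",
                           re.IGNORECASE)


def find_hwid_queries(events):
    """Return one finding per wmic.exe UUID query, scored by how suspicious the
    parent process is: 1 for a plain query, up to 4 for a .scr parent running
    from a user-writable path (the chain in this report)."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if not e.image.lower().endswith("\\wmic.exe"):
            continue
        if not HWID_QUERY.search(e.cmdline):
            continue
        score = 1
        reasons = ["wmic.exe queried the machine UUID (csproduct get uuid)"]
        parent = by_pid.get(e.ppid)
        if parent is not None:
            if parent.image.lower().endswith(".scr"):
                score += 2
                reasons.append("parent is a screensaver executable (.scr)")
            if USER_WRITABLE.search(parent.image):
                score += 1
                reasons.append("parent runs from a user-writable directory")
        findings.append({
            "pid": e.pid,
            "parent_pid": e.ppid,
            "parent_image": parent.image if parent else None,
            "score": score,
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in find_hwid_queries(SAMPLE_EVENTS):
        print(f"pid={f['pid']} parent={f['parent_image']} score={f['score']}")
        for r in f["reasons"]:
            print("   -", r)
```

Run stand-alone it reports the wmic.exe child of PID 1984 with score 4 and the cmd.exe-spawned control with score 1; the parent-process context, not the WMIC query itself, is what separates the two, which is why the query alone is only worth a low score in real telemetry.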