Analysis
max time kernel: 5s
max time network: 11s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 18-03-2024 01:01
Behavioral task
behavioral1
Sample: 5af9c752ae4211a59d6ddc27be136764.exe
Resource: win7-20240221-en (windows7-x64)
4 signatures
150 seconds
General
Target: 5af9c752ae4211a59d6ddc27be136764.exe
Size: 229KB
MD5: 5af9c752ae4211a59d6ddc27be136764
SHA1: 7404f795d31d758f28db333ffd124985e0cc9378
SHA256: bd0627eedef546c23e0dc70b63dbd6c144ac185a5e3710edce664f34cb87f249
SHA512: 088cf9cb0afac0c074d1612413844f10974c6a7deba82054ee8455659b4cace67e1320d32f5a3a3c38e80268c5d07ffe4d52b5e6a9b0abd27dbd0450767c0eee
SSDEEP: 3072:+61se+aFA9qpbi3cVM7hTSdm68UYLXDkpao8bE24SDT9OmxR8e1isvs+E6EiWt:p1se+uecVM7hTSdm683DPo8xr8e1Lx
Malware Config
Signatures
Detect Umbral payload 1 IoCs
resource | yara_rule
behavioral1/memory/1720-0-0x00000000002F0000-0x0000000000330000-memory.dmp | family_umbral
Suspicious use of AdjustPrivilegeToken 42 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1720 | 5af9c752ae4211a59d6ddc27be136764.exe
Token: SeIncreaseQuotaPrivilege | 2616 | wmic.exe
Token: SeSecurityPrivilege | 2616 | wmic.exe
Token: SeTakeOwnershipPrivilege | 2616 | wmic.exe
Token: SeLoadDriverPrivilege | 2616 | wmic.exe
Token: SeSystemProfilePrivilege | 2616 | wmic.exe
Token: SeSystemtimePrivilege | 2616 | wmic.exe
Token: SeProfSingleProcessPrivilege | 2616 | wmic.exe
Token: SeIncBasePriorityPrivilege | 2616 | wmic.exe
Token: SeCreatePagefilePrivilege | 2616 | wmic.exe
Token: SeBackupPrivilege | 2616 | wmic.exe
Token: SeRestorePrivilege | 2616 | wmic.exe
Token: SeShutdownPrivilege | 2616 | wmic.exe
Token: SeDebugPrivilege | 2616 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 2616 | wmic.exe
Token: SeRemoteShutdownPrivilege | 2616 | wmic.exe
Token: SeUndockPrivilege | 2616 | wmic.exe
Token: SeManageVolumePrivilege | 2616 | wmic.exe
Token: 33 | 2616 | wmic.exe
Token: 34 | 2616 | wmic.exe
Token: 35 | 2616 | wmic.exe
Token: SeIncreaseQuotaPrivilege | 2616 | wmic.exe
Token: SeSecurityPrivilege | 2616 | wmic.exe
Token: SeTakeOwnershipPrivilege | 2616 | wmic.exe
Token: SeLoadDriverPrivilege | 2616 | wmic.exe
Token: SeSystemProfilePrivilege | 2616 | wmic.exe
Token: SeSystemtimePrivilege | 2616 | wmic.exe
Token: SeProfSingleProcessPrivilege | 2616 | wmic.exe
Token: SeIncBasePriorityPrivilege | 2616 | wmic.exe
Token: SeCreatePagefilePrivilege | 2616 | wmic.exe
Token: SeBackupPrivilege | 2616 | wmic.exe
Token: SeRestorePrivilege | 2616 | wmic.exe
Token: SeShutdownPrivilege | 2616 | wmic.exe
Token: SeDebugPrivilege | 2616 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 2616 | wmic.exe
Token: SeRemoteShutdownPrivilege | 2616 | wmic.exe
Token: SeUndockPrivilege | 2616 | wmic.exe
Token: SeManageVolumePrivilege | 2616 | wmic.exe
Token: 33 | 2616 | wmic.exe
Token: 34 | 2616 | wmic.exe
Token: 35 | 2616 | wmic.exe
Token: SeShutdownPrivilege | 1720 | 5af9c752ae4211a59d6ddc27be136764.exe
Suspicious use of WriteProcessMemory 3 IoCs
description | pid | Process | procid_target
PID 1720 wrote to memory of 2616 | 1720 | 5af9c752ae4211a59d6ddc27be136764.exe | 28
PID 1720 wrote to memory of 2616 | 1720 | 5af9c752ae4211a59d6ddc27be136764.exe | 28
PID 1720 wrote to memory of 2616 | 1720 | 5af9c752ae4211a59d6ddc27be136764.exe | 28
Processes
1. C:\Users\Admin\AppData\Local\Temp\5af9c752ae4211a59d6ddc27be136764.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\5af9c752ae4211a59d6ddc27be136764.exe"
   PID: 1720
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\Wbem\wmic.exe
      Command line: "wmic.exe" csproduct get uuid
      PID: 2616
      - Suspicious use of AdjustPrivilegeToken