Analysis

max time kernel: 118s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 18-03-2024 03:10

Behavioral task: behavioral1
Sample: Free FlameWare.exe
Resource: win7-20240221-en (windows7-x64)
4 signatures, 150 seconds
General

Target: Free FlameWare.exe
Size: 229KB
MD5: f3f28f0bbc0b45c7d848225d435d78f5
SHA1: c027c49541eb65d32821239ac2bb156cb7723e99
SHA256: 8ceda9174d2afc53f0fff20d03efbeb6a554d937e5e6cb3b064d8f3b8a48afdf
SHA512: 500dc259f7e48db30b4b283eaca2d7732b8bc14c365c8005d3d096dfb49f1b01195eaa7924f8a10386d0bc0ec214e02ae511b3b1a66a0aa62e4cf15a84ad890c
SSDEEP: 6144:lloZM+rIkd8g+EtXHkv/iD4UWWJ3tW+xGkt/qqfB68b8e1mxi:noZtL+EP8UWWJ3tW+xGkt/qqflT
Malware Config
Signatures

Detect Umbral payload (2 IoCs)

resource                                                                      yara_rule
behavioral1/memory/2008-0-0x0000000000F10000-0x0000000000F50000-memory.dmp    family_umbral
behavioral1/memory/2008-2-0x000000001B140000-0x000000001B1C0000-memory.dmp    family_umbral
Suspicious use of AdjustPrivilegeToken (41 IoCs)

description                          pid    Process
Token: SeDebugPrivilege              2008   Free FlameWare.exe
Token: SeIncreaseQuotaPrivilege      2624   wmic.exe
Token: SeSecurityPrivilege           2624   wmic.exe
Token: SeTakeOwnershipPrivilege      2624   wmic.exe
Token: SeLoadDriverPrivilege         2624   wmic.exe
Token: SeSystemProfilePrivilege      2624   wmic.exe
Token: SeSystemtimePrivilege         2624   wmic.exe
Token: SeProfSingleProcessPrivilege  2624   wmic.exe
Token: SeIncBasePriorityPrivilege    2624   wmic.exe
Token: SeCreatePagefilePrivilege     2624   wmic.exe
Token: SeBackupPrivilege             2624   wmic.exe
Token: SeRestorePrivilege            2624   wmic.exe
Token: SeShutdownPrivilege           2624   wmic.exe
Token: SeDebugPrivilege              2624   wmic.exe
Token: SeSystemEnvironmentPrivilege  2624   wmic.exe
Token: SeRemoteShutdownPrivilege     2624   wmic.exe
Token: SeUndockPrivilege             2624   wmic.exe
Token: SeManageVolumePrivilege       2624   wmic.exe
Token: 33                            2624   wmic.exe
Token: 34                            2624   wmic.exe
Token: 35                            2624   wmic.exe

The 20 wmic.exe entries above are recorded a second time in the same order, giving 41 IoCs in total. The wmic.exe rows are the full set of privileges present in the user's token and reflect wmic.exe enabling every privilege it holds at startup; they are not attacker-controlled. The entry attributable to the sample itself is SeDebugPrivilege enabled by PID 2008 (Free FlameWare.exe).
Suspicious use of WriteProcessMemory (3 IoCs)

description                        pid    Process              procid_target
PID 2008 wrote to memory of 2624   2008   Free FlameWare.exe   30
PID 2008 wrote to memory of 2624   2008   Free FlameWare.exe   30
PID 2008 wrote to memory of 2624   2008   Free FlameWare.exe   30
Processes

C:\Users\Admin\AppData\Local\Temp\Free FlameWare.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Free FlameWare.exe"
  PID: 2008
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  └ C:\Windows\System32\Wbem\wmic.exe
      command line: "wmic.exe" csproduct get uuid
      PID: 2624
      - Suspicious use of AdjustPrivilegeToken
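The process tree above shows the sample launching wmic.exe to read the machine UUID from Win32_ComputerSystemProduct, a common way for stealers to derive a hardware ID for the victim. The following detection logic is an added example written for this page, not code from the sandbox or from the sample; it runs over constructed process-creation events shaped like Sysmon Event ID 1 fields (the Free FlameWare.exe / wmic.exe pair mirrors the report, the cmd.exe and setup.exe events are invented for contrast) and flags UUID queries whose parent runs from a user-writable directory, which separates the sample's behaviour from an administrator running the same query by hand. The USER_WRITABLE list and the event field names are assumptions of the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed events in the shape of Sysmon Event ID 1 (process creation) fields.
# Only the Free FlameWare.exe / wmic.exe pair mirrors the sandbox report; the
# other two events are made up to exercise the benign and alternate-syntax cases.
SAMPLE_EVENTS = [
    {"pid": 2008, "ppid": 1234,
     "image": r"C:\Users\Admin\AppData\Local\Temp\Free FlameWare.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Free FlameWare.exe"',
     "parent_image": r"C:\Windows\explorer.exe"},
    {"pid": 2624, "ppid": 2008,
     "image": r"C:\Windows\System32\Wbem\wmic.exe",
     "cmdline": '"wmic.exe" csproduct get uuid',
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\Free FlameWare.exe"},
    # Benign: an administrator asking for the UUID from an interactive shell.
    {"pid": 3100, "ppid": 2900,
     "image": r"C:\Windows\System32\Wbem\wmic.exe",
     "cmdline": "wmic csproduct get uuid",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    # Same WMI class spelled out explicitly, launched from a dropped installer.
    {"pid": 3300, "ppid": 3200,
     "image": r"C:\Windows\SysWOW64\wbem\WMIC.exe",
     "cmdline": "WMIC path win32_computersystemproduct get UUID",
     "parent_image": r"C:\Users\Admin\Downloads\setup.exe"},
]

# Both spellings of the query resolve to the Win32_ComputerSystemProduct UUID.
UUID_QUERY = re.compile(
    r"\b(csproduct|path\s+win32_computersystemproduct)\s+get\s+uuid\b",
    re.IGNORECASE)

# Directories a standard user can write to without elevation (assumed list).
# A fresh binary running from one of these and fingerprinting the host is the
# pattern worth surfacing; the same query from cmd.exe or a management tool is noise.
USER_WRITABLE = ("AppData\\Local\\Temp", "AppData\\Roaming", "Downloads", "ProgramData")


def is_wmic(image):
    """True when the created process image is wmic.exe, regardless of path or case."""
    return PureWindowsPath(image).name.lower() == "wmic.exe"


def from_user_writable_dir(image):
    """True when the image path passes through one of the USER_WRITABLE directories."""
    p = image.lower()
    return any(seg.lower() in p for seg in USER_WRITABLE)


def find_hwid_fingerprinting(events):
    """Return (pid, parent_image) for every wmic UUID query whose parent runs
    from a user-writable path; events are dicts with image/cmdline/parent_image."""
    hits = []
    for ev in events:
        if not is_wmic(ev["image"]):
            continue
        if not UUID_QUERY.search(ev["cmdline"]):
            continue
        if not from_user_writable_dir(ev["parent_image"]):
            continue
        hits.append((ev["pid"], ev["parent_image"]))
    return hits


if __name__ == "__main__":
    for pid, parent in find_hwid_fingerprinting(SAMPLE_EVENTS):
        print(f"wmic UUID query PID {pid} spawned by {parent}")
```

On a real Sysmon or EDR export, map the Image, CommandLine and ParentImage fields into the same dict shape and feed the list to find_hwid_fingerprinting; the parent-path heuristic is deliberately narrow, so widen USER_WRITABLE to match the staging directories seen in your environment rather than dropping it.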