Analysis
-
max time kernel
121s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
04-04-2024 06:38
Behavioral task
behavioral1
Sample
injector.exe
Resource
win7-20240220-en
windows7-x64
4 signatures
150 seconds
General
-
Target
injector.exe
-
Size
231KB
-
MD5
011dc48d3b07ca3ab0021bfbb2bd0544
-
SHA1
1a989adcd1a5385927e4c8ce564e7dafe156300a
-
SHA256
03f17e9278c35e4456f926a740d9590a140017b0173f8bc3b7eda7902bcc0e05
-
SHA512
83a337abe760652f45e1c16291191e2cefa4f681e084d67b8224e7f86c724fbf748c648e03ca1d8791db8b198d9f21e488b66500e4e2fea56a6806b8bb95a465
-
SSDEEP
6144:RloZM9rIkd8g+EtXHkv/iD4SxUVp3cw/FeHp0AV+Rb8e1mQVyi:joZmL+EP8SxUVp3cw/FeHp0AVa1Vn
Malware Config
Signatures
-
Detect Umbral payload 2 IoCs
resource yara_rule behavioral1/memory/1248-0-0x00000000001E0000-0x0000000000220000-memory.dmp family_umbral behavioral1/memory/1248-2-0x000000001B130000-0x000000001B1B0000-memory.dmp family_umbral -
Suspicious use of AdjustPrivilegeToken 41 IoCs
description pid Process Token: SeDebugPrivilege 1248 injector.exe Token: SeIncreaseQuotaPrivilege 3004 wmic.exe Token: SeSecurityPrivilege 3004 wmic.exe Token: SeTakeOwnershipPrivilege 3004 wmic.exe Token: SeLoadDriverPrivilege 3004 wmic.exe Token: SeSystemProfilePrivilege 3004 wmic.exe Token: SeSystemtimePrivilege 3004 wmic.exe Token: SeProfSingleProcessPrivilege 3004 wmic.exe Token: SeIncBasePriorityPrivilege 3004 wmic.exe Token: SeCreatePagefilePrivilege 3004 wmic.exe Token: SeBackupPrivilege 3004 wmic.exe Token: SeRestorePrivilege 3004 wmic.exe Token: SeShutdownPrivilege 3004 wmic.exe Token: SeDebugPrivilege 3004 wmic.exe Token: SeSystemEnvironmentPrivilege 3004 wmic.exe Token: SeRemoteShutdownPrivilege 3004 wmic.exe Token: SeUndockPrivilege 3004 wmic.exe Token: SeManageVolumePrivilege 3004 wmic.exe Token: 33 3004 wmic.exe Token: 34 3004 wmic.exe Token: 35 3004 wmic.exe Token: SeIncreaseQuotaPrivilege 3004 wmic.exe Token: SeSecurityPrivilege 3004 wmic.exe Token: SeTakeOwnershipPrivilege 3004 wmic.exe Token: SeLoadDriverPrivilege 3004 wmic.exe Token: SeSystemProfilePrivilege 3004 wmic.exe Token: SeSystemtimePrivilege 3004 wmic.exe Token: SeProfSingleProcessPrivilege 3004 wmic.exe Token: SeIncBasePriorityPrivilege 3004 wmic.exe Token: SeCreatePagefilePrivilege 3004 wmic.exe Token: SeBackupPrivilege 3004 wmic.exe Token: SeRestorePrivilege 3004 wmic.exe Token: SeShutdownPrivilege 3004 wmic.exe Token: SeDebugPrivilege 3004 wmic.exe Token: SeSystemEnvironmentPrivilege 3004 wmic.exe Token: SeRemoteShutdownPrivilege 3004 wmic.exe Token: SeUndockPrivilege 3004 wmic.exe Token: SeManageVolumePrivilege 3004 wmic.exe Token: 33 3004 wmic.exe Token: 34 3004 wmic.exe Token: 35 3004 wmic.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1248 wrote to memory of 3004 1248 injector.exe 28 PID 1248 wrote to memory of 3004 1248 injector.exe 28 PID 1248 wrote to memory of 3004 1248 injector.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\injector.exe"C:\Users\Admin\AppData\Local\Temp\injector.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1248 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3004
-