Analysis
max time kernel: 130s
max time network: 139s
platform: windows10-1703_x64
resource: win10-20240221-en
resource tags: arch:x64, arch:x86, image:win10-20240221-en, locale:en-us, os:windows10-1703-x64, system
submitted: 04-04-2024 06:38
Behavioral task: behavioral1
Sample: injector.exe
Resource: win7-20240220-en (windows7-x64)
4 signatures
150 seconds
General
Target: injector.exe
Size: 231KB
MD5: 011dc48d3b07ca3ab0021bfbb2bd0544
SHA1: 1a989adcd1a5385927e4c8ce564e7dafe156300a
SHA256: 03f17e9278c35e4456f926a740d9590a140017b0173f8bc3b7eda7902bcc0e05
SHA512: 83a337abe760652f45e1c16291191e2cefa4f681e084d67b8224e7f86c724fbf748c648e03ca1d8791db8b198d9f21e488b66500e4e2fea56a6806b8bb95a465
SSDEEP: 6144:RloZM9rIkd8g+EtXHkv/iD4SxUVp3cw/FeHp0AV+Rb8e1mQVyi:joZmL+EP8SxUVp3cw/FeHp0AVa1Vn
Malware Config
Signatures
Detect Umbral payload (1 IoC)
resource | yara_rule
behavioral2/memory/3848-0-0x0000014BA42F0000-0x0000014BA4330000-memory.dmp | family_umbral

Suspicious use of AdjustPrivilegeToken (43 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3848 | injector.exe
Token: SeIncreaseQuotaPrivilege | 3276 | wmic.exe
Token: SeSecurityPrivilege | 3276 | wmic.exe
Token: SeTakeOwnershipPrivilege | 3276 | wmic.exe
Token: SeLoadDriverPrivilege | 3276 | wmic.exe
Token: SeSystemProfilePrivilege | 3276 | wmic.exe
Token: SeSystemtimePrivilege | 3276 | wmic.exe
Token: SeProfSingleProcessPrivilege | 3276 | wmic.exe
Token: SeIncBasePriorityPrivilege | 3276 | wmic.exe
Token: SeCreatePagefilePrivilege | 3276 | wmic.exe
Token: SeBackupPrivilege | 3276 | wmic.exe
Token: SeRestorePrivilege | 3276 | wmic.exe
Token: SeShutdownPrivilege | 3276 | wmic.exe
Token: SeDebugPrivilege | 3276 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 3276 | wmic.exe
Token: SeRemoteShutdownPrivilege | 3276 | wmic.exe
Token: SeUndockPrivilege | 3276 | wmic.exe
Token: SeManageVolumePrivilege | 3276 | wmic.exe
Token: 33 | 3276 | wmic.exe
Token: 34 | 3276 | wmic.exe
Token: 35 | 3276 | wmic.exe
Token: 36 | 3276 | wmic.exe
Token: SeIncreaseQuotaPrivilege | 3276 | wmic.exe
Token: SeSecurityPrivilege | 3276 | wmic.exe
Token: SeTakeOwnershipPrivilege | 3276 | wmic.exe
Token: SeLoadDriverPrivilege | 3276 | wmic.exe
Token: SeSystemProfilePrivilege | 3276 | wmic.exe
Token: SeSystemtimePrivilege | 3276 | wmic.exe
Token: SeProfSingleProcessPrivilege | 3276 | wmic.exe
Token: SeIncBasePriorityPrivilege | 3276 | wmic.exe
Token: SeCreatePagefilePrivilege | 3276 | wmic.exe
Token: SeBackupPrivilege | 3276 | wmic.exe
Token: SeRestorePrivilege | 3276 | wmic.exe
Token: SeShutdownPrivilege | 3276 | wmic.exe
Token: SeDebugPrivilege | 3276 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 3276 | wmic.exe
Token: SeRemoteShutdownPrivilege | 3276 | wmic.exe
Token: SeUndockPrivilege | 3276 | wmic.exe
Token: SeManageVolumePrivilege | 3276 | wmic.exe
Token: 33 | 3276 | wmic.exe
Token: 34 | 3276 | wmic.exe
Token: 35 | 3276 | wmic.exe
Token: 36 | 3276 | wmic.exe

Suspicious use of WriteProcessMemory (2 IoCs)
description | pid | Process | procid_target
PID 3848 wrote to memory of 3276 | 3848 | injector.exe | 73
PID 3848 wrote to memory of 3276 | 3848 | injector.exe | 73
Processes
1. C:\Users\Admin\AppData\Local\Temp\injector.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\injector.exe"
   PID: 3848
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\Wbem\wmic.exe
      Command line: "wmic.exe" csproduct get uuid
      PID: 3276
      - Suspicious use of AdjustPrivilegeToken