Analysis

max time kernel: 63s
max time network: 64s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-04-2024 23:14
General

Target: mw3loader.exe
Size: 229KB
MD5: a31efc937dcb33a570c243ef7be4423f
SHA1: ef838ad887d34664d97f9c0c6e7b728daac897a2
SHA256: 801455f1721ad65f4d62e40d9d4d05f5a1b520e569b05a7e8daf1c7be86fac6d
SHA512: 0d2552a3af17c9ec4dd17b895a28eeb9a99ec0af3d4826825f04a4358a137c12a45efe213919237c0ec0a80e284578d4eeef0e97b650a4b6b2930ba42ee7b611
SSDEEP: 6144:lloZM+rIkd8g+EtXHkv/iD4XGI9ecjfUY1gevPe2jb8e1mnesi:noZtL+EP8XGI9ecjfUY1gevPewX
Malware Config
Signatures

Detect Umbral payload (1 IoC)

  resource                                                                     yara_rule
  behavioral1/memory/4012-0-0x000001531FD90000-0x000001531FDD0000-memory.dmp   family_umbral

Suspicious use of AdjustPrivilegeToken (64 IoCs)

  description                            pid   Process
  Token: SeDebugPrivilege                4012  mw3loader.exe
  Token: SeIncreaseQuotaPrivilege        4796  wmic.exe
  Token: SeSecurityPrivilege             4796  wmic.exe
  Token: SeTakeOwnershipPrivilege        4796  wmic.exe
  Token: SeLoadDriverPrivilege           4796  wmic.exe
  Token: SeSystemProfilePrivilege        4796  wmic.exe
  Token: SeSystemtimePrivilege           4796  wmic.exe
  Token: SeProfSingleProcessPrivilege    4796  wmic.exe
  Token: SeIncBasePriorityPrivilege      4796  wmic.exe
  Token: SeCreatePagefilePrivilege       4796  wmic.exe
  Token: SeBackupPrivilege               4796  wmic.exe
  Token: SeRestorePrivilege              4796  wmic.exe
  Token: SeShutdownPrivilege             4796  wmic.exe
  Token: SeDebugPrivilege                4796  wmic.exe
  Token: SeSystemEnvironmentPrivilege    4796  wmic.exe
  Token: SeRemoteShutdownPrivilege       4796  wmic.exe
  Token: SeUndockPrivilege               4796  wmic.exe
  Token: SeManageVolumePrivilege         4796  wmic.exe
  Token: 33                              4796  wmic.exe
  Token: 34                              4796  wmic.exe
  Token: 35                              4796  wmic.exe
  Token: 36                              4796  wmic.exe
  Token: SeIncreaseQuotaPrivilege        4796  wmic.exe
  Token: SeSecurityPrivilege             4796  wmic.exe
  Token: SeTakeOwnershipPrivilege        4796  wmic.exe
  Token: SeLoadDriverPrivilege           4796  wmic.exe
  Token: SeSystemProfilePrivilege        4796  wmic.exe
  Token: SeSystemtimePrivilege           4796  wmic.exe
  Token: SeProfSingleProcessPrivilege    4796  wmic.exe
  Token: SeIncBasePriorityPrivilege      4796  wmic.exe
  Token: SeCreatePagefilePrivilege       4796  wmic.exe
  Token: SeBackupPrivilege               4796  wmic.exe
  Token: SeRestorePrivilege              4796  wmic.exe
  Token: SeShutdownPrivilege             4796  wmic.exe
  Token: SeDebugPrivilege                4796  wmic.exe
  Token: SeSystemEnvironmentPrivilege    4796  wmic.exe
  Token: SeRemoteShutdownPrivilege       4796  wmic.exe
  Token: SeUndockPrivilege               4796  wmic.exe
  Token: SeManageVolumePrivilege         4796  wmic.exe
  Token: 33                              4796  wmic.exe
  Token: 34                              4796  wmic.exe
  Token: 35                              4796  wmic.exe
  Token: 36                              4796  wmic.exe
  Token: SeDebugPrivilege                952   mw3loader.exe
  Token: SeIncreaseQuotaPrivilege        5072  wmic.exe
  Token: SeSecurityPrivilege             5072  wmic.exe
  Token: SeTakeOwnershipPrivilege        5072  wmic.exe
  Token: SeLoadDriverPrivilege           5072  wmic.exe
  Token: SeSystemProfilePrivilege        5072  wmic.exe
  Token: SeSystemtimePrivilege           5072  wmic.exe
  Token: SeProfSingleProcessPrivilege    5072  wmic.exe
  Token: SeIncBasePriorityPrivilege      5072  wmic.exe
  Token: SeCreatePagefilePrivilege       5072  wmic.exe
  Token: SeBackupPrivilege               5072  wmic.exe
  Token: SeRestorePrivilege              5072  wmic.exe
  Token: SeShutdownPrivilege             5072  wmic.exe
  Token: SeDebugPrivilege                5072  wmic.exe
  Token: SeSystemEnvironmentPrivilege    5072  wmic.exe
  Token: SeRemoteShutdownPrivilege       5072  wmic.exe
  Token: SeUndockPrivilege               5072  wmic.exe
  Token: SeManageVolumePrivilege         5072  wmic.exe
  Token: 33                              5072  wmic.exe
  Token: 34                              5072  wmic.exe
  Token: 35                              5072  wmic.exe

Suspicious use of WriteProcessMemory (6 IoCs)

  description                         pid   Process        procid_target
  PID 4012 wrote to memory of 4796    4012  mw3loader.exe  87
  PID 4012 wrote to memory of 4796    4012  mw3loader.exe  87
  PID 952 wrote to memory of 5072     952   mw3loader.exe  107
  PID 952 wrote to memory of 5072     952   mw3loader.exe  107
  PID 1684 wrote to memory of 2088    1684  mw3loader.exe  110
  PID 1684 wrote to memory of 2088    1684  mw3loader.exe  110
Processes

C:\Users\Admin\AppData\Local\Temp\mw3loader.exe  (PID 4012)
  Command line: "C:\Users\Admin\AppData\Local\Temp\mw3loader.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\System32\Wbem\wmic.exe  (PID 4796)
      Command line: "wmic.exe" csproduct get uuid
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\rundll32.exe  (PID 3132)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\AppData\Local\Temp\mw3loader.exe  (PID 952)
  Command line: "C:\Users\Admin\AppData\Local\Temp\mw3loader.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\System32\Wbem\wmic.exe  (PID 5072)
      Command line: "wmic.exe" csproduct get uuid
      - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Local\Temp\mw3loader.exe  (PID 1684)
  Command line: "C:\Users\Admin\AppData\Local\Temp\mw3loader.exe"
  - Suspicious use of WriteProcessMemory
    C:\Windows\System32\Wbem\wmic.exe  (PID 2088)
      Command line: "wmic.exe" csproduct get uuid
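Every instance of mw3loader.exe in the tree above spawns the same child, "wmic.exe" csproduct get uuid, which reads Win32_ComputerSystemProduct.UUID (the SMBIOS system UUID). Reading that value from a binary running out of a user's Temp directory is the host-fingerprinting step this report records; the report itself only lists the command, so the fingerprinting reading is an interpretation. The following is an added detection example, not part of the sandbox report or of any tool it references: it runs over process-creation events constructed to mirror the report's PIDs and paths (plus two made-up negatives) and rates each SMBIOS-UUID query by where its parent lives. The field names follow Sysmon Event ID 1 (ProcessCreate) naming, which is an assumption about the log source.

```python
"""Added example (not from the sandbox report): flag `wmic csproduct get uuid`
spawned by a binary in a user-writable staging directory.

Events are constructed to mirror the report. Field names follow Sysmon
Event ID 1 (ProcessCreate); that log source is an assumption."""
import re
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class ProcessCreate:
    pid: int
    image: str
    command_line: str
    parent_pid: int
    parent_image: str


# Constructed sample events. The first three mirror the report's tree; the last
# two are made-up negatives: the same query typed into an interactive cmd.exe,
# and an unrelated WMIC query from the Temp-resident binary.
SAMPLE_EVENTS = [
    ProcessCreate(4012, r"C:\Users\Admin\AppData\Local\Temp\mw3loader.exe",
                  r'"C:\Users\Admin\AppData\Local\Temp\mw3loader.exe"',
                  3000, r"C:\Windows\explorer.exe"),
    ProcessCreate(4796, r"C:\Windows\System32\Wbem\wmic.exe",
                  '"wmic.exe" csproduct get uuid',
                  4012, r"C:\Users\Admin\AppData\Local\Temp\mw3loader.exe"),
    ProcessCreate(3132, r"C:\Windows\System32\rundll32.exe",
                  r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,"
                  r"SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding",
                  700, r"C:\Windows\System32\svchost.exe"),
    ProcessCreate(6100, r"C:\Windows\System32\Wbem\wmic.exe",
                  "WMIC  CSPRODUCT GET UUID", 5200, r"C:\Windows\System32\cmd.exe"),
    ProcessCreate(6200, r"C:\Windows\System32\Wbem\wmic.exe",
                  '"wmic.exe" os get caption',
                  4012, r"C:\Users\Admin\AppData\Local\Temp\mw3loader.exe"),
]

# WMIC by bare name or full path, quoted or not, any case, then the
# csproduct/uuid query with arbitrary whitespace between tokens.
HWID_QUERY = re.compile(
    r'^\s*"?(?:[^"\s]*\\)?wmic(?:\.exe)?"?\s+csproduct\s+get\s+uuid\s*$',
    re.IGNORECASE)

# User-writable staging locations; the report's sample runs from %LOCALAPPDATA%\Temp.
USER_WRITABLE = re.compile(
    r"^[A-Za-z]:\\Users\\[^\\]+\\(?:AppData\\Local\\Temp|Downloads|Public)\\",
    re.IGNORECASE)


def is_hwid_query(command_line: str) -> bool:
    """True for a WMIC query of Win32_ComputerSystemProduct.UUID."""
    return HWID_QUERY.match(command_line) is not None


def is_user_writable(path: str) -> bool:
    return USER_WRITABLE.match(path) is not None


@dataclass(frozen=True)
class Finding:
    parent_pid: int
    parent_image: str
    child_pid: int
    severity: str  # "high" when the parent lives in a staging directory, else "low"


def detect_hwid_fingerprinting(events: Iterable[ProcessCreate]) -> list[Finding]:
    """One Finding per wmic.exe SMBIOS-UUID query, rated by the parent's location."""
    findings = []
    for ev in events:
        if not ev.image.lower().endswith("\\wmic.exe"):
            continue
        if not is_hwid_query(ev.command_line):
            continue
        severity = "high" if is_user_writable(ev.parent_image) else "low"
        findings.append(Finding(ev.parent_pid, ev.parent_image, ev.pid, severity))
    return findings


if __name__ == "__main__":
    for f in detect_hwid_fingerprinting(SAMPLE_EVENTS):
        print(f"[{f.severity}] PID {f.parent_pid} ({f.parent_image}) spawned "
              f"wmic PID {f.child_pid} to read the SMBIOS UUID")
```

The command-line match is deliberately loose about path, quoting and case because the report shows the quoted form ("wmic.exe" csproduct get uuid) while an operator or script can equally emit an unquoted or upper-case variant; the parent-location check is what separates the Temp-resident sample from an administrator running the same query by hand.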
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 1KB
MD5: 8094b248fe3231e48995c2be32aeb08c
SHA1: 2fe06e000ebec919bf982d033c5d1219c1f916b6
SHA256: 136c30d964f4abbb5279bdc86d0e00578333782f15f05f0d2d050730dcb7a9bc
SHA512: bf27a3822008796370e2c506c910a40992b9240606ea1bc19f683b2fee86b81897660ac0cf8e746ca093dae9e408949e2e9002ded75678a69f020d3b0452801f