Analysis
-
max time kernel
131s -
max time network
136s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
15-04-2024 16:52
Behavioral task
behavioral1
Sample
ClientBetaNew.exe
Resource
win7-20240319-en
windows7-x64
4 signatures
150 seconds
Behavioral task
behavioral2
Sample
ClientBetaNew.exe
Resource
win10-20240404-en
windows10-1703-x64
4 signatures
150 seconds
Behavioral task
behavioral3
Sample
ClientBetaNew.exe
Resource
win10v2004-20240412-en
windows10-2004-x64
12 signatures
150 seconds
General
-
Target
ClientBetaNew.exe
-
Size
229KB
-
MD5
e7fca17393a9f4cb9ccb2f65fc2bb214
-
SHA1
cef26fa30e3f68d85ab923beecc0cd0dbfa2a720
-
SHA256
499282fecf90d5dcdf2b01ca4413c37477ec17b6068b43300dfeaefa1fb50978
-
SHA512
303fe673e0d12410010971fb15ae58751948a7e0fb559e97acf5c73df0a7987dc8d423d59ebdfdfee79ef2696795ecf78543dcb74bebf6073a65229a2d24b80a
-
SSDEEP
6144:9loZM+rIkd8g+EtXHkv/iD4rzQumkrHM99YW3X2gyb8e1mtzi:foZtL+EP8rzQumkrHM99YW3X23Ie
Malware Config
Signatures
-
Detect Umbral payload 1 IoCs
resource yara_rule behavioral2/memory/1468-0-0x0000024DF5490000-0x0000024DF54D0000-memory.dmp family_umbral -
Suspicious use of AdjustPrivilegeToken 43 IoCs
description pid Process Token: SeDebugPrivilege 1468 ClientBetaNew.exe Token: SeIncreaseQuotaPrivilege 3940 wmic.exe Token: SeSecurityPrivilege 3940 wmic.exe Token: SeTakeOwnershipPrivilege 3940 wmic.exe Token: SeLoadDriverPrivilege 3940 wmic.exe Token: SeSystemProfilePrivilege 3940 wmic.exe Token: SeSystemtimePrivilege 3940 wmic.exe Token: SeProfSingleProcessPrivilege 3940 wmic.exe Token: SeIncBasePriorityPrivilege 3940 wmic.exe Token: SeCreatePagefilePrivilege 3940 wmic.exe Token: SeBackupPrivilege 3940 wmic.exe Token: SeRestorePrivilege 3940 wmic.exe Token: SeShutdownPrivilege 3940 wmic.exe Token: SeDebugPrivilege 3940 wmic.exe Token: SeSystemEnvironmentPrivilege 3940 wmic.exe Token: SeRemoteShutdownPrivilege 3940 wmic.exe Token: SeUndockPrivilege 3940 wmic.exe Token: SeManageVolumePrivilege 3940 wmic.exe Token: 33 3940 wmic.exe Token: 34 3940 wmic.exe Token: 35 3940 wmic.exe Token: 36 3940 wmic.exe Token: SeIncreaseQuotaPrivilege 3940 wmic.exe Token: SeSecurityPrivilege 3940 wmic.exe Token: SeTakeOwnershipPrivilege 3940 wmic.exe Token: SeLoadDriverPrivilege 3940 wmic.exe Token: SeSystemProfilePrivilege 3940 wmic.exe Token: SeSystemtimePrivilege 3940 wmic.exe Token: SeProfSingleProcessPrivilege 3940 wmic.exe Token: SeIncBasePriorityPrivilege 3940 wmic.exe Token: SeCreatePagefilePrivilege 3940 wmic.exe Token: SeBackupPrivilege 3940 wmic.exe Token: SeRestorePrivilege 3940 wmic.exe Token: SeShutdownPrivilege 3940 wmic.exe Token: SeDebugPrivilege 3940 wmic.exe Token: SeSystemEnvironmentPrivilege 3940 wmic.exe Token: SeRemoteShutdownPrivilege 3940 wmic.exe Token: SeUndockPrivilege 3940 wmic.exe Token: SeManageVolumePrivilege 3940 wmic.exe Token: 33 3940 wmic.exe Token: 34 3940 wmic.exe Token: 35 3940 wmic.exe Token: 36 3940 wmic.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 1468 wrote to memory of 3940 1468 ClientBetaNew.exe 72 PID 1468 wrote to memory of 3940 1468 ClientBetaNew.exe 72
Processes
-
C:\Users\Admin\AppData\Local\Temp\ClientBetaNew.exe"C:\Users\Admin\AppData\Local\Temp\ClientBetaNew.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1468 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3940
-