Analysis
-
max time kernel
131s -
max time network
136s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
15-04-2024 16:52
Behavioral task
behavioral1
Sample
ClientBetaNew.exe
Resource
win7-20240319-en
4 signatures
150 seconds
Behavioral task
behavioral2
Sample
ClientBetaNew.exe
Resource
win10-20240404-en
4 signatures
150 seconds
Behavioral task
behavioral3
Sample
ClientBetaNew.exe
Resource
win10v2004-20240412-en
12 signatures
150 seconds
General
-
Target
ClientBetaNew.exe
-
Size
229KB
-
MD5
e7fca17393a9f4cb9ccb2f65fc2bb214
-
SHA1
cef26fa30e3f68d85ab923beecc0cd0dbfa2a720
-
SHA256
499282fecf90d5dcdf2b01ca4413c37477ec17b6068b43300dfeaefa1fb50978
-
SHA512
303fe673e0d12410010971fb15ae58751948a7e0fb559e97acf5c73df0a7987dc8d423d59ebdfdfee79ef2696795ecf78543dcb74bebf6073a65229a2d24b80a
-
SSDEEP
6144:9loZM+rIkd8g+EtXHkv/iD4rzQumkrHM99YW3X2gyb8e1mtzi:foZtL+EP8rzQumkrHM99YW3X23Ie
Malware Config
Signatures
-
Detect Umbral payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/1468-0-0x0000024DF5490000-0x0000024DF54D0000-memory.dmp family_umbral -
Suspicious use of AdjustPrivilegeToken 43 IoCs
Processes:
ClientBetaNew.exewmic.exedescription pid process Token: SeDebugPrivilege 1468 ClientBetaNew.exe Token: SeIncreaseQuotaPrivilege 3940 wmic.exe Token: SeSecurityPrivilege 3940 wmic.exe Token: SeTakeOwnershipPrivilege 3940 wmic.exe Token: SeLoadDriverPrivilege 3940 wmic.exe Token: SeSystemProfilePrivilege 3940 wmic.exe Token: SeSystemtimePrivilege 3940 wmic.exe Token: SeProfSingleProcessPrivilege 3940 wmic.exe Token: SeIncBasePriorityPrivilege 3940 wmic.exe Token: SeCreatePagefilePrivilege 3940 wmic.exe Token: SeBackupPrivilege 3940 wmic.exe Token: SeRestorePrivilege 3940 wmic.exe Token: SeShutdownPrivilege 3940 wmic.exe Token: SeDebugPrivilege 3940 wmic.exe Token: SeSystemEnvironmentPrivilege 3940 wmic.exe Token: SeRemoteShutdownPrivilege 3940 wmic.exe Token: SeUndockPrivilege 3940 wmic.exe Token: SeManageVolumePrivilege 3940 wmic.exe Token: 33 3940 wmic.exe Token: 34 3940 wmic.exe Token: 35 3940 wmic.exe Token: 36 3940 wmic.exe Token: SeIncreaseQuotaPrivilege 3940 wmic.exe Token: SeSecurityPrivilege 3940 wmic.exe Token: SeTakeOwnershipPrivilege 3940 wmic.exe Token: SeLoadDriverPrivilege 3940 wmic.exe Token: SeSystemProfilePrivilege 3940 wmic.exe Token: SeSystemtimePrivilege 3940 wmic.exe Token: SeProfSingleProcessPrivilege 3940 wmic.exe Token: SeIncBasePriorityPrivilege 3940 wmic.exe Token: SeCreatePagefilePrivilege 3940 wmic.exe Token: SeBackupPrivilege 3940 wmic.exe Token: SeRestorePrivilege 3940 wmic.exe Token: SeShutdownPrivilege 3940 wmic.exe Token: SeDebugPrivilege 3940 wmic.exe Token: SeSystemEnvironmentPrivilege 3940 wmic.exe Token: SeRemoteShutdownPrivilege 3940 wmic.exe Token: SeUndockPrivilege 3940 wmic.exe Token: SeManageVolumePrivilege 3940 wmic.exe Token: 33 3940 wmic.exe Token: 34 3940 wmic.exe Token: 35 3940 wmic.exe Token: 36 3940 wmic.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
ClientBetaNew.exedescription pid process target process PID 1468 wrote to memory of 3940 1468 ClientBetaNew.exe wmic.exe PID 1468 wrote to memory of 3940 1468 ClientBetaNew.exe wmic.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ClientBetaNew.exe"C:\Users\Admin\AppData\Local\Temp\ClientBetaNew.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1468 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3940
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1468-0-0x0000024DF5490000-0x0000024DF54D0000-memory.dmpFilesize
256KB
-
memory/1468-1-0x00007FFFC0F50000-0x00007FFFC193C000-memory.dmpFilesize
9.9MB
-
memory/1468-2-0x0000024DF7BA0000-0x0000024DF7BB0000-memory.dmpFilesize
64KB
-
memory/1468-4-0x00007FFFC0F50000-0x00007FFFC193C000-memory.dmpFilesize
9.9MB