Analysis
  max time kernel: 26s
  max time network: 19s
  platform: windows7_x64
  resource: win7-20240221-en
  resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  submitted: 23-04-2024 19:48
Behavioral task
  behavioral1
  Sample: NetflixCE.exe
  Resource: win7-20240221-en
  windows7-x64
  4 signatures
  150 seconds
General
  Target: NetflixCE.exe
  Size: 228KB
  MD5: 07d06d04c3094604382fa3d66c6bc5de
  SHA1: 4ecde9567e8592f121bed011c12c920dc32f431b
  SHA256: 46d2d186cc16096c591ec5374de36c4d0c4fceb024f4f602e3c9d6df20a1a676
  SHA512: f7c82984984ed922dafff7ea6e6ea70c1caca3d6e4e4539209a6974a5bb8cdb8e9bdb4cb2faaa01e9af8a5e24543ceddae49d569a5e1f59a3ce80e9326b09d50
  SSDEEP: 6144:+loZM+rIkd8g+EtXHkv/iD4G1x+cCFdWdj+ctBIYlb8e1mCc7i:ooZtL+EP8G1x+cCFdWdj+ctBI00W
Malware Config
Signatures

Detect Umbral payload (1 IoCs)
  resource                                                                     yara_rule
  behavioral1/memory/1612-0-0x0000000000BD0000-0x0000000000C10000-memory.dmp  family_umbral

Suspicious use of AdjustPrivilegeToken (41 IoCs)
  description                            pid   Process
  Token: SeDebugPrivilege                1612  NetflixCE.exe
  Token: SeIncreaseQuotaPrivilege        2676  wmic.exe
  Token: SeSecurityPrivilege             2676  wmic.exe
  Token: SeTakeOwnershipPrivilege        2676  wmic.exe
  Token: SeLoadDriverPrivilege           2676  wmic.exe
  Token: SeSystemProfilePrivilege        2676  wmic.exe
  Token: SeSystemtimePrivilege           2676  wmic.exe
  Token: SeProfSingleProcessPrivilege    2676  wmic.exe
  Token: SeIncBasePriorityPrivilege      2676  wmic.exe
  Token: SeCreatePagefilePrivilege       2676  wmic.exe
  Token: SeBackupPrivilege               2676  wmic.exe
  Token: SeRestorePrivilege              2676  wmic.exe
  Token: SeShutdownPrivilege             2676  wmic.exe
  Token: SeDebugPrivilege                2676  wmic.exe
  Token: SeSystemEnvironmentPrivilege    2676  wmic.exe
  Token: SeRemoteShutdownPrivilege       2676  wmic.exe
  Token: SeUndockPrivilege               2676  wmic.exe
  Token: SeManageVolumePrivilege         2676  wmic.exe
  Token: 33                              2676  wmic.exe
  Token: 34                              2676  wmic.exe
  Token: 35                              2676  wmic.exe
  Token: SeIncreaseQuotaPrivilege        2676  wmic.exe
  Token: SeSecurityPrivilege             2676  wmic.exe
  Token: SeTakeOwnershipPrivilege        2676  wmic.exe
  Token: SeLoadDriverPrivilege           2676  wmic.exe
  Token: SeSystemProfilePrivilege        2676  wmic.exe
  Token: SeSystemtimePrivilege           2676  wmic.exe
  Token: SeProfSingleProcessPrivilege    2676  wmic.exe
  Token: SeIncBasePriorityPrivilege      2676  wmic.exe
  Token: SeCreatePagefilePrivilege       2676  wmic.exe
  Token: SeBackupPrivilege               2676  wmic.exe
  Token: SeRestorePrivilege              2676  wmic.exe
  Token: SeShutdownPrivilege             2676  wmic.exe
  Token: SeDebugPrivilege                2676  wmic.exe
  Token: SeSystemEnvironmentPrivilege    2676  wmic.exe
  Token: SeRemoteShutdownPrivilege       2676  wmic.exe
  Token: SeUndockPrivilege               2676  wmic.exe
  Token: SeManageVolumePrivilege         2676  wmic.exe
  Token: 33                              2676  wmic.exe
  Token: 34                              2676  wmic.exe
  Token: 35                              2676  wmic.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                        pid   Process        procid_target
  PID 1612 wrote to memory of 2676   1612  NetflixCE.exe  28
  PID 1612 wrote to memory of 2676   1612  NetflixCE.exe  28
  PID 1612 wrote to memory of 2676   1612  NetflixCE.exe  28
Processes

  C:\Users\Admin\AppData\Local\Temp\NetflixCE.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\NetflixCE.exe"
    PID: 1612
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    Child process:
    C:\Windows\System32\Wbem\wmic.exe
      Command line: "wmic.exe" csproduct get uuid
      PID: 2676
      - Suspicious use of AdjustPrivilegeToken