Analysis
-
max time kernel
118s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
27-04-2024 22:30
Behavioral task
behavioral1
Sample
l0xmdpqk.ylw.bin.exe
Resource
win7-20240220-en
windows7-x64
4 signatures
300 seconds
Behavioral task
behavioral2
Sample
l0xmdpqk.ylw.bin.exe
Resource
win10-20240404-en
windows10-1703-x64
4 signatures
300 seconds
Behavioral task
behavioral3
Sample
l0xmdpqk.ylw.bin.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
4 signatures
300 seconds
General
-
Target
l0xmdpqk.ylw.bin.exe
-
Size
227KB
-
MD5
7f32dcbb00de079c31ff7895ae9c0560
-
SHA1
e80841a355b8dce9955b9bbba63f02a4ad31a836
-
SHA256
5658f42d6332d99827d772a710d74e905f822d23e958c86f802973c2cffe850f
-
SHA512
776cabc7d2442d90655eec0f434c811146b7f569dbace3c8609a582c167af5990ec25d1d7a8eb111744cecbdcd43d37af7d623eb97eb414ad926371083f7aadc
-
SSDEEP
6144:bloZM+9EB1/SqctonEPfCqAu0+prdmK13Up7a6rhgj8e1m5l:5oZQdSqcwvu0+prdmK13Up7a6rhQM
Malware Config
Signatures
-
Detect Umbral payload 2 IoCs
resource yara_rule behavioral1/memory/2316-0-0x00000000013C0000-0x0000000001400000-memory.dmp family_umbral behavioral1/memory/2316-2-0x000000001B260000-0x000000001B2E0000-memory.dmp family_umbral -
Suspicious use of AdjustPrivilegeToken 41 IoCs
description pid Process Token: SeDebugPrivilege 2316 l0xmdpqk.ylw.bin.exe Token: SeIncreaseQuotaPrivilege 2660 wmic.exe Token: SeSecurityPrivilege 2660 wmic.exe Token: SeTakeOwnershipPrivilege 2660 wmic.exe Token: SeLoadDriverPrivilege 2660 wmic.exe Token: SeSystemProfilePrivilege 2660 wmic.exe Token: SeSystemtimePrivilege 2660 wmic.exe Token: SeProfSingleProcessPrivilege 2660 wmic.exe Token: SeIncBasePriorityPrivilege 2660 wmic.exe Token: SeCreatePagefilePrivilege 2660 wmic.exe Token: SeBackupPrivilege 2660 wmic.exe Token: SeRestorePrivilege 2660 wmic.exe Token: SeShutdownPrivilege 2660 wmic.exe Token: SeDebugPrivilege 2660 wmic.exe Token: SeSystemEnvironmentPrivilege 2660 wmic.exe Token: SeRemoteShutdownPrivilege 2660 wmic.exe Token: SeUndockPrivilege 2660 wmic.exe Token: SeManageVolumePrivilege 2660 wmic.exe Token: 33 2660 wmic.exe Token: 34 2660 wmic.exe Token: 35 2660 wmic.exe Token: SeIncreaseQuotaPrivilege 2660 wmic.exe Token: SeSecurityPrivilege 2660 wmic.exe Token: SeTakeOwnershipPrivilege 2660 wmic.exe Token: SeLoadDriverPrivilege 2660 wmic.exe Token: SeSystemProfilePrivilege 2660 wmic.exe Token: SeSystemtimePrivilege 2660 wmic.exe Token: SeProfSingleProcessPrivilege 2660 wmic.exe Token: SeIncBasePriorityPrivilege 2660 wmic.exe Token: SeCreatePagefilePrivilege 2660 wmic.exe Token: SeBackupPrivilege 2660 wmic.exe Token: SeRestorePrivilege 2660 wmic.exe Token: SeShutdownPrivilege 2660 wmic.exe Token: SeDebugPrivilege 2660 wmic.exe Token: SeSystemEnvironmentPrivilege 2660 wmic.exe Token: SeRemoteShutdownPrivilege 2660 wmic.exe Token: SeUndockPrivilege 2660 wmic.exe Token: SeManageVolumePrivilege 2660 wmic.exe Token: 33 2660 wmic.exe Token: 34 2660 wmic.exe Token: 35 2660 wmic.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2316 wrote to memory of 2660 2316 l0xmdpqk.ylw.bin.exe 28 PID 2316 wrote to memory of 2660 2316 l0xmdpqk.ylw.bin.exe 28 PID 2316 wrote to memory of 2660 2316 l0xmdpqk.ylw.bin.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\l0xmdpqk.ylw.bin.exe"C:\Users\Admin\AppData\Local\Temp\l0xmdpqk.ylw.bin.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2660
-