Analysis
max time kernel: 14s
max time network: 26s
platform: windows10-1703_x64
resource: win10-20240404-uk
resource tags: arch:x64, arch:x86, image:win10-20240404-uk, locale:uk-ua, os:windows10-1703-x64, system, windows
submitted: 06-05-2024 18:45
General
Target: TOOLSNXCLXN.exe
Size: 229KB
MD5: 8628b9dd8871af6a292f3a6e08386eaf
SHA1: 54424a37b205150d43b419eafb3d7bcb3dbf0f29
SHA256: 1040523f9dac2fb0ff0b30e5996aea8a5c326e685bc3633e5ea14f443aba7919
SHA512: cc4633141e35c707d56299e161ec1de13adc8a42c4f6ef874e4b9a7b5f44e543113f58b3f19610bef227676bc00e4ad643e4cdf6e2a6f2f2f4323c65fec805d2
SSDEEP: 6144:2loZMafOe1FzxtE8WdhQ3cbbxM8KDXqBVa07nIrvTuuupJ8eFJL4w:AoZnvzx3MbVM8KDXqBVa07nIrAJX
Malware Config

Signatures

Detect Umbral payload (1 IoC)
resource: behavioral1/memory/432-1-0x00000180BB030000-0x00000180BB070000-memory.dmp
yara_rule: family_umbral
The rule matched a 256 KB region (0x180BB030000 to 0x180BB070000) dumped from the memory of PID 432 (TOOLSNXCLXN.exe), not the file on disk.

Suspicious use of AdjustPrivilegeToken (43 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 432 | TOOLSNXCLXN.exe
Token: SeIncreaseQuotaPrivilege | 1952 | wmic.exe
Token: SeSecurityPrivilege | 1952 | wmic.exe
Token: SeTakeOwnershipPrivilege | 1952 | wmic.exe
Token: SeLoadDriverPrivilege | 1952 | wmic.exe
Token: SeSystemProfilePrivilege | 1952 | wmic.exe
Token: SeSystemtimePrivilege | 1952 | wmic.exe
Token: SeProfSingleProcessPrivilege | 1952 | wmic.exe
Token: SeIncBasePriorityPrivilege | 1952 | wmic.exe
Token: SeCreatePagefilePrivilege | 1952 | wmic.exe
Token: SeBackupPrivilege | 1952 | wmic.exe
Token: SeRestorePrivilege | 1952 | wmic.exe
Token: SeShutdownPrivilege | 1952 | wmic.exe
Token: SeDebugPrivilege | 1952 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 1952 | wmic.exe
Token: SeRemoteShutdownPrivilege | 1952 | wmic.exe
Token: SeUndockPrivilege | 1952 | wmic.exe
Token: SeManageVolumePrivilege | 1952 | wmic.exe
Token: 33 | 1952 | wmic.exe
Token: 34 | 1952 | wmic.exe
Token: 35 | 1952 | wmic.exe
Token: 36 | 1952 | wmic.exe
The 21 wmic.exe rows are recorded twice in the report (42 entries), which with the single TOOLSNXCLXN.exe entry gives the 43 IoCs. Entries 33 to 36 are privilege LUIDs the sandbox did not resolve to names: 33 is SeIncreaseWorkingSetPrivilege, 34 SeTimeZonePrivilege, 35 SeCreateSymbolicLinkPrivilege and 36 SeDelegateSessionUserImpersonatePrivilege. Enabling this whole set is characteristic of wmic.exe itself and shows up for benign invocations as well; the entry that says something about the sample is TOOLSNXCLXN.exe enabling SeDebugPrivilege in its own token.

Suspicious use of WriteProcessMemory (2 IoCs)
description | pid | Process | procid_target
PID 432 wrote to memory of 1952 | 432 | TOOLSNXCLXN.exe | 70
PID 432 wrote to memory of 1952 | 432 | TOOLSNXCLXN.exe | 70
Both entries are the parent (TOOLSNXCLXN.exe, PID 432) writing into the child it has just created (wmic.exe, PID 1952; 70 is the report's internal process-tree node id). Process creation itself writes the child's startup parameters into the new process from the parent, so these two writes are consistent with the wmic.exe launch shown in the process tree and are not by themselves evidence of code injection.
Processes

1. C:\Users\Admin\AppData\Local\Temp\TOOLSNXCLXN.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\TOOLSNXCLXN.exe"
   PID: 432
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\Wbem\wmic.exe (child of PID 432)
      Command line: "wmic.exe" csproduct get uuid
      PID: 1952
      - Suspicious use of AdjustPrivilegeToken

"wmic csproduct get uuid" returns the UUID property of Win32_ComputerSystemProduct, the SMBIOS system UUID. It is a stable per-machine value that stealers commonly collect as a hardware ID to tag and deduplicate victims. An executable running from the user's Temp directory that spawns exactly this query is the behaviour in this report worth turning into a detection.
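The process tree above is the part of this report a detection engineer would turn into a rule. The following Python is an added example, not the sandbox's output and not the sample's code: it evaluates Sysmon-style process-creation events for the launcher-in-a-user-writable-path plus "wmic csproduct get uuid" pattern, and separately matches the report's SHA256 as an atomic indicator. The field names (ParentImage, Image, CommandLine, Hashes) follow Sysmon Event ID 1, but the event records are constructed for this example, including the explorer.exe parent assumed for PID 432, which the report does not show.

```python
"""Detection logic for the process tree in the report: an executable running
from a user-writable directory that spawns "wmic.exe csproduct get uuid",
plus an atomic match on the sample's SHA256 from the General section.

Added example, not output of the sandbox and not the sample's code. Events are
constructed here in a Sysmon Event ID 1 style (ParentImage, Image, CommandLine,
Hashes); the field names follow Sysmon, the records are made up for the example.
"""
import re
from typing import Dict, List

# SHA256 of TOOLSNXCLXN.exe as listed in the report.
UMBRAL_SAMPLE_SHA256 = "1040523f9dac2fb0ff0b30e5996aea8a5c326e685bc3633e5ea14f443aba7919"

# Lower-cased path fragments a standard user can write to.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\downloads\\",
                 "\\users\\public\\", "\\programdata\\")

# Matches the HWID query whether wmic is given bare, as wmic.exe, or by full path, quoted or not.
WMIC_UUID = re.compile(
    r'^\s*"?(?:[a-z]:\\[^"]*\\)?wmic(?:\.exe)?"?\s+csproduct\s+get\s+uuid\b', re.I)


def sha256_of(hashes_field: str) -> str:
    """Pull the SHA256 out of a Sysmon Hashes field such as 'MD5=..,SHA256=..'."""
    for part in hashes_field.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return ""


def from_user_writable(path: str) -> bool:
    """True if the image path sits in a directory a standard user can write to."""
    p = path.lower()
    return any(frag in p for frag in USER_WRITABLE)


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the names of the rules that fire for one process-creation event."""
    hits: List[str] = []
    parent = event.get("ParentImage", "")
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")

    # Atomic indicator: the created image is the known sample.
    if sha256_of(event.get("Hashes", "")) == UMBRAL_SAMPLE_SHA256:
        hits.append("ioc_hash_umbral_sample")

    # Behavioural indicator: the SMBIOS UUID read. It is only high-confidence
    # when the launcher itself lives somewhere a user could have dropped it.
    if image.lower().endswith("\\wmic.exe") and WMIC_UUID.match(cmd):
        if from_user_writable(parent):
            hits.append("wmic_hwid_query_from_user_writable_parent")
        else:
            hits.append("wmic_hwid_query")
    return hits


def scan(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each event's ProcessId to the rules it triggered."""
    return {e["ProcessId"]: evaluate(e) for e in events}


# Constructed events: the two processes from the report's tree, plus benign noise.
# The report does not show the parent of PID 432; explorer.exe is assumed here.
SAMPLE_EVENTS = [
    {"ProcessId": "432",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Users\Admin\AppData\Local\Temp\TOOLSNXCLXN.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\TOOLSNXCLXN.exe"',
     "Hashes": "MD5=8628b9dd8871af6a292f3a6e08386eaf,"
               "SHA256=1040523f9dac2fb0ff0b30e5996aea8a5c326e685bc3633e5ea14f443aba7919"},
    {"ProcessId": "1952",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\TOOLSNXCLXN.exe",
     "Image": r"C:\Windows\System32\Wbem\wmic.exe",
     "CommandLine": '"wmic.exe" csproduct get uuid'},
    {"ProcessId": "2300",  # an administrator typing the same query at a shell
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\Wbem\wmic.exe",
     "CommandLine": "wmic csproduct get uuid"},
    {"ProcessId": "2400",  # same launcher, a different WMI query: not the HWID read
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\TOOLSNXCLXN.exe",
     "Image": r"C:\Windows\System32\Wbem\wmic.exe",
     "CommandLine": "wmic os get caption"},
]

if __name__ == "__main__":
    for pid, rules in scan(SAMPLE_EVENTS).items():
        print(pid, rules or "-")
```

Run stand-alone it prints the rules that fire per PID. The administrator-at-a-shell event is why the parent-path condition is split out as a lower-confidence variant: the UUID read alone is common on managed fleets, and it is the combination with a launcher in Temp that reproduces what the sandbox recorded for PIDs 432 and 1952.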