Analysis
-
max time kernel
118s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
07-05-2024 17:37
Behavioral task
behavioral1
Sample
628d7cd6016b226c4e5e5252b29dc89e42d30ffebfb489e36857079aad591ce6.exe
Resource
win7-20240221-en
windows7-x64
4 signatures
150 seconds
General
-
Target
628d7cd6016b226c4e5e5252b29dc89e42d30ffebfb489e36857079aad591ce6.exe
-
Size
232KB
-
MD5
afbe250f9d941daf1fc895e29d0b2821
-
SHA1
9aeaa55efa56702a0c2694ff2de3a5c6df7b03ac
-
SHA256
628d7cd6016b226c4e5e5252b29dc89e42d30ffebfb489e36857079aad591ce6
-
SHA512
177ddc51032af306d32c0826efddfa3be5e68621b440be764fba7ad37fd982fb58d7e902e4eb258fe50bbd236f82457e45e7d12a885c78314b304e72fb0f2c94
-
SSDEEP
6144:tloZMDXU9Zx0kt8X0/PSCsMpwpf3tW+x5R0STTKN0b8e1mKISi:voZnf0kkPQwpf3tW+x5R0STTKm2
Malware Config
Signatures
-
Detect Umbral payload 1 IoCs
resource yara_rule behavioral1/memory/2172-1-0x00000000013A0000-0x00000000013E0000-memory.dmp family_umbral -
Suspicious use of AdjustPrivilegeToken 41 IoCs
description pid Process Token: SeDebugPrivilege 2172 628d7cd6016b226c4e5e5252b29dc89e42d30ffebfb489e36857079aad591ce6.exe Token: SeIncreaseQuotaPrivilege 2624 wmic.exe Token: SeSecurityPrivilege 2624 wmic.exe Token: SeTakeOwnershipPrivilege 2624 wmic.exe Token: SeLoadDriverPrivilege 2624 wmic.exe Token: SeSystemProfilePrivilege 2624 wmic.exe Token: SeSystemtimePrivilege 2624 wmic.exe Token: SeProfSingleProcessPrivilege 2624 wmic.exe Token: SeIncBasePriorityPrivilege 2624 wmic.exe Token: SeCreatePagefilePrivilege 2624 wmic.exe Token: SeBackupPrivilege 2624 wmic.exe Token: SeRestorePrivilege 2624 wmic.exe Token: SeShutdownPrivilege 2624 wmic.exe Token: SeDebugPrivilege 2624 wmic.exe Token: SeSystemEnvironmentPrivilege 2624 wmic.exe Token: SeRemoteShutdownPrivilege 2624 wmic.exe Token: SeUndockPrivilege 2624 wmic.exe Token: SeManageVolumePrivilege 2624 wmic.exe Token: 33 2624 wmic.exe Token: 34 2624 wmic.exe Token: 35 2624 wmic.exe Token: SeIncreaseQuotaPrivilege 2624 wmic.exe Token: SeSecurityPrivilege 2624 wmic.exe Token: SeTakeOwnershipPrivilege 2624 wmic.exe Token: SeLoadDriverPrivilege 2624 wmic.exe Token: SeSystemProfilePrivilege 2624 wmic.exe Token: SeSystemtimePrivilege 2624 wmic.exe Token: SeProfSingleProcessPrivilege 2624 wmic.exe Token: SeIncBasePriorityPrivilege 2624 wmic.exe Token: SeCreatePagefilePrivilege 2624 wmic.exe Token: SeBackupPrivilege 2624 wmic.exe Token: SeRestorePrivilege 2624 wmic.exe Token: SeShutdownPrivilege 2624 wmic.exe Token: SeDebugPrivilege 2624 wmic.exe Token: SeSystemEnvironmentPrivilege 2624 wmic.exe Token: SeRemoteShutdownPrivilege 2624 wmic.exe Token: SeUndockPrivilege 2624 wmic.exe Token: SeManageVolumePrivilege 2624 wmic.exe Token: 33 2624 wmic.exe Token: 34 2624 wmic.exe Token: 35 2624 wmic.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2172 wrote to memory of 2624 2172 628d7cd6016b226c4e5e5252b29dc89e42d30ffebfb489e36857079aad591ce6.exe 28 PID 2172 wrote to memory of 2624 2172 628d7cd6016b226c4e5e5252b29dc89e42d30ffebfb489e36857079aad591ce6.exe 28 PID 2172 wrote to memory of 2624 2172 628d7cd6016b226c4e5e5252b29dc89e42d30ffebfb489e36857079aad591ce6.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\628d7cd6016b226c4e5e5252b29dc89e42d30ffebfb489e36857079aad591ce6.exe"C:\Users\Admin\AppData\Local\Temp\628d7cd6016b226c4e5e5252b29dc89e42d30ffebfb489e36857079aad591ce6.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2624
-