Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system -
submitted
01-06-2024 11:21
Behavioral task
behavioral1
Sample
ProjectExstracter.exe
Resource
win7-20240221-en
windows7-x64
4 signatures
150 seconds
General
-
Target
ProjectExstracter.exe
-
Size
235KB
-
MD5
32099bdcf2a8c75821bc048193d3b1f5
-
SHA1
3a28da976bdb4f301dc94afcd0cf2ed60e0c0065
-
SHA256
25c02277f2a8d87c337a7ed145b3aebe37df66811b7fa9f158dfb09af777fd19
-
SHA512
e13e0c78cff7e9603c2cee4c720d5680c3ddbd0a21303dcd67733c06f284f7657cdfd10544e6cab470f4d92129a5e8c98684cb518b204ffcfba439249bcaa18c
-
SSDEEP
6144:TloZM+rIkd8g+EtXHkv/iD4agl0LxCqVYQhTuOLKDb8e1moiLiP:RoZtL+EP8agl0LxCqVYQhTuOLM3J
Malware Config
Signatures
-
Detect Umbral payload 1 IoCs
resource: behavioral1/memory/2932-1-0x00000000013D0000-0x0000000001410000-memory.dmp
yara_rule: family_umbral
The match is against a 0x40000-byte (256 KB) region dumped from the sample's own process (PID 2932), not from a file on disk. -
Suspicious use of AdjustPrivilegeToken 41 IoCs
description  pid   Process
Token: SeDebugPrivilege  2932  ProjectExstracter.exe
Token: SeIncreaseQuotaPrivilege  3068  wmic.exe
Token: SeSecurityPrivilege  3068  wmic.exe
Token: SeTakeOwnershipPrivilege  3068  wmic.exe
Token: SeLoadDriverPrivilege  3068  wmic.exe
Token: SeSystemProfilePrivilege  3068  wmic.exe
Token: SeSystemtimePrivilege  3068  wmic.exe
Token: SeProfSingleProcessPrivilege  3068  wmic.exe
Token: SeIncBasePriorityPrivilege  3068  wmic.exe
Token: SeCreatePagefilePrivilege  3068  wmic.exe
Token: SeBackupPrivilege  3068  wmic.exe
Token: SeRestorePrivilege  3068  wmic.exe
Token: SeShutdownPrivilege  3068  wmic.exe
Token: SeDebugPrivilege  3068  wmic.exe
Token: SeSystemEnvironmentPrivilege  3068  wmic.exe
Token: SeRemoteShutdownPrivilege  3068  wmic.exe
Token: SeUndockPrivilege  3068  wmic.exe
Token: SeManageVolumePrivilege  3068  wmic.exe
Token: 33  3068  wmic.exe
Token: 34  3068  wmic.exe
Token: 35  3068  wmic.exe
Token: SeIncreaseQuotaPrivilege  3068  wmic.exe
Token: SeSecurityPrivilege  3068  wmic.exe
Token: SeTakeOwnershipPrivilege  3068  wmic.exe
Token: SeLoadDriverPrivilege  3068  wmic.exe
Token: SeSystemProfilePrivilege  3068  wmic.exe
Token: SeSystemtimePrivilege  3068  wmic.exe
Token: SeProfSingleProcessPrivilege  3068  wmic.exe
Token: SeIncBasePriorityPrivilege  3068  wmic.exe
Token: SeCreatePagefilePrivilege  3068  wmic.exe
Token: SeBackupPrivilege  3068  wmic.exe
Token: SeRestorePrivilege  3068  wmic.exe
Token: SeShutdownPrivilege  3068  wmic.exe
Token: SeDebugPrivilege  3068  wmic.exe
Token: SeSystemEnvironmentPrivilege  3068  wmic.exe
Token: SeRemoteShutdownPrivilege  3068  wmic.exe
Token: SeUndockPrivilege  3068  wmic.exe
Token: SeManageVolumePrivilege  3068  wmic.exe
Token: 33  3068  wmic.exe
Token: 34  3068  wmic.exe
Token: 35  3068  wmic.exe
Only the first entry is specific to the sample: ProjectExstracter.exe (PID 2932) enables SeDebugPrivilege in its own token. The remaining 40 entries are two identical 20-entry passes by wmic.exe (PID 3068) enabling every privilege available to it, a pattern wmic.exe produces on its own regardless of the query it runs. -
Suspicious use of WriteProcessMemory 3 IoCs
description  pid   Process  procid_target
PID 2932 wrote to memory of 3068  ProjectExstracter.exe  28
PID 2932 wrote to memory of 3068  ProjectExstracter.exe  28
PID 2932 wrote to memory of 3068  ProjectExstracter.exe  28
All three writes go from the sample (PID 2932) into the wmic.exe child it has just created (PID 3068); a parent writing into a newly created child is part of normal process creation, so this signature does not by itself show injection into an unrelated process. -
Processes
-
C:\Users\Admin\AppData\Local\Temp\ProjectExstracter.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ProjectExstracter.exe"
  PID: 2932
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\Wbem\wmic.exe (child of PID 2932)
    Command line: "wmic.exe" csproduct get uuid
    PID: 3068
    - Suspicious use of AdjustPrivilegeToken
The only child recorded is wmic.exe querying Win32_ComputerSystemProduct for the SMBIOS UUID, a stable per-machine value that stealers collect as a hardware/victim identifier. No other process is recorded in this run.
-
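The two behaviours worth keying on in this report are the process tree (a binary in the user's Temp directory spawning `wmic.exe csproduct get uuid`) and the token events (the sample's own SeDebugPrivilege buried under wmic.exe's privilege noise). The script below is an added example, not part of the sandbox report or of the Umbral sample: it runs both checks over constructed process records modelled on the PIDs and command lines above and over a constructed excerpt of the report's flattened "Token: <privilege> <pid> <image>" text. The record fields, the regexes and the benign cmd.exe control are assumptions.

```python
"""Triage of the process tree and AdjustPrivilegeToken events above.

Added example, not part of the sandbox report or the Umbral sample. The
process records and the token-event excerpt are constructed from the
report's values for illustration; field names are assumptions.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed process-creation records modelled on the report's tree
# (PIDs 2932 and 3068), plus an interactive admin running the same query
# from cmd.exe as a benign control that must not be flagged.
EVENTS = [
    ProcEvent(2932, 0, r"C:\Users\Admin\AppData\Local\Temp\ProjectExstracter.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\ProjectExstracter.exe"'),
    ProcEvent(3068, 2932, r"C:\Windows\System32\Wbem\wmic.exe",
              '"wmic.exe" csproduct get uuid'),
    ProcEvent(4100, 0, r"C:\Windows\System32\cmd.exe", '"cmd.exe"'),
    ProcEvent(4104, 4100, r"C:\Windows\System32\Wbem\wmic.exe",
              "wmic csproduct get uuid"),
]

# Parent image under a user-writable Temp directory (pattern assumed here).
USER_TEMP = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
# Win32_ComputerSystemProduct UUID query via the csproduct alias.
HWID_QUERY = re.compile(r"\bcsproduct\b.*\bget\b.*\buuid\b", re.I)


def find_hwid_collection(events: list[ProcEvent]) -> list[tuple[int, int, str]]:
    """Return (parent_pid, child_pid, cmdline) for every wmic.exe SMBIOS-UUID
    query whose parent runs out of a user Temp directory."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not e.image.lower().endswith(r"\wbem\wmic.exe"):
            continue
        if not HWID_QUERY.search(e.cmdline):
            continue
        parent = by_pid.get(e.ppid)
        if parent is not None and USER_TEMP.match(parent.image):
            hits.append((parent.pid, e.pid, e.cmdline))
    return hits


# Constructed excerpt (first entries only) in the report's own flattened
# "Token: <privilege> <pid> <image>" layout; numeric names such as 33 are
# privilege LUIDs the report left unresolved.
TOKEN_TEXT = (
    "Token: SeDebugPrivilege 2932 ProjectExstracter.exe "
    "Token: SeIncreaseQuotaPrivilege 3068 wmic.exe "
    "Token: SeSecurityPrivilege 3068 wmic.exe "
    "Token: SeTakeOwnershipPrivilege 3068 wmic.exe "
    "Token: SeLoadDriverPrivilege 3068 wmic.exe "
    "Token: SeDebugPrivilege 3068 wmic.exe "
    "Token: 33 3068 wmic.exe "
    "Token: SeIncreaseQuotaPrivilege 3068 wmic.exe "
)
TOKEN_RE = re.compile(r"Token:\s+(\S+)\s+(\d+)\s+(\S+)")


def privileges_by_process(text: str) -> dict[tuple[int, str], Counter]:
    """Group the flattened token events by (pid, image), counting repeats."""
    out: dict[tuple[int, str], Counter] = {}
    for priv, pid, image in TOKEN_RE.findall(text):
        out.setdefault((int(pid), image), Counter())[priv] += 1
    return out


def sample_specific_privileges(text: str) -> dict[tuple[int, str], Counter]:
    """Drop wmic.exe, which enables its whole privilege set on its own, so
    only the privileges the sample itself requested remain."""
    return {k: v for k, v in privileges_by_process(text).items()
            if k[1].lower() != "wmic.exe"}


if __name__ == "__main__":
    for ppid, pid, cmd in find_hwid_collection(EVENTS):
        print(f"HWID collection: parent {ppid} -> wmic.exe {pid}: {cmd}")
    for (pid, image), privs in sample_specific_privileges(TOKEN_TEXT).items():
        print(f"{image} ({pid}) enabled {dict(privs)}")
```

The parent-path condition is what keeps the cmd.exe control quiet: the query itself is legitimate admin tooling, and the signal is who launched it. The privilege grouping mirrors the reasoning a triager applies to the 41-entry list above, stripping the wmic.exe passes and leaving the sample's own SeDebugPrivilege request.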