Analysis
max time kernel: 14s
max time network: 18s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 02-06-2024 17:31
Behavioral task: behavioral1
Sample: xlucheats.exe
Resource: win7-20240221-en (windows7-x64)
4 signatures, 150 seconds
General
Target: xlucheats.exe
Size: 231KB
MD5: 118714b4be372564292805a6016487cf
SHA1: 08e8bf51aa6f2815d8ef050c21912a079d62aaf7
SHA256: b9bc80f978004667f7061aca80b41361b8ed3bfc49a1c00845d8d89688625b53
SHA512: 523436e0a966027c1e87f9036025f956b96a9e9ded6cdc1f9da9df77384b2c176e758f219834268e9d37f5a236eef551a2561889fc2db429f6e2e49124ade34e
SSDEEP: 6144:xloZM+rIkd8g+EtXHkv/iD4GAOk8il92vDe8NhoFynb8e1mmFMi:DoZtL+EP8GAOk8il92vDe8NhoFInH
Malware Config
Signatures

Detect Umbral payload (1 IoCs)
resource                                                                    yara_rule
behavioral1/memory/1688-1-0x0000000001270000-0x00000000012B0000-memory.dmp  family_umbral

Suspicious use of AdjustPrivilegeToken (41 IoCs)
description                              pid   Process
Token: SeDebugPrivilege                  1688  xlucheats.exe
Token: SeIncreaseQuotaPrivilege          2916  wmic.exe
Token: SeSecurityPrivilege               2916  wmic.exe
Token: SeTakeOwnershipPrivilege          2916  wmic.exe
Token: SeLoadDriverPrivilege             2916  wmic.exe
Token: SeSystemProfilePrivilege          2916  wmic.exe
Token: SeSystemtimePrivilege             2916  wmic.exe
Token: SeProfSingleProcessPrivilege      2916  wmic.exe
Token: SeIncBasePriorityPrivilege        2916  wmic.exe
Token: SeCreatePagefilePrivilege         2916  wmic.exe
Token: SeBackupPrivilege                 2916  wmic.exe
Token: SeRestorePrivilege                2916  wmic.exe
Token: SeShutdownPrivilege               2916  wmic.exe
Token: SeDebugPrivilege                  2916  wmic.exe
Token: SeSystemEnvironmentPrivilege      2916  wmic.exe
Token: SeRemoteShutdownPrivilege         2916  wmic.exe
Token: SeUndockPrivilege                 2916  wmic.exe
Token: SeManageVolumePrivilege           2916  wmic.exe
Token: 33                                2916  wmic.exe
Token: 34                                2916  wmic.exe
Token: 35                                2916  wmic.exe
Token: SeIncreaseQuotaPrivilege          2916  wmic.exe
Token: SeSecurityPrivilege               2916  wmic.exe
Token: SeTakeOwnershipPrivilege          2916  wmic.exe
Token: SeLoadDriverPrivilege             2916  wmic.exe
Token: SeSystemProfilePrivilege          2916  wmic.exe
Token: SeSystemtimePrivilege             2916  wmic.exe
Token: SeProfSingleProcessPrivilege      2916  wmic.exe
Token: SeIncBasePriorityPrivilege        2916  wmic.exe
Token: SeCreatePagefilePrivilege         2916  wmic.exe
Token: SeBackupPrivilege                 2916  wmic.exe
Token: SeRestorePrivilege                2916  wmic.exe
Token: SeShutdownPrivilege               2916  wmic.exe
Token: SeDebugPrivilege                  2916  wmic.exe
Token: SeSystemEnvironmentPrivilege      2916  wmic.exe
Token: SeRemoteShutdownPrivilege         2916  wmic.exe
Token: SeUndockPrivilege                 2916  wmic.exe
Token: SeManageVolumePrivilege           2916  wmic.exe
Token: 33                                2916  wmic.exe
Token: 34                                2916  wmic.exe
Token: 35                                2916  wmic.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description                          pid   Process        procid_target
PID 1688 wrote to memory of 2916     1688  xlucheats.exe  28
PID 1688 wrote to memory of 2916     1688  xlucheats.exe  28
PID 1688 wrote to memory of 2916     1688  xlucheats.exe  28
Processes

C:\Users\Admin\AppData\Local\Temp\xlucheats.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\xlucheats.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1688
  └─ C:\Windows\System32\Wbem\wmic.exe
       command line: "wmic.exe" csproduct get uuid
       - Suspicious use of AdjustPrivilegeToken
       PID: 2916