Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
03-06-2024 09:53
Behavioral task
behavioral1
Sample
LegacyPhasmo/LegacyPhasmo.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
LegacyPhasmo/LegacyPhasmo.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral3
Sample
LegacyPhasmo/start.exe
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
LegacyPhasmo/start.exe
Resource
win10v2004-20240226-en
General
-
Target
LegacyPhasmo/LegacyPhasmo.exe
-
Size
495KB
-
MD5
85946e8adc17bed93bb80005f2caabe7
-
SHA1
b7941993fc3c58a9a42296b82e43f0988feb2ed9
-
SHA256
649683f80b00b62ba0979634a6935088637e8b12f91ef8260dfaafa4840d6555
-
SHA512
331cc3635905ff7673f545c7570cbaae1fa7a7b5637a610d1ce801929d67b527e88cb1e453aa4b1c402ea2565e0e5fa6729d822d38527a6bd8f8e84348c6e51c
-
SSDEEP
6144:vloZM+rIkd8g+EtXHkv/iD42LM3t74sziKrd4UB8Fb8e1mgi04OA:NoZtL+EP82LM3t74sziKrd4UBsa00
Malware Config
Signatures
-
Detect Umbral payload 1 IoCs
resource yara_rule behavioral1/memory/2192-1-0x0000000000810000-0x0000000000892000-memory.dmp family_umbral -
Suspicious use of AdjustPrivilegeToken 41 IoCs
description pid Process Token: SeDebugPrivilege 2192 LegacyPhasmo.exe Token: SeIncreaseQuotaPrivilege 3020 wmic.exe Token: SeSecurityPrivilege 3020 wmic.exe Token: SeTakeOwnershipPrivilege 3020 wmic.exe Token: SeLoadDriverPrivilege 3020 wmic.exe Token: SeSystemProfilePrivilege 3020 wmic.exe Token: SeSystemtimePrivilege 3020 wmic.exe Token: SeProfSingleProcessPrivilege 3020 wmic.exe Token: SeIncBasePriorityPrivilege 3020 wmic.exe Token: SeCreatePagefilePrivilege 3020 wmic.exe Token: SeBackupPrivilege 3020 wmic.exe Token: SeRestorePrivilege 3020 wmic.exe Token: SeShutdownPrivilege 3020 wmic.exe Token: SeDebugPrivilege 3020 wmic.exe Token: SeSystemEnvironmentPrivilege 3020 wmic.exe Token: SeRemoteShutdownPrivilege 3020 wmic.exe Token: SeUndockPrivilege 3020 wmic.exe Token: SeManageVolumePrivilege 3020 wmic.exe Token: 33 3020 wmic.exe Token: 34 3020 wmic.exe Token: 35 3020 wmic.exe Token: SeIncreaseQuotaPrivilege 3020 wmic.exe Token: SeSecurityPrivilege 3020 wmic.exe Token: SeTakeOwnershipPrivilege 3020 wmic.exe Token: SeLoadDriverPrivilege 3020 wmic.exe Token: SeSystemProfilePrivilege 3020 wmic.exe Token: SeSystemtimePrivilege 3020 wmic.exe Token: SeProfSingleProcessPrivilege 3020 wmic.exe Token: SeIncBasePriorityPrivilege 3020 wmic.exe Token: SeCreatePagefilePrivilege 3020 wmic.exe Token: SeBackupPrivilege 3020 wmic.exe Token: SeRestorePrivilege 3020 wmic.exe Token: SeShutdownPrivilege 3020 wmic.exe Token: SeDebugPrivilege 3020 wmic.exe Token: SeSystemEnvironmentPrivilege 3020 wmic.exe Token: SeRemoteShutdownPrivilege 3020 wmic.exe Token: SeUndockPrivilege 3020 wmic.exe Token: SeManageVolumePrivilege 3020 wmic.exe Token: 33 3020 wmic.exe Token: 34 3020 wmic.exe Token: 35 3020 wmic.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2192 wrote to memory of 3020 2192 LegacyPhasmo.exe 28 PID 2192 wrote to memory of 3020 2192 LegacyPhasmo.exe 28 PID 2192 wrote to memory of 3020 2192 LegacyPhasmo.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\LegacyPhasmo\LegacyPhasmo.exe"C:\Users\Admin\AppData\Local\Temp\LegacyPhasmo\LegacyPhasmo.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3020
-