Analysis
max time kernel: 122s
max time network: 123s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 15-06-2024 07:04

Behavioral task: behavioral1
Sample: executor.exe
Resource: win7-20240221-en (windows7-x64)
4 signatures, 150 seconds
General
Target: executor.exe
Size: 230KB
MD5: 6d36622e437d5f0bbeb1e43ee49ffe35
SHA1: 98751d0a048e319fec614ae26c1c78c86a048300
SHA256: 7561ef67b210e8d30d71700ca0288c5d391adc968988db16eeac209b7cb5941e
SHA512: 10f21503c75bded2ce97b260792581d7abf7f633d29cff93251957dad2fd184911160e1dbac19d7325703d0163a2b34e728be07de273dcbbbe87f41da6a1f13e
SSDEEP: 6144:lloZM+rIkd8g+EtXHkv/iD40naJUBPUonXWvRsY9Mcb8e1mh5ui:noZtL+EP80naJUBPUonXWvRsY95OD
Malware Config
Signatures
- Detect Umbral payload (1 IoC)
  resource: behavioral1/memory/2944-1-0x0000000000A80000-0x0000000000AC0000-memory.dmp
  yara_rule: family_umbral
- Suspicious use of AdjustPrivilegeToken (41 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2944 | executor.exe
  Token adjustments by PID 1632 (wmic.exe), the same sequence of 20 reported twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 2944 wrote to memory of 1632 | 2944 | executor.exe | 28 (3 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\executor.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\executor.exe"
  PID: 2944
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - child: C:\Windows\System32\Wbem\wmic.exe
    command line: "wmic.exe" csproduct get uuid
    PID: 1632
    - Suspicious use of AdjustPrivilegeToken