Analysis
max time kernel: 21s
max time network: 17s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 30-07-2024 17:34
Behavioral task: behavioral1
Sample: y.exe
Resource: win7-20240708-en
Platform: windows7-x64
5 signatures
150 seconds

Behavioral task: behavioral2
Sample: y.exe
Resource: win10v2004-20240730-en
Platform: windows10-2004-x64
11 signatures
150 seconds
General
Target: y.exe
Size: 224KB
MD5: 4c335d3e3958413df7b9c81b7ac29100
SHA1: a43f7ae504164fd29a9bb7f88430efeb396ed69f
SHA256: 7ba28499d2c1399eba708b00fdc97095f938d5755d148fbe5626ffa68b8e5385
SHA512: 28008caa99955df01abf2d9756c204b0b4105659ea1150c32a54044f60b3ac7a1c0631530e6b6e3bdd377ecaa6aac4c7845691262d18979cc1f74709a13bfce2
SSDEEP: 6144:floZM+rIkd8g+EtXHkv/iD4SQzYkK8eucHi:doZtL+EP8RR
Malware Config
Signatures

Detect Umbral payload (1 IoC)
resource: behavioral1/memory/2184-1-0x00000000002D0000-0x000000000030E000-memory.dmp
yara_rule: family_umbral

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow: 6
ioc: ip-api.com

Suspicious use of AdjustPrivilegeToken (41 IoCs)
description  pid  Process
Token: SeDebugPrivilege  2184  y.exe
Token: SeIncreaseQuotaPrivilege  2072  wmic.exe
Token: SeSecurityPrivilege  2072  wmic.exe
Token: SeTakeOwnershipPrivilege  2072  wmic.exe
Token: SeLoadDriverPrivilege  2072  wmic.exe
Token: SeSystemProfilePrivilege  2072  wmic.exe
Token: SeSystemtimePrivilege  2072  wmic.exe
Token: SeProfSingleProcessPrivilege  2072  wmic.exe
Token: SeIncBasePriorityPrivilege  2072  wmic.exe
Token: SeCreatePagefilePrivilege  2072  wmic.exe
Token: SeBackupPrivilege  2072  wmic.exe
Token: SeRestorePrivilege  2072  wmic.exe
Token: SeShutdownPrivilege  2072  wmic.exe
Token: SeDebugPrivilege  2072  wmic.exe
Token: SeSystemEnvironmentPrivilege  2072  wmic.exe
Token: SeRemoteShutdownPrivilege  2072  wmic.exe
Token: SeUndockPrivilege  2072  wmic.exe
Token: SeManageVolumePrivilege  2072  wmic.exe
Token: 33  2072  wmic.exe
Token: 34  2072  wmic.exe
Token: 35  2072  wmic.exe
Token: SeIncreaseQuotaPrivilege  2072  wmic.exe
Token: SeSecurityPrivilege  2072  wmic.exe
Token: SeTakeOwnershipPrivilege  2072  wmic.exe
Token: SeLoadDriverPrivilege  2072  wmic.exe
Token: SeSystemProfilePrivilege  2072  wmic.exe
Token: SeSystemtimePrivilege  2072  wmic.exe
Token: SeProfSingleProcessPrivilege  2072  wmic.exe
Token: SeIncBasePriorityPrivilege  2072  wmic.exe
Token: SeCreatePagefilePrivilege  2072  wmic.exe
Token: SeBackupPrivilege  2072  wmic.exe
Token: SeRestorePrivilege  2072  wmic.exe
Token: SeShutdownPrivilege  2072  wmic.exe
Token: SeDebugPrivilege  2072  wmic.exe
Token: SeSystemEnvironmentPrivilege  2072  wmic.exe
Token: SeRemoteShutdownPrivilege  2072  wmic.exe
Token: SeUndockPrivilege  2072  wmic.exe
Token: SeManageVolumePrivilege  2072  wmic.exe
Token: 33  2072  wmic.exe
Token: 34  2072  wmic.exe
Token: 35  2072  wmic.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description  pid  Process  procid_target
PID 2184 wrote to memory of 2072  2184  y.exe  30
PID 2184 wrote to memory of 2072  2184  y.exe  30
PID 2184 wrote to memory of 2072  2184  y.exe  30