Overview
overview
10Static
static
10Image Logg...up.bat
windows7-x64
10Image Logg...up.bat
windows10-2004-x64
10Image Logg...px.exe
windows7-x64
10Image Logg...px.exe
windows10-2004-x64
10Image Logg...in.exe
windows7-x64
7Image Logg...in.exe
windows10-2004-x64
7Image Logg...rt.bat
windows7-x64
10Image Logg...rt.bat
windows10-2004-x64
10Analysis
-
max time kernel
30s -
max time network
6s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
11-10-2024 21:41
Behavioral task
behavioral1
Sample
Image Logger/Setup.bat
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral2
Sample
Image Logger/Setup.bat
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
Image Logger/Src/Files/upx.exe
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral4
Sample
Image Logger/Src/Files/upx.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
Image Logger/Src/main.exe
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral6
Sample
Image Logger/Src/main.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
Image Logger/Start.bat
Resource
win7-20240903-en
windows7-x64
General
-
Target
Image Logger/Src/Files/upx.exe
-
Size
231KB
-
MD5
88b64c5cad0453a14347d415f9d4f82b
-
SHA1
4a613e651418497885bf4861dc27fee379eee1b9
-
SHA256
f7f74aeaf94b242f73f0417796f4814c1a857eaa246ebcb7a667643d90af938e
-
SHA512
56775a3ce0c99998c0354a5d7485fbaf01e83f247412849abd2d81461decf0e9c4fa095d43e18be74fe7225df2b6cbbc2f98f4abf5611192ef66d83abee2d7d2
-
SSDEEP
6144:bloZM+rIkd8g+EtXHkv/iD4irHJzZqStHY5rWWDIPb8e1m4i:5oZtL+EP8irHJzZqStHY5rWWD2y
Malware Config
Signatures
-
Detect Umbral payload 1 IoCs
resource yara_rule behavioral4/memory/440-1-0x0000017974CC0000-0x0000017974D00000-memory.dmp family_umbral -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 3 ip-api.com -
Suspicious use of AdjustPrivilegeToken 43 IoCs
description pid Process Token: SeDebugPrivilege 440 upx.exe Token: SeIncreaseQuotaPrivilege 708 wmic.exe Token: SeSecurityPrivilege 708 wmic.exe Token: SeTakeOwnershipPrivilege 708 wmic.exe Token: SeLoadDriverPrivilege 708 wmic.exe Token: SeSystemProfilePrivilege 708 wmic.exe Token: SeSystemtimePrivilege 708 wmic.exe Token: SeProfSingleProcessPrivilege 708 wmic.exe Token: SeIncBasePriorityPrivilege 708 wmic.exe Token: SeCreatePagefilePrivilege 708 wmic.exe Token: SeBackupPrivilege 708 wmic.exe Token: SeRestorePrivilege 708 wmic.exe Token: SeShutdownPrivilege 708 wmic.exe Token: SeDebugPrivilege 708 wmic.exe Token: SeSystemEnvironmentPrivilege 708 wmic.exe Token: SeRemoteShutdownPrivilege 708 wmic.exe Token: SeUndockPrivilege 708 wmic.exe Token: SeManageVolumePrivilege 708 wmic.exe Token: 33 708 wmic.exe Token: 34 708 wmic.exe Token: 35 708 wmic.exe Token: 36 708 wmic.exe Token: SeIncreaseQuotaPrivilege 708 wmic.exe Token: SeSecurityPrivilege 708 wmic.exe Token: SeTakeOwnershipPrivilege 708 wmic.exe Token: SeLoadDriverPrivilege 708 wmic.exe Token: SeSystemProfilePrivilege 708 wmic.exe Token: SeSystemtimePrivilege 708 wmic.exe Token: SeProfSingleProcessPrivilege 708 wmic.exe Token: SeIncBasePriorityPrivilege 708 wmic.exe Token: SeCreatePagefilePrivilege 708 wmic.exe Token: SeBackupPrivilege 708 wmic.exe Token: SeRestorePrivilege 708 wmic.exe Token: SeShutdownPrivilege 708 wmic.exe Token: SeDebugPrivilege 708 wmic.exe Token: SeSystemEnvironmentPrivilege 708 wmic.exe Token: SeRemoteShutdownPrivilege 708 wmic.exe Token: SeUndockPrivilege 708 wmic.exe Token: SeManageVolumePrivilege 708 wmic.exe Token: 33 708 wmic.exe Token: 34 708 wmic.exe Token: 35 708 wmic.exe Token: 36 708 wmic.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 440 wrote to memory of 708 440 upx.exe 84 PID 440 wrote to memory of 708 440 upx.exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\Image Logger\Src\Files\upx.exe"C:\Users\Admin\AppData\Local\Temp\Image Logger\Src\Files\upx.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:440 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid2⤵
- Suspicious use of AdjustPrivilegeToken
PID:708
-