Analysis
-
max time kernel
119s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
14-10-2024 20:08
Behavioral task
behavioral1
Sample
atomic.exe
Resource
win7-20240903-en
windows7-x64
5 signatures
150 seconds
General
-
Target
atomic.exe
-
Size
229KB
-
MD5
05f1e261fdb236fd899a48d71a5f33f1
-
SHA1
6a0399a6a8417616f5fd72e075712a54fbde4a6d
-
SHA256
15e734a6600467bdf53fb3e997151562f25797baa8e5688036240438a96ca1e1
-
SHA512
f637b0c54c8223a41961274cabe34e1d9b23e351e6f78658617785d53785e31ec33bdef700d7257ca9667420fafe6ec556d210fd5cf1f11d03b1b7443b923212
-
SSDEEP
6144:tloZMLrIkd8g+EtXHkv/iD4H4jwT5KyNo4ZL22jx9b8e1mrgi:voZ0L+EP8H4jwT5KyNo4ZL22jz2
Malware Config
Signatures
-
Detect Umbral payload 1 IoCs
resource yara_rule behavioral1/memory/1988-1-0x0000000000AF0000-0x0000000000B30000-memory.dmp family_umbral -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 6 ip-api.com -
Suspicious use of AdjustPrivilegeToken 41 IoCs
description pid Process Token: SeDebugPrivilege 1988 atomic.exe Token: SeIncreaseQuotaPrivilege 2932 wmic.exe Token: SeSecurityPrivilege 2932 wmic.exe Token: SeTakeOwnershipPrivilege 2932 wmic.exe Token: SeLoadDriverPrivilege 2932 wmic.exe Token: SeSystemProfilePrivilege 2932 wmic.exe Token: SeSystemtimePrivilege 2932 wmic.exe Token: SeProfSingleProcessPrivilege 2932 wmic.exe Token: SeIncBasePriorityPrivilege 2932 wmic.exe Token: SeCreatePagefilePrivilege 2932 wmic.exe Token: SeBackupPrivilege 2932 wmic.exe Token: SeRestorePrivilege 2932 wmic.exe Token: SeShutdownPrivilege 2932 wmic.exe Token: SeDebugPrivilege 2932 wmic.exe Token: SeSystemEnvironmentPrivilege 2932 wmic.exe Token: SeRemoteShutdownPrivilege 2932 wmic.exe Token: SeUndockPrivilege 2932 wmic.exe Token: SeManageVolumePrivilege 2932 wmic.exe Token: 33 2932 wmic.exe Token: 34 2932 wmic.exe Token: 35 2932 wmic.exe Token: SeIncreaseQuotaPrivilege 2932 wmic.exe Token: SeSecurityPrivilege 2932 wmic.exe Token: SeTakeOwnershipPrivilege 2932 wmic.exe Token: SeLoadDriverPrivilege 2932 wmic.exe Token: SeSystemProfilePrivilege 2932 wmic.exe Token: SeSystemtimePrivilege 2932 wmic.exe Token: SeProfSingleProcessPrivilege 2932 wmic.exe Token: SeIncBasePriorityPrivilege 2932 wmic.exe Token: SeCreatePagefilePrivilege 2932 wmic.exe Token: SeBackupPrivilege 2932 wmic.exe Token: SeRestorePrivilege 2932 wmic.exe Token: SeShutdownPrivilege 2932 wmic.exe Token: SeDebugPrivilege 2932 wmic.exe Token: SeSystemEnvironmentPrivilege 2932 wmic.exe Token: SeRemoteShutdownPrivilege 2932 wmic.exe Token: SeUndockPrivilege 2932 wmic.exe Token: SeManageVolumePrivilege 2932 wmic.exe Token: 33 2932 wmic.exe Token: 34 2932 wmic.exe Token: 35 2932 wmic.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1988 wrote to memory of 2932 1988 atomic.exe 30 PID 1988 wrote to memory of 2932 1988 atomic.exe 30 PID 1988 wrote to memory of 2932 1988 atomic.exe 30