Analysis
-
max time kernel
423s -
max time network
425s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
17-10-2024 20:32
General
-
Target
Huy.exe
-
Size
230KB
-
MD5
107fbd66e307aec7540e2cd20a9bcb34
-
SHA1
3b9b1aaae9f92d76f3004797d61e00ab2e8827e7
-
SHA256
dd0f083b53019355be2e48e58bbe0c6fd98a180e2921f7709984d228cb6e467f
-
SHA512
754ad589254db37d7e4cc9d88edbeb7f65237932bd432e2d5f69bbe0eb194e4bec372db8e7b0dc5114498b02e8022261b6662a683961d7c391647dbaa0dcc2ae
-
SSDEEP
6144:1loZM+rIkd8g+EtXHkv/iD4wsTRdLocDXabtIExfG2b8e1mnn8i:XoZtL+EP8wsTRdLocDXabtIExBAV
Malware Config
Signatures
-
Detect Umbral payload 1 IoCs
resource yara_rule behavioral1/memory/1760-1-0x000002B36E980000-0x000002B36E9C0000-memory.dmp family_umbral -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 9 ip-api.com -
Suspicious use of AdjustPrivilegeToken 43 IoCs
description pid Process Token: SeDebugPrivilege 1760 Huy.exe Token: SeIncreaseQuotaPrivilege 1040 wmic.exe Token: SeSecurityPrivilege 1040 wmic.exe Token: SeTakeOwnershipPrivilege 1040 wmic.exe Token: SeLoadDriverPrivilege 1040 wmic.exe Token: SeSystemProfilePrivilege 1040 wmic.exe Token: SeSystemtimePrivilege 1040 wmic.exe Token: SeProfSingleProcessPrivilege 1040 wmic.exe Token: SeIncBasePriorityPrivilege 1040 wmic.exe Token: SeCreatePagefilePrivilege 1040 wmic.exe Token: SeBackupPrivilege 1040 wmic.exe Token: SeRestorePrivilege 1040 wmic.exe Token: SeShutdownPrivilege 1040 wmic.exe Token: SeDebugPrivilege 1040 wmic.exe Token: SeSystemEnvironmentPrivilege 1040 wmic.exe Token: SeRemoteShutdownPrivilege 1040 wmic.exe Token: SeUndockPrivilege 1040 wmic.exe Token: SeManageVolumePrivilege 1040 wmic.exe Token: 33 1040 wmic.exe Token: 34 1040 wmic.exe Token: 35 1040 wmic.exe Token: 36 1040 wmic.exe Token: SeIncreaseQuotaPrivilege 1040 wmic.exe Token: SeSecurityPrivilege 1040 wmic.exe Token: SeTakeOwnershipPrivilege 1040 wmic.exe Token: SeLoadDriverPrivilege 1040 wmic.exe Token: SeSystemProfilePrivilege 1040 wmic.exe Token: SeSystemtimePrivilege 1040 wmic.exe Token: SeProfSingleProcessPrivilege 1040 wmic.exe Token: SeIncBasePriorityPrivilege 1040 wmic.exe Token: SeCreatePagefilePrivilege 1040 wmic.exe Token: SeBackupPrivilege 1040 wmic.exe Token: SeRestorePrivilege 1040 wmic.exe Token: SeShutdownPrivilege 1040 wmic.exe Token: SeDebugPrivilege 1040 wmic.exe Token: SeSystemEnvironmentPrivilege 1040 wmic.exe Token: SeRemoteShutdownPrivilege 1040 wmic.exe Token: SeUndockPrivilege 1040 wmic.exe Token: SeManageVolumePrivilege 1040 wmic.exe Token: 33 1040 wmic.exe Token: 34 1040 wmic.exe Token: 35 1040 wmic.exe Token: 36 1040 wmic.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 1760 wrote to memory of 1040 1760 Huy.exe 84 PID 1760 wrote to memory of 1040 1760 Huy.exe 84