Analysis
-
max time kernel
31s -
max time network
33s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
22-10-2024 10:16
General
-
Target
BLUME RUST.exe
-
Size
227KB
-
MD5
de788e456ceac91e1dd1a2ed01d332cc
-
SHA1
d0a59e876e3781b70379127425612c9cb1a99436
-
SHA256
559a3d56b0318e3e66e68e92079a8fd4f04adb5c6c3899d06b4ad66cccc19cdd
-
SHA512
41daddd8548376e9c6f161c113c7a7721b2c683aa361dcfb4341906e45f78ec053242fb2a221b622e229c4967f04c04d7a4e3436cc4fddf2054db3e9907d2b6a
-
SSDEEP
6144:eloZM+rIkd8g+EtXHkv/iD4cwuciAfboNxUyzzqlUob8e1mKi:IoZtL+EP8cwuciAfboNxUyzzqVE
Malware Config
Signatures
-
Detect Umbral payload 1 IoCs
resource yara_rule behavioral1/memory/1556-1-0x0000016E61020000-0x0000016E61060000-memory.dmp family_umbral -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 7 ip-api.com -
Suspicious use of AdjustPrivilegeToken 43 IoCs
description pid Process Token: SeDebugPrivilege 1556 BLUME RUST.exe Token: SeIncreaseQuotaPrivilege 1208 wmic.exe Token: SeSecurityPrivilege 1208 wmic.exe Token: SeTakeOwnershipPrivilege 1208 wmic.exe Token: SeLoadDriverPrivilege 1208 wmic.exe Token: SeSystemProfilePrivilege 1208 wmic.exe Token: SeSystemtimePrivilege 1208 wmic.exe Token: SeProfSingleProcessPrivilege 1208 wmic.exe Token: SeIncBasePriorityPrivilege 1208 wmic.exe Token: SeCreatePagefilePrivilege 1208 wmic.exe Token: SeBackupPrivilege 1208 wmic.exe Token: SeRestorePrivilege 1208 wmic.exe Token: SeShutdownPrivilege 1208 wmic.exe Token: SeDebugPrivilege 1208 wmic.exe Token: SeSystemEnvironmentPrivilege 1208 wmic.exe Token: SeRemoteShutdownPrivilege 1208 wmic.exe Token: SeUndockPrivilege 1208 wmic.exe Token: SeManageVolumePrivilege 1208 wmic.exe Token: 33 1208 wmic.exe Token: 34 1208 wmic.exe Token: 35 1208 wmic.exe Token: 36 1208 wmic.exe Token: SeIncreaseQuotaPrivilege 1208 wmic.exe Token: SeSecurityPrivilege 1208 wmic.exe Token: SeTakeOwnershipPrivilege 1208 wmic.exe Token: SeLoadDriverPrivilege 1208 wmic.exe Token: SeSystemProfilePrivilege 1208 wmic.exe Token: SeSystemtimePrivilege 1208 wmic.exe Token: SeProfSingleProcessPrivilege 1208 wmic.exe Token: SeIncBasePriorityPrivilege 1208 wmic.exe Token: SeCreatePagefilePrivilege 1208 wmic.exe Token: SeBackupPrivilege 1208 wmic.exe Token: SeRestorePrivilege 1208 wmic.exe Token: SeShutdownPrivilege 1208 wmic.exe Token: SeDebugPrivilege 1208 wmic.exe Token: SeSystemEnvironmentPrivilege 1208 wmic.exe Token: SeRemoteShutdownPrivilege 1208 wmic.exe Token: SeUndockPrivilege 1208 wmic.exe Token: SeManageVolumePrivilege 1208 wmic.exe Token: 33 1208 wmic.exe Token: 34 1208 wmic.exe Token: 35 1208 wmic.exe Token: 36 1208 wmic.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 1556 wrote to memory of 1208 1556 BLUME RUST.exe 84 PID 1556 wrote to memory of 1208 1556 BLUME RUST.exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\BLUME RUST.exe"C:\Users\Admin\AppData\Local\Temp\BLUME RUST.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1556 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1208
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService1⤵PID:3764