Analysis
-
max time kernel
102s -
max time network
103s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
22-10-2024 20:24
Behavioral task
behavioral1
Sample
Neverlose.exe
Resource
win7-20240903-en
windows7-x64
5 signatures
150 seconds
General
-
Target
Neverlose.exe
-
Size
231KB
-
MD5
2a9d5da0bb69d53e1b68178bc63e9390
-
SHA1
b1170f7ca36ea613188a272dc8ff8720a586de3a
-
SHA256
b575e722311556b67bc4f2ff77470063e5453e8f9952ddcd33afec9bdefc3902
-
SHA512
372288f96c8d39cba9529e7c44ce4b083eddf50dc3c3317b7b97c02d07018cdc2e0913da3e8309d548f80d68c95b9dd65e4febd4d7ca3b4d6a8df3360cf6aca3
-
SSDEEP
6144:RloZM+rIkd8g+EtXHkv/iD4ZvHYe5xypXKYZd8ZC6lY8e1mGi:joZtL+EP8pHYe5xypXKYZd8dk2
Malware Config
Signatures
-
Detect Umbral payload 1 IoCs
resource yara_rule behavioral2/memory/3064-1-0x00000278421C0000-0x0000027842200000-memory.dmp family_umbral -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 ip-api.com -
Suspicious use of AdjustPrivilegeToken 43 IoCs
description pid Process Token: SeDebugPrivilege 3064 Neverlose.exe Token: SeIncreaseQuotaPrivilege 1548 wmic.exe Token: SeSecurityPrivilege 1548 wmic.exe Token: SeTakeOwnershipPrivilege 1548 wmic.exe Token: SeLoadDriverPrivilege 1548 wmic.exe Token: SeSystemProfilePrivilege 1548 wmic.exe Token: SeSystemtimePrivilege 1548 wmic.exe Token: SeProfSingleProcessPrivilege 1548 wmic.exe Token: SeIncBasePriorityPrivilege 1548 wmic.exe Token: SeCreatePagefilePrivilege 1548 wmic.exe Token: SeBackupPrivilege 1548 wmic.exe Token: SeRestorePrivilege 1548 wmic.exe Token: SeShutdownPrivilege 1548 wmic.exe Token: SeDebugPrivilege 1548 wmic.exe Token: SeSystemEnvironmentPrivilege 1548 wmic.exe Token: SeRemoteShutdownPrivilege 1548 wmic.exe Token: SeUndockPrivilege 1548 wmic.exe Token: SeManageVolumePrivilege 1548 wmic.exe Token: 33 1548 wmic.exe Token: 34 1548 wmic.exe Token: 35 1548 wmic.exe Token: 36 1548 wmic.exe Token: SeIncreaseQuotaPrivilege 1548 wmic.exe Token: SeSecurityPrivilege 1548 wmic.exe Token: SeTakeOwnershipPrivilege 1548 wmic.exe Token: SeLoadDriverPrivilege 1548 wmic.exe Token: SeSystemProfilePrivilege 1548 wmic.exe Token: SeSystemtimePrivilege 1548 wmic.exe Token: SeProfSingleProcessPrivilege 1548 wmic.exe Token: SeIncBasePriorityPrivilege 1548 wmic.exe Token: SeCreatePagefilePrivilege 1548 wmic.exe Token: SeBackupPrivilege 1548 wmic.exe Token: SeRestorePrivilege 1548 wmic.exe Token: SeShutdownPrivilege 1548 wmic.exe Token: SeDebugPrivilege 1548 wmic.exe Token: SeSystemEnvironmentPrivilege 1548 wmic.exe Token: SeRemoteShutdownPrivilege 1548 wmic.exe Token: SeUndockPrivilege 1548 wmic.exe Token: SeManageVolumePrivilege 1548 wmic.exe Token: 33 1548 wmic.exe Token: 34 1548 wmic.exe Token: 35 1548 wmic.exe Token: 36 1548 wmic.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 3064 wrote to memory of 1548 3064 Neverlose.exe 86 PID 3064 wrote to memory of 1548 3064 Neverlose.exe 86
Processes
-
C:\Users\Admin\AppData\Local\Temp\Neverlose.exe"C:\Users\Admin\AppData\Local\Temp\Neverlose.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1548
-