Analysis
-
max time kernel
120s -
max time network
127s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
23-10-2024 12:03
Behavioral task
behavioral1
Sample
Sash_crack.exe
Resource
win7-20241010-en
windows7-x64
5 signatures
1200 seconds
General
-
Target
Sash_crack.exe
-
Size
229KB
-
MD5
b4194015c260caf700eb8fa8b68bd715
-
SHA1
fbba3ddf29726fdc112771d7d31e39ada64dbd47
-
SHA256
3e6c300b61fc97ddc3577f37aba155b7ca1023dc5206a2f763216d4bcc613973
-
SHA512
7a561d4282b9460cbc5947512c5d1ae0fdc886fa8f6752d3daa6a9f3d829e2984373cdfb66853bd424b161bde05b6f6ba704c52a422f9afb21b9b32c9d5497e5
-
SSDEEP
6144:tloZM+rIkd8g+EtXHkv/iD4/c2DmHdmOhPU9va6v/Rb8e1m4/i:voZtL+EP8/c2DmHdmOhPU9va6vBrq
Malware Config
Signatures
-
Detect Umbral payload 1 IoCs
resource yara_rule behavioral1/memory/2132-1-0x0000000000970000-0x00000000009B0000-memory.dmp family_umbral -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 ip-api.com -
Suspicious use of AdjustPrivilegeToken 41 IoCs
description pid Process Token: SeDebugPrivilege 2132 Sash_crack.exe Token: SeIncreaseQuotaPrivilege 3036 wmic.exe Token: SeSecurityPrivilege 3036 wmic.exe Token: SeTakeOwnershipPrivilege 3036 wmic.exe Token: SeLoadDriverPrivilege 3036 wmic.exe Token: SeSystemProfilePrivilege 3036 wmic.exe Token: SeSystemtimePrivilege 3036 wmic.exe Token: SeProfSingleProcessPrivilege 3036 wmic.exe Token: SeIncBasePriorityPrivilege 3036 wmic.exe Token: SeCreatePagefilePrivilege 3036 wmic.exe Token: SeBackupPrivilege 3036 wmic.exe Token: SeRestorePrivilege 3036 wmic.exe Token: SeShutdownPrivilege 3036 wmic.exe Token: SeDebugPrivilege 3036 wmic.exe Token: SeSystemEnvironmentPrivilege 3036 wmic.exe Token: SeRemoteShutdownPrivilege 3036 wmic.exe Token: SeUndockPrivilege 3036 wmic.exe Token: SeManageVolumePrivilege 3036 wmic.exe Token: 33 3036 wmic.exe Token: 34 3036 wmic.exe Token: 35 3036 wmic.exe Token: SeIncreaseQuotaPrivilege 3036 wmic.exe Token: SeSecurityPrivilege 3036 wmic.exe Token: SeTakeOwnershipPrivilege 3036 wmic.exe Token: SeLoadDriverPrivilege 3036 wmic.exe Token: SeSystemProfilePrivilege 3036 wmic.exe Token: SeSystemtimePrivilege 3036 wmic.exe Token: SeProfSingleProcessPrivilege 3036 wmic.exe Token: SeIncBasePriorityPrivilege 3036 wmic.exe Token: SeCreatePagefilePrivilege 3036 wmic.exe Token: SeBackupPrivilege 3036 wmic.exe Token: SeRestorePrivilege 3036 wmic.exe Token: SeShutdownPrivilege 3036 wmic.exe Token: SeDebugPrivilege 3036 wmic.exe Token: SeSystemEnvironmentPrivilege 3036 wmic.exe Token: SeRemoteShutdownPrivilege 3036 wmic.exe Token: SeUndockPrivilege 3036 wmic.exe Token: SeManageVolumePrivilege 3036 wmic.exe Token: 33 3036 wmic.exe Token: 34 3036 wmic.exe Token: 35 3036 wmic.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2132 wrote to memory of 3036 2132 Sash_crack.exe 30 PID 2132 wrote to memory of 3036 2132 Sash_crack.exe 30 PID 2132 wrote to memory of 3036 2132 Sash_crack.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\Sash_crack.exe"C:\Users\Admin\AppData\Local\Temp\Sash_crack.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3036
-