Analysis
-
max time kernel
118s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
25-10-2024 11:48
Behavioral task
behavioral1
Sample
Bunifu.Licensing.dll
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Bunifu.Licensing.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
CODEMCFA.exe
Resource
win7-20241010-en
General
-
Target
CODEMCFA.exe
-
Size
231KB
-
MD5
9503a8b58a6162341186e7376beed76f
-
SHA1
1076edc775b7a770b4908ff8a961d6db50489ca0
-
SHA256
149e3d957ea166e513bfdf2152403b27e75ae5fe110bae79b2104fdab6f8f6b3
-
SHA512
f2f19b80e2d369c49d9dcc25fda842c28b31baca6f78528c2074591251a947e55978173ffc72f341fbb0959219470080ad59f2f7868661d903494a308e3a1f96
-
SSDEEP
6144:RloZM+rIkd8g+EtXHkv/iD48xntPlO2ZTc1niinND1b8e1mXKDi:joZtL+EP88xntPlO2ZTc1niinNZI5
Malware Config
Signatures
-
Detect Umbral payload 1 IoCs
resource yara_rule behavioral3/memory/2876-1-0x0000000001180000-0x00000000011C0000-memory.dmp family_umbral -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 ip-api.com -
Suspicious use of AdjustPrivilegeToken 41 IoCs
description pid Process Token: SeDebugPrivilege 2876 CODEMCFA.exe Token: SeIncreaseQuotaPrivilege 2796 wmic.exe Token: SeSecurityPrivilege 2796 wmic.exe Token: SeTakeOwnershipPrivilege 2796 wmic.exe Token: SeLoadDriverPrivilege 2796 wmic.exe Token: SeSystemProfilePrivilege 2796 wmic.exe Token: SeSystemtimePrivilege 2796 wmic.exe Token: SeProfSingleProcessPrivilege 2796 wmic.exe Token: SeIncBasePriorityPrivilege 2796 wmic.exe Token: SeCreatePagefilePrivilege 2796 wmic.exe Token: SeBackupPrivilege 2796 wmic.exe Token: SeRestorePrivilege 2796 wmic.exe Token: SeShutdownPrivilege 2796 wmic.exe Token: SeDebugPrivilege 2796 wmic.exe Token: SeSystemEnvironmentPrivilege 2796 wmic.exe Token: SeRemoteShutdownPrivilege 2796 wmic.exe Token: SeUndockPrivilege 2796 wmic.exe Token: SeManageVolumePrivilege 2796 wmic.exe Token: 33 2796 wmic.exe Token: 34 2796 wmic.exe Token: 35 2796 wmic.exe Token: SeIncreaseQuotaPrivilege 2796 wmic.exe Token: SeSecurityPrivilege 2796 wmic.exe Token: SeTakeOwnershipPrivilege 2796 wmic.exe Token: SeLoadDriverPrivilege 2796 wmic.exe Token: SeSystemProfilePrivilege 2796 wmic.exe Token: SeSystemtimePrivilege 2796 wmic.exe Token: SeProfSingleProcessPrivilege 2796 wmic.exe Token: SeIncBasePriorityPrivilege 2796 wmic.exe Token: SeCreatePagefilePrivilege 2796 wmic.exe Token: SeBackupPrivilege 2796 wmic.exe Token: SeRestorePrivilege 2796 wmic.exe Token: SeShutdownPrivilege 2796 wmic.exe Token: SeDebugPrivilege 2796 wmic.exe Token: SeSystemEnvironmentPrivilege 2796 wmic.exe Token: SeRemoteShutdownPrivilege 2796 wmic.exe Token: SeUndockPrivilege 2796 wmic.exe Token: SeManageVolumePrivilege 2796 wmic.exe Token: 33 2796 wmic.exe Token: 34 2796 wmic.exe Token: 35 2796 wmic.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2876 wrote to memory of 2796 2876 CODEMCFA.exe 30 PID 2876 wrote to memory of 2796 2876 CODEMCFA.exe 30 PID 2876 wrote to memory of 2796 2876 CODEMCFA.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\CODEMCFA.exe"C:\Users\Admin\AppData\Local\Temp\CODEMCFA.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2796
-