Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
28-10-2024 20:53
Behavioral task
behavioral1
Sample
release07052024.exe
Resource
win7-20241010-en
windows7-x64
9 signatures
150 seconds
General
-
Target
release07052024.exe
-
Size
234KB
-
MD5
b7003ff817ee11ddb615fd88dd82fdcf
-
SHA1
43cb7c473ddcff872931ed0628cf25543cd56593
-
SHA256
2d1d0f47365bdb80e32d3378591b13b6412d2b67071d8083f95c8317cfa60fef
-
SHA512
b5ba5b1c858623a2d75316199229fc2dad581200b874ef2907d795948d79605237e7195365d81eedf3c5db9cd8c1542d638cd94ca47fb9911502e6596269ec6e
-
SSDEEP
6144:XloZM+rIkd8g+EtXHkv/iD4ZDmsN8e1mqtiU:1oZtL+EP8ZdG
Malware Config
Signatures
-
Detect Umbral payload 1 IoCs
resource yara_rule behavioral2/memory/4544-1-0x00000278074F0000-0x0000027807530000-memory.dmp family_umbral -
Umbral family
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 7 ip-api.com -
Suspicious use of AdjustPrivilegeToken 43 IoCs
description pid Process Token: SeDebugPrivilege 4544 release07052024.exe Token: SeIncreaseQuotaPrivilege 4172 wmic.exe Token: SeSecurityPrivilege 4172 wmic.exe Token: SeTakeOwnershipPrivilege 4172 wmic.exe Token: SeLoadDriverPrivilege 4172 wmic.exe Token: SeSystemProfilePrivilege 4172 wmic.exe Token: SeSystemtimePrivilege 4172 wmic.exe Token: SeProfSingleProcessPrivilege 4172 wmic.exe Token: SeIncBasePriorityPrivilege 4172 wmic.exe Token: SeCreatePagefilePrivilege 4172 wmic.exe Token: SeBackupPrivilege 4172 wmic.exe Token: SeRestorePrivilege 4172 wmic.exe Token: SeShutdownPrivilege 4172 wmic.exe Token: SeDebugPrivilege 4172 wmic.exe Token: SeSystemEnvironmentPrivilege 4172 wmic.exe Token: SeRemoteShutdownPrivilege 4172 wmic.exe Token: SeUndockPrivilege 4172 wmic.exe Token: SeManageVolumePrivilege 4172 wmic.exe Token: 33 4172 wmic.exe Token: 34 4172 wmic.exe Token: 35 4172 wmic.exe Token: 36 4172 wmic.exe Token: SeIncreaseQuotaPrivilege 4172 wmic.exe Token: SeSecurityPrivilege 4172 wmic.exe Token: SeTakeOwnershipPrivilege 4172 wmic.exe Token: SeLoadDriverPrivilege 4172 wmic.exe Token: SeSystemProfilePrivilege 4172 wmic.exe Token: SeSystemtimePrivilege 4172 wmic.exe Token: SeProfSingleProcessPrivilege 4172 wmic.exe Token: SeIncBasePriorityPrivilege 4172 wmic.exe Token: SeCreatePagefilePrivilege 4172 wmic.exe Token: SeBackupPrivilege 4172 wmic.exe Token: SeRestorePrivilege 4172 wmic.exe Token: SeShutdownPrivilege 4172 wmic.exe Token: SeDebugPrivilege 4172 wmic.exe Token: SeSystemEnvironmentPrivilege 4172 wmic.exe Token: SeRemoteShutdownPrivilege 4172 wmic.exe Token: SeUndockPrivilege 4172 wmic.exe Token: SeManageVolumePrivilege 4172 wmic.exe Token: 33 4172 wmic.exe Token: 34 4172 wmic.exe Token: 35 4172 wmic.exe Token: 36 4172 wmic.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 4544 wrote to memory of 4172 4544 release07052024.exe 84 PID 4544 wrote to memory of 4172 4544 release07052024.exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\release07052024.exe"C:\Users\Admin\AppData\Local\Temp\release07052024.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4544 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4172
-