Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
01-11-2024 07:04
Behavioral task
behavioral1
Sample
Bedrock Client Injector.exe
Resource
win7-20240708-en
windows7-x64
6 signatures
150 seconds
General
-
Target
Bedrock Client Injector.exe
-
Size
263KB
-
MD5
94e490af0574861f68fd0df23b1105aa
-
SHA1
47702a4a5ae6d39faa769599ef0e49daa6d5a6f6
-
SHA256
045414a6d58dcf47b3fb79c35cf892f7bc8e013b56ebc492ffb7e216fee84c0d
-
SHA512
ce84c060e82854cfb77d2ae573f9003b9f648995dc4a130c04a6fc9f9b772e4e04a43a3fe5ef30861c6726c095b15c0e3e48a6c06916d2268fa87dd18687a294
-
SSDEEP
6144:mloZMLrIkd8g+EtXHkv/iD4dzaww+A9J8e1mOiTlReeAt84I:QoZ0L+EP8dzawwNUT3tAW
Malware Config
Signatures
-
Detect Umbral payload 1 IoCs
resource yara_rule behavioral1/memory/2252-1-0x0000000000D00000-0x0000000000D48000-memory.dmp family_umbral -
Umbral family
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 6 ip-api.com -
Suspicious use of AdjustPrivilegeToken 41 IoCs
description pid Process Token: SeDebugPrivilege 2252 Bedrock Client Injector.exe Token: SeIncreaseQuotaPrivilege 2904 wmic.exe Token: SeSecurityPrivilege 2904 wmic.exe Token: SeTakeOwnershipPrivilege 2904 wmic.exe Token: SeLoadDriverPrivilege 2904 wmic.exe Token: SeSystemProfilePrivilege 2904 wmic.exe Token: SeSystemtimePrivilege 2904 wmic.exe Token: SeProfSingleProcessPrivilege 2904 wmic.exe Token: SeIncBasePriorityPrivilege 2904 wmic.exe Token: SeCreatePagefilePrivilege 2904 wmic.exe Token: SeBackupPrivilege 2904 wmic.exe Token: SeRestorePrivilege 2904 wmic.exe Token: SeShutdownPrivilege 2904 wmic.exe Token: SeDebugPrivilege 2904 wmic.exe Token: SeSystemEnvironmentPrivilege 2904 wmic.exe Token: SeRemoteShutdownPrivilege 2904 wmic.exe Token: SeUndockPrivilege 2904 wmic.exe Token: SeManageVolumePrivilege 2904 wmic.exe Token: 33 2904 wmic.exe Token: 34 2904 wmic.exe Token: 35 2904 wmic.exe Token: SeIncreaseQuotaPrivilege 2904 wmic.exe Token: SeSecurityPrivilege 2904 wmic.exe Token: SeTakeOwnershipPrivilege 2904 wmic.exe Token: SeLoadDriverPrivilege 2904 wmic.exe Token: SeSystemProfilePrivilege 2904 wmic.exe Token: SeSystemtimePrivilege 2904 wmic.exe Token: SeProfSingleProcessPrivilege 2904 wmic.exe Token: SeIncBasePriorityPrivilege 2904 wmic.exe Token: SeCreatePagefilePrivilege 2904 wmic.exe Token: SeBackupPrivilege 2904 wmic.exe Token: SeRestorePrivilege 2904 wmic.exe Token: SeShutdownPrivilege 2904 wmic.exe Token: SeDebugPrivilege 2904 wmic.exe Token: SeSystemEnvironmentPrivilege 2904 wmic.exe Token: SeRemoteShutdownPrivilege 2904 wmic.exe Token: SeUndockPrivilege 2904 wmic.exe Token: SeManageVolumePrivilege 2904 wmic.exe Token: 33 2904 wmic.exe Token: 34 2904 wmic.exe Token: 35 2904 wmic.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2252 wrote to memory of 2904 2252 Bedrock Client Injector.exe 30 PID 2252 wrote to memory of 2904 2252 Bedrock Client Injector.exe 30 PID 2252 wrote to memory of 2904 2252 Bedrock Client Injector.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\Bedrock Client Injector.exe"C:\Users\Admin\AppData\Local\Temp\Bedrock Client Injector.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2904
-