Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
01-11-2024 19:04
Behavioral task
behavioral1
Sample
Hypnox TB V1.2.exe
Resource
win7-20240903-en
windows7-x64
6 signatures
150 seconds
General
-
Target
Hypnox TB V1.2.exe
-
Size
239KB
-
MD5
f998146f650224b7a945c998246c79ca
-
SHA1
9ab4507aaf84093985febac2d5a28a1f0e00b52e
-
SHA256
93ce8e3689636df1bf9f269f4e96f0e30f3f7c5848778ad12f82275fd4061f85
-
SHA512
50a885cf13d60a59b25c3d9a8110feb5ba67b5f2b028b6abe5efac38b27c2ad5be9dd0f345379763b1b034458cebffd63ee4ce33c5a416b6662f004acf4a8224
-
SSDEEP
6144:rloZMLrIkd8g+EtXHkv/iD4pdeTKInDASZMK7bCQ0b8e1muYZi:poZ0L+EP8pdeTKInDASZMK7bCFjx
Malware Config
Signatures
-
Detect Umbral payload 1 IoCs
resource yara_rule behavioral1/memory/2520-1-0x0000000001180000-0x00000000011C2000-memory.dmp family_umbral -
Umbral family
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 6 ip-api.com -
Suspicious use of AdjustPrivilegeToken 41 IoCs
description pid Process Token: SeDebugPrivilege 2520 Hypnox TB V1.2.exe Token: SeIncreaseQuotaPrivilege 2124 wmic.exe Token: SeSecurityPrivilege 2124 wmic.exe Token: SeTakeOwnershipPrivilege 2124 wmic.exe Token: SeLoadDriverPrivilege 2124 wmic.exe Token: SeSystemProfilePrivilege 2124 wmic.exe Token: SeSystemtimePrivilege 2124 wmic.exe Token: SeProfSingleProcessPrivilege 2124 wmic.exe Token: SeIncBasePriorityPrivilege 2124 wmic.exe Token: SeCreatePagefilePrivilege 2124 wmic.exe Token: SeBackupPrivilege 2124 wmic.exe Token: SeRestorePrivilege 2124 wmic.exe Token: SeShutdownPrivilege 2124 wmic.exe Token: SeDebugPrivilege 2124 wmic.exe Token: SeSystemEnvironmentPrivilege 2124 wmic.exe Token: SeRemoteShutdownPrivilege 2124 wmic.exe Token: SeUndockPrivilege 2124 wmic.exe Token: SeManageVolumePrivilege 2124 wmic.exe Token: 33 2124 wmic.exe Token: 34 2124 wmic.exe Token: 35 2124 wmic.exe Token: SeIncreaseQuotaPrivilege 2124 wmic.exe Token: SeSecurityPrivilege 2124 wmic.exe Token: SeTakeOwnershipPrivilege 2124 wmic.exe Token: SeLoadDriverPrivilege 2124 wmic.exe Token: SeSystemProfilePrivilege 2124 wmic.exe Token: SeSystemtimePrivilege 2124 wmic.exe Token: SeProfSingleProcessPrivilege 2124 wmic.exe Token: SeIncBasePriorityPrivilege 2124 wmic.exe Token: SeCreatePagefilePrivilege 2124 wmic.exe Token: SeBackupPrivilege 2124 wmic.exe Token: SeRestorePrivilege 2124 wmic.exe Token: SeShutdownPrivilege 2124 wmic.exe Token: SeDebugPrivilege 2124 wmic.exe Token: SeSystemEnvironmentPrivilege 2124 wmic.exe Token: SeRemoteShutdownPrivilege 2124 wmic.exe Token: SeUndockPrivilege 2124 wmic.exe Token: SeManageVolumePrivilege 2124 wmic.exe Token: 33 2124 wmic.exe Token: 34 2124 wmic.exe Token: 35 2124 wmic.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2520 wrote to memory of 2124 2520 Hypnox TB V1.2.exe 30 PID 2520 wrote to memory of 2124 2520 Hypnox TB V1.2.exe 30 PID 2520 wrote to memory of 2124 2520 Hypnox TB V1.2.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\Hypnox TB V1.2.exe"C:\Users\Admin\AppData\Local\Temp\Hypnox TB V1.2.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2124
-