Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
02-11-2024 04:02
Behavioral task
behavioral1
Sample
Big clean script.exe
Resource
win7-20240903-en
windows7-x64
6 signatures
150 seconds
General
-
Target
Big clean script.exe
-
Size
230KB
-
MD5
b23d20593d9176d95302568243f60052
-
SHA1
fef1aa01b7a41a8255d71309c7c5badf48a7a907
-
SHA256
9ff459396b1f4de8dbca8a866ff3b9e4a46c48a9dc1071812a256fe21349caf9
-
SHA512
13a9f86ca7b7df87b4174875fb3d7a7552986a6484297c841037b054d3bf01eab724f3b080f9f1984cc58912e0a50953f5d1e2355dca1cc5366eca4870400d3e
-
SSDEEP
6144:lloZM+rIkd8g+EtXHkv/iD4M8RobhS6FDAxDeebSzb8e1muQTSi:noZtL+EP8M8RobhS6FDAxDeebIHQz
Malware Config
Signatures
-
Detect Umbral payload 1 IoCs
resource yara_rule behavioral1/memory/628-1-0x00000000001C0000-0x0000000000200000-memory.dmp family_umbral -
Umbral family
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 6 ip-api.com -
Suspicious use of AdjustPrivilegeToken 41 IoCs
description pid Process Token: SeDebugPrivilege 628 Big clean script.exe Token: SeIncreaseQuotaPrivilege 2780 wmic.exe Token: SeSecurityPrivilege 2780 wmic.exe Token: SeTakeOwnershipPrivilege 2780 wmic.exe Token: SeLoadDriverPrivilege 2780 wmic.exe Token: SeSystemProfilePrivilege 2780 wmic.exe Token: SeSystemtimePrivilege 2780 wmic.exe Token: SeProfSingleProcessPrivilege 2780 wmic.exe Token: SeIncBasePriorityPrivilege 2780 wmic.exe Token: SeCreatePagefilePrivilege 2780 wmic.exe Token: SeBackupPrivilege 2780 wmic.exe Token: SeRestorePrivilege 2780 wmic.exe Token: SeShutdownPrivilege 2780 wmic.exe Token: SeDebugPrivilege 2780 wmic.exe Token: SeSystemEnvironmentPrivilege 2780 wmic.exe Token: SeRemoteShutdownPrivilege 2780 wmic.exe Token: SeUndockPrivilege 2780 wmic.exe Token: SeManageVolumePrivilege 2780 wmic.exe Token: 33 2780 wmic.exe Token: 34 2780 wmic.exe Token: 35 2780 wmic.exe Token: SeIncreaseQuotaPrivilege 2780 wmic.exe Token: SeSecurityPrivilege 2780 wmic.exe Token: SeTakeOwnershipPrivilege 2780 wmic.exe Token: SeLoadDriverPrivilege 2780 wmic.exe Token: SeSystemProfilePrivilege 2780 wmic.exe Token: SeSystemtimePrivilege 2780 wmic.exe Token: SeProfSingleProcessPrivilege 2780 wmic.exe Token: SeIncBasePriorityPrivilege 2780 wmic.exe Token: SeCreatePagefilePrivilege 2780 wmic.exe Token: SeBackupPrivilege 2780 wmic.exe Token: SeRestorePrivilege 2780 wmic.exe Token: SeShutdownPrivilege 2780 wmic.exe Token: SeDebugPrivilege 2780 wmic.exe Token: SeSystemEnvironmentPrivilege 2780 wmic.exe Token: SeRemoteShutdownPrivilege 2780 wmic.exe Token: SeUndockPrivilege 2780 wmic.exe Token: SeManageVolumePrivilege 2780 wmic.exe Token: 33 2780 wmic.exe Token: 34 2780 wmic.exe Token: 35 2780 wmic.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 628 wrote to memory of 2780 628 Big clean script.exe 31 PID 628 wrote to memory of 2780 628 Big clean script.exe 31 PID 628 wrote to memory of 2780 628 Big clean script.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\Big clean script.exe"C:\Users\Admin\AppData\Local\Temp\Big clean script.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:628 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2780
-