Analysis
-
max time kernel
64s -
max time network
27s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
04-11-2024 20:59
Behavioral task
behavioral1
Sample
fun_dog.exe
Resource
win7-20241010-en
windows7-x64
6 signatures
150 seconds
General
-
Target
fun_dog.exe
-
Size
234KB
-
MD5
7482f1ce2a78a763ab636f7052e12d82
-
SHA1
7577b69eb0d10a8d2271f323dffd7cb76f0ab393
-
SHA256
b49e4e472506a6be8c7b61601a5dddadf2e21bd01c04160395a349ee06910031
-
SHA512
02c7eb377ae7eb2b27703ce79ee3f2f55ad7f15989a1d59ba0dda2098a8cc7a8994e6907ee117f60d2c2576f0ae6e158cc4598305fac434103e24113993a950d
-
SSDEEP
6144:zloZMLrIkd8g+EtXHkv/iD4qF7AclTwk73iTlwsJnfb8e1mZi:xoZ0L+EP887AclTwk73iTlwsJ7v
Malware Config
Signatures
-
Detect Umbral payload 1 IoCs
resource yara_rule behavioral1/memory/2476-1-0x0000000000210000-0x0000000000250000-memory.dmp family_umbral -
Umbral family
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 ip-api.com -
Suspicious use of AdjustPrivilegeToken 41 IoCs
description pid Process Token: SeDebugPrivilege 2476 fun_dog.exe Token: SeIncreaseQuotaPrivilege 1868 wmic.exe Token: SeSecurityPrivilege 1868 wmic.exe Token: SeTakeOwnershipPrivilege 1868 wmic.exe Token: SeLoadDriverPrivilege 1868 wmic.exe Token: SeSystemProfilePrivilege 1868 wmic.exe Token: SeSystemtimePrivilege 1868 wmic.exe Token: SeProfSingleProcessPrivilege 1868 wmic.exe Token: SeIncBasePriorityPrivilege 1868 wmic.exe Token: SeCreatePagefilePrivilege 1868 wmic.exe Token: SeBackupPrivilege 1868 wmic.exe Token: SeRestorePrivilege 1868 wmic.exe Token: SeShutdownPrivilege 1868 wmic.exe Token: SeDebugPrivilege 1868 wmic.exe Token: SeSystemEnvironmentPrivilege 1868 wmic.exe Token: SeRemoteShutdownPrivilege 1868 wmic.exe Token: SeUndockPrivilege 1868 wmic.exe Token: SeManageVolumePrivilege 1868 wmic.exe Token: 33 1868 wmic.exe Token: 34 1868 wmic.exe Token: 35 1868 wmic.exe Token: SeIncreaseQuotaPrivilege 1868 wmic.exe Token: SeSecurityPrivilege 1868 wmic.exe Token: SeTakeOwnershipPrivilege 1868 wmic.exe Token: SeLoadDriverPrivilege 1868 wmic.exe Token: SeSystemProfilePrivilege 1868 wmic.exe Token: SeSystemtimePrivilege 1868 wmic.exe Token: SeProfSingleProcessPrivilege 1868 wmic.exe Token: SeIncBasePriorityPrivilege 1868 wmic.exe Token: SeCreatePagefilePrivilege 1868 wmic.exe Token: SeBackupPrivilege 1868 wmic.exe Token: SeRestorePrivilege 1868 wmic.exe Token: SeShutdownPrivilege 1868 wmic.exe Token: SeDebugPrivilege 1868 wmic.exe Token: SeSystemEnvironmentPrivilege 1868 wmic.exe Token: SeRemoteShutdownPrivilege 1868 wmic.exe Token: SeUndockPrivilege 1868 wmic.exe Token: SeManageVolumePrivilege 1868 wmic.exe Token: 33 1868 wmic.exe Token: 34 1868 wmic.exe Token: 35 1868 wmic.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2476 wrote to memory of 1868 2476 fun_dog.exe 30 PID 2476 wrote to memory of 1868 2476 fun_dog.exe 30 PID 2476 wrote to memory of 1868 2476 fun_dog.exe 30