Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
04-11-2024 20:59
Behavioral task
behavioral1
Sample
fun_dog.exe
Resource
win7-20241010-en
windows7-x64
6 signatures
150 seconds
General
-
Target
fun_dog.exe
-
Size
234KB
-
MD5
7482f1ce2a78a763ab636f7052e12d82
-
SHA1
7577b69eb0d10a8d2271f323dffd7cb76f0ab393
-
SHA256
b49e4e472506a6be8c7b61601a5dddadf2e21bd01c04160395a349ee06910031
-
SHA512
02c7eb377ae7eb2b27703ce79ee3f2f55ad7f15989a1d59ba0dda2098a8cc7a8994e6907ee117f60d2c2576f0ae6e158cc4598305fac434103e24113993a950d
-
SSDEEP
6144:zloZMLrIkd8g+EtXHkv/iD4qF7AclTwk73iTlwsJnfb8e1mZi:xoZ0L+EP887AclTwk73iTlwsJ7v
Malware Config
Signatures
-
Detect Umbral payload 1 IoCs
resource yara_rule behavioral2/memory/4620-1-0x0000024E3AEF0000-0x0000024E3AF30000-memory.dmp family_umbral -
Umbral family
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 5 ip-api.com -
Suspicious use of AdjustPrivilegeToken 43 IoCs
description pid Process Token: SeDebugPrivilege 4620 fun_dog.exe Token: SeIncreaseQuotaPrivilege 3400 wmic.exe Token: SeSecurityPrivilege 3400 wmic.exe Token: SeTakeOwnershipPrivilege 3400 wmic.exe Token: SeLoadDriverPrivilege 3400 wmic.exe Token: SeSystemProfilePrivilege 3400 wmic.exe Token: SeSystemtimePrivilege 3400 wmic.exe Token: SeProfSingleProcessPrivilege 3400 wmic.exe Token: SeIncBasePriorityPrivilege 3400 wmic.exe Token: SeCreatePagefilePrivilege 3400 wmic.exe Token: SeBackupPrivilege 3400 wmic.exe Token: SeRestorePrivilege 3400 wmic.exe Token: SeShutdownPrivilege 3400 wmic.exe Token: SeDebugPrivilege 3400 wmic.exe Token: SeSystemEnvironmentPrivilege 3400 wmic.exe Token: SeRemoteShutdownPrivilege 3400 wmic.exe Token: SeUndockPrivilege 3400 wmic.exe Token: SeManageVolumePrivilege 3400 wmic.exe Token: 33 3400 wmic.exe Token: 34 3400 wmic.exe Token: 35 3400 wmic.exe Token: 36 3400 wmic.exe Token: SeIncreaseQuotaPrivilege 3400 wmic.exe Token: SeSecurityPrivilege 3400 wmic.exe Token: SeTakeOwnershipPrivilege 3400 wmic.exe Token: SeLoadDriverPrivilege 3400 wmic.exe Token: SeSystemProfilePrivilege 3400 wmic.exe Token: SeSystemtimePrivilege 3400 wmic.exe Token: SeProfSingleProcessPrivilege 3400 wmic.exe Token: SeIncBasePriorityPrivilege 3400 wmic.exe Token: SeCreatePagefilePrivilege 3400 wmic.exe Token: SeBackupPrivilege 3400 wmic.exe Token: SeRestorePrivilege 3400 wmic.exe Token: SeShutdownPrivilege 3400 wmic.exe Token: SeDebugPrivilege 3400 wmic.exe Token: SeSystemEnvironmentPrivilege 3400 wmic.exe Token: SeRemoteShutdownPrivilege 3400 wmic.exe Token: SeUndockPrivilege 3400 wmic.exe Token: SeManageVolumePrivilege 3400 wmic.exe Token: 33 3400 wmic.exe Token: 34 3400 wmic.exe Token: 35 3400 wmic.exe Token: 36 3400 wmic.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 4620 wrote to memory of 3400 4620 fun_dog.exe 84 PID 4620 wrote to memory of 3400 4620 fun_dog.exe 84