Analysis
-
max time kernel
16s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
08-11-2024 12:45
Behavioral task
behavioral1
Sample
Nursultan/NursultanCrack.exe
Resource
win7-20240903-en
windows7-x64
6 signatures
30 seconds
General
-
Target
Nursultan/NursultanCrack.exe
-
Size
328KB
-
MD5
4f7415acf4f5a898dd0ea6e7924137e2
-
SHA1
13f5917af6bbf1f1f98633ac18532d8a43c2d92e
-
SHA256
c182f999bccd715dd8dfd60b2c212ceaec08bad843ee95ecef3abf6230b7a447
-
SHA512
eb903b09428f8ef8ba349a507a73627875096a4952ed768c640752b6bf1019a0ea1ca88246928055ba8591666de4dbfbf58bab65fc12e7544d013e13e838feb9
-
SSDEEP
6144:iloZM+rIkd8g+EtXHkv/iD4CzaYSx6PTg8e1mHisxBt25:soZtL+EP8CzaYSj9sxBt
Malware Config
Signatures
-
Detect Umbral payload 1 IoCs
resource yara_rule behavioral1/memory/2572-1-0x0000000000D80000-0x0000000000DD8000-memory.dmp family_umbral -
Umbral family
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 6 ip-api.com -
Suspicious use of AdjustPrivilegeToken 41 IoCs
description pid Process Token: SeDebugPrivilege 2572 NursultanCrack.exe Token: SeIncreaseQuotaPrivilege 2964 wmic.exe Token: SeSecurityPrivilege 2964 wmic.exe Token: SeTakeOwnershipPrivilege 2964 wmic.exe Token: SeLoadDriverPrivilege 2964 wmic.exe Token: SeSystemProfilePrivilege 2964 wmic.exe Token: SeSystemtimePrivilege 2964 wmic.exe Token: SeProfSingleProcessPrivilege 2964 wmic.exe Token: SeIncBasePriorityPrivilege 2964 wmic.exe Token: SeCreatePagefilePrivilege 2964 wmic.exe Token: SeBackupPrivilege 2964 wmic.exe Token: SeRestorePrivilege 2964 wmic.exe Token: SeShutdownPrivilege 2964 wmic.exe Token: SeDebugPrivilege 2964 wmic.exe Token: SeSystemEnvironmentPrivilege 2964 wmic.exe Token: SeRemoteShutdownPrivilege 2964 wmic.exe Token: SeUndockPrivilege 2964 wmic.exe Token: SeManageVolumePrivilege 2964 wmic.exe Token: 33 2964 wmic.exe Token: 34 2964 wmic.exe Token: 35 2964 wmic.exe Token: SeIncreaseQuotaPrivilege 2964 wmic.exe Token: SeSecurityPrivilege 2964 wmic.exe Token: SeTakeOwnershipPrivilege 2964 wmic.exe Token: SeLoadDriverPrivilege 2964 wmic.exe Token: SeSystemProfilePrivilege 2964 wmic.exe Token: SeSystemtimePrivilege 2964 wmic.exe Token: SeProfSingleProcessPrivilege 2964 wmic.exe Token: SeIncBasePriorityPrivilege 2964 wmic.exe Token: SeCreatePagefilePrivilege 2964 wmic.exe Token: SeBackupPrivilege 2964 wmic.exe Token: SeRestorePrivilege 2964 wmic.exe Token: SeShutdownPrivilege 2964 wmic.exe Token: SeDebugPrivilege 2964 wmic.exe Token: SeSystemEnvironmentPrivilege 2964 wmic.exe Token: SeRemoteShutdownPrivilege 2964 wmic.exe Token: SeUndockPrivilege 2964 wmic.exe Token: SeManageVolumePrivilege 2964 wmic.exe Token: 33 2964 wmic.exe Token: 34 2964 wmic.exe Token: 35 2964 wmic.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2572 wrote to memory of 2964 2572 NursultanCrack.exe 31 PID 2572 wrote to memory of 2964 2572 NursultanCrack.exe 31 PID 2572 wrote to memory of 2964 2572 NursultanCrack.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\Nursultan\NursultanCrack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan\NursultanCrack.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2964
-