Analysis
-
max time kernel
1151s -
max time network
1159s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
08-11-2024 15:57
General
-
Target
Krampus/b5uEJHZB6Rl.exe
-
Size
231KB
-
MD5
438289fb9c72ed39bf5497f9af21ec7a
-
SHA1
8120391ecb41ed6a4c6ef0b259776e59311d6997
-
SHA256
ea4cb7c7b4cfb2fcc04d1c3f96b20c26638e69a97b15cae14659f0d6afb78f85
-
SHA512
3647907fa2d503a242ef07cb20b081444b75e0c618a91232c8e77903b4b6aa823b8a7cbe07a45e02591fe48fdd23b5eae88565006b85863c0a5f6e42d7589fe0
-
SSDEEP
6144:YloZM+rIkd8g+EtXHkv/iD4Bs4DdLocD/abtIEx6tb8e1mTiu:GoZtL+EP8Bs4DdLocD/abtIExq1
Malware Config
Signatures
-
Detect Umbral payload 1 IoCs
resource yara_rule behavioral1/memory/3908-1-0x000001F06A560000-0x000001F06A5A0000-memory.dmp family_umbral -
Umbral family
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 10 ip-api.com -
Suspicious use of AdjustPrivilegeToken 43 IoCs
description pid Process Token: SeDebugPrivilege 3908 b5uEJHZB6Rl.exe Token: SeIncreaseQuotaPrivilege 5028 wmic.exe Token: SeSecurityPrivilege 5028 wmic.exe Token: SeTakeOwnershipPrivilege 5028 wmic.exe Token: SeLoadDriverPrivilege 5028 wmic.exe Token: SeSystemProfilePrivilege 5028 wmic.exe Token: SeSystemtimePrivilege 5028 wmic.exe Token: SeProfSingleProcessPrivilege 5028 wmic.exe Token: SeIncBasePriorityPrivilege 5028 wmic.exe Token: SeCreatePagefilePrivilege 5028 wmic.exe Token: SeBackupPrivilege 5028 wmic.exe Token: SeRestorePrivilege 5028 wmic.exe Token: SeShutdownPrivilege 5028 wmic.exe Token: SeDebugPrivilege 5028 wmic.exe Token: SeSystemEnvironmentPrivilege 5028 wmic.exe Token: SeRemoteShutdownPrivilege 5028 wmic.exe Token: SeUndockPrivilege 5028 wmic.exe Token: SeManageVolumePrivilege 5028 wmic.exe Token: 33 5028 wmic.exe Token: 34 5028 wmic.exe Token: 35 5028 wmic.exe Token: 36 5028 wmic.exe Token: SeIncreaseQuotaPrivilege 5028 wmic.exe Token: SeSecurityPrivilege 5028 wmic.exe Token: SeTakeOwnershipPrivilege 5028 wmic.exe Token: SeLoadDriverPrivilege 5028 wmic.exe Token: SeSystemProfilePrivilege 5028 wmic.exe Token: SeSystemtimePrivilege 5028 wmic.exe Token: SeProfSingleProcessPrivilege 5028 wmic.exe Token: SeIncBasePriorityPrivilege 5028 wmic.exe Token: SeCreatePagefilePrivilege 5028 wmic.exe Token: SeBackupPrivilege 5028 wmic.exe Token: SeRestorePrivilege 5028 wmic.exe Token: SeShutdownPrivilege 5028 wmic.exe Token: SeDebugPrivilege 5028 wmic.exe Token: SeSystemEnvironmentPrivilege 5028 wmic.exe Token: SeRemoteShutdownPrivilege 5028 wmic.exe Token: SeUndockPrivilege 5028 wmic.exe Token: SeManageVolumePrivilege 5028 wmic.exe Token: 33 5028 wmic.exe Token: 34 5028 wmic.exe Token: 35 5028 wmic.exe Token: 36 5028 wmic.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 3908 wrote to memory of 5028 3908 b5uEJHZB6Rl.exe 83 PID 3908 wrote to memory of 5028 3908 b5uEJHZB6Rl.exe 83
Processes
-
C:\Users\Admin\AppData\Local\Temp\Krampus\b5uEJHZB6Rl.exe"C:\Users\Admin\AppData\Local\Temp\Krampus\b5uEJHZB6Rl.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3908 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5028
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:1876