Analysis

max time kernel: 117s
max time network: 119s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 22-02-2025 23:19

Behavioral task: behavioral1
Sample: 5af4a6acd79b023a9149a31fb1769b7d058b74604bfdd36337c75cca3a47d979.exe
Resource: win7-20241023-en
6 signatures
150 seconds
General

Target: 5af4a6acd79b023a9149a31fb1769b7d058b74604bfdd36337c75cca3a47d979.exe
Size: 229KB
MD5: b08dd189fe369fc815b6a5e33234d43e
SHA1: 45371d00cee048328c2c29ad4155cdf964c124b4
SHA256: 5af4a6acd79b023a9149a31fb1769b7d058b74604bfdd36337c75cca3a47d979
SHA512: 174c941fa210f7b9dce9f30ddf3bfcbeca069966aefc2964aa54d3b4052a995a5e87ea119016e3de01a13b9d76a1714c4886965227b5818277d41daab3e8eb63
SSDEEP: 6144:FloZM+rIkd8g+EtXHkv/iD4DKWiiAfboqxUyzzqcJb8e1m0Yi:HoZtL+EP8DKWiiAfboqxUyzzqsd
Malware Config

Signatures

Detect Umbral payload (1 IoC)
resource | yara_rule
behavioral1/memory/2628-1-0x00000000001E0000-0x0000000000220000-memory.dmp | family_umbral

Umbral family

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
6 | ip-api.com

Suspicious use of AdjustPrivilegeToken (41 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2628 | 5af4a6acd79b023a9149a31fb1769b7d058b74604bfdd36337c75cca3a47d979.exe
Token: SeIncreaseQuotaPrivilege | 2632 | wmic.exe
Token: SeSecurityPrivilege | 2632 | wmic.exe
Token: SeTakeOwnershipPrivilege | 2632 | wmic.exe
Token: SeLoadDriverPrivilege | 2632 | wmic.exe
Token: SeSystemProfilePrivilege | 2632 | wmic.exe
Token: SeSystemtimePrivilege | 2632 | wmic.exe
Token: SeProfSingleProcessPrivilege | 2632 | wmic.exe
Token: SeIncBasePriorityPrivilege | 2632 | wmic.exe
Token: SeCreatePagefilePrivilege | 2632 | wmic.exe
Token: SeBackupPrivilege | 2632 | wmic.exe
Token: SeRestorePrivilege | 2632 | wmic.exe
Token: SeShutdownPrivilege | 2632 | wmic.exe
Token: SeDebugPrivilege | 2632 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 2632 | wmic.exe
Token: SeRemoteShutdownPrivilege | 2632 | wmic.exe
Token: SeUndockPrivilege | 2632 | wmic.exe
Token: SeManageVolumePrivilege | 2632 | wmic.exe
Token: 33 | 2632 | wmic.exe
Token: 34 | 2632 | wmic.exe
Token: 35 | 2632 | wmic.exe
Token: SeIncreaseQuotaPrivilege | 2632 | wmic.exe
Token: SeSecurityPrivilege | 2632 | wmic.exe
Token: SeTakeOwnershipPrivilege | 2632 | wmic.exe
Token: SeLoadDriverPrivilege | 2632 | wmic.exe
Token: SeSystemProfilePrivilege | 2632 | wmic.exe
Token: SeSystemtimePrivilege | 2632 | wmic.exe
Token: SeProfSingleProcessPrivilege | 2632 | wmic.exe
Token: SeIncBasePriorityPrivilege | 2632 | wmic.exe
Token: SeCreatePagefilePrivilege | 2632 | wmic.exe
Token: SeBackupPrivilege | 2632 | wmic.exe
Token: SeRestorePrivilege | 2632 | wmic.exe
Token: SeShutdownPrivilege | 2632 | wmic.exe
Token: SeDebugPrivilege | 2632 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 2632 | wmic.exe
Token: SeRemoteShutdownPrivilege | 2632 | wmic.exe
Token: SeUndockPrivilege | 2632 | wmic.exe
Token: SeManageVolumePrivilege | 2632 | wmic.exe
Token: 33 | 2632 | wmic.exe
Token: 34 | 2632 | wmic.exe
Token: 35 | 2632 | wmic.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 2628 wrote to memory of 2632 | 2628 | 5af4a6acd79b023a9149a31fb1769b7d058b74604bfdd36337c75cca3a47d979.exe | 30
PID 2628 wrote to memory of 2632 | 2628 | 5af4a6acd79b023a9149a31fb1769b7d058b74604bfdd36337c75cca3a47d979.exe | 30
PID 2628 wrote to memory of 2632 | 2628 | 5af4a6acd79b023a9149a31fb1769b7d058b74604bfdd36337c75cca3a47d979.exe | 30
Processes

1. C:\Users\Admin\AppData\Local\Temp\5af4a6acd79b023a9149a31fb1769b7d058b74604bfdd36337c75cca3a47d979.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\5af4a6acd79b023a9149a31fb1769b7d058b74604bfdd36337c75cca3a47d979.exe"
   PID: 2628
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\Wbem\wmic.exe
      Command line: "wmic.exe" csproduct get uuid
      PID: 2632
      - Suspicious use of AdjustPrivilegeToken