Analysis
max time kernel: 39s
max time network: 44s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-07-2023 01:53
Static task: static1
Behavioral task: behavioral1
Sample: Edge.exe
Resource: win10v2004-20230703-en
General
Target: Edge.exe
Size: 375KB
MD5: 9c0a7d6267feb0e77ddf181e95d48b72
SHA1: ebbe54a2eb63652e5d75e5875410d914b5b4928c
SHA256: 8161798db8edce12fa902151dda8562edbec804bd2e5256e4ed35124ecf4891e
SHA512: 426eca46895bd1d2d98c6a586e535e0f39ad55145b4ca6d56ed972f9e96e9ac521a10094a8447cabc3c27d29c6880ac3401f1a22d2c48a49aa8655e363ba4096
SSDEEP: 6144:tfWwGYVWUBA5Kw3J92q4Eh7E7PBl0gvv1+TrEuoA0k9M+BK578+9pe5v0WURy:sYVWyI3J98Ei7PBl0g8rELA0nz5oQNWw
Malware Config
Extracted family: umbral
Webhook (exfiltration channel): https://discord.com/api/webhooks/1126841818676469870/wKxpU1x96IZptY7EnGleqZ9QSvJnnb_kUZs-okVDW4YwrmKMhSdXUiJ2NC1IkE5gclP3
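The extracted config is a single Discord webhook, which is how Umbral ships its loot. The following is an added example, not part of the sandbox report and not the sandbox's own extractor: it pulls Discord webhook URLs out of a byte blob (a sample's strings or a memory dump), checking the ASCII view and both UTF-16LE alignments because .NET stealers store their strings as UTF-16LE, deduplicates by webhook ID, and reads the creation time out of the ID, since Discord IDs are snowflakes carrying a millisecond timestamp from 2015-01-01 UTC. The sample blob is constructed here: filler bytes, this report's webhook as UTF-16LE at an odd offset, and an ASCII Discord API URL that is not a webhook. It never contacts Discord.

```python
"""Extract and triage Discord webhook URLs from a byte blob.

Added example, not sandbox output. SAMPLE_BLOB is constructed; the webhook
inside it is the one from this report's extracted config."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Discord snowflakes: the top bits are milliseconds since 2015-01-01T00:00:00Z,
# so the webhook ID dates the webhook (here: a week before the submission date).
DISCORD_EPOCH = datetime(2015, 1, 1, tzinfo=timezone.utc)

# ID is a 17-20 digit snowflake; the token is a 60-80 char base64url-style string.
WEBHOOK_RE = re.compile(
    r"https://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/(\d{17,20})/([A-Za-z0-9_-]{60,80})"
)


@dataclass(frozen=True)
class Webhook:
    url: str
    webhook_id: int
    token: str

    @property
    def created_at(self) -> datetime:
        return DISCORD_EPOCH + timedelta(milliseconds=self.webhook_id >> 22)

    def defanged(self) -> str:
        """Form that is safe to paste into a ticket: no live URL, no token."""
        return f"hxxps://discord[.]com/api/webhooks/{self.webhook_id}/<token {len(self.token)} chars>"


def _candidate_texts(blob: bytes):
    # latin-1 view for ASCII strings, plus both UTF-16LE alignments: .NET user
    # strings are UTF-16LE and may start at an odd file offset.
    yield blob.decode("latin-1")
    yield blob.decode("utf-16-le", errors="ignore")
    yield blob[1:].decode("utf-16-le", errors="ignore")


def extract_discord_webhooks(blob: bytes) -> list:
    """Return unique webhooks (deduplicated by ID) found in any text view of blob."""
    found = {}
    for text in _candidate_texts(blob):
        for m in WEBHOOK_RE.finditer(text):
            wid = int(m.group(1))
            found.setdefault(wid, Webhook(m.group(0), wid, m.group(2)))
    return [found[k] for k in sorted(found)]


# Constructed sample: PE-ish filler, the report's webhook as UTF-16LE at an odd
# offset (7), more filler, then an ASCII Discord API URL that is not a webhook.
REPORT_WEBHOOK = ("https://discord.com/api/webhooks/1126841818676469870/"
                  "wKxpU1x96IZptY7EnGleqZ9QSvJnnb_kUZs-okVDW4YwrmKMhSdXUiJ2NC1IkE5gclP3")
SAMPLE_BLOB = (b"MZ\x90\x00" + b"\x00" * 3 + REPORT_WEBHOOK.encode("utf-16-le")
               + b"\x00" * 8 + b"https://discord.com/api/v10/users/@me\x00")

if __name__ == "__main__":
    for hook in extract_discord_webhooks(SAMPLE_BLOB):
        print(hook.defanged(), "created", hook.created_at.isoformat())
```

The creation time recovered from this webhook's ID is 2023-07-07 11:47:05 UTC, one week before the sample was submitted; that is a useful pivot when clustering samples that share infrastructure. Report the defanged form, not the live URL, and do not POST to the webhook from an analysis host: a delete request is the only interaction that does not feed the operator.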
Signatures

Detect Umbral payload (4 IoCs)
YARA rule family_umbral matched:
- behavioral1/files/0x0009000000023203-190.dat
- behavioral1/files/0x0009000000023203-196.dat
- behavioral1/files/0x0009000000023203-199.dat
- behavioral1/memory/4480-202-0x00000237C6600000-0x00000237C6686000-memory.dmp (memory of PID 4480, Update.exe)
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Control Panel\International\Geo\Nation (Edge.exe)
Drops startup file (4 IoCs)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.exe (Edge.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.exe (Edge.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.exe (Edge.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.exe (Edge.exe)
Executes dropped EXE (2 IoCs)
- PID 3316 msedge.exe
- PID 4480 Update.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\msedge.exe" (Edge.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Update.exe" (Edge.exe)
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 32: ip-api.com
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoC)
- PID 3232 WerFault.exe, target PID 3316 (msedge.exe), procid_target 91
Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- PID 3948 schtasks.exe
- PID 4208 schtasks.exe
Delays execution with timeout.exe (1 IoC)
- PID 2508 timeout.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
- PID 1668 powershell.exe (recorded twice)
- PID 2052 powershell.exe (recorded twice)
Suspicious use of AdjustPrivilegeToken (46 IoCs)
- Token: SeDebugPrivilege, PID 2996 Edge.exe
- Token: SeDebugPrivilege, PID 1668 powershell.exe
- Token: SeDebugPrivilege, PID 2052 powershell.exe
- Token: SeDebugPrivilege, PID 4480 Update.exe
- PID 2256 wmic.exe, each of the following recorded twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
The long wmic.exe list is the blanket privilege enabling that wmic.exe performs on its own token at startup and says nothing about the sample; the SeDebugPrivilege requests by Edge.exe and by the dropped Update.exe are the entries worth noting.
Suspicious use of WriteProcessMemory (18 IoCs; each pair recorded twice)
- PID 2996 Edge.exe wrote to memory of PID 1668 (powershell.exe), procid_target 87
- PID 2996 Edge.exe wrote to memory of PID 3948 (schtasks.exe), procid_target 89
- PID 2996 Edge.exe wrote to memory of PID 3316 (msedge.exe), procid_target 91
- PID 2996 Edge.exe wrote to memory of PID 2052 (powershell.exe), procid_target 93
- PID 2996 Edge.exe wrote to memory of PID 4208 (schtasks.exe), procid_target 94
- PID 2996 Edge.exe wrote to memory of PID 4480 (Update.exe), procid_target 97
- PID 2996 Edge.exe wrote to memory of PID 4428 (cmd.exe), procid_target 98
- PID 4428 cmd.exe wrote to memory of PID 2508 (timeout.exe), procid_target 102
- PID 4480 Update.exe wrote to memory of PID 2256 (wmic.exe), procid_target 103
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\Edge.exe (PID 2996)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Edge.exe"
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1668)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.exe'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\schtasks.exe (PID 3948)
      Command line: "C:\Windows\System32\schtasks.exe" /Create /F /TN "msedge" /SC ONLOGON /TR "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.exe" /RL HIGHEST
      - Creates scheduled task(s)

    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.exe (PID 3316)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.exe"
      - Executes dropped EXE

        C:\Windows\system32\WerFault.exe (PID 3232)
          Command line: C:\Windows\system32\WerFault.exe -u -p 3316 -s 1112
          - Program crash

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2052)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.exe'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\schtasks.exe (PID 4208)
      Command line: "C:\Windows\System32\schtasks.exe" /Create /F /TN "Update" /SC ONLOGON /TR "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.exe" /RL HIGHEST
      - Creates scheduled task(s)

    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.exe (PID 4480)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Windows\System32\Wbem\wmic.exe (PID 2256)
          Command line: "wmic.exe" csproduct get uuid
          - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\cmd.exe (PID 4428)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD66A.tmp.bat""
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\timeout.exe (PID 2508)
          Command line: timeout 3
          - Delays execution with timeout.exe

C:\Windows\system32\WerFault.exe (PID 1936)
  Command line: C:\Windows\system32\WerFault.exe -pss -s 456 -p 3316 -ip 3316
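The process tree shows the whole chain in command lines alone: a PowerShell Defender exclusion for the drop path, an ONLOGON scheduled task with /RL HIGHEST pointing into the user's Startup folder, a wmic csproduct UUID lookup from the dropped Update.exe, and a cmd.exe running a tmp*.bat that sleeps with timeout. The block below is an added example, not sandbox output and not a vendor rule: it tags each of those behaviours from process-creation events and alerts only when one process lineage shows three or more of them, because each one on its own is ordinary admin activity. The event shape (pid, ppid, image, command line) is an assumption modelled on Sysmon Event ID 1; the command lines are copied from this report, while the parent PID of Edge.exe (5000) and the two benign events under PID 6000 are constructed.

```python
"""Detection logic for the persistence / defence-evasion chain in the process
tree above, run over constructed process-creation events.

Added example, not sandbox output. Event shape is an assumption modelled on
Sysmon Event ID 1; PIDs 5000, 6000, 6001 and 6002 are constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# A path inside a user profile that any unprivileged process can write to.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
# cmd.exe running a throw-away tmpXXXX.tmp.bat out of %TEMP%.
TEMP_BAT = re.compile(r"\\temp\\tmp[0-9a-f]+\.tmp\.bat", re.IGNORECASE)


def classify(ev: ProcEvent) -> Optional[str]:
    """Tag one event with the behaviour it shows, or None if no rule fires."""
    img = ev.image.rsplit("\\", 1)[-1].lower()
    cl = ev.cmdline.lower()
    if img == "powershell.exe" and "add-mppreference" in cl and "-exclusionpath" in cl:
        return "defender_exclusion"        # Defender told to ignore the payload path
    if (img == "schtasks.exe" and "/create" in cl and "onlogon" in cl
            and "/rl highest" in cl and USER_WRITABLE.search(ev.cmdline)):
        return "logon_task_from_appdata"   # elevated logon task pointing into AppData
    if img == "wmic.exe" and "csproduct" in cl and "uuid" in cl:
        return "hwid_lookup"               # machine UUID, used by stealers as a victim ID
    if img == "cmd.exe" and TEMP_BAT.search(cl):
        return "temp_bat_runner"           # tmp*.bat plus timeout is the usual self-delete stub
    return None


def root_pid(pid: int, parent_of: Dict[int, int]) -> int:
    """Follow ppid links up to the oldest ancestor we hold an event for."""
    seen = {pid}
    while parent_of.get(pid) in parent_of and parent_of[pid] not in seen:
        pid = parent_of[pid]
        seen.add(pid)
    return pid


def hunt(events: List[ProcEvent], min_tags: int = 3) -> Dict[int, Set[str]]:
    """Group tags by root ancestor and report lineages with >= min_tags distinct
    behaviours. One of these alone is common; one tree doing three is not."""
    parent_of = {e.pid: e.ppid for e in events}
    by_root: Dict[int, Set[str]] = defaultdict(set)
    for ev in events:
        tag = classify(ev)
        if tag:
            by_root[root_pid(ev.pid, parent_of)].add(tag)
    return {pid: tags for pid, tags in by_root.items() if len(tags) >= min_tags}


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
EVENTS = [
    ProcEvent(2996, 5000, r"C:\Users\Admin\AppData\Local\Temp\Edge.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\Edge.exe"'),
    ProcEvent(1668, 2996, PS,
              f'"{PS}" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath \'{STARTUP}\\msedge.exe\''),
    ProcEvent(3948, 2996, r"C:\Windows\System32\schtasks.exe",
              f'"C:\\Windows\\System32\\schtasks.exe" /Create /F /TN "msedge" /SC ONLOGON /TR "{STARTUP}\\msedge.exe" /RL HIGHEST'),
    ProcEvent(3316, 2996, STARTUP + r"\msedge.exe", f'"{STARTUP}\\msedge.exe"'),
    ProcEvent(4480, 2996, STARTUP + r"\Update.exe", f'"{STARTUP}\\Update.exe"'),
    ProcEvent(2256, 4480, r"C:\Windows\System32\Wbem\wmic.exe", '"wmic.exe" csproduct get uuid'),
    ProcEvent(4428, 2996, r"C:\Windows\system32\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD66A.tmp.bat""'),
    ProcEvent(2508, 4428, r"C:\Windows\system32\timeout.exe", "timeout 3"),
    # constructed benign activity under an unrelated parent (PID 6000, not in the log)
    ProcEvent(6001, 6000, r"C:\Windows\System32\schtasks.exe",
              r'schtasks /Create /TN "NightlyBackup" /SC DAILY /TR "C:\Program Files\Backup\run.exe"'),
    ProcEvent(6002, 6000, PS, f'"{PS}" -Command Get-MpPreference'),
]

if __name__ == "__main__":
    for root, tags in hunt(EVENTS).items():
        print(f"ALERT: PID {root} lineage shows {sorted(tags)}")
```

Run against the events above, only the Edge.exe lineage (root PID 2996) trips the threshold, with all four tags; the daily backup task and the Get-MpPreference call produce no tags at all. The Run-key writes and the Geo\Nation query are registry events, not process events, and would need a second event type in a real pipeline; they are left out here so the block stays a pure process-lineage rule.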
Downloads

2KB
  MD5:    d85ba6ff808d9e5444a4b369f5bc2730
  SHA1:   31aa9d96590fff6981b315e0b391b575e4c0804a
  SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
  SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

944B
  MD5:    77d622bb1a5b250869a3238b9bc1402b
  SHA1:   d47f4003c2554b9dfc4c16f22460b331886b191b
  SHA256: f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
  SHA512: d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

60B
  MD5:    d17fe0a3f47be24a6453e9ef58c94641
  SHA1:   6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

156B
  MD5:    f24d04ef5022a6e35c81972cdf1a2d5a
  SHA1:   c2bc0b5d61d15b8f25ea14c71aee61ba8541aa97
  SHA256: f81c2e5f14a8086319b7f421290cac432e021a9e796059891fa9f75f161a5a24
  SHA512: bfda849d45c8af577404d22dc2feb4fb3fe2047e4f2060cc00848275898671bf58edfe5ca5d562162d9e8fb0e3b21b2fc1fe11d6e562b0f0afbb5950d7c81d93

508KB (three entries in the report with identical hashes)
  MD5:    e100e66222e53137091e45ff97c495cc
  SHA1:   4d236ab8d332101f9205be932ee3267091a77179
  SHA256: 780e6a974b3f4da3714c08855264cfa1556bb602a1ba971aa01f61bf41ac4e9f
  SHA512: 3ac2fe770048b7070e8ad1113d2c2f42190dac630255cd99934dbaa07ba54b6973199540119b3c6acf4fd598e31b55a614f40c700c5d0142ba68bf027f4ea5a2

530KB (three entries in the report with identical hashes)
  MD5:    766f0f0554418f987c7ae0b1b5a4c87b
  SHA1:   c1864afa5323fe9d809bc1485c8c95318a4616e1
  SHA256: a6c266d002b6c1b61722afb924bfe93a0dd2f4b4861ee35d0600c92cb42b797e
  SHA512: aa5c3e4f9b1d19d1bbe28f5184dde1779e7498a00781c87faf0b91f605275f65ca8231630cc1bee0a502a63ee945ff31aa5a709c95cdc7d47838e80da9fa2b6f