Analysis

max time kernel: 117s
max time network: 136s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 13-02-2024 18:27

Behavioral task: behavioral1
Sample: test.exe
Resource: win7-20231215-en

General

Target: test.exe
Size: 229KB
MD5: 4a1a7343912696cddb2f5e4fcb02a1c1
SHA1: a7ed28d7dce1e93b349c9709690f2f03fc01a379
SHA256: 4baa876c24d03ddeb3484975bc7bcc90a498f26274d10a3ee499b5a1f8e5c749
SHA512: 355ce587a28634e7ebfe86f754693a1f04feb463db3439549022ec4601c154be4d19057a81b22c3b69ce68bf86839aae0d3c8e4af6297dffe2d04fa430a35850
SSDEEP: 6144:lloZM9rIkd8g+EtXHkv/iD45Pu6qoHjgv5sqb7ivrATb8e1mmi:noZOL+EP85Pu6qoHjgv5sqb7ivGE
Malware Config

Signatures

Detect Umbral payload (2 IoCs)
  resource: behavioral1/memory/2308-0-0x00000000008F0000-0x0000000000930000-memory.dmp  yara_rule: family_umbral
  resource: behavioral1/memory/2308-2-0x000000001AF50000-0x000000001AFD0000-memory.dmp  yara_rule: family_umbral
  Both hits are in memory regions of the main sample process (PID 2308); the payload is identified in memory, not by a static signature on test.exe.

Drops file in Drivers directory (1 IoC)
  File opened for modification: C:\Windows\System32\drivers\etc\hosts  Process: test.exe
  The report records only that the hosts file was opened for writing, not what was written; on an affected host, compare the file against a known-good copy.

Deletes itself (1 IoC)
  PID 972  cmd.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow 8  discord.com
  flow 9  discord.com

Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 6  ip-api.com

Detects videocard installed (1 TTP, 1 IoC)
  Uses WMIC.exe to determine videocard installed.
  PID 1244  wmic.exe

Runs ping.exe (1 TTP, 1 IoC)
  PID 2496  PING.EXE

Suspicious behavior: EnumeratesProcesses (5 IoCs)
  PIDs 748, 524, 1536, 2272, 1672  powershell.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs; the report caps this list at 64 entries, so the second wmic.exe list is cut off after token 34)
  SeDebugPrivilege: test.exe (PID 2308); powershell.exe (PIDs 748, 524, 1536, 2272)
  wmic.exe (PID 2472, listed twice) and wmic.exe (PID 1572): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  wmic.exe routinely tries to enable every privilege in its token at start-up, so the wmic entries reflect the tool rather than the sample; the SeDebugPrivilege requests by test.exe and the spawned powershell.exe instances are the ones worth noting.

Suspicious use of WriteProcessMemory (36 IoCs; each child appears three times in the raw report)
  PID 2308 (test.exe) wrote to: 2604 (procid_target 29), 748 (31), 524 (33), 1536 (35), 2272 (37), 2472 (39), 1572 (42), 804 (44), 1672 (46), 1244 (48), 972 (50)
  PID 972 (cmd.exe) wrote to: 2496 (procid_target 52)
  Every target is a child the writer itself spawned (see the process tree below), so this is the normal write into a newly created child's address space during process creation, not injection into an unrelated process.

Views/modifies file attributes (1 TTP, 1 IoC)
  PID 2604  attrib.exe
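The "Drops file in Drivers directory" IoC above only says the hosts file was opened for modification. The following is an added example (not Triage's code and not part of the sample) of the check a responder would run on the file afterwards: it parses a hosts file and flags every active entry that is not a plain loopback alias, distinguishing names sinkholed to 0.0.0.0/loopback (the trick used to cut a host off from AV and update servers) from names redirected elsewhere. The sample file content and the hostnames in it are constructed for the example.

```python
"""Flag hosts-file entries that block or redirect name resolution.
Added example for the 'Drops file in Drivers directory' IoC; the report
records only that the file was opened for modification, so the entries
below are constructed, not what the sample wrote."""
import ipaddress

# Constructed sample: a stock hosts file (comments and loopback only) with
# three appended lines standing in for attacker-written entries.
SAMPLE_HOSTS = """\
# Windows hosts file (constructed sample)
127.0.0.1 localhost
::1 localhost

0.0.0.0 av-vendor.example          # sinkhole: name resolves to nothing
127.0.0.1 updates.example          # sinkhole via loopback
203.0.113.10 login.example         # redirect to an attacker-chosen host
"""

# Names that legitimately map to loopback and must not be reported.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for each active mapping; comments,
    blank lines and lines whose first field is not an IP are skipped."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not body:
            continue
        addr, *names = body.split()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue                          # malformed line, ignore
        for name in names:
            yield line_no, ip, name.lower()


def suspicious_entries(text):
    """Return (line_no, ip, name, kind) for every entry that is not a plain
    loopback alias: 'sinkhole' when a real name points at an unspecified or
    loopback address, 'redirect' when it points anywhere else."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if name in LOOPBACK_NAMES:
            continue
        kind = "sinkhole" if ip.is_loopback or ip.is_unspecified else "redirect"
        findings.append((line_no, str(ip), name, kind))
    return findings


if __name__ == "__main__":
    for line_no, ip, name, kind in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {kind:8} {name} -> {ip}")
```

On a live system, read C:\Windows\System32\drivers\etc\hosts into `suspicious_entries`; any finding is worth a look, since a default Windows hosts file contains no active entries at all.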
Processes

C:\Users\Admin\AppData\Local\Temp\test.exe  (PID 2308, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\test.exe"
  - Drops file in Drivers directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\attrib.exe  (PID 2604, depth 2)
    Command line: "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\test.exe"
    - Views/modifies file attributes
    Marks the sample hidden and system so a default Explorer view does not show it.

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 748, depth 2)
    Command line: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\test.exe'
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    Adds its own path to the Defender exclusion list. This requires an elevated process and, on current Windows versions, is blocked by Tamper Protection.

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 524, depth 2)
    Command line: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    Turns off real-time, IOAV and script scanning, cloud (MAPS) reporting and sample submission, and puts network protection into audit-only mode; the chained second call repeats the SubmitSamplesConsent setting in its numeric form (2 = NeverSend).

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 1536, depth 2)
    Command line: "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    Reads the Roblox Studio session cookie (.ROBLOSECURITY) from the user hive.

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2272, depth 2)
    Command line: "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    Same lookup with the drive written as HKLN: (verbatim from the sample). PowerShell has no such drive, so this call errors out; only the HKCU: query above can return a value.

  C:\Windows\System32\Wbem\wmic.exe  (PID 2472, depth 2)
    Command line: "wmic.exe" os get Caption
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\Wbem\wmic.exe  (PID 1572, depth 2)
    Command line: "wmic.exe" computersystem get totalphysicalmemory
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\Wbem\wmic.exe  (PID 804, depth 2)
    Command line: "wmic.exe" csproduct get uuid

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 1672, depth 2)
    Command line: "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    - Suspicious behavior: EnumeratesProcesses

  C:\Windows\System32\Wbem\wmic.exe  (PID 1244, depth 2)
    Command line: "wmic" path win32_VideoController get name
    - Detects videocard installed
    The four wmic calls and the registry read together collect OS caption, installed RAM, machine UUID, CPU identifier and GPU name: a hardware fingerprint of the victim, which also serves to spot sandboxes with their typical virtual hardware.

  C:\Windows\system32\cmd.exe  (PID 972, depth 2)
    Command line: "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\test.exe" && pause
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    Self-deletion: ping localhost acts as a short delay so test.exe can exit and release its file lock, then del removes the binary; the /A h filter is needed because del skips hidden files by default, and attrib set the hidden attribute earlier.

    C:\Windows\system32\PING.EXE  (PID 2496, depth 3)
      Command line: ping localhost
      - Runs ping.exe
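The process tree above is, in effect, the stealer's run-book written out as command lines: hide the binary, neuter Defender, read the Roblox cookie, fingerprint the hardware, self-delete. The block below is an added example (not Triage code and not the sample's own) of turning those command lines into detection logic: a small classifier that tags each command line with the TTP it shows, plus a parser that extracts exactly which Defender settings a Set-/Add-MpPreference call changed, so an alert can say "real-time monitoring disabled, exclusion added for path X" rather than just "PowerShell ran". The input list is copied from the command lines in the tree; the tag names and the regular expressions are this example's own.

```python
"""Tag the command lines from a sandbox process tree with the stealer TTPs
they show, and pull out the Defender settings changed by Set-/Add-MpPreference.
Added example for this report; not Triage code and not the sample's."""
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\test.exe"

# Constructed input: the child command lines from the process tree above.
COMMAND_LINES = [
    f'"attrib.exe" +h +s "{SAMPLE}"',
    f"\"powershell.exe\" Add-MpPreference -ExclusionPath '{SAMPLE}'",
    '"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true '
    '-DisableIOAVProtection $true -DisableRealtimeMonitoring $true '
    '-DisableScriptScanning $true -EnableControlledFolderAccess Disabled '
    '-EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled '
    '-SubmitSamplesConsent NeverSend && powershell Set-MpPreference '
    '-SubmitSamplesConsent 2',
    r'"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY',
    '"wmic.exe" os get Caption',
    '"wmic.exe" computersystem get totalphysicalmemory',
    '"wmic.exe" csproduct get uuid',
    r'''"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER''',
    '"wmic" path win32_VideoController get name',
    f'"cmd.exe" /c ping localhost && del /F /A h "{SAMPLE}" && pause',
]

# One regex per TTP (example's own tag names), matched case-insensitively.
RULES = {
    "defender_exclusion": r"add-mppreference\s+-exclusionpath",
    "defender_disable":   r"set-mppreference\b.*-disable\w+\s+\$true",
    "hide_file":          r'\battrib(\.exe)?"?\s.*\+[hs]\b.*\+[hs]\b',
    "self_delete":        r"\bping\b.*&&\s*del\b",
    "hw_fingerprint":     r'\bwmic(\.exe)?"?\s+(os|computersystem|csproduct|path\s+win32_videocontroller)\b|processor_identifier',
    "roblox_cookie":      r"\.roblosecurity\b",
}
COMPILED = {tag: re.compile(rx, re.I) for tag, rx in RULES.items()}

_MPPREF = re.compile(r"(?:Set|Add)-MpPreference\b(.*)", re.I)
# -Name followed by an optional value; the lookahead stops a following
# parameter (e.g. after the switch -Force) from being read as the value.
_PARAM = re.compile(r"""-(\w+)(?:\s+(?!-)('[^']*'|"[^"]*"|\S+))?""")


def classify(cmdline):
    """Return the set of TTP tags whose rule matches this command line."""
    return {tag for tag, rx in COMPILED.items() if rx.search(cmdline)}


def parse_mppreference(cmdline):
    """Map every -Parameter of Set-/Add-MpPreference calls in the command
    line to its value.  Segments chained with && or ; are handled in order,
    so a later call overrides an earlier one; switches such as -Force map
    to 'True'; surrounding quotes are stripped from values."""
    settings = {}
    for segment in re.split(r"&&|;", cmdline):
        m = _MPPREF.search(segment)
        if not m:
            continue
        for name, value in _PARAM.findall(m.group(1)):
            settings[name] = value.strip("'\"") if value else "True"
    return settings


def triage(cmdlines):
    """Aggregate TTP tags and Defender changes across a whole process tree."""
    tags, defender = set(), {}
    for cmdline in cmdlines:
        tags |= classify(cmdline)
        defender.update(parse_mppreference(cmdline))
    return {"tags": tags, "defender": defender}


if __name__ == "__main__":
    result = triage(COMMAND_LINES)
    print("TTPs:", ", ".join(sorted(result["tags"])))
    for name, value in sorted(result["defender"].items()):
        print(f"  Defender {name} = {value}")
```

Fed with Sysmon event 1 or Security 4688 command lines instead of the constructed list, `triage` gives the same tag set per parent process; the combination of `defender_disable` or `defender_exclusion` with `self_delete` under one parent is a much stronger signal than any single tag.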
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: b657032ae41672bc09251b745b0ca8e7
SHA1: cc34d91ac6e5f16a52bab1c8620fb25f478786bf
SHA256: 28b5d53907d8cb8eec5335ecdd8ab910d59fff27240e30ae39d9827aa5944b08
SHA512: ecd1786acc65c478803447b486fe4986445b01f9f87f9f76bed4254ef14165869e04fc49ade0eef836560ce1cee4977f437b0e7a1e0dbc62a0c241de4fd865b3
This is a Windows jump-list (CustomDestinations) file written by Explorer when the sample was launched: a sandbox-side artifact, not a file dropped by the sample.