Analysis
-
max time kernel
93s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system -
submitted
15-04-2024 16:52
Behavioral task
behavioral1
Sample
ClientBetaNew.exe
Resource
win7-20240319-en
Behavioral task
behavioral2
Sample
ClientBetaNew.exe
Resource
win10-20240404-en
Behavioral task
behavioral3
Sample
ClientBetaNew.exe
Resource
win10v2004-20240412-en
General
-
Target
ClientBetaNew.exe
-
Size
229KB
-
MD5
e7fca17393a9f4cb9ccb2f65fc2bb214
-
SHA1
cef26fa30e3f68d85ab923beecc0cd0dbfa2a720
-
SHA256
499282fecf90d5dcdf2b01ca4413c37477ec17b6068b43300dfeaefa1fb50978
-
SHA512
303fe673e0d12410010971fb15ae58751948a7e0fb559e97acf5c73df0a7987dc8d423d59ebdfdfee79ef2696795ecf78543dcb74bebf6073a65229a2d24b80a
-
SSDEEP
6144:9loZM+rIkd8g+EtXHkv/iD4rzQumkrHM99YW3X2gyb8e1mtzi:foZtL+EP8rzQumkrHM99YW3X23Ie
Malware Config
Signatures
-
Detect Umbral payload 1 IoCs
resource yara_rule behavioral3/memory/876-0-0x000001ED3E0F0000-0x000001ED3E130000-memory.dmp family_umbral -
Drops file in Drivers directory 1 IoCs
description ioc Process File opened for modification C:\Windows\System32\drivers\etc\hosts ClientBetaNew.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 42 discord.com 43 discord.com -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 10 ip-api.com -
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.
pid Process 4896 wmic.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 3432 PING.EXE -
Suspicious behavior: EnumeratesProcesses 11 IoCs
pid Process 876 ClientBetaNew.exe 2576 powershell.exe 2576 powershell.exe 2932 powershell.exe 2932 powershell.exe 4728 powershell.exe 4728 powershell.exe 3908 powershell.exe 3908 powershell.exe 1664 powershell.exe 1664 powershell.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 876 ClientBetaNew.exe Token: SeIncreaseQuotaPrivilege 2060 wmic.exe Token: SeSecurityPrivilege 2060 wmic.exe Token: SeTakeOwnershipPrivilege 2060 wmic.exe Token: SeLoadDriverPrivilege 2060 wmic.exe Token: SeSystemProfilePrivilege 2060 wmic.exe Token: SeSystemtimePrivilege 2060 wmic.exe Token: SeProfSingleProcessPrivilege 2060 wmic.exe Token: SeIncBasePriorityPrivilege 2060 wmic.exe Token: SeCreatePagefilePrivilege 2060 wmic.exe Token: SeBackupPrivilege 2060 wmic.exe Token: SeRestorePrivilege 2060 wmic.exe Token: SeShutdownPrivilege 2060 wmic.exe Token: SeDebugPrivilege 2060 wmic.exe Token: SeSystemEnvironmentPrivilege 2060 wmic.exe Token: SeRemoteShutdownPrivilege 2060 wmic.exe Token: SeUndockPrivilege 2060 wmic.exe Token: SeManageVolumePrivilege 2060 wmic.exe Token: 33 2060 wmic.exe Token: 34 2060 wmic.exe Token: 35 2060 wmic.exe Token: 36 2060 wmic.exe Token: SeIncreaseQuotaPrivilege 2060 wmic.exe Token: SeSecurityPrivilege 2060 wmic.exe Token: SeTakeOwnershipPrivilege 2060 wmic.exe Token: SeLoadDriverPrivilege 2060 wmic.exe Token: SeSystemProfilePrivilege 2060 wmic.exe Token: SeSystemtimePrivilege 2060 wmic.exe Token: SeProfSingleProcessPrivilege 2060 wmic.exe Token: SeIncBasePriorityPrivilege 2060 wmic.exe Token: SeCreatePagefilePrivilege 2060 wmic.exe Token: SeBackupPrivilege 2060 wmic.exe Token: SeRestorePrivilege 2060 wmic.exe Token: SeShutdownPrivilege 2060 wmic.exe Token: SeDebugPrivilege 2060 wmic.exe Token: SeSystemEnvironmentPrivilege 2060 wmic.exe Token: SeRemoteShutdownPrivilege 2060 wmic.exe Token: SeUndockPrivilege 2060 wmic.exe Token: SeManageVolumePrivilege 2060 wmic.exe Token: 33 2060 wmic.exe Token: 34 2060 wmic.exe Token: 35 2060 wmic.exe Token: 36 2060 wmic.exe Token: SeDebugPrivilege 2576 powershell.exe Token: SeDebugPrivilege 2932 powershell.exe Token: SeDebugPrivilege 4728 powershell.exe Token: SeDebugPrivilege 3908 powershell.exe Token: SeIncreaseQuotaPrivilege 1472 wmic.exe Token: SeSecurityPrivilege 1472 wmic.exe Token: SeTakeOwnershipPrivilege 1472 wmic.exe Token: SeLoadDriverPrivilege 1472 wmic.exe Token: SeSystemProfilePrivilege 1472 wmic.exe Token: SeSystemtimePrivilege 1472 wmic.exe Token: SeProfSingleProcessPrivilege 1472 wmic.exe Token: SeIncBasePriorityPrivilege 1472 wmic.exe Token: SeCreatePagefilePrivilege 1472 wmic.exe Token: SeBackupPrivilege 1472 wmic.exe Token: SeRestorePrivilege 1472 wmic.exe Token: SeShutdownPrivilege 1472 wmic.exe Token: SeDebugPrivilege 1472 wmic.exe Token: SeSystemEnvironmentPrivilege 1472 wmic.exe Token: SeRemoteShutdownPrivilege 1472 wmic.exe Token: SeUndockPrivilege 1472 wmic.exe Token: SeManageVolumePrivilege 1472 wmic.exe -
Suspicious use of WriteProcessMemory 26 IoCs
description pid Process procid_target PID 876 wrote to memory of 2060 876 ClientBetaNew.exe 86 PID 876 wrote to memory of 2060 876 ClientBetaNew.exe 86 PID 876 wrote to memory of 64 876 ClientBetaNew.exe 90 PID 876 wrote to memory of 64 876 ClientBetaNew.exe 90 PID 876 wrote to memory of 2576 876 ClientBetaNew.exe 92 PID 876 wrote to memory of 2576 876 ClientBetaNew.exe 92 PID 876 wrote to memory of 2932 876 ClientBetaNew.exe 95 PID 876 wrote to memory of 2932 876 ClientBetaNew.exe 95 PID 876 wrote to memory of 4728 876 ClientBetaNew.exe 97 PID 876 wrote to memory of 4728 876 ClientBetaNew.exe 97 PID 876 wrote to memory of 3908 876 ClientBetaNew.exe 100 PID 876 wrote to memory of 3908 876 ClientBetaNew.exe 100 PID 876 wrote to memory of 1472 876 ClientBetaNew.exe 105 PID 876 wrote to memory of 1472 876 ClientBetaNew.exe 105 PID 876 wrote to memory of 3608 876 ClientBetaNew.exe 107 PID 876 wrote to memory of 3608 876 ClientBetaNew.exe 107 PID 876 wrote to memory of 2056 876 ClientBetaNew.exe 109 PID 876 wrote to memory of 2056 876 ClientBetaNew.exe 109 PID 876 wrote to memory of 1664 876 ClientBetaNew.exe 111 PID 876 wrote to memory of 1664 876 ClientBetaNew.exe 111 PID 876 wrote to memory of 4896 876 ClientBetaNew.exe 113 PID 876 wrote to memory of 4896 876 ClientBetaNew.exe 113 PID 876 wrote to memory of 5000 876 ClientBetaNew.exe 116 PID 876 wrote to memory of 5000 876 ClientBetaNew.exe 116 PID 5000 wrote to memory of 3432 5000 cmd.exe 118 PID 5000 wrote to memory of 3432 5000 cmd.exe 118 -
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process 64 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ClientBetaNew.exe"C:\Users\Admin\AppData\Local\Temp\ClientBetaNew.exe"1⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:876 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2060
-
-
C:\Windows\SYSTEM32\attrib.exe"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\ClientBetaNew.exe"2⤵
- Views/modifies file attributes
PID:64
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ClientBetaNew.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2576
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 22⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2932
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4728
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3908
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" os get Caption2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1472
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" computersystem get totalphysicalmemory2⤵PID:3608
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid2⤵PID:2056
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1664
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic" path win32_VideoController get name2⤵
- Detects videocard installed
PID:4896
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\ClientBetaNew.exe" && pause2⤵
- Suspicious use of WriteProcessMemory
PID:5000 -
C:\Windows\system32\PING.EXEping localhost3⤵
- Runs ping.exe
PID:3432
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
1KB
MD52b177ee51274376214d9f897a4cb90d2
SHA16cd0e8f9d48257d5824b700d1d02f6fde583b41f
SHA25655e37da08076fdb55cfcb3ba36bf305ab5a306734d6294280daa4c92481a5339
SHA5125d40f255cea9bdcf2b9576f393ea9246cfba9b910b5960e74c4bf1fe1d2dd53108341d20baf8f963e839694a112a51df4a720c52039699c2c99b4f7cb915624e
-
Filesize
944B
MD577d622bb1a5b250869a3238b9bc1402b
SHA1d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9
-
Filesize
948B
MD5966914e2e771de7a4a57a95b6ecfa8a9
SHA17a32282fd51dd032967ed4d9a40cc57e265aeff2
SHA25698d3c70d7004fa807897317bd6cd3e977b9b6c72d4d2565aca0f9f8b1c315cba
SHA512dc39c7124a9c7c8d4c7e8e16290c46360b8d9a8f4e43edaacbbeb09bdcf20159a53db54d2b322372001b6a3de52b2f88e9088b5fdbc7638816ae0d122bb015f5
-
Filesize
1KB
MD588be3bc8a7f90e3953298c0fdbec4d72
SHA1f4969784ad421cc80ef45608727aacd0f6bf2e4b
SHA256533c8470b41084e40c5660569ebbdb7496520d449629a235e8053e84025f348a
SHA5124fce64e2dacddbc03314048fef1ce356ee2647c14733da121c23c65507eeb8d721d6b690ad5463319b364dc4fa95904ad6ab096907f32918e3406ef438a6ef7c
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82