Analysis
max time kernel: 143s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-04-2024 22:14
Static task: static1
Behavioral task: behavioral1
Sample: immortal.bin.exe
Resource: win7-20240215-en
General
Target: immortal.bin.exe
Size: 1.1MB
MD5: 9e511d399fbc2bf0c2d45302dc62be61
SHA1: 3100c1c0c5f98b1a7bccef0cdcfde6b34e38992b
SHA256: ce8f179e7e29d4f28f1c5039808e82c198264183166069d8ad567f63275c74a8
SHA512: 7e4560bd6e76d181b47f44eca0a7195cb905e852ed2a94308cad57576a16c62335256978c73ddac275d736423c5c6a9a4eed648090847ee80e8183be77c04486
SSDEEP: 24576:fO29aTBMPYvJnXAvKhO7CMbNdCrty7ARVJ3g6cbhbZxvI:G29adQt3CrtWQcb3xv
Malware Config
Signatures
Detect Umbral payload 2 IoCs
  resource                                                                      yara_rule
  behavioral2/files/0x000800000002324a-9.dat                                    family_umbral
  behavioral2/memory/3852-17-0x00000250FFF10000-0x00000250FFF50000-memory.dmp   family_umbral
Downloads MZ/PE file
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
  description          ioc                                                                                                        Process
  Key value queried    \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation   immortal.bin.exe
Executes dropped EXE 1 IoCs
  pid    Process
  3852   c4osbxx5.fdk.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  flow   ioc
  10     raw.githubusercontent.com
  12     raw.githubusercontent.com
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  pid    Process
  3400   immortal.bin.exe
  3400   immortal.bin.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken 44 IoCs
  description                            pid    Process
  Token: SeDebugPrivilege                3400   immortal.bin.exe
  Token: SeDebugPrivilege                3852   c4osbxx5.fdk.exe
  Token: SeIncreaseQuotaPrivilege        1148   wmic.exe
  Token: SeSecurityPrivilege             1148   wmic.exe
  Token: SeTakeOwnershipPrivilege        1148   wmic.exe
  Token: SeLoadDriverPrivilege           1148   wmic.exe
  Token: SeSystemProfilePrivilege        1148   wmic.exe
  Token: SeSystemtimePrivilege           1148   wmic.exe
  Token: SeProfSingleProcessPrivilege    1148   wmic.exe
  Token: SeIncBasePriorityPrivilege      1148   wmic.exe
  Token: SeCreatePagefilePrivilege       1148   wmic.exe
  Token: SeBackupPrivilege               1148   wmic.exe
  Token: SeRestorePrivilege              1148   wmic.exe
  Token: SeShutdownPrivilege             1148   wmic.exe
  Token: SeDebugPrivilege                1148   wmic.exe
  Token: SeSystemEnvironmentPrivilege    1148   wmic.exe
  Token: SeRemoteShutdownPrivilege       1148   wmic.exe
  Token: SeUndockPrivilege               1148   wmic.exe
  Token: SeManageVolumePrivilege         1148   wmic.exe
  Token: 33                              1148   wmic.exe
  Token: 34                              1148   wmic.exe
  Token: 35                              1148   wmic.exe
  Token: 36                              1148   wmic.exe
  Token: SeIncreaseQuotaPrivilege        1148   wmic.exe
  Token: SeSecurityPrivilege             1148   wmic.exe
  Token: SeTakeOwnershipPrivilege        1148   wmic.exe
  Token: SeLoadDriverPrivilege           1148   wmic.exe
  Token: SeSystemProfilePrivilege        1148   wmic.exe
  Token: SeSystemtimePrivilege           1148   wmic.exe
  Token: SeProfSingleProcessPrivilege    1148   wmic.exe
  Token: SeIncBasePriorityPrivilege      1148   wmic.exe
  Token: SeCreatePagefilePrivilege       1148   wmic.exe
  Token: SeBackupPrivilege               1148   wmic.exe
  Token: SeRestorePrivilege              1148   wmic.exe
  Token: SeShutdownPrivilege             1148   wmic.exe
  Token: SeDebugPrivilege                1148   wmic.exe
  Token: SeSystemEnvironmentPrivilege    1148   wmic.exe
  Token: SeRemoteShutdownPrivilege       1148   wmic.exe
  Token: SeUndockPrivilege               1148   wmic.exe
  Token: SeManageVolumePrivilege         1148   wmic.exe
  Token: 33                              1148   wmic.exe
  Token: 34                              1148   wmic.exe
  Token: 35                              1148   wmic.exe
  Token: 36                              1148   wmic.exe
Suspicious use of SetWindowsHookEx 1 IoCs
  pid    Process
  3400   immortal.bin.exe
Suspicious use of WriteProcessMemory 4 IoCs
  description                          pid    Process            procid_target
  PID 3400 wrote to memory of 3852     3400   immortal.bin.exe   92
  PID 3400 wrote to memory of 3852     3400   immortal.bin.exe   92
  PID 3852 wrote to memory of 1148     3852   c4osbxx5.fdk.exe   93
  PID 3852 wrote to memory of 1148     3852   c4osbxx5.fdk.exe   93
Processes
C:\Users\Admin\AppData\Local\Temp\immortal.bin.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\immortal.bin.exe"
  PID: 3400
  - Checks computer location settings
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\c4osbxx5.fdk.exe (depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\c4osbxx5.fdk.exe"
    PID: 3852
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\Wbem\wmic.exe (depth 3)
      command line: "wmic.exe" csproduct get uuid
      PID: 1148
      - Suspicious use of AdjustPrivilegeToken
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3688 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
  PID: 4272
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 227KB
MD5: 7f32dcbb00de079c31ff7895ae9c0560
SHA1: e80841a355b8dce9955b9bbba63f02a4ad31a836
SHA256: 5658f42d6332d99827d772a710d74e905f822d23e958c86f802973c2cffe850f
SHA512: 776cabc7d2442d90655eec0f434c811146b7f569dbace3c8609a582c167af5990ec25d1d7a8eb111744cecbdcd43d37af7d623eb97eb414ad926371083f7aadc