Analysis
- max time kernel: 143s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-04-2024 22:14
- Static task: static1
- Behavioral task: behavioral1
- Sample: immortal.bin.exe
- Resource: win7-20240215-en
General
- Target: immortal.bin.exe
- Size: 1.1MB
- MD5: 9e511d399fbc2bf0c2d45302dc62be61
- SHA1: 3100c1c0c5f98b1a7bccef0cdcfde6b34e38992b
- SHA256: ce8f179e7e29d4f28f1c5039808e82c198264183166069d8ad567f63275c74a8
- SHA512: 7e4560bd6e76d181b47f44eca0a7195cb905e852ed2a94308cad57576a16c62335256978c73ddac275d736423c5c6a9a4eed648090847ee80e8183be77c04486
- SSDEEP: 24576:fO29aTBMPYvJnXAvKhO7CMbNdCrty7ARVJ3g6cbhbZxvI:G29adQt3CrtWQcb3xv
Malware Config

Signatures
- Detect Umbral payload (2 IoCs)
  Processes:
  resource                                                                     yara_rule
  C:\Users\Admin\AppData\Local\Temp\c4osbxx5.fdk.exe                           family_umbral
  behavioral2/memory/3852-17-0x00000250FFF10000-0x00000250FFF50000-memory.dmp  family_umbral
- Downloads MZ/PE file
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: immortal.bin.exe
  description         ioc                                                                                                      process
  Key value queried   \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation   immortal.bin.exe
- Executes dropped EXE (1 IoCs)
  Processes: c4osbxx5.fdk.exe
  pid   process
  3852  c4osbxx5.fdk.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes: immortal.bin.exe
  pid   process
  3400  immortal.bin.exe
  3400  immortal.bin.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (44 IoCs)
  Processes: immortal.bin.exe, c4osbxx5.fdk.exe, wmic.exe
  description                            pid   process
  Token: SeDebugPrivilege                3400  immortal.bin.exe
  Token: SeDebugPrivilege                3852  c4osbxx5.fdk.exe
  Token: SeIncreaseQuotaPrivilege        1148  wmic.exe
  Token: SeSecurityPrivilege             1148  wmic.exe
  Token: SeTakeOwnershipPrivilege        1148  wmic.exe
  Token: SeLoadDriverPrivilege           1148  wmic.exe
  Token: SeSystemProfilePrivilege        1148  wmic.exe
  Token: SeSystemtimePrivilege           1148  wmic.exe
  Token: SeProfSingleProcessPrivilege    1148  wmic.exe
  Token: SeIncBasePriorityPrivilege      1148  wmic.exe
  Token: SeCreatePagefilePrivilege       1148  wmic.exe
  Token: SeBackupPrivilege               1148  wmic.exe
  Token: SeRestorePrivilege              1148  wmic.exe
  Token: SeShutdownPrivilege             1148  wmic.exe
  Token: SeDebugPrivilege                1148  wmic.exe
  Token: SeSystemEnvironmentPrivilege    1148  wmic.exe
  Token: SeRemoteShutdownPrivilege       1148  wmic.exe
  Token: SeUndockPrivilege               1148  wmic.exe
  Token: SeManageVolumePrivilege         1148  wmic.exe
  Token: 33                              1148  wmic.exe
  Token: 34                              1148  wmic.exe
  Token: 35                              1148  wmic.exe
  Token: 36                              1148  wmic.exe
  Token: SeIncreaseQuotaPrivilege        1148  wmic.exe
  Token: SeSecurityPrivilege             1148  wmic.exe
  Token: SeTakeOwnershipPrivilege        1148  wmic.exe
  Token: SeLoadDriverPrivilege           1148  wmic.exe
  Token: SeSystemProfilePrivilege        1148  wmic.exe
  Token: SeSystemtimePrivilege           1148  wmic.exe
  Token: SeProfSingleProcessPrivilege    1148  wmic.exe
  Token: SeIncBasePriorityPrivilege      1148  wmic.exe
  Token: SeCreatePagefilePrivilege       1148  wmic.exe
  Token: SeBackupPrivilege               1148  wmic.exe
  Token: SeRestorePrivilege              1148  wmic.exe
  Token: SeShutdownPrivilege             1148  wmic.exe
  Token: SeDebugPrivilege                1148  wmic.exe
  Token: SeSystemEnvironmentPrivilege    1148  wmic.exe
  Token: SeRemoteShutdownPrivilege       1148  wmic.exe
  Token: SeUndockPrivilege               1148  wmic.exe
  Token: SeManageVolumePrivilege         1148  wmic.exe
  Token: 33                              1148  wmic.exe
  Token: 34                              1148  wmic.exe
  Token: 35                              1148  wmic.exe
  Token: 36                              1148  wmic.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes: immortal.bin.exe
  pid   process
  3400  immortal.bin.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: immortal.bin.exe, c4osbxx5.fdk.exe
  description                       pid   process           target process
  PID 3400 wrote to memory of 3852  3400  immortal.bin.exe  c4osbxx5.fdk.exe
  PID 3400 wrote to memory of 3852  3400  immortal.bin.exe  c4osbxx5.fdk.exe
  PID 3852 wrote to memory of 1148  3852  c4osbxx5.fdk.exe  wmic.exe
  PID 3852 wrote to memory of 1148  3852  c4osbxx5.fdk.exe  wmic.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\immortal.bin.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\immortal.bin.exe"
  - Checks computer location settings
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\c4osbxx5.fdk.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\c4osbxx5.fdk.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\wmic.exe (depth 3)
      Command line: "wmic.exe" csproduct get uuid
      - Suspicious use of AdjustPrivilegeToken
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3688 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\c4osbxx5.fdk.exe
  Filesize: 227KB
  MD5: 7f32dcbb00de079c31ff7895ae9c0560
  SHA1: e80841a355b8dce9955b9bbba63f02a4ad31a836
  SHA256: 5658f42d6332d99827d772a710d74e905f822d23e958c86f802973c2cffe850f
  SHA512: 776cabc7d2442d90655eec0f434c811146b7f569dbace3c8609a582c167af5990ec25d1d7a8eb111744cecbdcd43d37af7d623eb97eb414ad926371083f7aadc
- memory/3400-0-0x0000000000170000-0x00000000004DE000-memory.dmp
  Filesize: 3.4MB
- memory/3400-1-0x0000000074750000-0x0000000074F00000-memory.dmp
  Filesize: 7.7MB
- memory/3400-2-0x0000000000170000-0x00000000004DE000-memory.dmp
  Filesize: 3.4MB
- memory/3400-3-0x0000000006090000-0x00000000060A0000-memory.dmp
  Filesize: 64KB
- memory/3400-19-0x0000000000170000-0x00000000004DE000-memory.dmp
  Filesize: 3.4MB
- memory/3400-20-0x0000000074750000-0x0000000074F00000-memory.dmp
  Filesize: 7.7MB
- memory/3852-17-0x00000250FFF10000-0x00000250FFF50000-memory.dmp
  Filesize: 256KB
- memory/3852-21-0x00007FFE89DA0000-0x00007FFE8A861000-memory.dmp
  Filesize: 10.8MB
- memory/3852-22-0x000002509A4E0000-0x000002509A4F0000-memory.dmp
  Filesize: 64KB
- memory/3852-24-0x00007FFE89DA0000-0x00007FFE8A861000-memory.dmp
  Filesize: 10.8MB