Analysis Overview
SHA256
ce8f179e7e29d4f28f1c5039808e82c198264183166069d8ad567f63275c74a8
Threat Level: Known bad
The file immortal.bin.exe was found to be: Known bad.
Malicious Activity Summary
Detect Umbral payload
Umbral
Downloads MZ/PE file
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Suspicious use of NtSetInformationThreadHideFromDebugger
Unsigned PE
Program crash
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-27 22:30
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-27 22:30
Reported
2024-04-27 22:36
Platform
win7-20240220-en
Max time kernel
290s
Max time network
121s
Command Line
Signatures
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\immortal.bin.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\immortal.bin.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\immortal.bin.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\immortal.bin.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2276 wrote to memory of 3064 | N/A | C:\Users\Admin\AppData\Local\Temp\immortal.bin.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2276 wrote to memory of 3064 | N/A | C:\Users\Admin\AppData\Local\Temp\immortal.bin.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2276 wrote to memory of 3064 | N/A | C:\Users\Admin\AppData\Local\Temp\immortal.bin.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2276 wrote to memory of 3064 | N/A | C:\Users\Admin\AppData\Local\Temp\immortal.bin.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\immortal.bin.exe
"C:\Users\Admin\AppData\Local\Temp\immortal.bin.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 1160
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
Files
memory/2276-0-0x0000000000BB0000-0x0000000000F1E000-memory.dmp
memory/2276-3-0x0000000000BB0000-0x0000000000F1E000-memory.dmp
memory/2276-2-0x0000000073EA0000-0x000000007458E000-memory.dmp
memory/2276-1-0x0000000000BB0000-0x0000000000F1E000-memory.dmp
memory/2276-4-0x00000000051D0000-0x0000000005210000-memory.dmp
memory/2276-7-0x0000000073EA0000-0x000000007458E000-memory.dmp
memory/2276-8-0x00000000051D0000-0x0000000005210000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-27 22:30
Reported
2024-04-27 22:36
Platform
win10-20240404-en
Max time kernel
195s
Max time network
298s
Command Line
Signatures
Detect Umbral payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Umbral
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dykelpby.cpq.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\immortal.bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\immortal.bin.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\immortal.bin.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\dykelpby.cpq.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\immortal.bin.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4296 wrote to memory of 3452 | N/A | C:\Users\Admin\AppData\Local\Temp\immortal.bin.exe | C:\Users\Admin\AppData\Local\Temp\dykelpby.cpq.exe |
| PID 4296 wrote to memory of 3452 | N/A | C:\Users\Admin\AppData\Local\Temp\immortal.bin.exe | C:\Users\Admin\AppData\Local\Temp\dykelpby.cpq.exe |
| PID 3452 wrote to memory of 3068 | N/A | C:\Users\Admin\AppData\Local\Temp\dykelpby.cpq.exe | C:\Windows\System32\Wbem\wmic.exe |
| PID 3452 wrote to memory of 3068 | N/A | C:\Users\Admin\AppData\Local\Temp\dykelpby.cpq.exe | C:\Windows\System32\Wbem\wmic.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\immortal.bin.exe
"C:\Users\Admin\AppData\Local\Temp\immortal.bin.exe"
C:\Users\Admin\AppData\Local\Temp\dykelpby.cpq.exe
"C:\Users\Admin\AppData\Local\Temp\dykelpby.cpq.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| GB | 216.58.201.99:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | 99.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.179.89.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.190.18.2.in-addr.arpa | udp |
Files
memory/4296-0-0x00000000000B0000-0x000000000041E000-memory.dmp
memory/4296-1-0x00000000000B0000-0x000000000041E000-memory.dmp
memory/4296-2-0x0000000073450000-0x0000000073B3E000-memory.dmp
memory/4296-3-0x00000000055A0000-0x00000000055B0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\dykelpby.cpq.exe
| MD5 | 7f32dcbb00de079c31ff7895ae9c0560 |
| SHA1 | e80841a355b8dce9955b9bbba63f02a4ad31a836 |
| SHA256 | 5658f42d6332d99827d772a710d74e905f822d23e958c86f802973c2cffe850f |
| SHA512 | 776cabc7d2442d90655eec0f434c811146b7f569dbace3c8609a582c167af5990ec25d1d7a8eb111744cecbdcd43d37af7d623eb97eb414ad926371083f7aadc |
memory/4296-12-0x00000000000B0000-0x000000000041E000-memory.dmp
memory/3452-11-0x0000016D96F80000-0x0000016D96FC0000-memory.dmp
memory/4296-13-0x0000000073450000-0x0000000073B3E000-memory.dmp
memory/3452-15-0x0000016DB1620000-0x0000016DB1630000-memory.dmp
memory/3452-14-0x00007FFD6FBC0000-0x00007FFD705AC000-memory.dmp
memory/3452-17-0x00007FFD6FBC0000-0x00007FFD705AC000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-04-27 22:30
Reported
2024-04-27 22:36
Platform
win10v2004-20240419-en
Max time kernel
55s
Max time network
50s
Command Line
Signatures
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\immortal.bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\immortal.bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\immortal.bin.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\immortal.bin.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\immortal.bin.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\immortal.bin.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\immortal.bin.exe
"C:\Users\Admin\AppData\Local\Temp\immortal.bin.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 2816 -ip 2816
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 1540
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
Files
memory/2816-0-0x0000000000FB0000-0x000000000131E000-memory.dmp
memory/2816-1-0x0000000000FB0000-0x000000000131E000-memory.dmp
memory/2816-2-0x00000000748A0000-0x0000000075050000-memory.dmp
memory/2816-3-0x00000000062C0000-0x00000000062D0000-memory.dmp
memory/2816-6-0x0000000000FB0000-0x000000000131E000-memory.dmp
memory/2816-7-0x00000000748A0000-0x0000000075050000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-04-27 22:30
Reported
2024-04-27 22:36
Platform
win11-20240419-en
Max time kernel
251s
Max time network
261s
Command Line
Signatures
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\immortal.bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\immortal.bin.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\immortal.bin.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\immortal.bin.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\immortal.bin.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\immortal.bin.exe
"C:\Users\Admin\AppData\Local\Temp\immortal.bin.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 3876 -ip 3876
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 1572
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
memory/3876-0-0x0000000000950000-0x0000000000CBE000-memory.dmp
memory/3876-1-0x0000000000950000-0x0000000000CBE000-memory.dmp
memory/3876-2-0x00000000745B0000-0x0000000074D61000-memory.dmp
memory/3876-3-0x0000000005D80000-0x0000000005D90000-memory.dmp
memory/3876-6-0x0000000000950000-0x0000000000CBE000-memory.dmp
memory/3876-7-0x00000000745B0000-0x0000000074D61000-memory.dmp