Analysis

max time kernel: 146s
max time network: 150s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 27-04-2024 12:09

Behavioral task: behavioral1
Sample: Malinovka Install.exe
Resource: win7-20240221-en
General

Target: Malinovka Install.exe
Size: 319KB
MD5: f69924b642ac4b9ef1dfacdfd43759a9
SHA1: 95da50564c7cbc3749148419c68a08b0f2869ee1
SHA256: d9b248ce98a243a37d33096fc7b1cad784ee77f5920b0bd6618a6690ca426f18
SHA512: 2334511265c507d16b3a323c721a392659feb405a5d9fea588146c4ef320261166312c2fcf8f494c4aa342e0b5a9d5da20576ce2d6ae1e3215ee47dcc19f5e07
SSDEEP: 6144:48loZMCrIkd8g+EtXHkv/iD4DDUgoOJBiLHaIJtM34b8e1mmiW2brXv5P:7oZRL+EP8DDUgoOJBiLHaIJtMQIL/5P
Malware Config

Extracted: umbral
https://discord.com/api/webhooks/1233119648527159317/Az86qBZQwyED_alc1sGO6UWR18PzIJCJX0PM3XdL1VTOwZPXr0B4Rc6-GqAkKUjg4Jn2

Extracted: xworm
phentermine-partial.gl.at.ply.gg:36969
Install_directory: %AppData%
install_file: Client.exe
telegram: https://api.telegram.org/bot7080511499:AAGFFOA3S2vvwmEy85SIMhKHrMsAdBoLR2Y
Signatures

Detect Umbral payload (3 IoCs)
    resource  yara_rule
    behavioral1/files/0x000a0000000144e9-2.dat  family_umbral
    behavioral1/memory/2920-11-0x0000000000400000-0x0000000000457000-memory.dmp  family_umbral
    behavioral1/memory/2300-14-0x0000000000B10000-0x0000000000B50000-memory.dmp  family_umbral

Detect Xworm Payload (5 IoCs)
    resource  yara_rule
    behavioral1/files/0x0033000000014817-8.dat  family_xworm
    behavioral1/memory/2920-11-0x0000000000400000-0x0000000000457000-memory.dmp  family_xworm
    behavioral1/memory/2760-13-0x0000000000210000-0x000000000022A000-memory.dmp  family_xworm
    behavioral1/memory/1520-84-0x0000000000D20000-0x0000000000D3A000-memory.dmp  family_xworm
    behavioral1/memory/2632-87-0x0000000000F90000-0x0000000000FAA000-memory.dmp  family_xworm

Drops file in Drivers directory (1 IoC)
    description  ioc  Process
    File opened for modification  C:\Windows\System32\drivers\etc\hosts  Umbral3.exe

Drops startup file (2 IoCs)
    description  ioc  Process
    File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.lnk  XClient.exe
    File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.lnk  XClient.exe

Executes dropped EXE (4 IoCs)
    pid  Process
    2300  Umbral3.exe
    2760  XClient.exe
    1520  Client.exe
    2632  Client.exe

Loads dropped DLL (2 IoCs)
    pid  Process
    2920  Malinovka Install.exe
    2920  Malinovka Install.exe

Reads user/profile data of web browsers (2 TTPs)
    Infostealers often target stored browser data, which can include saved credentials etc.

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
    flow  ioc
    10  discord.com
    11  discord.com

Looks up external IP address via web service (1 IoC)
    Uses a legitimate IP lookup service to find the infected system's external IP.
    flow  ioc
    7  ip-api.com

Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
    Schtasks is often used by malware for persistence or to perform post-infection execution.
    pid  Process
    2860  schtasks.exe

Detects videocard installed (1 TTP, 1 IoC)
    Uses WMIC.exe to determine videocard installed.
    pid  Process
    2876  wmic.exe

Runs ping.exe (1 TTP, 1 IoC)
    pid  Process
    560  PING.EXE

Suspicious behavior: EnumeratesProcesses (10 IoCs)
    pid  Process
    2080  powershell.exe
    2972  powershell.exe
    1768  powershell.exe
    2768  powershell.exe
    1800  powershell.exe
    336  powershell.exe
    2336  powershell.exe
    2276  powershell.exe
    1880  powershell.exe
    2760  XClient.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
    description  pid  Process
    Token: SeDebugPrivilege  2760  XClient.exe
    Token: SeDebugPrivilege  2300  Umbral3.exe
    Token: SeDebugPrivilege  2080  powershell.exe
    Token: SeDebugPrivilege  2972  powershell.exe
    Token: SeDebugPrivilege  1768  powershell.exe
    Token: SeDebugPrivilege  2768  powershell.exe
    Token: SeIncreaseQuotaPrivilege  2688  wmic.exe
    Token: SeSecurityPrivilege  2688  wmic.exe
    Token: SeTakeOwnershipPrivilege  2688  wmic.exe
    Token: SeLoadDriverPrivilege  2688  wmic.exe
    Token: SeSystemProfilePrivilege  2688  wmic.exe
    Token: SeSystemtimePrivilege  2688  wmic.exe
    Token: SeProfSingleProcessPrivilege  2688  wmic.exe
    Token: SeIncBasePriorityPrivilege  2688  wmic.exe
    Token: SeCreatePagefilePrivilege  2688  wmic.exe
    Token: SeBackupPrivilege  2688  wmic.exe
    Token: SeRestorePrivilege  2688  wmic.exe
    Token: SeShutdownPrivilege  2688  wmic.exe
    Token: SeDebugPrivilege  2688  wmic.exe
    Token: SeSystemEnvironmentPrivilege  2688  wmic.exe
    Token: SeRemoteShutdownPrivilege  2688  wmic.exe
    Token: SeUndockPrivilege  2688  wmic.exe
    Token: SeManageVolumePrivilege  2688  wmic.exe
    Token: 33  2688  wmic.exe
    Token: 34  2688  wmic.exe
    Token: 35  2688  wmic.exe
    Token: SeIncreaseQuotaPrivilege  2688  wmic.exe
    Token: SeSecurityPrivilege  2688  wmic.exe
    Token: SeTakeOwnershipPrivilege  2688  wmic.exe
    Token: SeLoadDriverPrivilege  2688  wmic.exe
    Token: SeSystemProfilePrivilege  2688  wmic.exe
    Token: SeSystemtimePrivilege  2688  wmic.exe
    Token: SeProfSingleProcessPrivilege  2688  wmic.exe
    Token: SeIncBasePriorityPrivilege  2688  wmic.exe
    Token: SeCreatePagefilePrivilege  2688  wmic.exe
    Token: SeBackupPrivilege  2688  wmic.exe
    Token: SeRestorePrivilege  2688  wmic.exe
    Token: SeShutdownPrivilege  2688  wmic.exe
    Token: SeDebugPrivilege  2688  wmic.exe
    Token: SeSystemEnvironmentPrivilege  2688  wmic.exe
    Token: SeRemoteShutdownPrivilege  2688  wmic.exe
    Token: SeUndockPrivilege  2688  wmic.exe
    Token: SeManageVolumePrivilege  2688  wmic.exe
    Token: 33  2688  wmic.exe
    Token: 34  2688  wmic.exe
    Token: 35  2688  wmic.exe
    Token: SeIncreaseQuotaPrivilege  2412  wmic.exe
    Token: SeSecurityPrivilege  2412  wmic.exe
    Token: SeTakeOwnershipPrivilege  2412  wmic.exe
    Token: SeLoadDriverPrivilege  2412  wmic.exe
    Token: SeSystemProfilePrivilege  2412  wmic.exe
    Token: SeSystemtimePrivilege  2412  wmic.exe
    Token: SeProfSingleProcessPrivilege  2412  wmic.exe
    Token: SeIncBasePriorityPrivilege  2412  wmic.exe
    Token: SeCreatePagefilePrivilege  2412  wmic.exe
    Token: SeBackupPrivilege  2412  wmic.exe
    Token: SeRestorePrivilege  2412  wmic.exe
    Token: SeShutdownPrivilege  2412  wmic.exe
    Token: SeDebugPrivilege  2412  wmic.exe
    Token: SeSystemEnvironmentPrivilege  2412  wmic.exe
    Token: SeRemoteShutdownPrivilege  2412  wmic.exe
    Token: SeUndockPrivilege  2412  wmic.exe
    Token: SeManageVolumePrivilege  2412  wmic.exe
    Token: 33  2412  wmic.exe

Suspicious use of SetWindowsHookEx (1 IoC)
    pid  Process
    2760  XClient.exe

Suspicious use of WriteProcessMemory (64 IoCs)
    description  pid  Process  procid_target
    PID 2920 wrote to memory of 2300  2920  Malinovka Install.exe  28
    PID 2920 wrote to memory of 2300  2920  Malinovka Install.exe  28
    PID 2920 wrote to memory of 2300  2920  Malinovka Install.exe  28
    PID 2920 wrote to memory of 2300  2920  Malinovka Install.exe  28
    PID 2920 wrote to memory of 2760  2920  Malinovka Install.exe  29
    PID 2920 wrote to memory of 2760  2920  Malinovka Install.exe  29
    PID 2920 wrote to memory of 2760  2920  Malinovka Install.exe  29
    PID 2920 wrote to memory of 2760  2920  Malinovka Install.exe  29
    PID 2300 wrote to memory of 2756  2300  Umbral3.exe  30
    PID 2300 wrote to memory of 2756  2300  Umbral3.exe  30
    PID 2300 wrote to memory of 2756  2300  Umbral3.exe  30
    PID 2300 wrote to memory of 2080  2300  Umbral3.exe  32
    PID 2300 wrote to memory of 2080  2300  Umbral3.exe  32
    PID 2300 wrote to memory of 2080  2300  Umbral3.exe  32
    PID 2300 wrote to memory of 2972  2300  Umbral3.exe  35
    PID 2300 wrote to memory of 2972  2300  Umbral3.exe  35
    PID 2300 wrote to memory of 2972  2300  Umbral3.exe  35
    PID 2300 wrote to memory of 1768  2300  Umbral3.exe  37
    PID 2300 wrote to memory of 1768  2300  Umbral3.exe  37
    PID 2300 wrote to memory of 1768  2300  Umbral3.exe  37
    PID 2300 wrote to memory of 2768  2300  Umbral3.exe  39
    PID 2300 wrote to memory of 2768  2300  Umbral3.exe  39
    PID 2300 wrote to memory of 2768  2300  Umbral3.exe  39
    PID 2300 wrote to memory of 2688  2300  Umbral3.exe  41
    PID 2300 wrote to memory of 2688  2300  Umbral3.exe  41
    PID 2300 wrote to memory of 2688  2300  Umbral3.exe  41
    PID 2300 wrote to memory of 2412  2300  Umbral3.exe  43
    PID 2300 wrote to memory of 2412  2300  Umbral3.exe  43
    PID 2300 wrote to memory of 2412  2300  Umbral3.exe  43
    PID 2300 wrote to memory of 1068  2300  Umbral3.exe  45
    PID 2300 wrote to memory of 1068  2300  Umbral3.exe  45
    PID 2300 wrote to memory of 1068  2300  Umbral3.exe  45
    PID 2300 wrote to memory of 1800  2300  Umbral3.exe  47
    PID 2300 wrote to memory of 1800  2300  Umbral3.exe  47
    PID 2300 wrote to memory of 1800  2300  Umbral3.exe  47
    PID 2300 wrote to memory of 2876  2300  Umbral3.exe  49
    PID 2300 wrote to memory of 2876  2300  Umbral3.exe  49
    PID 2300 wrote to memory of 2876  2300  Umbral3.exe  49
    PID 2760 wrote to memory of 336  2760  XClient.exe  51
    PID 2760 wrote to memory of 336  2760  XClient.exe  51
    PID 2760 wrote to memory of 336  2760  XClient.exe  51
    PID 2300 wrote to memory of 1116  2300  Umbral3.exe  53
    PID 2300 wrote to memory of 1116  2300  Umbral3.exe  53
    PID 2300 wrote to memory of 1116  2300  Umbral3.exe  53
    PID 1116 wrote to memory of 560  1116  cmd.exe  55
    PID 1116 wrote to memory of 560  1116  cmd.exe  55
    PID 1116 wrote to memory of 560  1116  cmd.exe  55
    PID 2760 wrote to memory of 2336  2760  XClient.exe  56
    PID 2760 wrote to memory of 2336  2760  XClient.exe  56
    PID 2760 wrote to memory of 2336  2760  XClient.exe  56
    PID 2760 wrote to memory of 2276  2760  XClient.exe  58
    PID 2760 wrote to memory of 2276  2760  XClient.exe  58
    PID 2760 wrote to memory of 2276  2760  XClient.exe  58
    PID 2760 wrote to memory of 1880  2760  XClient.exe  60
    PID 2760 wrote to memory of 1880  2760  XClient.exe  60
    PID 2760 wrote to memory of 1880  2760  XClient.exe  60
    PID 2760 wrote to memory of 2860  2760  XClient.exe  62
    PID 2760 wrote to memory of 2860  2760  XClient.exe  62
    PID 2760 wrote to memory of 2860  2760  XClient.exe  62
    PID 1976 wrote to memory of 1520  1976  taskeng.exe  65
    PID 1976 wrote to memory of 1520  1976  taskeng.exe  65
    PID 1976 wrote to memory of 1520  1976  taskeng.exe  65
    PID 1976 wrote to memory of 2632  1976  taskeng.exe  68
    PID 1976 wrote to memory of 2632  1976  taskeng.exe  68

Uses Task Scheduler COM API (1 TTP)
    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Views/modifies file attributes (1 TTP, 1 IoC)
    pid  Process
    2756  attrib.exe
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\Malinovka Install.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Malinovka Install.exe"
    PID: 2920
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    [depth 2] C:\Users\Admin\AppData\Local\Temp\Umbral3.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\Umbral3.exe"
        PID: 2300
        - Drops file in Drivers directory
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [depth 3] C:\Windows\system32\attrib.exe
            Command line: "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral3.exe"
            PID: 2756
            - Views/modifies file attributes

        [depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral3.exe'
            PID: 2080
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

        [depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
            PID: 2972
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

        [depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
            PID: 1768
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

        [depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
            PID: 2768
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

        [depth 3] C:\Windows\System32\Wbem\wmic.exe
            Command line: "wmic.exe" os get Caption
            PID: 2688
            - Suspicious use of AdjustPrivilegeToken

        [depth 3] C:\Windows\System32\Wbem\wmic.exe
            Command line: "wmic.exe" computersystem get totalphysicalmemory
            PID: 2412
            - Suspicious use of AdjustPrivilegeToken

        [depth 3] C:\Windows\System32\Wbem\wmic.exe
            Command line: "wmic.exe" csproduct get uuid
            PID: 1068

        [depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
            PID: 1800
            - Suspicious behavior: EnumeratesProcesses

        [depth 3] C:\Windows\System32\Wbem\wmic.exe
            Command line: "wmic" path win32_VideoController get name
            PID: 2876
            - Detects videocard installed

        [depth 3] C:\Windows\system32\cmd.exe
            Command line: "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral3.exe" && pause
            PID: 1116
            - Suspicious use of WriteProcessMemory

            [depth 4] C:\Windows\system32\PING.EXE
                Command line: ping localhost
                PID: 560
                - Runs ping.exe

    [depth 2] C:\Users\Admin\AppData\Local\Temp\XClient.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        PID: 2760
        - Drops startup file
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        [depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
            PID: 336
            - Suspicious behavior: EnumeratesProcesses

        [depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
            PID: 2336
            - Suspicious behavior: EnumeratesProcesses

        [depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Client.exe'
            PID: 2276
            - Suspicious behavior: EnumeratesProcesses

        [depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Client.exe'
            PID: 1880
            - Suspicious behavior: EnumeratesProcesses

        [depth 3] C:\Windows\System32\schtasks.exe
            Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Client" /tr "C:\Users\Admin\AppData\Roaming\Client.exe"
            PID: 2860
            - Creates scheduled task(s)

[depth 1] C:\Windows\system32\taskeng.exe
    Command line: taskeng.exe {16A5A0CF-D02F-4D23-9C5A-2C8E1182CB1A} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]
    PID: 1976
    - Suspicious use of WriteProcessMemory

    [depth 2] C:\Users\Admin\AppData\Roaming\Client.exe
        Command line: C:\Users\Admin\AppData\Roaming\Client.exe
        PID: 1520
        - Executes dropped EXE

    [depth 2] C:\Users\Admin\AppData\Roaming\Client.exe
        Command line: C:\Users\Admin\AppData\Roaming\Client.exe
        PID: 2632
        - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: 2ac40f71bb116c3f32983f5d224e1c94
SHA1: bf262915d35729dfbfbb6f00b70f69311cd87f49
SHA256: 1f1c554eb0c90a727e88ddaa5e4e88213ff4443503a30165bf1ffd022565c3e7
SHA512: df6e9fcc8cbd480744540db4d9d63234b325b1357f2b3c8ebc1d1cdbe5d259433808bd28b94b3f1b15447e5ad967eff322b92be4780dadc8a74a0de14a034e3f

Filesize: 229KB
MD5: 7a902c87a60986f18a6b097712299256
SHA1: 2c01906a39faa9d27a41e0d3cd84e92410b9c483
SHA256: e4e4f9045dc3683a2a69b9c7625f2ff46ed241ff64b47660a039dbc9d34cb0d5
SHA512: c8b75b3f0a77d1f84167af3c431e186802ccd5271fc4a361142e0209541de37f5d584d487bf5ea4b4d921e6e3846267fdea9f65cbd71001331bfea08de5425b6

Filesize: 80KB
MD5: 3fc932775533f1bcea180de679a902dd
SHA1: 3f393d02af4653e34bf5526ec5b6f8d6e4df65e8
SHA256: 09a15daeebc228706f36a7659284ef673ea72e7a71700a2f73f4f1409486dd6a
SHA512: f59d35a6fe5517a5b9a1ec9a07899eef9f48745710196f1824cc79823994d6fba7975da457ee06ec6215f56860680dc0c07412268c2b1c725c4c66611a75a764