Analysis
max time kernel: 76s
max time network: 52s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-06-2024 01:54
Behavioral task: behavioral1
Sample: UNBANNED-GG-PERM-10-18-23/loader.exe
Resource: win10v2004-20240226-en

General
Target: UNBANNED-GG-PERM-10-18-23/loader.exe
Size: 365KB
MD5: cbd720ad4f7be1c099ec22f56ee61dd6
SHA1: 9989030c7ea1756e1834c464688d418e773919fc
SHA256: 20be105c4a33ebf77ef4db7e8b6ebbb39b156fe1dd16473a7255903f33b76846
SHA512: 2ad87fdf5046be22eec58fe71326ab0bcc2a2ca019e1b5519ec1ecbdfbb83731a254c7f400ca48cacb9917da6c85d41a913aa0f8f5b21408a3f2d1e8895e9740
SSDEEP: 6144:UsLqdufVUNDa4loZM3fsXtioRkts/cnnK6cMlibJksyVtGXTOMdRYspb8e1m+Fii:PFUNDamoZ1tlRk83MlibJksyVtGXTOMX
Malware Config
Extracted (umbral):
https://discordapp.com/api/webhooks/1246463015998586960/d4v_qESsKe8s7VticwxHvyytkOUO321t7x3oNxoyCNYQuwczEVfPUDFWHLnPpAM4tNJ_
Signatures

Detect Umbral payload (2 IoCs)
resource / yara_rule:
- behavioral1/files/0x000700000002325b-8.dat (family_umbral)
- behavioral1/memory/4040-10-0x0000022619760000-0x00000226197A0000-memory.dmp (family_umbral)
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description / ioc / Process:
- Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (explorer.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (svchost.exe)
Executes dropped EXE (6 IoCs)
pid / Process:
- 4040 loader.exe
- 2088 icsys.icn.exe
- 4256 explorer.exe
- 1252 spoolsv.exe
- 612 svchost.exe
- 452 spoolsv.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description / ioc / Process:
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" (explorer.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" (svchost.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" (svchost.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" (explorer.exe)
Drops file in System32 directory (2 IoCs)
description / ioc / Process:
- File opened for modification C:\Windows\SysWOW64\explorer.exe (explorer.exe)
- File opened for modification C:\Windows\SysWOW64\explorer.exe (svchost.exe)
Drops file in Windows directory (4 IoCs)
description / ioc / Process:
- File opened for modification C:\Windows\Resources\Themes\icsys.icn.exe (loader.exe)
- File opened for modification \??\c:\windows\resources\themes\explorer.exe (icsys.icn.exe)
- File opened for modification \??\c:\windows\resources\spoolsv.exe (explorer.exe)
- File opened for modification \??\c:\windows\resources\svchost.exe (spoolsv.exe)
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description / ioc / Process:
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 (taskmgr.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (taskmgr.exe)
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName (taskmgr.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid / Process (identical entries repeated):
- 2320 loader.exe
- 2088 icsys.icn.exe
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid / Process:
- 4256 explorer.exe
- 612 svchost.exe
Suspicious use of AdjustPrivilegeToken (46 IoCs)
description / pid / Process:
- 4040 loader.exe: Token: SeDebugPrivilege
- 1712 wmic.exe (the following sequence is recorded twice): Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- 316 taskmgr.exe: Token: SeDebugPrivilege, SeSystemProfilePrivilege, SeCreateGlobalPrivilege
Suspicious use of FindShellTrayWindow (59 IoCs)
pid / Process:
- 316 taskmgr.exe (59 identical entries)
Suspicious use of SendNotifyMessage (59 IoCs)
pid / Process:
- 316 taskmgr.exe (59 identical entries)
Suspicious use of SetWindowsHookEx (10 IoCs)
pid / Process (each recorded twice):
- 2320 loader.exe
- 2088 icsys.icn.exe
- 4256 explorer.exe
- 1252 spoolsv.exe
- 612 svchost.exe
Suspicious use of WriteProcessMemory (19 IoCs)
description / pid / Process / procid_target:
- PID 2320 wrote to memory of 4040 (2320 loader.exe, target 94), recorded twice
- PID 4040 wrote to memory of 1712 (4040 loader.exe, target 97), recorded twice
- PID 2320 wrote to memory of 2088 (2320 loader.exe, target 101), recorded three times
- PID 2088 wrote to memory of 4256 (2088 icsys.icn.exe, target 102), recorded three times
- PID 4256 wrote to memory of 1252 (4256 explorer.exe, target 103), recorded three times
- PID 1252 wrote to memory of 612 (1252 spoolsv.exe, target 104), recorded three times
- PID 612 wrote to memory of 452 (612 svchost.exe, target 105), recorded three times
Processes
- C:\Users\Admin\AppData\Local\Temp\UNBANNED-GG-PERM-10-18-23\loader.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\UNBANNED-GG-PERM-10-18-23\loader.exe"
  PID: 2320
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - \??\c:\users\admin\appdata\local\temp\unbanned-gg-perm-10-18-23\loader.exe
    Command line: c:\users\admin\appdata\local\temp\unbanned-gg-perm-10-18-23\loader.exe
    PID: 4040
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\wmic.exe
      Command line: "wmic.exe" csproduct get uuid
      PID: 1712
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\Resources\Themes\icsys.icn.exe
    Command line: C:\Windows\Resources\Themes\icsys.icn.exe
    PID: 2088
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - \??\c:\windows\resources\themes\explorer.exe
      Command line: c:\windows\resources\themes\explorer.exe
      PID: 4256
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - \??\c:\windows\resources\spoolsv.exe
        Command line: c:\windows\resources\spoolsv.exe SE
        PID: 1252
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - \??\c:\windows\resources\svchost.exe
          Command line: c:\windows\resources\svchost.exe
          PID: 612
          - Modifies visibility of hidden/system files in Explorer
          - Executes dropped EXE
          - Adds Run key to start application
          - Drops file in System32 directory
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          - \??\c:\windows\resources\spoolsv.exe
            Command line: c:\windows\resources\spoolsv.exe PR
            PID: 452
            - Executes dropped EXE
- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /7
  PID: 316
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1340 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
  PID: 3812
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Defense Evasion
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Modify Registry (2)
Downloads
- Filesize: 135KB
  MD5: 564179149fffb757d47df20f39bf841e
  SHA1: 455dbd93e7a5f8bb8e3a7b15d22aa0cf9c8b1bdb
  SHA256: 0d1624f286111c651fc10785fa0a16fbe807e411948b6e8731ad89573434282f
  SHA512: 104e7b9f4750d992d86b947b9ca6d22d921cacc842b295c79153aa71cfba3b40f1c738ecedb36c2cdcfd93af96bf7dc5de1d9d2b62ba1b3ec540a4a306e9fd25
- Filesize: 135KB
  MD5: b6c6d532091f6de047c1a68a4b69bf10
  SHA1: 01439b14f2158014ef0255092f4c11a136483889
  SHA256: 39931e1f612c4cc3ddef588ce4a1d1c1543e85cf16959eb738ed39eb0b2b1a11
  SHA512: b652116e7a2ebe98cb8e43d024542fdb5c8daccf85dde4c00738eedd55d7a1195155ed4b4ea26fd8e91ce1bbef54c9cd224cd4606b2028168e82c0c2de45798d
- Filesize: 135KB
  MD5: f036e37d72127c78d5392d57a5c08ba8
  SHA1: e7161eb0868b12b9201f33edfeb9e970ea1ae2e1
  SHA256: d058d6585d0db0748d23bea1a2b86ef2261ef42734b8e88e90e0711fc500dbe9
  SHA512: eb5ee17a586e63c45c91a417a31fca49db3c626e68889657580f169f5ff5274c174d42f4a48fb018209234ecfd32ae8f3ae584d07b4c0964784d06fc7b62bd43
- Filesize: 135KB
  MD5: 3679a36450cd4187debd64c86d8204ce
  SHA1: 92e269e802fcde3780881d7884386d359163f95c
  SHA256: c1da5c34627b46d31d5a56d2fede8773ab085eb8cdc6572c9d17c251576435f3
  SHA512: c9ee9f229cb32c88b109764f075f19eeff9a7aecd8d5a2dd765eb5176a257982c55023de0f37ddc72aee0c92089a191e061d571a3b3301280665e16001c32813
- Filesize: 230KB
  MD5: d23ca81d16873706f5e26fbac64eaee9
  SHA1: c49585cbcc6e5286fba1c7a3fe582ea0e38ed5ee
  SHA256: 007ae5e7086ce92765cb6f3877663b04146f14deba2edb9582d90d4451b443d7
  SHA512: 4a7d4be3f7a1e27e9c925b57a5e53754f8f39ebabf479e041f620ef5271a7154fe57a407ff59f859f02f149bb60925e2f4e2c9c49f415fd42e780c7ea23922d4