Analysis
  Max time kernel: 120s
  Max time network: 125s
  Platform: windows7_x64
  Resource: win7-20240221-en
  Resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  Submitted: 05-06-2024 16:12

Static task: static1
Behavioral task: behavioral1
  Sample: FIXER-2.3.exe
  Resource: win7-20240221-en
General
  Target: FIXER-2.3.exe
  Size: 678KB
  MD5: c4a81b5b47dab29d88805f75c95035a0
  SHA1: 092fcb36a736198e19530c96991d9bcb0354fa75
  SHA256: 1ce288b4eace5690b66c6681e77f4f75d1c5fda07eab5a410ffe38271d515909
  SHA512: eb98f91df470f6f52ad8db2d44da3a090b63d4067e371ca8df1b5e54e7623123d6ba7df779b27cf6298d7778b415e9569f29c62ef6276f8d666134ff4aa7006e
  SSDEEP: 6144:u4zMHU2N3RSUDqnopqonzuv4NIAyxuQiOfFs3OJ18xNz+KgbqUypit:u44RuS78onzuv4NIAAuQkOzu
Malware Config
  Extracted family: umbral
  Webhook URL: https://discordapp.com/api/webhooks/1247657758921330688/6inL47rtBda5FWXQ9j3KkuojoQUQIHytZMOftRLQPHv1vmGRuP44zUd_P2lo-8gb3cBC
Signatures

Detect Umbral payload (2 IoCs)
  resource                                                                    yara_rule
  behavioral1/memory/668-16-0x0000000000D90000-0x0000000000DD0000-memory.dmp  family_umbral
  behavioral1/files/0x000d0000000122b8-6.dat                                  family_umbral

Executes dropped EXE (1 IoC)
  pid   Process
  668   Umbral.exe

Loads dropped DLL (1 IoC)
  pid    Process
  2180   FIXER-2.3.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (41 IoCs)
  description                            pid    Process
  Token: SeDebugPrivilege                668    Umbral.exe
  Token: SeIncreaseQuotaPrivilege        2864   wmic.exe
  Token: SeSecurityPrivilege             2864   wmic.exe
  Token: SeTakeOwnershipPrivilege        2864   wmic.exe
  Token: SeLoadDriverPrivilege           2864   wmic.exe
  Token: SeSystemProfilePrivilege        2864   wmic.exe
  Token: SeSystemtimePrivilege           2864   wmic.exe
  Token: SeProfSingleProcessPrivilege    2864   wmic.exe
  Token: SeIncBasePriorityPrivilege      2864   wmic.exe
  Token: SeCreatePagefilePrivilege       2864   wmic.exe
  Token: SeBackupPrivilege               2864   wmic.exe
  Token: SeRestorePrivilege              2864   wmic.exe
  Token: SeShutdownPrivilege             2864   wmic.exe
  Token: SeDebugPrivilege                2864   wmic.exe
  Token: SeSystemEnvironmentPrivilege    2864   wmic.exe
  Token: SeRemoteShutdownPrivilege       2864   wmic.exe
  Token: SeUndockPrivilege               2864   wmic.exe
  Token: SeManageVolumePrivilege         2864   wmic.exe
  Token: 33                              2864   wmic.exe
  Token: 34                              2864   wmic.exe
  Token: 35                              2864   wmic.exe
  Token: SeIncreaseQuotaPrivilege        2864   wmic.exe
  Token: SeSecurityPrivilege             2864   wmic.exe
  Token: SeTakeOwnershipPrivilege        2864   wmic.exe
  Token: SeLoadDriverPrivilege           2864   wmic.exe
  Token: SeSystemProfilePrivilege        2864   wmic.exe
  Token: SeSystemtimePrivilege           2864   wmic.exe
  Token: SeProfSingleProcessPrivilege    2864   wmic.exe
  Token: SeIncBasePriorityPrivilege      2864   wmic.exe
  Token: SeCreatePagefilePrivilege       2864   wmic.exe
  Token: SeBackupPrivilege               2864   wmic.exe
  Token: SeRestorePrivilege              2864   wmic.exe
  Token: SeShutdownPrivilege             2864   wmic.exe
  Token: SeDebugPrivilege                2864   wmic.exe
  Token: SeSystemEnvironmentPrivilege    2864   wmic.exe
  Token: SeRemoteShutdownPrivilege       2864   wmic.exe
  Token: SeUndockPrivilege               2864   wmic.exe
  Token: SeManageVolumePrivilege         2864   wmic.exe
  Token: 33                              2864   wmic.exe
  Token: 34                              2864   wmic.exe
  Token: 35                              2864   wmic.exe

Suspicious use of WriteProcessMemory (11 IoCs)
  description                        pid    Process         procid_target
  PID 2180 wrote to memory of 668    2180   FIXER-2.3.exe   28
  PID 2180 wrote to memory of 668    2180   FIXER-2.3.exe   28
  PID 2180 wrote to memory of 668    2180   FIXER-2.3.exe   28
  PID 2180 wrote to memory of 668    2180   FIXER-2.3.exe   28
  PID 2180 wrote to memory of 2736   2180   FIXER-2.3.exe   29
  PID 2180 wrote to memory of 2736   2180   FIXER-2.3.exe   29
  PID 2180 wrote to memory of 2736   2180   FIXER-2.3.exe   29
  PID 2180 wrote to memory of 2736   2180   FIXER-2.3.exe   29
  PID 668 wrote to memory of 2864    668    Umbral.exe      31
  PID 668 wrote to memory of 2864    668    Umbral.exe      31
  PID 668 wrote to memory of 2864    668    Umbral.exe      31
Processes

  [1] C:\Users\Admin\AppData\Local\Temp\FIXER-2.3.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\FIXER-2.3.exe"
      PID: 2180
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      [2] C:\Users\Admin\AppData\Local\Temp\Umbral.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
          PID: 668
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

          [3] C:\Windows\System32\Wbem\wmic.exe
              Command line: "wmic.exe" csproduct get uuid
              PID: 2864
              - Suspicious use of AdjustPrivilegeToken

      [2] C:\Windows\SysWOW64\cmd.exe
          Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\bum.bat" "
          PID: 2736
Network
MITRE ATT&CK Enterprise v15
Downloads

  Filesize: 231KB
  MD5: 4726eb272b00df9ffd0274d16aa7c8ae
  SHA1: a3c98c19fd956d61f32e0fe214f855e4ac810904
  SHA256: 7b5df9094a3d6133b309f01585bb2391b4e5e4c7d91737e25399e73053b219ad
  SHA512: bd8acb0ab507ac015cb213ec5baed52f60b7144c25e5b32828e8406a7a7264a708708a6149e09e80d83664eadda7381a440305e607c6511e101b51da2f2a110b

  Filesize: 442KB
  MD5: 12e75cc92bd7f9350f40745437a75e0f
  SHA1: 4deead6e14afc6df1afd88e91fd7caa1acf37294
  SHA256: 0f8ebc8ff32f92408a8d383cceb1e1bc2dc0f0dfe1cffbfe808d82303c98f759
  SHA512: c43fdde607adaea7f2d8949dac5db7143553f8ef498f2801180c7cdcd31353dcd80af42ce65677305432bf8e5a59bf0f728b9cb4a69a14bca0e529342f03070d