Analysis
- max time kernel: 133s
- max time network: 134s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 05-06-2024 16:18
- Static task: static1
- Behavioral task: behavioral1
  - Sample: FIXER-2.3.exe
  - Resource: win10-20240404-en
General
- Target: FIXER-2.3.exe
- Size: 678KB
- MD5: c4a81b5b47dab29d88805f75c95035a0
- SHA1: 092fcb36a736198e19530c96991d9bcb0354fa75
- SHA256: 1ce288b4eace5690b66c6681e77f4f75d1c5fda07eab5a410ffe38271d515909
- SHA512: eb98f91df470f6f52ad8db2d44da3a090b63d4067e371ca8df1b5e54e7623123d6ba7df779b27cf6298d7778b415e9569f29c62ef6276f8d666134ff4aa7006e
- SSDEEP: 6144:u4zMHU2N3RSUDqnopqonzuv4NIAyxuQiOfFs3OJ18xNz+KgbqUypit:u44RuS78onzuv4NIAAuQkOzu
Malware Config
- Extracted
  - Family: umbral
  - https://discordapp.com/api/webhooks/1247657758921330688/6inL47rtBda5FWXQ9j3KkuojoQUQIHytZMOftRLQPHv1vmGRuP44zUd_P2lo-8gb3cBC
Signatures
- Detect Umbral payload (2 IoCs)
  resource | yara_rule
  behavioral1/files/0x000900000001ab4c-5.dat | family_umbral
  behavioral1/memory/3040-8-0x000001D7EBBC0000-0x000001D7EBC00000-memory.dmp | family_umbral
- Executes dropped EXE (1 IoCs)
  pid | Process
  3040 | Umbral.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (43 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 3040 | Umbral.exe
  Token: SeIncreaseQuotaPrivilege | 2228 | wmic.exe
  Token: SeSecurityPrivilege | 2228 | wmic.exe
  Token: SeTakeOwnershipPrivilege | 2228 | wmic.exe
  Token: SeLoadDriverPrivilege | 2228 | wmic.exe
  Token: SeSystemProfilePrivilege | 2228 | wmic.exe
  Token: SeSystemtimePrivilege | 2228 | wmic.exe
  Token: SeProfSingleProcessPrivilege | 2228 | wmic.exe
  Token: SeIncBasePriorityPrivilege | 2228 | wmic.exe
  Token: SeCreatePagefilePrivilege | 2228 | wmic.exe
  Token: SeBackupPrivilege | 2228 | wmic.exe
  Token: SeRestorePrivilege | 2228 | wmic.exe
  Token: SeShutdownPrivilege | 2228 | wmic.exe
  Token: SeDebugPrivilege | 2228 | wmic.exe
  Token: SeSystemEnvironmentPrivilege | 2228 | wmic.exe
  Token: SeRemoteShutdownPrivilege | 2228 | wmic.exe
  Token: SeUndockPrivilege | 2228 | wmic.exe
  Token: SeManageVolumePrivilege | 2228 | wmic.exe
  Token: 33 | 2228 | wmic.exe
  Token: 34 | 2228 | wmic.exe
  Token: 35 | 2228 | wmic.exe
  Token: 36 | 2228 | wmic.exe
  Token: SeIncreaseQuotaPrivilege | 2228 | wmic.exe
  Token: SeSecurityPrivilege | 2228 | wmic.exe
  Token: SeTakeOwnershipPrivilege | 2228 | wmic.exe
  Token: SeLoadDriverPrivilege | 2228 | wmic.exe
  Token: SeSystemProfilePrivilege | 2228 | wmic.exe
  Token: SeSystemtimePrivilege | 2228 | wmic.exe
  Token: SeProfSingleProcessPrivilege | 2228 | wmic.exe
  Token: SeIncBasePriorityPrivilege | 2228 | wmic.exe
  Token: SeCreatePagefilePrivilege | 2228 | wmic.exe
  Token: SeBackupPrivilege | 2228 | wmic.exe
  Token: SeRestorePrivilege | 2228 | wmic.exe
  Token: SeShutdownPrivilege | 2228 | wmic.exe
  Token: SeDebugPrivilege | 2228 | wmic.exe
  Token: SeSystemEnvironmentPrivilege | 2228 | wmic.exe
  Token: SeRemoteShutdownPrivilege | 2228 | wmic.exe
  Token: SeUndockPrivilege | 2228 | wmic.exe
  Token: SeManageVolumePrivilege | 2228 | wmic.exe
  Token: 33 | 2228 | wmic.exe
  Token: 34 | 2228 | wmic.exe
  Token: 35 | 2228 | wmic.exe
  Token: 36 | 2228 | wmic.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | Process | procid_target
  PID 516 wrote to memory of 3040 | 516 | FIXER-2.3.exe | 73
  PID 516 wrote to memory of 3040 | 516 | FIXER-2.3.exe | 73
  PID 516 wrote to memory of 2132 | 516 | FIXER-2.3.exe | 74
  PID 516 wrote to memory of 2132 | 516 | FIXER-2.3.exe | 74
  PID 516 wrote to memory of 2132 | 516 | FIXER-2.3.exe | 74
  PID 3040 wrote to memory of 2228 | 3040 | Umbral.exe | 76
  PID 3040 wrote to memory of 2228 | 3040 | Umbral.exe | 76
Processes
- C:\Users\Admin\AppData\Local\Temp\FIXER-2.3.exe (depth 1, PID 516)
  Command line: "C:\Users\Admin\AppData\Local\Temp\FIXER-2.3.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Umbral.exe (depth 2, PID 3040)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\wmic.exe (depth 3, PID 2228)
      Command line: "wmic.exe" csproduct get uuid
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe (depth 2, PID 2132)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bum.bat" "
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 231KB
  MD5: 4726eb272b00df9ffd0274d16aa7c8ae
  SHA1: a3c98c19fd956d61f32e0fe214f855e4ac810904
  SHA256: 7b5df9094a3d6133b309f01585bb2391b4e5e4c7d91737e25399e73053b219ad
  SHA512: bd8acb0ab507ac015cb213ec5baed52f60b7144c25e5b32828e8406a7a7264a708708a6149e09e80d83664eadda7381a440305e607c6511e101b51da2f2a110b
- Filesize: 442KB
  MD5: 12e75cc92bd7f9350f40745437a75e0f
  SHA1: 4deead6e14afc6df1afd88e91fd7caa1acf37294
  SHA256: 0f8ebc8ff32f92408a8d383cceb1e1bc2dc0f0dfe1cffbfe808d82303c98f759
  SHA512: c43fdde607adaea7f2d8949dac5db7143553f8ef498f2801180c7cdcd31353dcd80af42ce65677305432bf8e5a59bf0f728b9cb4a69a14bca0e529342f03070d