Analysis

  • max time kernel
    118s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    07-06-2024 22:13

General

  • Target

    fix.exe

  • Size

    229KB

  • MD5

    1adeea63d576dea9add98e01e9fe78b4

  • SHA1

    8f754fd661d9ce2e9e9a7278b4dd7096b13fc585

  • SHA256

    5a2904a05d5d2f5d3d3ef44bdf54e74341ae9b54ba5f6545b37acf187eec4f84

  • SHA512

    0ba3c5555273a15c5406f0bd1b5f1a3888814bdbb4130f80eae1f973497c4e5d81a92ed0797a55316b358a42a955fe44f476d1e0e90c15211dc30f4dd20c58cb

  • SSDEEP

    6144:lloZMCrIkd8g+EtXHkv/iD4sodaBPUonIWvRsY99ib8e1miLZi:noZZL+EP8sodaBPUonIWvRsY9wfLA

Malware Config

Signatures

  • Detect Umbral payload 1 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fix.exe
    "C:\Users\Admin\AppData\Local\Temp\fix.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2860
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\fix.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1368
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2620
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2656
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2544
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2832
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2452
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      2⤵
        PID:1036
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1680
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic" path win32_VideoController get name
        2⤵
        • Detects videocard installed
        PID:2408

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

      Filesize

      7KB

      MD5

      ab6d12b22710c8c3e352f1e42d0eda36

      SHA1

      cb9a33807863690bc7e8cf3c8fd361f92966f768

      SHA256

      67fe72829d4baab10365b86109a7e64233721052e6318ad0f2e8ab0a69cac47f

      SHA512

      d9901f44c57b69a7918f7f3776c10d3ce54538d2009412b8a65dea6b88a22a4e1c94d1dfa593bb3f2e68827b48967b9a7400d373ab36e49089028c1846617cf4

    • memory/1368-10-0x000007FEEDCA0000-0x000007FEEE63D000-memory.dmp

      Filesize

      9.6MB

    • memory/1368-12-0x000007FEEDCA0000-0x000007FEEE63D000-memory.dmp

      Filesize

      9.6MB

    • memory/1368-15-0x000007FEEDCA0000-0x000007FEEE63D000-memory.dmp

      Filesize

      9.6MB

    • memory/1368-9-0x0000000001F70000-0x0000000001F78000-memory.dmp

      Filesize

      32KB

    • memory/1368-8-0x000000001B6B0000-0x000000001B992000-memory.dmp

      Filesize

      2.9MB

    • memory/1368-11-0x000007FEEDCA0000-0x000007FEEE63D000-memory.dmp

      Filesize

      9.6MB

    • memory/1368-13-0x000007FEEDCA0000-0x000007FEEE63D000-memory.dmp

      Filesize

      9.6MB

    • memory/1368-7-0x000007FEEDF5E000-0x000007FEEDF5F000-memory.dmp

      Filesize

      4KB

    • memory/1368-14-0x000007FEEDCA0000-0x000007FEEE63D000-memory.dmp

      Filesize

      9.6MB

    • memory/1680-48-0x0000000002810000-0x0000000002818000-memory.dmp

      Filesize

      32KB

    • memory/2620-21-0x000000001B640000-0x000000001B922000-memory.dmp

      Filesize

      2.9MB

    • memory/2620-22-0x0000000001D20000-0x0000000001D28000-memory.dmp

      Filesize

      32KB

    • memory/2860-0-0x000007FEF5753000-0x000007FEF5754000-memory.dmp

      Filesize

      4KB

    • memory/2860-2-0x000007FEF5750000-0x000007FEF613C000-memory.dmp

      Filesize

      9.9MB

    • memory/2860-1-0x0000000000BE0000-0x0000000000C20000-memory.dmp

      Filesize

      256KB

    • memory/2860-52-0x000007FEF5750000-0x000007FEF613C000-memory.dmp

      Filesize

      9.9MB