Analysis

max time kernel: 118s
max time network: 118s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 07-06-2024 22:13

Behavioral task: behavioral1
Sample: fix.exe
Resource: win7-20240508-en
General

Target: fix.exe
Size: 229KB
MD5: 1adeea63d576dea9add98e01e9fe78b4
SHA1: 8f754fd661d9ce2e9e9a7278b4dd7096b13fc585
SHA256: 5a2904a05d5d2f5d3d3ef44bdf54e74341ae9b54ba5f6545b37acf187eec4f84
SHA512: 0ba3c5555273a15c5406f0bd1b5f1a3888814bdbb4130f80eae1f973497c4e5d81a92ed0797a55316b358a42a955fe44f476d1e0e90c15211dc30f4dd20c58cb
SSDEEP: 6144:lloZMCrIkd8g+EtXHkv/iD4sodaBPUonIWvRsY99ib8e1miLZi:noZZL+EP8sodaBPUonIWvRsY9wfLA
Malware Config
Signatures

- Detect Umbral payload (1 IoC)
  resource: behavioral1/memory/2860-1-0x0000000000BE0000-0x0000000000C20000-memory.dmp
  yara_rule: family_umbral

- Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  pid 1368 powershell.exe

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers commonly target stored browser data, which can include saved credentials and session cookies.

- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow 9: discord.com
  flow 8: discord.com

- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP address.
  flow 6: ip-api.com

- Detects videocard installed (1 TTP, 1 IoC)
  Uses WMIC.exe to determine the installed video card.
  pid 2408 wmic.exe

- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid 1368 powershell.exe, 2620 powershell.exe, 2656 powershell.exe, 2544 powershell.exe, 1680 powershell.exe

- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  SeDebugPrivilege: 2860 fix.exe, 1368 powershell.exe, 2620 powershell.exe, 2656 powershell.exe, 2544 powershell.exe
  2832 wmic.exe (the following sequence is recorded twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  2452 wmic.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34

- Suspicious use of WriteProcessMemory (27 IoCs)
  Source PID 2860 (fix.exe) wrote to the memory of every child it spawned; the report records each target three times.
  target PID (procid_target): 1368 (28), 2620 (30), 2656 (32), 2544 (34), 2832 (36), 2452 (39), 1036 (41), 1680 (43), 2408 (45)
Processes

- C:\Users\Admin\AppData\Local\Temp\fix.exe  (PID 2860, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\fix.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 1368, depth 2)
    command line: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\fix.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2620, depth 2)
    command line: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2656, depth 2)
    command line: "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2544, depth 2)
    command line: "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\System32\Wbem\wmic.exe  (PID 2832, depth 2)
    command line: "wmic.exe" os get Caption
    - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\System32\Wbem\wmic.exe  (PID 2452, depth 2)
    command line: "wmic.exe" computersystem get totalphysicalmemory
    - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\System32\Wbem\wmic.exe  (PID 1036, depth 2)
    command line: "wmic.exe" csproduct get uuid

  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 1680, depth 2)
    command line: "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    - Suspicious behavior: EnumeratesProcesses

  - C:\Windows\System32\Wbem\wmic.exe  (PID 2408, depth 2)
    command line: "wmic" path win32_VideoController get name
    - Detects videocard installed
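The process tree above is the whole behaviour chain in one parent: Defender is weakened first (Add-MpPreference exclusion, then Set-MpPreference disabling real-time, IOAV and script scanning and sample submission), a session cookie is pulled from the registry, and the host is fingerprinted through WMIC and the registry. The block below is an added example, not part of the sandbox report or of the Umbral tooling: it encodes those signatures as rules over (parent PID, child PID, image, command line) tuples, the shape a process-creation event reduces to, and flags a parent only when all three tactic buckets appear under it. The sample events are constructed from the command lines in this report; the function and rule names are this example's own.

```python
"""Re-apply the behaviours this report flagged to process-creation telemetry.

Added example, not part of the sandbox report: rules are regexes over the
image name and command line, grouped into tactic buckets; a parent whose
children cover every bucket gets the "stealer-like" verdict.
"""
import re
from collections import defaultdict

# name -> (image-name pattern, command-line pattern), matched case-insensitively
RULES = {
    "defender_exclusion_added": (
        r"powershell(\.exe)?$",
        r"Add-MpPreference\b.*-Exclusion(Path|Extension|Process)\b",
    ),
    "defender_protection_disabled": (
        r"powershell(\.exe)?$",
        r"Set-MpPreference\b.*(-Disable\w+\s+\$true|-MAPSReporting\s+Disabled"
        r"|-SubmitSamplesConsent\s+\S+)",
    ),
    "roblox_cookie_read": (r"powershell(\.exe)?$", r"\.ROBLOSECURITY\b"),
    "wmi_hardware_fingerprint": (
        r"wmic(\.exe)?$",
        r"\b(os\s+get\s+Caption|computersystem\s+get\s+totalphysicalmemory"
        r"|csproduct\s+get\s+uuid|win32_VideoController\s+get\s+name)\b",
    ),
    "cpu_fingerprint_registry": (
        r"powershell(\.exe)?$",
        r"Session Manager\\Environment.*PROCESSOR_IDENTIFIER",
    ),
}
_COMPILED = {n: (re.compile(i, re.I), re.compile(c, re.I)) for n, (i, c) in RULES.items()}

# Tactic buckets: all three under one parent is the chain seen in this report.
FAMILIES = {
    "defense_evasion": {"defender_exclusion_added", "defender_protection_disabled"},
    "credential_access": {"roblox_cookie_read"},
    "discovery": {"wmi_hardware_fingerprint", "cpu_fingerprint_registry"},
}


def classify(image, cmdline):
    """Return the set of rule names that (image, cmdline) triggers."""
    return {n for n, (ip, cp) in _COMPILED.items()
            if ip.search(image) and cp.search(cmdline)}


def assess_parents(events):
    """Aggregate rule hits per parent PID.

    events: iterable of (parent_pid, child_pid, image, cmdline).
    Returns {parent_pid: {"rules", "families", "children", "verdict"}};
    parents with no hits are omitted.
    """
    out = defaultdict(lambda: {"rules": set(), "families": set(), "children": []})
    for ppid, pid, image, cmd in events:
        hits = classify(image, cmd)
        if not hits:
            continue
        entry = out[ppid]
        entry["rules"] |= hits
        entry["children"].append(pid)
        entry["families"] |= {f for f, m in FAMILIES.items() if hits & m}
    for entry in out.values():
        entry["verdict"] = ("stealer-like" if len(entry["families"]) == len(FAMILIES)
                            else "review")
    return dict(out)


# Constructed sample: the child command lines from this report's process tree,
# all spawned by fix.exe (PID 2860), quoted as the sandbox logged them.
P = r"C:\Users\Admin\AppData\Local\Temp\fix.exe"
SAMPLE_EVENTS = [
    (2860, 1368, "powershell.exe",
     f"\"powershell.exe\" Add-MpPreference -ExclusionPath '{P}'"),
    (2860, 2620, "powershell.exe",
     '"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true '
     '-DisableIOAVProtection $true -DisableRealtimeMonitoring $true '
     '-DisableScriptScanning $true -EnableControlledFolderAccess Disabled '
     '-EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled '
     '-SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2'),
    (2860, 2656, "powershell.exe",
     r'"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY'),
    (2860, 2544, "powershell.exe",
     r'"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY'),
    (2860, 2832, "wmic.exe", '"wmic.exe" os get Caption'),
    (2860, 2452, "wmic.exe", '"wmic.exe" computersystem get totalphysicalmemory'),
    (2860, 1036, "wmic.exe", '"wmic.exe" csproduct get uuid'),
    (2860, 1680, "powershell.exe",
     r'"powershell.exe" Get-ItemPropertyValue -Path '
     r"'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"),
    (2860, 2408, "wmic.exe", '"wmic" path win32_VideoController get name'),
]

if __name__ == "__main__":
    for ppid, info in assess_parents(SAMPLE_EVENTS).items():
        print(ppid, info["verdict"], sorted(info["families"]), sorted(info["rules"]))
```

The per-parent aggregation is the point: any one of these command lines on its own (a WMIC hardware query, a single Set-MpPreference) is common enough in administration to be noise, whereas Defender tampering plus a credential read plus fingerprinting from the same parent within one run is the stealer pattern this report shows. The rules are deliberately literal to the report; an EDR deployment would widen the credential-access bucket beyond the Roblox cookie and match the Defender cmdlets regardless of how PowerShell was invoked.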
Network
MITRE ATT&CK Enterprise v15
Downloads

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: ab6d12b22710c8c3e352f1e42d0eda36
  SHA1: cb9a33807863690bc7e8cf3c8fd361f92966f768
  SHA256: 67fe72829d4baab10365b86109a7e64233721052e6318ad0f2e8ab0a69cac47f
  SHA512: d9901f44c57b69a7918f7f3776c10d3ce54538d2009412b8a65dea6b88a22a4e1c94d1dfa593bb3f2e68827b48967b9a7400d373ab36e49089028c1846617cf4