Analysis

  • max time kernel
    143s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-06-2024 22:13

General

  • Target

    fix.exe

  • Size

    229KB

  • MD5

    1adeea63d576dea9add98e01e9fe78b4

  • SHA1

    8f754fd661d9ce2e9e9a7278b4dd7096b13fc585

  • SHA256

    5a2904a05d5d2f5d3d3ef44bdf54e74341ae9b54ba5f6545b37acf187eec4f84

  • SHA512

    0ba3c5555273a15c5406f0bd1b5f1a3888814bdbb4130f80eae1f973497c4e5d81a92ed0797a55316b358a42a955fe44f476d1e0e90c15211dc30f4dd20c58cb

  • SSDEEP

    6144:lloZMCrIkd8g+EtXHkv/iD4sodaBPUonIWvRsY99ib8e1miLZi:noZZL+EP8sodaBPUonIWvRsY9wfLA

Malware Config

Signatures

  • Detect Umbral payload 1 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fix.exe
    "C:\Users\Admin\AppData\Local\Temp\fix.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:652
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\fix.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3108
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:220
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1048
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3516
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3376
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2328
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      2⤵
        PID:972
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:388
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic" path win32_VideoController get name
        2⤵
        • Detects videocard installed
        PID:3204
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1036 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
      1⤵
        PID:3104

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

        Filesize

        2KB

        MD5

        d85ba6ff808d9e5444a4b369f5bc2730

        SHA1

        31aa9d96590fff6981b315e0b391b575e4c0804a

        SHA256

        84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

        SHA512

        8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        944B

        MD5

        d28a889fd956d5cb3accfbaf1143eb6f

        SHA1

        157ba54b365341f8ff06707d996b3635da8446f7

        SHA256

        21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

        SHA512

        0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        948B

        MD5

        ecac37a294a8f17b9c89abc6354cb1fe

        SHA1

        b918fd8ca0ec11fc4a39633a8dc94abe60140eb9

        SHA256

        51037b293178bc395824bb6fd9b80ba7c23399c4e4a74f0bc067a557a1da9fb8

        SHA512

        7b5e3032a2848f46cbf330b06693304945e4257cc2a7220f28adaa7b71aad7f63872379aebe6f1cfb68b78a9605d3ed5c1ddc6549f720e9bb7ac95b1c2a0ed64

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        1KB

        MD5

        57c9afc76e218af6740cddec86b8d154

        SHA1

        5284732e69315f90b9e9515180f1612a19dedaa5

        SHA256

        0be96f24ba9a643ea5e09901c8c9398d63c475f2c41e126563f1ca980338a48c

        SHA512

        7fc967fc456f93e5ad1752171256284afb53768ec2e5ec1c02c35175b7bf0586a0e9e0318a9779970abac3c0d55e2946840d3597c2f28db0ad22d123b8b1f0fe

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        1KB

        MD5

        d9d2e5db9e09be20ad0a44e76e96e104

        SHA1

        76d8f8e9cccf05ad348e6b31ecd05a4d55f9c04a

        SHA256

        443e637928501418b10db993aa9a59b0d5eee42a1e37f1888e8c05bd42206a6e

        SHA512

        2c87b1d2d208b25c3e5ffe38d8ff3a6b86c1eddac7e9d4a036826884f08d72b0855df11e2c8b9144054e07e5f1e431936413fd9de276aac2862613c2dd6c6fcc

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3rrdby4a.ngt.ps1

        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      • memory/652-0-0x00007FF9EA913000-0x00007FF9EA915000-memory.dmp

        Filesize

        8KB

      • memory/652-35-0x0000024BC4390000-0x0000024BC43AE000-memory.dmp

        Filesize

        120KB

      • memory/652-69-0x0000024BC44B0000-0x0000024BC44C2000-memory.dmp

        Filesize

        72KB

      • memory/652-68-0x0000024BC4260000-0x0000024BC426A000-memory.dmp

        Filesize

        40KB

      • memory/652-87-0x00007FF9EA910000-0x00007FF9EB3D1000-memory.dmp

        Filesize

        10.8MB

      • memory/652-2-0x00007FF9EA910000-0x00007FF9EB3D1000-memory.dmp

        Filesize

        10.8MB

      • memory/652-1-0x0000024BA9B90000-0x0000024BA9BD0000-memory.dmp

        Filesize

        256KB

      • memory/652-33-0x0000024BC4310000-0x0000024BC4386000-memory.dmp

        Filesize

        472KB

      • memory/652-34-0x0000024BC4290000-0x0000024BC42E0000-memory.dmp

        Filesize

        320KB

      • memory/3108-13-0x00007FF9EA910000-0x00007FF9EB3D1000-memory.dmp

        Filesize

        10.8MB

      • memory/3108-20-0x00007FF9EA910000-0x00007FF9EB3D1000-memory.dmp

        Filesize

        10.8MB

      • memory/3108-17-0x00007FF9EA910000-0x00007FF9EB3D1000-memory.dmp

        Filesize

        10.8MB

      • memory/3108-16-0x00007FF9EA910000-0x00007FF9EB3D1000-memory.dmp

        Filesize

        10.8MB

      • memory/3108-15-0x00007FF9EA910000-0x00007FF9EB3D1000-memory.dmp

        Filesize

        10.8MB

      • memory/3108-14-0x00007FF9EA910000-0x00007FF9EB3D1000-memory.dmp

        Filesize

        10.8MB

      • memory/3108-9-0x00000212DA830000-0x00000212DA852000-memory.dmp

        Filesize

        136KB