Analysis
- max time kernel: 1561s
- max time network: 1562s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 07-06-2024 16:38
Behavioral task
- behavioral1
  - Sample: TOKEN BOT.exe
  - Resource: win7-20240508-en
General
- Target: TOKEN BOT.exe
- Size: 231KB
- MD5: 6237b7bfdeef6aa9095852ac74ab5e6e
- SHA1: deaf71a3709b52817cdfe5aec902507c8b89b36b
- SHA256: b4aff6f798705f34a3edf6b528a71aa2dbbeb6d71299799eb1042a09822af2f6
- SHA512: 263e769b21fc67f6ccb3c3135b66635cfb12af503b3d90bcc304a1d0b3f7a2524df630c2f3d2dbb968eb5296569e77a49aa66e0627eaea7d5df89c761454541d
- SSDEEP: 6144:RloZMQrIkd8g+EtXHkv/iD4vBLU69VewbGkFZw1fUtLJU8e1mci:joZ3L+EP8vBLU69VewbGkFZwlkL42
Malware Config
Signatures
- Detect Umbral payload (1 IoC)
  - resource: behavioral1/memory/2964-1-0x00000000000B0000-0x00000000000F0000-memory.dmp
  - yara_rule: family_umbral
  The match is on a memory dump of PID 2964, the sample's own process, not on an injected target.
- Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  - pid / Process: 1156 powershell.exe
  This signature is matched on the command line, not on an observed change to Defender. The analysis image is Windows 7, which does not ship the Defender PowerShell module, so Add-MpPreference and Set-MpPreference would not have been recognised there. On a supported Windows 10/11 host both cmdlets require an elevated prompt, and with Tamper Protection enabled Set-MpPreference cannot turn off real-time monitoring. The second PowerShell child (2664, Set-MpPreference with the Disable* switches) appears in the process tree below.
- Drops file in Drivers directory (1 IoC)
  - description: File opened for modification
  - ioc: C:\Windows\System32\drivers\etc\hosts
  - Process: TOKEN BOT.exe
  The signature is named for the directory; the file opened with write access is the hosts file, so the behaviour to hunt for is name-resolution tampering, not a dropped driver.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  - flow 8: discord.com
  - flow 9: discord.com
  Only the host is recorded here; the request path, which for a stealer reporting to Discord is normally a webhook URL, is not shown in this view.
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  - flow 6: ip-api.com
- Detects videocard installed (1 TTP, 1 IoC)
  Uses WMIC.exe to determine the installed video card.
  - pid / Process: 1720 wmic.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  - 1156 powershell.exe
  - 2664 powershell.exe
  - 3048 powershell.exe
  All three hits are the PowerShell children; none is the sample itself, so this is low-signal on its own.
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  - 2964 TOKEN BOT.exe: SeDebugPrivilege
  - 1156 powershell.exe: SeDebugPrivilege
  - 2664 powershell.exe: SeDebugPrivilege
  - 2564 wmic.exe (each of the following enabled twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  - 2776 wmic.exe: the same twenty privileges once, then SeIncreaseQuotaPrivilege again (the listing is capped at 64 entries)
  Privileges 33, 34 and 35 are LUIDs the sandbox did not name: SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege. The wmic.exe entries are wmic enabling every privilege present in its token at startup, which it does for any query, so they say nothing about the sample. The entry attributable to the sample's own code is SeDebugPrivilege on PID 2964.
- Suspicious use of WriteProcessMemory (21 IoCs)
  Every entry is PID 2964 (TOKEN BOT.exe) writing into a process it has just created; each child is listed three times with its procid_target:
  - 1156 powershell.exe (procid_target 28)
  - 2664 powershell.exe (procid_target 30)
  - 2564 wmic.exe (procid_target 32)
  - 2776 wmic.exe (procid_target 35)
  - 2848 wmic.exe (procid_target 37)
  - 3048 powershell.exe (procid_target 39)
  - 1720 wmic.exe (procid_target 41)
  All seven targets are direct children in the process tree below, so these are the writes that accompany CreateProcess rather than injection into an unrelated process.
Processes
- C:\Users\Admin\AppData\Local\Temp\TOKEN BOT.exe
  "C:\Users\Admin\AppData\Local\Temp\TOKEN BOT.exe"
  PID: 2964
  - Drops file in Drivers directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\TOKEN BOT.exe'
    PID: 1156
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    PID: 2664
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    PID: 2564
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    PID: 2776
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    PID: 2848
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    PID: 3048
    - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    PID: 1720
    - Detects videocard installed
The five collection children (OS caption, physical memory, SMBIOS UUID, CPU identifier, video controller) are spawned in sequence by the sample and together form the host fingerprint a stealer sends with its report. The trailing "&& powershell Set-MpPreference -SubmitSamplesConsent 2" repeats the NeverSend setting in its numeric form. Get-ItemPropertyValue exists only from PowerShell 5.0, so on a stock Windows 7 image (PowerShell 2.0) that query fails unless WMF 5 has been installed; the wmic queries run regardless.
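The two behaviours a detection would key on here are the Defender-weakening PowerShell command lines and the burst of wmic/registry fingerprinting from one parent. The following Python is an added example, not code from the sandbox report or from the Umbral family: it scores process-creation records grouped by parent PID. The record shape (pid, ppid, command line), the mapping of parameter values to "weakening", the probe labels and the three-probe threshold are this example's own assumptions, and the input records are constructed to mirror the process tree above.

```python
"""Score a process tree for Defender tampering plus host fingerprinting.
Added example, not code from the sandbox report or the Umbral family. The record
shape (pid, ppid, command line), the value mappings and the probe threshold are
this example's assumptions; the records are constructed from the report's tree."""
import re
from collections import defaultdict

# Constructed from the report's process tree; the root's parent is unknown, so None.
SAMPLE_EVENTS = [
    (2964, None, "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\TOKEN BOT.exe\""),
    (1156, 2964, "\"powershell.exe\" Add-MpPreference -ExclusionPath "
                 "'C:\\Users\\Admin\\AppData\\Local\\Temp\\TOKEN BOT.exe'"),
    (2664, 2964, "\"powershell.exe\" Set-MpPreference -DisableIntrusionPreventionSystem $true "
                 "-DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true "
                 "-EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force "
                 "-MAPSReporting Disabled -SubmitSamplesConsent NeverSend "
                 "&& powershell Set-MpPreference -SubmitSamplesConsent 2"),
    (2564, 2964, "\"wmic.exe\" os get Caption"),
    (2776, 2964, "\"wmic.exe\" computersystem get totalphysicalmemory"),
    (2848, 2964, "\"wmic.exe\" csproduct get uuid"),
    (3048, 2964, "\"powershell.exe\" Get-ItemPropertyValue -Path 'HKLM:System\\CurrentControlSet"
                 "\\Control\\Session Manager\\Environment' -Name PROCESSOR_IDENTIFIER"),
    (1720, 2964, "\"wmic\" path win32_VideoController get name"),
]

MP_CMDLETS = {"set-mppreference", "add-mppreference"}

# Host attributes a stealer collects before reporting; the labels are this example's.
FINGERPRINT_QUERIES = [
    (re.compile(r"\bos\s+get\s+caption\b", re.I), "os"),
    (re.compile(r"\bcomputersystem\s+get\s+totalphysicalmemory\b", re.I), "ram"),
    (re.compile(r"\bcsproduct\s+get\s+uuid\b", re.I), "uuid"),
    (re.compile(r"\bwin32_videocontroller\b", re.I), "gpu"),
    (re.compile(r"\bprocessor_identifier\b", re.I), "cpu"),
]


def _weakens(param, value):
    """True when this Set-/Add-MpPreference parameter and value lower protection.
    Numeric forms follow the cmdlet enums: MAPSReporting 0=Disabled, SubmitSamplesConsent
    2=NeverSend, EnableControlledFolderAccess/EnableNetworkProtection 0=Disabled, 2=AuditMode."""
    p, v = param.lower(), value.lower()
    if p.startswith("-disable"):
        return v in {"$true", "1", "true"}
    if p.startswith("-exclusion"):  # any exclusion is a scanning blind spot
        return True
    if p == "-mapsreporting":
        return v in {"disabled", "0"}
    if p == "-submitsamplesconsent":
        return v in {"neversend", "2"}
    if p in {"-enablecontrolledfolderaccess", "-enablenetworkprotection"}:
        return v in {"disabled", "auditmode", "0", "2"}
    return False


def defender_tampering(cmdline):
    """Return 'Param=value' for each protection-weakening Mp* parameter, scanning every
    '&&'-chained command. A value is every token up to the next '-switch', so a quoted
    path containing spaces survives the whitespace split."""
    hits = []
    for segment in re.split(r"\s*&&\s*", cmdline):
        tokens = segment.split()
        if not any(t.strip("\"'").lower() in MP_CMDLETS for t in tokens):
            continue
        for i, tok in enumerate(tokens):
            if not tok.startswith("-"):
                continue
            vals = []
            for nxt in tokens[i + 1:]:
                if nxt.startswith("-"):
                    break
                vals.append(nxt)
            value = " ".join(vals).strip("\"'")
            if _weakens(tok, value):
                hits.append(f"{tok[1:]}={value}")
    return hits


def fingerprint_probe(cmdline):
    """Label of the host attribute this command line collects, or None."""
    for rx, label in FINGERPRINT_QUERIES:
        if rx.search(cmdline):
            return label
    return None


def analyze(events, min_probes=3):
    """Group child behaviour by parent PID; flag a parent that both weakens Defender
    and collects at least min_probes distinct host attributes."""
    by_parent = defaultdict(lambda: {"tampering": [], "probes": set()})
    for _pid, ppid, cmd in events:
        if ppid is None:
            continue
        rec = by_parent[ppid]
        rec["tampering"].extend(defender_tampering(cmd))
        if (label := fingerprint_probe(cmd)):
            rec["probes"].add(label)
    return {ppid: dict(rec, flagged=bool(rec["tampering"]) and len(rec["probes"]) >= min_probes)
            for ppid, rec in by_parent.items()}


if __name__ == "__main__":
    for ppid, rec in analyze(SAMPLE_EVENTS).items():
        print(ppid, "FLAGGED" if rec["flagged"] else "ok", sorted(rec["probes"]), rec["tampering"])
```

Sysmon Event ID 1 or any EDR process-creation feed supplies the same three fields. Scoring per parent is the point: a lone Set-MpPreference from an admin script or a single wmic query from inventory tooling is common, while one parent that both adds an exclusion for itself and walks OS, RAM, UUID, CPU and GPU within seconds is the pattern in this report.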
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  - Filesize: 7KB
  - MD5: a67732045b096ec4f5ae09d861800770
  - SHA1: 0ee61491be20b0124fcee9631282437d6a1bb472
  - SHA256: 97398cfe7274be5d40d11e0b00f12719a89ace9a1037aa7441580b7b1fd27df5
  - SHA512: c7d21ef527044c14df092066f0a9eef12e90ee8043f240f1a6b75ad0bfa7574b4fa3cfed6de4fb823fada5aa36eae89f3e467ec8c1527c298f2c5f3cb08288ae
  This is a Windows jump-list file under Recent items, maintained by the shell and updated when the sample was run: an execution artifact useful in forensics, not a payload dropped by the sample.