Analysis

  • max time kernel
    1561s
  • max time network
    1562s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    07-06-2024 16:38

General

  • Target

    TOKEN BOT.exe

  • Size

    231KB

  • MD5

    6237b7bfdeef6aa9095852ac74ab5e6e

  • SHA1

    deaf71a3709b52817cdfe5aec902507c8b89b36b

  • SHA256

    b4aff6f798705f34a3edf6b528a71aa2dbbeb6d71299799eb1042a09822af2f6

  • SHA512

    263e769b21fc67f6ccb3c3135b66635cfb12af503b3d90bcc304a1d0b3f7a2524df630c2f3d2dbb968eb5296569e77a49aa66e0627eaea7d5df89c761454541d

  • SSDEEP

    6144:RloZMQrIkd8g+EtXHkv/iD4vBLU69VewbGkFZw1fUtLJU8e1mci:joZ3L+EP8vBLU69VewbGkFZwlkL42

Malware Config

Signatures

  • Detect Umbral payload 1 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Drops file in Drivers directory 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\TOKEN BOT.exe
    "C:\Users\Admin\AppData\Local\Temp\TOKEN BOT.exe"
    1⤵
    • Drops file in Drivers directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2964
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\TOKEN BOT.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1156
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2664
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2564
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2776
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      2⤵
        PID:2848
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:3048
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic" path win32_VideoController get name
        2⤵
        • Detects videocard installed
        PID:1720

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

      Filesize

      7KB

      MD5

      a67732045b096ec4f5ae09d861800770

      SHA1

      0ee61491be20b0124fcee9631282437d6a1bb472

      SHA256

      97398cfe7274be5d40d11e0b00f12719a89ace9a1037aa7441580b7b1fd27df5

      SHA512

      c7d21ef527044c14df092066f0a9eef12e90ee8043f240f1a6b75ad0bfa7574b4fa3cfed6de4fb823fada5aa36eae89f3e467ec8c1527c298f2c5f3cb08288ae

    • memory/1156-8-0x000000001B670000-0x000000001B952000-memory.dmp

      Filesize

      2.9MB

    • memory/1156-13-0x000007FEEDDC0000-0x000007FEEE75D000-memory.dmp

      Filesize

      9.6MB

    • memory/1156-15-0x000007FEEDDC0000-0x000007FEEE75D000-memory.dmp

      Filesize

      9.6MB

    • memory/1156-9-0x0000000001F00000-0x0000000001F08000-memory.dmp

      Filesize

      32KB

    • memory/1156-10-0x000007FEEDDC0000-0x000007FEEE75D000-memory.dmp

      Filesize

      9.6MB

    • memory/1156-11-0x000007FEEDDC0000-0x000007FEEE75D000-memory.dmp

      Filesize

      9.6MB

    • memory/1156-14-0x000007FEEDDC0000-0x000007FEEE75D000-memory.dmp

      Filesize

      9.6MB

    • memory/1156-7-0x000007FEEE07E000-0x000007FEEE07F000-memory.dmp

      Filesize

      4KB

    • memory/1156-12-0x000007FEEDDC0000-0x000007FEEE75D000-memory.dmp

      Filesize

      9.6MB

    • memory/2664-22-0x0000000002980000-0x0000000002988000-memory.dmp

      Filesize

      32KB

    • memory/2664-21-0x000000001B620000-0x000000001B902000-memory.dmp

      Filesize

      2.9MB

    • memory/2964-0-0x000007FEF5E43000-0x000007FEF5E44000-memory.dmp

      Filesize

      4KB

    • memory/2964-2-0x000007FEF5E40000-0x000007FEF682C000-memory.dmp

      Filesize

      9.9MB

    • memory/2964-1-0x00000000000B0000-0x00000000000F0000-memory.dmp

      Filesize

      256KB

    • memory/2964-40-0x000007FEF5E40000-0x000007FEF682C000-memory.dmp

      Filesize

      9.9MB

    • memory/3048-37-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

      Filesize

      32KB