Analysis

max time kernel: 1350s
max time network: 1171s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-06-2024 16:38

Behavioral task: behavioral1
Sample: TOKEN BOT.exe
Resource: win7-20240508-en
General

Target: TOKEN BOT.exe
Size: 231KB
MD5: 6237b7bfdeef6aa9095852ac74ab5e6e
SHA1: deaf71a3709b52817cdfe5aec902507c8b89b36b
SHA256: b4aff6f798705f34a3edf6b528a71aa2dbbeb6d71299799eb1042a09822af2f6
SHA512: 263e769b21fc67f6ccb3c3135b66635cfb12af503b3d90bcc304a1d0b3f7a2524df630c2f3d2dbb968eb5296569e77a49aa66e0627eaea7d5df89c761454541d
SSDEEP: 6144:RloZMQrIkd8g+EtXHkv/iD4vBLU69VewbGkFZw1fUtLJU8e1mci:joZ3L+EP8vBLU69VewbGkFZwlkL42
Malware Config
Signatures
Detect Umbral payload (1 IoC)
  resource                                                                     yara_rule
  behavioral2/memory/4028-0-0x000001133AC80000-0x000001133ACC0000-memory.dmp   family_umbral

Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes.
  pid    Process
  1460   powershell.exe

Drops file in Drivers directory (1 IoC)
  description                    ioc                                     Process
  File opened for modification   C:\Windows\System32\drivers\etc\hosts   TOKEN BOT.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and other secrets.

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow   ioc
  20     discord.com
  21     discord.com

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow   ioc
  14     ip-api.com

Detects videocard installed (1 TTP, 1 IoC)
Uses WMIC.exe to determine the installed video card.
  pid    Process
  4756   wmic.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid    Process
  1460   powershell.exe
  1460   powershell.exe
  2908   powershell.exe
  2908   powershell.exe
  1548   powershell.exe
  1548   powershell.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description               pid    Process
  Token: SeDebugPrivilege   4028   TOKEN BOT.exe
  Token: SeDebugPrivilege   1460   powershell.exe
  Token: SeDebugPrivilege   2908   powershell.exe
  pid 3988, wmic.exe: the following 21 tokens, listed twice (42 entries):
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
    SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege,
    SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege,
    SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege,
    33, 34, 35, 36
  pid 3760, wmic.exe: 19 entries (the listing ends at the 64th IoC):
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
    SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege,
    SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege,
    SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege,
    33, 34

Suspicious use of WriteProcessMemory (14 IoCs; each row is listed twice)
  description                         pid    Process         procid_target
  PID 4028 wrote to memory of 1460    4028   TOKEN BOT.exe   82
  PID 4028 wrote to memory of 2908    4028   TOKEN BOT.exe   86
  PID 4028 wrote to memory of 3988    4028   TOKEN BOT.exe   88
  PID 4028 wrote to memory of 3760    4028   TOKEN BOT.exe   91
  PID 4028 wrote to memory of 4376    4028   TOKEN BOT.exe   93
  PID 4028 wrote to memory of 1548    4028   TOKEN BOT.exe   95
  PID 4028 wrote to memory of 4756    4028   TOKEN BOT.exe   97
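The two network signatures above (an external-IP lookup to ip-api.com in flow 14, then two flows to discord.com in flows 20 and 21) are the usual order for an infostealer that tags the victim record with its public IP before pushing it to a legitimate hosting service used as the exfil channel. The correlation below is an added example, not part of the sandbox report: it takes per-process flow records and flags a process that contacts an IP-lookup service and then, within a time window, an abused hosting domain. The flow records are constructed to mirror the report's flow IDs; the process attribution, the timestamps, the two domain lists and the window are assumptions.

```python
"""Correlate an external-IP lookup with a follow-on connection to an abused
hosting service from the same process (flows 14 -> 20/21 in this report).

Added example, not part of the sandbox report. The flow records below are
constructed; field names, timing window and domain lists are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List

# Services that return the caller's public IP (assumed list; ip-api.com is
# the one seen in this report).
IP_LOOKUP_HOSTS = {"ip-api.com", "api.ipify.org", "ipinfo.io", "icanhazip.com"}

# Legitimate hosting / messaging services commonly abused as exfil or C2
# channels (assumed list; discord.com is the one seen in this report).
ABUSED_HOSTING_HOSTS = {"discord.com", "discordapp.com", "pastebin.com", "transfer.sh"}


@dataclass(frozen=True)
class Flow:
    flow_id: int
    pid: int
    process: str
    host: str
    ts: float  # seconds since sandbox start (constructed)


def correlate_lookup_then_exfil(flows: List[Flow], window: float = 600.0) -> List[Dict]:
    """Return one finding per process that first resolved its public IP and
    then, within `window` seconds, contacted an abused hosting domain."""
    by_pid: Dict[int, List[Flow]] = {}
    for f in flows:
        by_pid.setdefault(f.pid, []).append(f)

    findings: List[Dict] = []
    for pid, pf in by_pid.items():
        pf.sort(key=lambda f: f.ts)
        lookups = [f for f in pf if f.host in IP_LOOKUP_HOSTS]
        if not lookups:
            continue  # no IP lookup: a lone discord.com flow is not enough
        first = lookups[0]
        exfil = [f for f in pf
                 if f.host in ABUSED_HOSTING_HOSTS
                 and first.ts <= f.ts <= first.ts + window]
        if exfil:
            findings.append({
                "pid": pid,
                "process": pf[0].process,
                "lookup_flow": first.flow_id,
                "lookup_host": first.host,
                "exfil_flows": [f.flow_id for f in exfil],
                "exfil_hosts": sorted({f.host for f in exfil}),
            })
    return findings


# Constructed flows. Flow ids 14, 20 and 21 and their hosts come from the
# report; the pid attribution, timestamps and the two control flows are made up.
SAMPLE_FLOWS = [
    Flow(3, 1234, "msedge.exe", "discord.com", 5.0),       # benign: no prior IP lookup
    Flow(14, 4028, "TOKEN BOT.exe", "ip-api.com", 42.0),
    Flow(20, 4028, "TOKEN BOT.exe", "discord.com", 61.0),
    Flow(21, 4028, "TOKEN BOT.exe", "discord.com", 63.5),
    Flow(30, 5555, "updater.exe", "ipinfo.io", 100.0),     # lookup with no follow-on exfil
]

if __name__ == "__main__":
    for hit in correlate_lookup_then_exfil(SAMPLE_FLOWS):
        print(hit)
```

Only the sequence fires: a browser reaching discord.com with no prior lookup, or a lookup with no follow-on connection, produces nothing, which keeps the rule usable on a host where Discord is in normal use.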
Processes

C:\Users\Admin\AppData\Local\Temp\TOKEN BOT.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\TOKEN BOT.exe"
  PID: 4028
  - Drops file in Drivers directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\TOKEN BOT.exe'
      PID: 1460
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      PID: 2908
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\Wbem\wmic.exe
      Command line: "wmic.exe" os get Caption
      PID: 3988
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\Wbem\wmic.exe
      Command line: "wmic.exe" computersystem get totalphysicalmemory
      PID: 3760
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\Wbem\wmic.exe
      Command line: "wmic.exe" csproduct get uuid
      PID: 4376

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      PID: 1548
      - Suspicious behavior: EnumeratesProcesses

    C:\Windows\System32\Wbem\wmic.exe
      Command line: "wmic" path win32_VideoController get name
      PID: 4756
      - Detects videocard installed

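The process tree above is what a SOC wants to catch in endpoint telemetry: one parent spawning PowerShell to add a Defender exclusion for itself and switch off real-time monitoring, then a run of wmic.exe and PowerShell children that fingerprint the host (OS caption, RAM, machine UUID, CPU identifier, GPU). The triage logic below is an added example, not part of the sandbox report: it groups process-creation events by parent PID, matches the Defender cmdlets and the WMIC queries, and flags a parent that both tampers with Defender and collects two or more fingerprint items. The events are constructed from the tree above plus one benign inventory query; the record layout, the regular expressions and the scoring threshold are assumptions. One caveat on the second PowerShell command: `&&` is a pipeline-chain operator that exists only in PowerShell 7, and the binary in the tree is Windows PowerShell 5.1, which rejects that line with a parse error, so the rule keys on what the command line attempted rather than on whether the setting changed.

```python
"""Score a process tree for the behaviours this report lists: Defender
tampering through Add-MpPreference / Set-MpPreference, and host
fingerprinting through wmic.exe and a PROCESSOR_IDENTIFIER registry read.

Added example, not part of the sandbox report. Event layout, regexes and the
flagging threshold are assumptions; the events are constructed from the tree.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Defender cmdlets with the switches that weaken protection. These are the
# documented Add-MpPreference / Set-MpPreference parameters seen in the tree.
DEFENDER_TAMPER = re.compile(
    r"(Add-MpPreference\s+-Exclusion(Path|Extension|Process)"
    r"|Set-MpPreference\s.*?-(Disable\w+\s+\$true|MAPSReporting\s+Disabled"
    r"|SubmitSamplesConsent\s+(NeverSend|2)|EnableControlledFolderAccess\s+Disabled))",
    re.IGNORECASE)

# WMIC queries used to build a victim profile, with the label each yields.
WMIC_FINGERPRINT = {
    r"\bos\s+get\s+caption": "os_version",
    r"computersystem\s+get\s+totalphysicalmemory": "ram",
    r"csproduct\s+get\s+uuid": "machine_uuid",
    r"win32_videocontroller\s+get\s+name": "gpu",
}

REG_CPU = re.compile(r"PROCESSOR_IDENTIFIER", re.IGNORECASE)


def triage_tree(events: List[ProcEvent]) -> Dict[int, Dict]:
    """Group findings by parent PID. A parent is flagged when it both
    tampers with Defender and collects two or more fingerprint items."""
    images = {e.pid: e.image for e in events}
    findings: Dict[int, Dict] = {}

    def rec(ppid: int) -> Dict:
        return findings.setdefault(ppid, {
            "parent": images.get(ppid, "?").rsplit("\\", 1)[-1],
            "defender_tamper": [],   # child PIDs that ran a tampering cmdlet
            "fingerprint": [],       # items collected, in event order
        })

    for e in events:
        base = e.image.rsplit("\\", 1)[-1].lower()
        if base == "powershell.exe":
            if DEFENDER_TAMPER.search(e.cmdline):
                rec(e.ppid)["defender_tamper"].append(e.pid)
            if REG_CPU.search(e.cmdline):
                rec(e.ppid)["fingerprint"].append("cpu")
        elif base == "wmic.exe":
            for pat, label in WMIC_FINGERPRINT.items():
                if re.search(pat, e.cmdline, re.IGNORECASE):
                    rec(e.ppid)["fingerprint"].append(label)

    for r in findings.values():
        r["flag"] = bool(r["defender_tamper"]) and len(set(r["fingerprint"])) >= 2
    return findings


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WMIC = r"C:\Windows\System32\Wbem\wmic.exe"
BOT = r"C:\Users\Admin\AppData\Local\Temp\TOKEN BOT.exe"

# Constructed from the report's process tree; the parent PID 1000 of the root
# and the benign control process (6000/6100) are made up.
SAMPLE_EVENTS = [
    ProcEvent(4028, 1000, BOT, f'"{BOT}"'),
    ProcEvent(1460, 4028, PS, f'"powershell.exe" Add-MpPreference -ExclusionPath \'{BOT}\''),
    ProcEvent(2908, 4028, PS,
              '"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true '
              '-DisableIOAVProtection $true -DisableRealtimeMonitoring $true '
              '-DisableScriptScanning $true -EnableControlledFolderAccess Disabled '
              '-EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled '
              '-SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2'),
    ProcEvent(3988, 4028, WMIC, '"wmic.exe" os get Caption'),
    ProcEvent(3760, 4028, WMIC, '"wmic.exe" computersystem get totalphysicalmemory'),
    ProcEvent(4376, 4028, WMIC, '"wmic.exe" csproduct get uuid'),
    ProcEvent(1548, 4028, PS,
              '"powershell.exe" Get-ItemPropertyValue -Path '
              r"'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' "
              '-Name PROCESSOR_IDENTIFIER'),
    ProcEvent(4756, 4028, WMIC, '"wmic" path win32_VideoController get name'),
    ProcEvent(6100, 6000, WMIC, '"wmic.exe" os get Caption'),  # benign: lone inventory query
]

if __name__ == "__main__":
    for ppid, r in triage_tree(SAMPLE_EVENTS).items():
        print(ppid, r)
```

Requiring both the tampering cmdlet and at least two fingerprint items from the same parent keeps an administrator's single `wmic os get Caption`, or a legitimate exclusion added by a deployment script, from firing on their own.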
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2KB
MD5: a43e653ffb5ab07940f4bdd9cc8fade4
SHA1: af43d04e3427f111b22dc891c5c7ee8a10ac4123
SHA256: c4c53abb13e99475aebfbe9fec7a8fead81c14c80d9dcc2b81375304f3a683fe
SHA512: 62a97e95e1f19a8d4302847110dae44f469877eed6aa8ea22345c6eb25ee220e7d310fa0b7ec5df42356815421c0af7c46a0f1fee8933cc446641800eda6cd1b

Filesize: 944B
MD5: 05626d543357a7b9aab66738323d7ac6
SHA1: 8a0366530637b0f977af59dde44fae4df8906f0f
SHA256: 352265151df8fcc298bbbde14c4ddff51683a9a43416ce1987511ee7a27fa433
SHA512: 11222b457bce9d25eca8b7f4768c5706ad117960d122bf049f94158725187fbaea86f38b3910402043f5a565dcc5faca535366880c0bd92f58a799931a32401d

Filesize: 948B
MD5: c65738617888921a153bd9b1ef516ee7
SHA1: 5245e71ea3c181d76320c857b639272ac9e079b1
SHA256: 4640ba4001fd16a593315299cbdd4988dc2c7075820687f1018aac40aca95c26
SHA512: 2e2a0ebd93f9d8dd07a7599054bce232683e9add9a35e77b584618040bcfd84a42545352519ec4736cc379002210b6f3ed2d905591c6925c0981b0392b495bfa

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82