Analysis
max time kernel: 449s
max time network: 1173s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-06-2024 18:00
Behavioral task: behavioral1
Sample: token bot.exe
Resource: win7-20240221-en
General
Target: token bot.exe
Size: 229KB
MD5: 9dc985d83754309760ae45747d8081c2
SHA1: b60e1c39ee8da20c5bdf1df501fab12fd45eaf50
SHA256: f3fdf0137c30af49a71a174e204795a0b96ef2a8a0a53fda4add34574f79005b
SHA512: d0908c5e493bd83cd58e73b715c9318cb6032bb388d7c6ffbdc75b4bb813e594153a57e2ecebbe0a2d1aa0513312be16886b08ad8b91fc590217838057a730cf
SSDEEP: 6144:tloZM+rIkd8g+EtXHkv/iD4hYBSGELnsmd42X3WVzb8e1mzi:voZtL+EP8hYBSGELnsmd42X3WtB
Malware Config
Signatures

Detect Umbral payload (1 IoC)
  resource: behavioral2/memory/2816-0-0x000001CF145E0000-0x000001CF14620000-memory.dmp
  yara_rule: family_umbral

Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid: 2056  Process: powershell.exe

Drops file in Drivers directory (1 IoC)
  description: File opened for modification
  ioc: C:\Windows\System32\drivers\etc\hosts
  Process: token bot.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow: 23  ioc: discord.com
  flow: 22  ioc: discord.com

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow: 18  ioc: ip-api.com

Detects videocard installed (1 TTP, 1 IoC)
Uses WMIC.exe to determine videocard installed.
  pid: 320  Process: wmic.exe

Suspicious behavior: EnumeratesProcesses (10 IoCs; each pid is recorded twice)
  pid: 2056  Process: powershell.exe
  pid: 2652  Process: powershell.exe
  pid: 1204  Process: powershell.exe
  pid: 868   Process: powershell.exe
  pid: 2856  Process: powershell.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token: SeDebugPrivilege  pid: 2816  Process: token bot.exe
  Token: SeDebugPrivilege  pid: 2056  Process: powershell.exe
  Token: SeDebugPrivilege  pid: 2652  Process: powershell.exe
  Token: SeDebugPrivilege  pid: 1204  Process: powershell.exe
  Token: SeDebugPrivilege  pid: 868   Process: powershell.exe
  pid: 2388  Process: wmic.exe (the following sequence is recorded twice):
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  pid: 528   Process: wmic.exe:
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege

Suspicious use of WriteProcessMemory (18 IoCs; each entry is recorded twice)
  description: PID 2816 wrote to memory of 2056  pid: 2816  Process: token bot.exe  procid_target: 81
  description: PID 2816 wrote to memory of 2652  pid: 2816  Process: token bot.exe  procid_target: 86
  description: PID 2816 wrote to memory of 1204  pid: 2816  Process: token bot.exe  procid_target: 88
  description: PID 2816 wrote to memory of 868   pid: 2816  Process: token bot.exe  procid_target: 90
  description: PID 2816 wrote to memory of 2388  pid: 2816  Process: token bot.exe  procid_target: 92
  description: PID 2816 wrote to memory of 528   pid: 2816  Process: token bot.exe  procid_target: 95
  description: PID 2816 wrote to memory of 4364  pid: 2816  Process: token bot.exe  procid_target: 97
  description: PID 2816 wrote to memory of 2856  pid: 2816  Process: token bot.exe  procid_target: 99
  description: PID 2816 wrote to memory of 320   pid: 2816  Process: token bot.exe  procid_target: 101
Processes

C:\Users\Admin\AppData\Local\Temp\token bot.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\token bot.exe"
  - Drops file in Drivers directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2816

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    command line: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\token bot.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2056

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    command line: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2652

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    command line: "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1204

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    command line: "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 868

  C:\Windows\System32\Wbem\wmic.exe (depth 2)
    command line: "wmic.exe" os get Caption
    - Suspicious use of AdjustPrivilegeToken
    PID: 2388

  C:\Windows\System32\Wbem\wmic.exe (depth 2)
    command line: "wmic.exe" computersystem get totalphysicalmemory
    - Suspicious use of AdjustPrivilegeToken
    PID: 528

  C:\Windows\System32\Wbem\wmic.exe (depth 2)
    command line: "wmic.exe" csproduct get uuid
    PID: 4364

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    command line: "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    - Suspicious behavior: EnumeratesProcesses
    PID: 2856

  C:\Windows\System32\Wbem\wmic.exe (depth 2)
    command line: "wmic" path win32_VideoController get name
    - Detects videocard installed
    PID: 320
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2KB
MD5: 71fa55c67a762ba70e40011153e19b3c
SHA1: a36d2bb4802a8ec7db1a68de5f0c3d6007987492
SHA256: b8be6896ca89d3ebe9ee8a94e3407483f4750badaf7fa33526817cfc926dc291
SHA512: 32760af7c05e20fec8cbddf56c2df544a69335f930f1d313cd1fdceaa90ed2afe81e54ac1b6770097d6f5ca5f30955f95970171a453579aa19239a17aaefe47f

Filesize: 944B
MD5: c67d20463454cbe08d7cf5270b6783d0
SHA1: 79de1f9eb55910cfaba59537fbfc457b7a6bc5e2
SHA256: efa29ca5393e2434c431df14860ef828ff59ae0d9c7409bf3c758c84eb02d007
SHA512: d839d3e85bcf18b4371060f15b2d4cb9ee3988fc52070c8012a01b7d164b00f6b3c636b29ce8b664e02ce2566242b9d6b2c2e315b698fb7b2b18d69e39f1a502

Filesize: 948B
MD5: f4bf3ca8753d6bb9725419fec1ec74b9
SHA1: 71fce9d17d1d92873236a9a827c52eb9e4827f3d
SHA256: ca8697e4ada4c3d4aac2899b8aad4052ccd605fccee05ee0a831368bde2f7417
SHA512: a55a107ae8bcf833ea674413c765cd55096146c9634dff41884fcc851c12fe47753308099525c99ae44883facfb668c8b292dd915263f34ebd1190391cb28a54

Filesize: 1KB
MD5: d3235ed022a42ec4338123ab87144afa
SHA1: 5058608bc0deb720a585a2304a8f7cf63a50a315
SHA256: 10663f5a1cb0afe5578f61ebaae2aafb363544e47b48521f9c23be9e6e431b27
SHA512: 236761b7c68feca8bd62cba90cff0b25fac5613837aaa5d29ae823ace8b06a2057553cf7e72b11ccc59b6c289e471ca1bbac1a880aef5e2868875371a17c1abf

Filesize: 1KB
MD5: 063fa26d779f114734bd9130125608c3
SHA1: 3a1b8fb1a319f6c40a71b117d6b07106d2a53857
SHA256: e8f8cb3e295999c4b311836d5fe1213b4721d56ab14af3eacd1bcdd051b5a66b
SHA512: fbe868cad1196fa3630581f269e8c512af1ed7b1d1e5708c369ed28810d37e48301370f19260657f47a560165113d28437741db39b91aaff69776143598b4391

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82