Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
22-08-2024 02:01
Behavioral task
behavioral1
Sample
0bb64c9c095b99117d8250f97cda9a257985ce3ba6b5891796c7ece426b61ed0.exe
Resource
win7-20240704-en
General
-
Target
0bb64c9c095b99117d8250f97cda9a257985ce3ba6b5891796c7ece426b61ed0.exe
-
Size
227KB
-
MD5
fe415b65db443f8d7e3aa075d79b4a72
-
SHA1
71fa4604b053ac55c7afa5a2d87ea0bcf8d0a116
-
SHA256
0bb64c9c095b99117d8250f97cda9a257985ce3ba6b5891796c7ece426b61ed0
-
SHA512
dc715d2c938f22446f155afa615adbee775eb7abdc688b204037eccadd435490be3ab0fe6b2a9d493cb357de5730e864ffb842c42dc3051671a7fbc9a9117fb8
-
SSDEEP
6144:+loZM9rIkd8g+EtXHkv/iD4W9YhFzQEbmCzFQMpi+b8e1mSPi:ooZOL+EP8W9YhFzQEbmCzFQMp9Pa
Malware Config
Signatures
-
Detect Umbral payload 1 IoCs
resource yara_rule behavioral1/memory/2664-1-0x0000000000DC0000-0x0000000000E00000-memory.dmp family_umbral -
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
pid Process 2568 powershell.exe 692 powershell.exe 2848 powershell.exe 2200 powershell.exe -
Drops file in Drivers directory 1 IoCs
description ioc Process File opened for modification C:\Windows\System32\drivers\etc\hosts 0bb64c9c095b99117d8250f97cda9a257985ce3ba6b5891796c7ece426b61ed0.exe -
Deletes itself 1 IoCs
pid Process 2928 cmd.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 9 discord.com 8 discord.com -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 6 ip-api.com -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2928 cmd.exe 3040 PING.EXE -
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.
pid Process 852 wmic.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 3040 PING.EXE -
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process 2200 powershell.exe 2568 powershell.exe 692 powershell.exe 2856 powershell.exe 2848 powershell.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 2664 0bb64c9c095b99117d8250f97cda9a257985ce3ba6b5891796c7ece426b61ed0.exe Token: SeDebugPrivilege 2200 powershell.exe Token: SeDebugPrivilege 2568 powershell.exe Token: SeDebugPrivilege 692 powershell.exe Token: SeDebugPrivilege 2856 powershell.exe Token: SeIncreaseQuotaPrivilege 1184 wmic.exe Token: SeSecurityPrivilege 1184 wmic.exe Token: SeTakeOwnershipPrivilege 1184 wmic.exe Token: SeLoadDriverPrivilege 1184 wmic.exe Token: SeSystemProfilePrivilege 1184 wmic.exe Token: SeSystemtimePrivilege 1184 wmic.exe Token: SeProfSingleProcessPrivilege 1184 wmic.exe Token: SeIncBasePriorityPrivilege 1184 wmic.exe Token: SeCreatePagefilePrivilege 1184 wmic.exe Token: SeBackupPrivilege 1184 wmic.exe Token: SeRestorePrivilege 1184 wmic.exe Token: SeShutdownPrivilege 1184 wmic.exe Token: SeDebugPrivilege 1184 wmic.exe Token: SeSystemEnvironmentPrivilege 1184 wmic.exe Token: SeRemoteShutdownPrivilege 1184 wmic.exe Token: SeUndockPrivilege 1184 wmic.exe Token: SeManageVolumePrivilege 1184 wmic.exe Token: 33 1184 wmic.exe Token: 34 1184 wmic.exe Token: 35 1184 wmic.exe Token: SeIncreaseQuotaPrivilege 1184 wmic.exe Token: SeSecurityPrivilege 1184 wmic.exe Token: SeTakeOwnershipPrivilege 1184 wmic.exe Token: SeLoadDriverPrivilege 1184 wmic.exe Token: SeSystemProfilePrivilege 1184 wmic.exe Token: SeSystemtimePrivilege 1184 wmic.exe Token: SeProfSingleProcessPrivilege 1184 wmic.exe Token: SeIncBasePriorityPrivilege 1184 wmic.exe Token: SeCreatePagefilePrivilege 1184 wmic.exe Token: SeBackupPrivilege 1184 wmic.exe Token: SeRestorePrivilege 1184 wmic.exe Token: SeShutdownPrivilege 1184 wmic.exe Token: SeDebugPrivilege 1184 wmic.exe Token: SeSystemEnvironmentPrivilege 1184 wmic.exe Token: SeRemoteShutdownPrivilege 1184 wmic.exe Token: SeUndockPrivilege 1184 wmic.exe Token: SeManageVolumePrivilege 1184 wmic.exe Token: 33 1184 wmic.exe Token: 34 1184 wmic.exe Token: 35 1184 wmic.exe Token: SeIncreaseQuotaPrivilege 1672 wmic.exe Token: SeSecurityPrivilege 1672 wmic.exe Token: SeTakeOwnershipPrivilege 1672 wmic.exe Token: SeLoadDriverPrivilege 1672 wmic.exe Token: SeSystemProfilePrivilege 1672 wmic.exe Token: SeSystemtimePrivilege 1672 wmic.exe Token: SeProfSingleProcessPrivilege 1672 wmic.exe Token: SeIncBasePriorityPrivilege 1672 wmic.exe Token: SeCreatePagefilePrivilege 1672 wmic.exe Token: SeBackupPrivilege 1672 wmic.exe Token: SeRestorePrivilege 1672 wmic.exe Token: SeShutdownPrivilege 1672 wmic.exe Token: SeDebugPrivilege 1672 wmic.exe Token: SeSystemEnvironmentPrivilege 1672 wmic.exe Token: SeRemoteShutdownPrivilege 1672 wmic.exe Token: SeUndockPrivilege 1672 wmic.exe Token: SeManageVolumePrivilege 1672 wmic.exe Token: 33 1672 wmic.exe Token: 34 1672 wmic.exe -
Suspicious use of WriteProcessMemory 36 IoCs
description pid Process procid_target PID 2664 wrote to memory of 2740 2664 0bb64c9c095b99117d8250f97cda9a257985ce3ba6b5891796c7ece426b61ed0.exe 30 PID 2664 wrote to memory of 2740 2664 0bb64c9c095b99117d8250f97cda9a257985ce3ba6b5891796c7ece426b61ed0.exe 30 PID 2664 wrote to memory of 2740 2664 0bb64c9c095b99117d8250f97cda9a257985ce3ba6b5891796c7ece426b61ed0.exe 30 PID 2664 wrote to memory of 2200 2664 0bb64c9c095b99117d8250f97cda9a257985ce3ba6b5891796c7ece426b61ed0.exe 32 PID 2664 wrote to memory of 2200 2664 0bb64c9c095b99117d8250f97cda9a257985ce3ba6b5891796c7ece426b61ed0.exe 32 PID 2664 wrote to memory of 2200 2664 0bb64c9c095b99117d8250f97cda9a257985ce3ba6b5891796c7ece426b61ed0.exe 32 PID 2664 wrote to memory of 2568 2664 0bb64c9c095b99117d8250f97cda9a257985ce3ba6b5891796c7ece426b61ed0.exe 34 PID 2664 wrote to memory of 2568 2664 0bb64c9c095b99117d8250f97cda9a257985ce3ba6b5891796c7ece426b61ed0.exe 34 PID 2664 wrote to memory of 2568 2664 0bb64c9c095b99117d8250f97cda9a257985ce3ba6b5891796c7ece426b61ed0.exe 34 PID 2664 wrote to memory of 692 2664 0bb64c9c095b99117d8250f97cda9a257985ce3ba6b5891796c7ece426b61ed0.exe 36 PID 2664 wrote to memory of 692 2664 0bb64c9c095b99117d8250f97cda9a257985ce3ba6b5891796c7ece426b61ed0.exe 36 PID 2664 wrote to memory of 692 2664 0bb64c9c095b99117d8250f97cda9a257985ce3ba6b5891796c7ece426b61ed0.exe 36 PID 2664 wrote to memory of 2856 2664 0bb64c9c095b99117d8250f97cda9a257985ce3ba6b5891796c7ece426b61ed0.exe 38 PID 2664 wrote to memory of 2856 2664 0bb64c9c095b99117d8250f97cda9a257985ce3ba6b5891796c7ece426b61ed0.exe 38 PID 2664 wrote to memory of 2856 2664 0bb64c9c095b99117d8250f97cda9a257985ce3ba6b5891796c7ece426b61ed0.exe 38 PID 2664 wrote to memory of 1184 2664 0bb64c9c095b99117d8250f97cda9a257985ce3ba6b5891796c7ece426b61ed0.exe 40 PID 2664 wrote to memory of 1184 2664 0bb64c9c095b99117d8250f97cda9a257985ce3ba6b5891796c7ece426b61ed0.exe 40 PID 2664 wrote to memory of 1184 2664 0bb64c9c095b99117d8250f97cda9a257985ce3ba6b5891796c7ece426b61ed0.exe 40 PID 2664 wrote to memory of 1672 2664 0bb64c9c095b99117d8250f97cda9a257985ce3ba6b5891796c7ece426b61ed0.exe 43 PID 2664 wrote to memory of 1672 2664 0bb64c9c095b99117d8250f97cda9a257985ce3ba6b5891796c7ece426b61ed0.exe 43 PID 2664 wrote to memory of 1672 2664 0bb64c9c095b99117d8250f97cda9a257985ce3ba6b5891796c7ece426b61ed0.exe 43 PID 2664 wrote to memory of 1920 2664 0bb64c9c095b99117d8250f97cda9a257985ce3ba6b5891796c7ece426b61ed0.exe 45 PID 2664 wrote to memory of 1920 2664 0bb64c9c095b99117d8250f97cda9a257985ce3ba6b5891796c7ece426b61ed0.exe 45 PID 2664 wrote to memory of 1920 2664 0bb64c9c095b99117d8250f97cda9a257985ce3ba6b5891796c7ece426b61ed0.exe 45 PID 2664 wrote to memory of 2848 2664 0bb64c9c095b99117d8250f97cda9a257985ce3ba6b5891796c7ece426b61ed0.exe 47 PID 2664 wrote to memory of 2848 2664 0bb64c9c095b99117d8250f97cda9a257985ce3ba6b5891796c7ece426b61ed0.exe 47 PID 2664 wrote to memory of 2848 2664 0bb64c9c095b99117d8250f97cda9a257985ce3ba6b5891796c7ece426b61ed0.exe 47 PID 2664 wrote to memory of 852 2664 0bb64c9c095b99117d8250f97cda9a257985ce3ba6b5891796c7ece426b61ed0.exe 49 PID 2664 wrote to memory of 852 2664 0bb64c9c095b99117d8250f97cda9a257985ce3ba6b5891796c7ece426b61ed0.exe 49 PID 2664 wrote to memory of 852 2664 0bb64c9c095b99117d8250f97cda9a257985ce3ba6b5891796c7ece426b61ed0.exe 49 PID 2664 wrote to memory of 2928 2664 0bb64c9c095b99117d8250f97cda9a257985ce3ba6b5891796c7ece426b61ed0.exe 51 PID 2664 wrote to memory of 2928 2664 0bb64c9c095b99117d8250f97cda9a257985ce3ba6b5891796c7ece426b61ed0.exe 51 PID 2664 wrote to memory of 2928 2664 0bb64c9c095b99117d8250f97cda9a257985ce3ba6b5891796c7ece426b61ed0.exe 51 PID 2928 wrote to memory of 3040 2928 cmd.exe 53 PID 2928 wrote to memory of 3040 2928 cmd.exe 53 PID 2928 wrote to memory of 3040 2928 cmd.exe 53 -
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process 2740 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\0bb64c9c095b99117d8250f97cda9a257985ce3ba6b5891796c7ece426b61ed0.exe"C:\Users\Admin\AppData\Local\Temp\0bb64c9c095b99117d8250f97cda9a257985ce3ba6b5891796c7ece426b61ed0.exe"1⤵
- Drops file in Drivers directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\system32\attrib.exe"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\0bb64c9c095b99117d8250f97cda9a257985ce3ba6b5891796c7ece426b61ed0.exe"2⤵
- Views/modifies file attributes
PID:2740
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\0bb64c9c095b99117d8250f97cda9a257985ce3ba6b5891796c7ece426b61ed0.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2200
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 22⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2568
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:692
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2856
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" os get Caption2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1184
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" computersystem get totalphysicalmemory2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1672
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid2⤵PID:1920
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2848
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic" path win32_VideoController get name2⤵
- Detects videocard installed
PID:852
-
-
C:\Windows\system32\cmd.exe"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\0bb64c9c095b99117d8250f97cda9a257985ce3ba6b5891796c7ece426b61ed0.exe" && pause2⤵
- Deletes itself
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\system32\PING.EXEping localhost3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3040
-
-
Network
-
Remote address:8.8.8.8:53Requestgstatic.comIN AResponsegstatic.comIN A216.58.214.67
-
GEThttps://gstatic.com/generate_2040bb64c9c095b99117d8250f97cda9a257985ce3ba6b5891796c7ece426b61ed0.exeRemote address:216.58.214.67:443RequestGET /generate_204 HTTP/1.1
Host: gstatic.com
Connection: Keep-Alive
ResponseHTTP/1.1 204 No Content
Cross-Origin-Resource-Policy: cross-origin
Date: Thu, 22 Aug 2024 02:01:12 GMT
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
-
Remote address:8.8.8.8:53Requestip-api.comIN AResponseip-api.comIN A208.95.112.1
-
GEThttp://ip-api.com/json/?fields=2255450bb64c9c095b99117d8250f97cda9a257985ce3ba6b5891796c7ece426b61ed0.exeRemote address:208.95.112.1:80RequestGET /json/?fields=225545 HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 161
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
-
Remote address:8.8.8.8:53Requestdiscord.comIN AResponsediscord.comIN A162.159.128.233discord.comIN A162.159.136.232discord.comIN A162.159.135.232discord.comIN A162.159.138.232discord.comIN A162.159.137.232
-
216.58.214.67:443https://gstatic.com/generate_204tls, http0bb64c9c095b99117d8250f97cda9a257985ce3ba6b5891796c7ece426b61ed0.exe862 B 4.7kB 11 8
HTTP Request
GET https://gstatic.com/generate_204HTTP Response
204 -
208.95.112.1:80http://ip-api.com/json/?fields=225545http0bb64c9c095b99117d8250f97cda9a257985ce3ba6b5891796c7ece426b61ed0.exe309 B 510 B 5 4
HTTP Request
GET http://ip-api.com/json/?fields=225545HTTP Response
200 -
162.159.128.233:443discord.comtls0bb64c9c095b99117d8250f97cda9a257985ce3ba6b5891796c7ece426b61ed0.exe345 B 219 B 5 5
-
57 B 73 B 1 1
DNS Request
gstatic.com
DNS Response
216.58.214.67
-
56 B 72 B 1 1
DNS Request
ip-api.com
DNS Response
208.95.112.1
-
57 B 137 B 1 1
DNS Request
discord.com
DNS Response
162.159.128.233162.159.136.232162.159.135.232162.159.138.232162.159.137.232
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD5a46df4d585e57a4ffe9b49434689754e
SHA15e894d21610605ec909cc9dc4b82de89ec673228
SHA256333b13d1466ebfb8e4a4806052ebe2b5aab1c6f2c7f31f7373c329c008efae9c
SHA512aff2c4d56fcd124ff6c2381cfbde9d4ddb00ae4d447eca844c8049945a21634960981b9c4068de202e5c2c342748f7c9b65566c1f928fcd16c418370480b0224