Analysis
max time kernel: 34s
max time network: 40s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 29/10/2024, 01:47
Behavioral task: behavioral1
Sample: nvngx_dlss.dll
Resource: win7-20241010-en
General
Target: nvngx_dlss.dll
Size: 5.8MB
MD5: 8de5c0e5b2257874f05b2dbca186dc6a
SHA1: 1e76d52f66d37e804a6c0b93e242fcf2a402705c
SHA256: 788cf3cb6aaba23ae7735a80b0ac34ea62ccdac8851b94ad0a185137c2b72297
SHA512: 75e5724ed2b28e1294a042a05c082346be5a1186f6a8547ba5b9ddd623c5a37872f36c637833133fa88d00e237fffaa619c35976bed558cd66f32b4c153026f5
SSDEEP: 98304:Es2V9unkmnmFZZb5U39X0VFCb5cFUH+MRKqzFRShhDzij5IZdaaaU4ksdW80t/5:E9unjnu/beiQMU15UhNej5IsUOdWD15
Malware Config
Extracted family: umbral
C2 (webhook): https://discord.com/api/webhooks/1286314458028834867/yKG65rXAPQ0O6J-mHuUbeHui0J1VN6nIRNQYJzDQ9n4Jzx4zD57TzvNsJrOfWLaF3etV
Signatures

Detect Umbral payload (2 IoCs)
resource | yara_rule
behavioral1/files/0x000a000000016d3f-24.dat | family_umbral
behavioral1/memory/2912-26-0x0000000000F50000-0x0000000000F90000-memory.dmp | family_umbral

Umbral family

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | rundll32.exe

Blocklisted process makes network request (2 IoCs)
flow | pid | Process
4 | 2412 | rundll32.exe
7 | 2412 | rundll32.exe

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | rundll32.exe

Executes dropped EXE (1 IoCs)
pid | Process
2912 | nvsvc64.exe
Themida packer detected (yara_rule themida; signature heading missing from the extracted page)
resource | yara_rule
behavioral1/memory/2412-1-0x0000000180000000-0x0000000180EA8000-memory.dmp | themida
behavioral1/memory/2412-2-0x0000000180000000-0x0000000180EA8000-memory.dmp | themida
behavioral1/memory/2412-3-0x0000000180000000-0x0000000180EA8000-memory.dmp | themida
behavioral1/memory/2412-5-0x0000000180000000-0x0000000180EA8000-memory.dmp | themida
behavioral1/memory/2412-28-0x0000000180000000-0x0000000180EA8000-memory.dmp | themida

Checks whether UAC is enabled (1 IoCs; heading restored from the process tree below)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
10 | ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
pid | Process
2412 | rundll32.exe

Drops file in Windows directory (1 IoCs)
description | ioc | Process
File created | C:\Windows\SoftwareDistribution\nvsvc64.exe | rundll32.exe

Suspicious use of AdjustPrivilegeToken (41 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2912 | nvsvc64.exe
The following 20 tokens are each reported twice for pid 3056 (wmic.exe), giving the remaining 40 entries:
Token: SeIncreaseQuotaPrivilege | 3056 | wmic.exe
Token: SeSecurityPrivilege | 3056 | wmic.exe
Token: SeTakeOwnershipPrivilege | 3056 | wmic.exe
Token: SeLoadDriverPrivilege | 3056 | wmic.exe
Token: SeSystemProfilePrivilege | 3056 | wmic.exe
Token: SeSystemtimePrivilege | 3056 | wmic.exe
Token: SeProfSingleProcessPrivilege | 3056 | wmic.exe
Token: SeIncBasePriorityPrivilege | 3056 | wmic.exe
Token: SeCreatePagefilePrivilege | 3056 | wmic.exe
Token: SeBackupPrivilege | 3056 | wmic.exe
Token: SeRestorePrivilege | 3056 | wmic.exe
Token: SeShutdownPrivilege | 3056 | wmic.exe
Token: SeDebugPrivilege | 3056 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 3056 | wmic.exe
Token: SeRemoteShutdownPrivilege | 3056 | wmic.exe
Token: SeUndockPrivilege | 3056 | wmic.exe
Token: SeManageVolumePrivilege | 3056 | wmic.exe
Token: 33 | 3056 | wmic.exe
Token: 34 | 3056 | wmic.exe
Token: 35 | 3056 | wmic.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 2412 wrote to memory of 2912 | 2412 | rundll32.exe | 29
PID 2412 wrote to memory of 2912 | 2412 | rundll32.exe | 29
PID 2412 wrote to memory of 2912 | 2412 | rundll32.exe | 29
PID 2912 wrote to memory of 3056 | 2912 | nvsvc64.exe | 30
PID 2912 wrote to memory of 3056 | 2912 | nvsvc64.exe | 30
PID 2912 wrote to memory of 3056 | 2912 | nvsvc64.exe | 30
Processes

1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\nvngx_dlss.dll,#1
   PID: 2412
   - Identifies VirtualBox via ACPI registry values (likely anti-VM)
   - Blocklisted process makes network request
   - Checks BIOS information in registry
   - Checks whether UAC is enabled
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SoftwareDistribution\nvsvc64.exe (child of PID 2412)
      Command line: "C:\Windows\SoftwareDistribution\nvsvc64.exe"
      PID: 2912
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\System32\Wbem\wmic.exe (child of PID 2912)
         Command line: "wmic.exe" csproduct get uuid
         PID: 3056
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 231KB
MD5: db91000fe7eb1d5e6d6ec2282b9df079
SHA1: 796efefed175006f206fe83ecd0e1a0755347646
SHA256: a44fd93c951d382db9062769546c27f46edf147e20b4bbf0ee965a228573c030
SHA512: 594dd398418b54abc626da9865b5ffff50052e52b9f628dce7409fee5eadc8d9364f28a8d6739f59d6d161cdbb093c2d029692ad981f77a818c5894dafab8e28