Analysis
-
max time kernel
1151s -
max time network
1134s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
29-10-2024 01:53
General
-
Target
nvngx_dlss.dll
-
Size
5.8MB
-
MD5
8de5c0e5b2257874f05b2dbca186dc6a
-
SHA1
1e76d52f66d37e804a6c0b93e242fcf2a402705c
-
SHA256
788cf3cb6aaba23ae7735a80b0ac34ea62ccdac8851b94ad0a185137c2b72297
-
SHA512
75e5724ed2b28e1294a042a05c082346be5a1186f6a8547ba5b9ddd623c5a37872f36c637833133fa88d00e237fffaa619c35976bed558cd66f32b4c153026f5
-
SSDEEP
98304:Es2V9unkmnmFZZb5U39X0VFCb5cFUH+MRKqzFRShhDzij5IZdaaaU4ksdW80t/5:E9unjnu/beiQMU15UhNej5IsUOdWD15
Malware Config
Signatures
-
Detect Umbral payload 2 IoCs
resource yara_rule behavioral1/files/0x0007000000023caf-14.dat family_umbral behavioral1/memory/2920-21-0x00000193D61B0000-0x00000193D61F0000-memory.dmp family_umbral -
Umbral family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ rundll32.exe -
Blocklisted process makes network request 2 IoCs
flow pid Process 10 4864 rundll32.exe 14 4864 rundll32.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion rundll32.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation rundll32.exe -
Executes dropped EXE 1 IoCs
pid Process 2920 nvsvc64.exe -
resource yara_rule behavioral1/memory/4864-0-0x0000000180000000-0x0000000180EA8000-memory.dmp themida behavioral1/memory/4864-2-0x0000000180000000-0x0000000180EA8000-memory.dmp themida -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rundll32.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 26 ip-api.com -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 4864 rundll32.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\SoftwareDistribution\nvsvc64.exe rundll32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 43 IoCs
description pid Process Token: SeDebugPrivilege 2920 nvsvc64.exe Token: SeIncreaseQuotaPrivilege 4684 wmic.exe Token: SeSecurityPrivilege 4684 wmic.exe Token: SeTakeOwnershipPrivilege 4684 wmic.exe Token: SeLoadDriverPrivilege 4684 wmic.exe Token: SeSystemProfilePrivilege 4684 wmic.exe Token: SeSystemtimePrivilege 4684 wmic.exe Token: SeProfSingleProcessPrivilege 4684 wmic.exe Token: SeIncBasePriorityPrivilege 4684 wmic.exe Token: SeCreatePagefilePrivilege 4684 wmic.exe Token: SeBackupPrivilege 4684 wmic.exe Token: SeRestorePrivilege 4684 wmic.exe Token: SeShutdownPrivilege 4684 wmic.exe Token: SeDebugPrivilege 4684 wmic.exe Token: SeSystemEnvironmentPrivilege 4684 wmic.exe Token: SeRemoteShutdownPrivilege 4684 wmic.exe Token: SeUndockPrivilege 4684 wmic.exe Token: SeManageVolumePrivilege 4684 wmic.exe Token: 33 4684 wmic.exe Token: 34 4684 wmic.exe Token: 35 4684 wmic.exe Token: 36 4684 wmic.exe Token: SeIncreaseQuotaPrivilege 4684 wmic.exe Token: SeSecurityPrivilege 4684 wmic.exe Token: SeTakeOwnershipPrivilege 4684 wmic.exe Token: SeLoadDriverPrivilege 4684 wmic.exe Token: SeSystemProfilePrivilege 4684 wmic.exe Token: SeSystemtimePrivilege 4684 wmic.exe Token: SeProfSingleProcessPrivilege 4684 wmic.exe Token: SeIncBasePriorityPrivilege 4684 wmic.exe Token: SeCreatePagefilePrivilege 4684 wmic.exe Token: SeBackupPrivilege 4684 wmic.exe Token: SeRestorePrivilege 4684 wmic.exe Token: SeShutdownPrivilege 4684 wmic.exe Token: SeDebugPrivilege 4684 wmic.exe Token: SeSystemEnvironmentPrivilege 4684 wmic.exe Token: SeRemoteShutdownPrivilege 4684 wmic.exe Token: SeUndockPrivilege 4684 wmic.exe Token: SeManageVolumePrivilege 4684 wmic.exe Token: 33 4684 wmic.exe Token: 34 4684 wmic.exe Token: 35 4684 wmic.exe Token: 36 4684 wmic.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 4864 wrote to memory of 2920 4864 rundll32.exe 86 PID 4864 wrote to memory of 2920 4864 rundll32.exe 86 PID 2920 wrote to memory of 4684 2920 nvsvc64.exe 88 PID 2920 wrote to memory of 4684 2920 nvsvc64.exe 88
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\nvngx_dlss.dll,#11⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Blocklisted process makes network request
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4864 -
C:\Windows\SoftwareDistribution\nvsvc64.exe"C:\Windows\SoftwareDistribution\nvsvc64.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4684
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
231KB
MD5db91000fe7eb1d5e6d6ec2282b9df079
SHA1796efefed175006f206fe83ecd0e1a0755347646
SHA256a44fd93c951d382db9062769546c27f46edf147e20b4bbf0ee965a228573c030
SHA512594dd398418b54abc626da9865b5ffff50052e52b9f628dce7409fee5eadc8d9364f28a8d6739f59d6d161cdbb093c2d029692ad981f77a818c5894dafab8e28