Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
02-11-2024 20:48
Behavioral task
behavioral1
Sample
GTAGLoader.exe
Resource
win7-20240903-en
General
-
Target
GTAGLoader.exe
-
Size
229KB
-
MD5
18cb3d1a221a079d9b499f2eec3a3e64
-
SHA1
5fb17f7e655b5cb79be1099c8ea550ac1f5ace1f
-
SHA256
e22bde6d04787794012e7e12ceaf1cf8fdf145f81551d90febf6a4f9c5d4e029
-
SHA512
ca4fdb1e0bbf0d63667d5faa71f691efa4f1a629ca391665d0c361ce84876fc2fd0962b3a2c8bb8735e09931cc4401f912dece4e43f325fa8fe56b5c24630b03
-
SSDEEP
6144:lloZM9rIkd8g+EtXHkv/iD4uNKIkqNlO+LWU1pAOqb8e1mSi:noZOL+EP8uNKIkqNlO+LWU1pAxQ
Malware Config
Signatures
-
Detect Umbral payload 1 IoCs
resource yara_rule behavioral1/memory/1992-1-0x00000000009D0000-0x0000000000A10000-memory.dmp family_umbral -
Umbral family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 3036 powershell.exe 2920 powershell.exe 2556 powershell.exe 1672 powershell.exe -
Drops file in Drivers directory 1 IoCs
description ioc Process File opened for modification C:\Windows\System32\drivers\etc\hosts GTAGLoader.exe -
Deletes itself 1 IoCs
pid Process 2460 cmd.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 8 discord.com 9 discord.com -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 6 ip-api.com -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2460 cmd.exe 2148 PING.EXE -
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.
pid Process 2296 wmic.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 2148 PING.EXE -
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process 3036 powershell.exe 2920 powershell.exe 2556 powershell.exe 2300 powershell.exe 1672 powershell.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 1992 GTAGLoader.exe Token: SeDebugPrivilege 3036 powershell.exe Token: SeDebugPrivilege 2920 powershell.exe Token: SeDebugPrivilege 2556 powershell.exe Token: SeDebugPrivilege 2300 powershell.exe Token: SeIncreaseQuotaPrivilege 2952 wmic.exe Token: SeSecurityPrivilege 2952 wmic.exe Token: SeTakeOwnershipPrivilege 2952 wmic.exe Token: SeLoadDriverPrivilege 2952 wmic.exe Token: SeSystemProfilePrivilege 2952 wmic.exe Token: SeSystemtimePrivilege 2952 wmic.exe Token: SeProfSingleProcessPrivilege 2952 wmic.exe Token: SeIncBasePriorityPrivilege 2952 wmic.exe Token: SeCreatePagefilePrivilege 2952 wmic.exe Token: SeBackupPrivilege 2952 wmic.exe Token: SeRestorePrivilege 2952 wmic.exe Token: SeShutdownPrivilege 2952 wmic.exe Token: SeDebugPrivilege 2952 wmic.exe Token: SeSystemEnvironmentPrivilege 2952 wmic.exe Token: SeRemoteShutdownPrivilege 2952 wmic.exe Token: SeUndockPrivilege 2952 wmic.exe Token: SeManageVolumePrivilege 2952 wmic.exe Token: 33 2952 wmic.exe Token: 34 2952 wmic.exe Token: 35 2952 wmic.exe Token: SeIncreaseQuotaPrivilege 2952 wmic.exe Token: SeSecurityPrivilege 2952 wmic.exe Token: SeTakeOwnershipPrivilege 2952 wmic.exe Token: SeLoadDriverPrivilege 2952 wmic.exe Token: SeSystemProfilePrivilege 2952 wmic.exe Token: SeSystemtimePrivilege 2952 wmic.exe Token: SeProfSingleProcessPrivilege 2952 wmic.exe Token: SeIncBasePriorityPrivilege 2952 wmic.exe Token: SeCreatePagefilePrivilege 2952 wmic.exe Token: SeBackupPrivilege 2952 wmic.exe Token: SeRestorePrivilege 2952 wmic.exe Token: SeShutdownPrivilege 2952 wmic.exe Token: SeDebugPrivilege 2952 wmic.exe Token: SeSystemEnvironmentPrivilege 2952 wmic.exe Token: SeRemoteShutdownPrivilege 2952 wmic.exe Token: SeUndockPrivilege 2952 wmic.exe Token: SeManageVolumePrivilege 2952 wmic.exe Token: 33 2952 wmic.exe Token: 34 2952 wmic.exe Token: 35 2952 wmic.exe Token: SeIncreaseQuotaPrivilege 396 wmic.exe Token: SeSecurityPrivilege 396 wmic.exe Token: SeTakeOwnershipPrivilege 396 wmic.exe Token: SeLoadDriverPrivilege 396 wmic.exe Token: SeSystemProfilePrivilege 396 wmic.exe Token: SeSystemtimePrivilege 396 wmic.exe Token: SeProfSingleProcessPrivilege 396 wmic.exe Token: SeIncBasePriorityPrivilege 396 wmic.exe Token: SeCreatePagefilePrivilege 396 wmic.exe Token: SeBackupPrivilege 396 wmic.exe Token: SeRestorePrivilege 396 wmic.exe Token: SeShutdownPrivilege 396 wmic.exe Token: SeDebugPrivilege 396 wmic.exe Token: SeSystemEnvironmentPrivilege 396 wmic.exe Token: SeRemoteShutdownPrivilege 396 wmic.exe Token: SeUndockPrivilege 396 wmic.exe Token: SeManageVolumePrivilege 396 wmic.exe Token: 33 396 wmic.exe Token: 34 396 wmic.exe -
Suspicious use of WriteProcessMemory 36 IoCs
description pid Process procid_target PID 1992 wrote to memory of 2836 1992 GTAGLoader.exe 30 PID 1992 wrote to memory of 2836 1992 GTAGLoader.exe 30 PID 1992 wrote to memory of 2836 1992 GTAGLoader.exe 30 PID 1992 wrote to memory of 3036 1992 GTAGLoader.exe 32 PID 1992 wrote to memory of 3036 1992 GTAGLoader.exe 32 PID 1992 wrote to memory of 3036 1992 GTAGLoader.exe 32 PID 1992 wrote to memory of 2920 1992 GTAGLoader.exe 34 PID 1992 wrote to memory of 2920 1992 GTAGLoader.exe 34 PID 1992 wrote to memory of 2920 1992 GTAGLoader.exe 34 PID 1992 wrote to memory of 2556 1992 GTAGLoader.exe 36 PID 1992 wrote to memory of 2556 1992 GTAGLoader.exe 36 PID 1992 wrote to memory of 2556 1992 GTAGLoader.exe 36 PID 1992 wrote to memory of 2300 1992 GTAGLoader.exe 38 PID 1992 wrote to memory of 2300 1992 GTAGLoader.exe 38 PID 1992 wrote to memory of 2300 1992 GTAGLoader.exe 38 PID 1992 wrote to memory of 2952 1992 GTAGLoader.exe 40 PID 1992 wrote to memory of 2952 1992 GTAGLoader.exe 40 PID 1992 wrote to memory of 2952 1992 GTAGLoader.exe 40 PID 1992 wrote to memory of 396 1992 GTAGLoader.exe 43 PID 1992 wrote to memory of 396 1992 GTAGLoader.exe 43 PID 1992 wrote to memory of 396 1992 GTAGLoader.exe 43 PID 1992 wrote to memory of 1980 1992 GTAGLoader.exe 45 PID 1992 wrote to memory of 1980 1992 GTAGLoader.exe 45 PID 1992 wrote to memory of 1980 1992 GTAGLoader.exe 45 PID 1992 wrote to memory of 1672 1992 GTAGLoader.exe 47 PID 1992 wrote to memory of 1672 1992 GTAGLoader.exe 47 PID 1992 wrote to memory of 1672 1992 GTAGLoader.exe 47 PID 1992 wrote to memory of 2296 1992 GTAGLoader.exe 49 PID 1992 wrote to memory of 2296 1992 GTAGLoader.exe 49 PID 1992 wrote to memory of 2296 1992 GTAGLoader.exe 49 PID 1992 wrote to memory of 2460 1992 GTAGLoader.exe 51 PID 1992 wrote to memory of 2460 1992 GTAGLoader.exe 51 PID 1992 wrote to memory of 2460 1992 GTAGLoader.exe 51 PID 2460 wrote to memory of 2148 2460 cmd.exe 53 PID 2460 wrote to memory of 2148 2460 cmd.exe 53 PID 2460 wrote to memory of 2148 2460 cmd.exe 53 -
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process 2836 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\GTAGLoader.exe"C:\Users\Admin\AppData\Local\Temp\GTAGLoader.exe"1⤵
- Drops file in Drivers directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1992 -
C:\Windows\system32\attrib.exe"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\GTAGLoader.exe"2⤵
- Views/modifies file attributes
PID:2836
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\GTAGLoader.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3036
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 22⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2920
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2556
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2300
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" os get Caption2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2952
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" computersystem get totalphysicalmemory2⤵
- Suspicious use of AdjustPrivilegeToken
PID:396
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid2⤵PID:1980
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1672
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic" path win32_VideoController get name2⤵
- Detects videocard installed
PID:2296
-
-
C:\Windows\system32\cmd.exe"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\GTAGLoader.exe" && pause2⤵
- Deletes itself
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:2460 -
C:\Windows\system32\PING.EXEping localhost3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2148
-
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD5146a82ebf1e4fabc69e2f2e163ed8e77
SHA1bda0eb899c9925fbaed59b13126dc36a2e004bf9
SHA25603c7c5379155ac4b198263b253fdc9463b6711623d0d3d844aa85d390c5dc3e2
SHA5125b79acf8b57fc2dc2de855b540a1fb7fab18db55e7bcdfd4d1a90626bec94cb6a651ad2eea198c3cab7d371dfd0fdb9aeec4de25131858225acb6a501a85e400