Overview

overview

10

Static

static

3

HWID.exe

windows7-x64

10

HWID.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231201-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231201-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-12-2023 16:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    HWID.exe

  • Size

    149KB

  • MD5

    2c1ec91ada25a4a34441200dd9773c2a

  • SHA1

    80154f3f48a32866de9742bed33ebb907086125e

  • SHA256

    0f8980228acd3d9dd7bc9208c13a68b244ee903212327e4d350a82010aa37993

  • SHA512

    0ff2d7b2ac069c8bb2b381333f896b2d09ee0c0ec23b1943c35ae758adc71bd34c69502fb22208b1bdb568bda8a908ed548f407010d09532664b02d83fde5b99

  • SSDEEP

    3072:+r8dXu13UyQlK/UbZcZJuQCdM79xQbj8alpC5cgiTWMolM2i:+r8de1krcsbQuQpUQallgiboF

Score
10/10
umbralxwormratstealertrojan

Malware Config

Extracted

Family

xworm

C2

owner-cc.gl.at.ply.gg:32281

Attributes
  • Install_directory

    %AppData%

  • install_file

    WindowsSoundSystem.exe

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1181010758201520208/iCxvWqp_69ofS-eHs5naW1_4vBzPxLSr9zIR5Bso1e4orm8yDICPrre5CTF60DCywY_3

Signatures

  • Detect Umbral payload 4 IoCs
  • Detect Xworm Payload 4 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\HWID.exe
    "C:\Users\Admin\AppData\Local\Temp\HWID.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3220
    • C:\Users\Admin\AppData\Local\Temp\Windows sound.exe
      "C:\Users\Admin\AppData\Local\Temp\Windows sound.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4188
    • C:\Users\Admin\AppData\Local\Temp\Windows Blue Tooth.exe
      "C:\Users\Admin\AppData\Local\Temp\Windows Blue Tooth.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4852

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Windows Blue Tooth.exe
    Filesize

    229KB

    MD5

    33405e3ec22e3bd98c3339fa179438b6

    SHA1

    77134fb582641f0a54007b6ea92c5ad62ef3ed62

    SHA256

    f336096f486e9507e51d6cf172745ab126cd57f98e3b9429e77f488c65a59019

    SHA512

    fa8649a280a4b8099f6c46a71226e8e03388c794c3cdded278128322d612a48a85dfbe7467da2c8079ff4fefde9491e4e867c6e4786bf690f76acbc948880f56

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Windows Blue Tooth.exe
    Filesize

    229KB

    MD5

    33405e3ec22e3bd98c3339fa179438b6

    SHA1

    77134fb582641f0a54007b6ea92c5ad62ef3ed62

    SHA256

    f336096f486e9507e51d6cf172745ab126cd57f98e3b9429e77f488c65a59019

    SHA512

    fa8649a280a4b8099f6c46a71226e8e03388c794c3cdded278128322d612a48a85dfbe7467da2c8079ff4fefde9491e4e867c6e4786bf690f76acbc948880f56

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Windows Blue Tooth.exe
    Filesize

    229KB

    MD5

    33405e3ec22e3bd98c3339fa179438b6

    SHA1

    77134fb582641f0a54007b6ea92c5ad62ef3ed62

    SHA256

    f336096f486e9507e51d6cf172745ab126cd57f98e3b9429e77f488c65a59019

    SHA512

    fa8649a280a4b8099f6c46a71226e8e03388c794c3cdded278128322d612a48a85dfbe7467da2c8079ff4fefde9491e4e867c6e4786bf690f76acbc948880f56

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Windows sound.exe
    Filesize

    75KB

    MD5

    cf4187443a0b1f17e74f66723631a822

    SHA1

    2e17093723097c3729d29d19da3df6d7e18e37be

    SHA256

    5eed1e22f8d10b33233ff690d9fc10df6e419c7c7d6223230bbd0d8efaa51887

    SHA512

    2f4865810ad1f291018babd5ec627360d460e29647f6383d0afc6c2f219fd78ddb5113cfa3f27d125d0a59216588805f86b7fa78f3b5f4d45d15192f72d134a7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Windows sound.exe
    Filesize

    75KB

    MD5

    cf4187443a0b1f17e74f66723631a822

    SHA1

    2e17093723097c3729d29d19da3df6d7e18e37be

    SHA256

    5eed1e22f8d10b33233ff690d9fc10df6e419c7c7d6223230bbd0d8efaa51887

    SHA512

    2f4865810ad1f291018babd5ec627360d460e29647f6383d0afc6c2f219fd78ddb5113cfa3f27d125d0a59216588805f86b7fa78f3b5f4d45d15192f72d134a7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Windows sound.exe
    Filesize

    75KB

    MD5

    cf4187443a0b1f17e74f66723631a822

    SHA1

    2e17093723097c3729d29d19da3df6d7e18e37be

    SHA256

    5eed1e22f8d10b33233ff690d9fc10df6e419c7c7d6223230bbd0d8efaa51887

    SHA512

    2f4865810ad1f291018babd5ec627360d460e29647f6383d0afc6c2f219fd78ddb5113cfa3f27d125d0a59216588805f86b7fa78f3b5f4d45d15192f72d134a7

    Download Submit

  • memory/3220-0-0x0000000000F30000-0x0000000000F5C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/3220-1-0x00007FF926410000-0x00007FF926ED1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3220-2-0x000000001C040000-0x000000001C050000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3220-29-0x00007FF926410000-0x00007FF926ED1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4188-28-0x00007FF926410000-0x00007FF926ED1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4188-27-0x0000000000460000-0x000000000047A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4188-32-0x000000001B150000-0x000000001B160000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4188-37-0x00007FF926410000-0x00007FF926ED1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4188-40-0x000000001B150000-0x000000001B160000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4852-30-0x00007FF926410000-0x00007FF926ED1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4852-25-0x0000024E7A390000-0x0000024E7A3D0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/4852-31-0x0000024E7BF30000-0x0000024E7BF40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4852-38-0x00007FF926410000-0x00007FF926ED1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4852-39-0x0000024E7BF30000-0x0000024E7BF40000-memory.dmp

    Filesize

    64KB

    Download