umbral | 22c914a74fb920ee0124c81be75da93a49ab86d044b3ea6dee2ca6d090c47429

Analysis

max time kernel
91s
max time network
87s
platform
windows10-2004_x64
resource
win10v2004-20231130-es
resource tags

arch:x64arch:x86image:win10v2004-20231130-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
12-12-2023 02:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HWID.exe
Size

143KB
MD5

216b93184fc784e9956b169983cf5af0
SHA1

dc8a16b4c7823d60fcb0ea0ae1e3ffee940c74a3
SHA256

486c1e6cf97c3466196e9657613be7abcbc81903ef91a70c3dc77e6c1f94bfd3
SHA512

8b2afe6cdeeefd3e7e8c8a7b9328d555ede6699729b76c2900f2545fd871047ff34ccedc6612f17e77754eeca27244be16c5a2b44371a3d77e8d9965730c37b2
SSDEEP

3072:Zc0MzJUdXr4Gg72hXaz5CojcYgaXr+LSLjj74Rp4p:Zc0E6do72hGCtYX+q4R6

Score

10^/10

umbral xworm rat stealer trojan

Malware Config

Extracted

Family

xworm

owner-cc.gl.at.ply.gg:32281

4.tcp.ngrok.io:32281

Attributes

Install_directory
%AppData%
install_file
WindowsSoundSystem.exe

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000e000000023136-18.dat	family_umbral
behavioral1/memory/3060-27-0x000001E675BB0000-0x000001E675BF0000-memory.dmp	family_umbral

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023123-7.dat	family_xworm
behavioral1/memory/3592-26-0x0000000000130000-0x0000000000148000-memory.dmp	family_xworm

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\Control Panel\International\Geo\Nation	HWID.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsSoundSystem.lnk	HWID3.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsSoundSystem.lnk	HWID3.exe

Executes dropped EXE 2 IoCs

pid	Process
3592	HWID3.exe
3060	HWID4.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3592	HWID3.exe
Token: SeDebugPrivilege	3060	HWID4.exe
Token: SeDebugPrivilege	3592	HWID3.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4036 wrote to memory of 3592	4036	HWID.exe	89
PID 4036 wrote to memory of 3592	4036	HWID.exe	89
PID 4036 wrote to memory of 3060	4036	HWID.exe	90
PID 4036 wrote to memory of 3060	4036	HWID.exe	90

C:\Users\Admin\AppData\Local\Temp\HWID.exe
"C:\Users\Admin\AppData\Local\Temp\HWID.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4036
- C:\Users\Admin\AppData\Local\Temp\HWID3.exe
  "C:\Users\Admin\AppData\Local\Temp\HWID3.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3592
- C:\Users\Admin\AppData\Local\Temp\HWID4.exe
  "C:\Users\Admin\AppData\Local\Temp\HWID4.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HWID3.exe

Filesize
67KB

MD5
ea9dec731581c5733c63b25583e8ba0a

SHA1
1f1a3624dfd9d6d672394c775f481320e51fdd60

SHA256
d781bb8af81e580ac6058777da93792bbba0489c1dd54b10a97008537083106c

SHA512
2a50894f59b0cac4f87c73adc951793793ef87513840d77d36b7a8db18c546dea95fae066543c027026437caad813f27ebd7f43f8b0a53c6b616c7366d4cc1c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\HWID4.exe

Filesize
231KB

MD5
9d09b4c2dec76f410a1b46377b573bc0

SHA1
8149d29384ab7ad61e821fef2824d289d13cd095

SHA256
85ddf86a2f9c77502cde7217a587611370423af04effee7788af4427e1b4dc1d

SHA512
83d75fa5af5a6eadd8dd6e1f1afc7a9952a3c6b86426d5b4295cc2e0bb5623323d89a4e1fd3b104f5d5f08e720db51118fe1abc6f64f1b2459949c2f703db13a

Download Submit
memory/3060-33-0x000001E6781B0000-0x000001E6781F0000-memory.dmp

Filesize
256KB

Download
memory/3060-30-0x000001E678220000-0x000001E678230000-memory.dmp

Filesize
64KB

Download
memory/3060-41-0x00007FF876A20000-0x00007FF8774E1000-memory.dmp

Filesize
10.8MB

Download
memory/3060-27-0x000001E675BB0000-0x000001E675BF0000-memory.dmp

Filesize
256KB

Download
memory/3060-40-0x000001E678220000-0x000001E678230000-memory.dmp

Filesize
64KB

Download
memory/3060-34-0x000001E678440000-0x000001E678542000-memory.dmp

Filesize
1.0MB

Download
memory/3060-31-0x00007FF876A20000-0x00007FF8774E1000-memory.dmp

Filesize
10.8MB

Download
memory/3592-26-0x0000000000130000-0x0000000000148000-memory.dmp

Filesize
96KB

Download
memory/3592-32-0x000000001AFD0000-0x000000001AFE0000-memory.dmp

Filesize
64KB

Download
memory/3592-29-0x00007FF876A20000-0x00007FF8774E1000-memory.dmp

Filesize
10.8MB

Download
memory/3592-39-0x00007FF876A20000-0x00007FF8774E1000-memory.dmp

Filesize
10.8MB

Download
memory/3592-42-0x000000001AFD0000-0x000000001AFE0000-memory.dmp

Filesize
64KB

Download
memory/4036-28-0x00007FF876A20000-0x00007FF8774E1000-memory.dmp

Filesize
10.8MB

Download
memory/4036-0-0x0000000000940000-0x000000000096A000-memory.dmp

Filesize
168KB

Download
memory/4036-3-0x000000001B870000-0x000000001B880000-memory.dmp

Filesize
64KB

Download
memory/4036-1-0x00007FF876A20000-0x00007FF8774E1000-memory.dmp

Filesize
10.8MB

Download