umbral | 4c8616f89a7f53938f21cd3e1d737c0980b5ab0faab3e8e2c401e4b5ed28106b

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-12-2023 01:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea6f9411b4568ed828772ce578f40ff5b38715d067bdd76616d945f14462351a.exe
Size

1.7MB
MD5

683c060ccca9ee3a5dad65946c8c9a88
SHA1

35a18395cd290cf377fe665aebdfb26e59869a5c
SHA256

ea6f9411b4568ed828772ce578f40ff5b38715d067bdd76616d945f14462351a
SHA512

63ab8296b245430a3b13d7eea08d89845a32a8c14b7b88bc516a3b45192a2aa10abdd5e0d9483bc72c5f9b57b228ac498dd7166a54dcafefa630b364377063ef
SSDEEP

24576:XHfPkK8FXhOdkO/MHqP0OF8u/N6HH6rrcBpbYTa+cy:PPj8FXodouFDr3Txc

Score

10^/10

umbral spyware stealer

Malware Config

Signatures

Detect Umbral payload 5 IoCs

resource	yara_rule
behavioral1/memory/2540-73-0x0000000000400000-0x0000000000440000-memory.dmp	family_umbral
behavioral1/memory/2540-75-0x0000000000400000-0x0000000000440000-memory.dmp	family_umbral
behavioral1/memory/2540-79-0x0000000000400000-0x0000000000440000-memory.dmp	family_umbral
behavioral1/memory/2540-82-0x0000000000400000-0x0000000000440000-memory.dmp	family_umbral
behavioral1/memory/2540-84-0x0000000000400000-0x0000000000440000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
10	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2212 set thread context of 2540	2212	ea6f9411b4568ed828772ce578f40ff5b38715d067bdd76616d945f14462351a.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1396	wmic.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	ea6f9411b4568ed828772ce578f40ff5b38715d067bdd76616d945f14462351a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	ea6f9411b4568ed828772ce578f40ff5b38715d067bdd76616d945f14462351a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	ea6f9411b4568ed828772ce578f40ff5b38715d067bdd76616d945f14462351a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	ea6f9411b4568ed828772ce578f40ff5b38715d067bdd76616d945f14462351a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	ea6f9411b4568ed828772ce578f40ff5b38715d067bdd76616d945f14462351a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	ea6f9411b4568ed828772ce578f40ff5b38715d067bdd76616d945f14462351a.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2936	powershell.exe
2424	powershell.exe
1456	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2212	ea6f9411b4568ed828772ce578f40ff5b38715d067bdd76616d945f14462351a.exe
Token: SeDebugPrivilege	2540	RegAsm.exe
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	2424	powershell.exe
Token: SeIncreaseQuotaPrivilege	816	wmic.exe
Token: SeSecurityPrivilege	816	wmic.exe
Token: SeTakeOwnershipPrivilege	816	wmic.exe
Token: SeLoadDriverPrivilege	816	wmic.exe
Token: SeSystemProfilePrivilege	816	wmic.exe
Token: SeSystemtimePrivilege	816	wmic.exe
Token: SeProfSingleProcessPrivilege	816	wmic.exe
Token: SeIncBasePriorityPrivilege	816	wmic.exe
Token: SeCreatePagefilePrivilege	816	wmic.exe
Token: SeBackupPrivilege	816	wmic.exe
Token: SeRestorePrivilege	816	wmic.exe
Token: SeShutdownPrivilege	816	wmic.exe
Token: SeDebugPrivilege	816	wmic.exe
Token: SeSystemEnvironmentPrivilege	816	wmic.exe
Token: SeRemoteShutdownPrivilege	816	wmic.exe
Token: SeUndockPrivilege	816	wmic.exe
Token: SeManageVolumePrivilege	816	wmic.exe
Token: 33	816	wmic.exe
Token: 34	816	wmic.exe
Token: 35	816	wmic.exe
Token: SeIncreaseQuotaPrivilege	816	wmic.exe
Token: SeSecurityPrivilege	816	wmic.exe
Token: SeTakeOwnershipPrivilege	816	wmic.exe
Token: SeLoadDriverPrivilege	816	wmic.exe
Token: SeSystemProfilePrivilege	816	wmic.exe
Token: SeSystemtimePrivilege	816	wmic.exe
Token: SeProfSingleProcessPrivilege	816	wmic.exe
Token: SeIncBasePriorityPrivilege	816	wmic.exe
Token: SeCreatePagefilePrivilege	816	wmic.exe
Token: SeBackupPrivilege	816	wmic.exe
Token: SeRestorePrivilege	816	wmic.exe
Token: SeShutdownPrivilege	816	wmic.exe
Token: SeDebugPrivilege	816	wmic.exe
Token: SeSystemEnvironmentPrivilege	816	wmic.exe
Token: SeRemoteShutdownPrivilege	816	wmic.exe
Token: SeUndockPrivilege	816	wmic.exe
Token: SeManageVolumePrivilege	816	wmic.exe
Token: 33	816	wmic.exe
Token: 34	816	wmic.exe
Token: 35	816	wmic.exe
Token: SeIncreaseQuotaPrivilege	1676	wmic.exe
Token: SeSecurityPrivilege	1676	wmic.exe
Token: SeTakeOwnershipPrivilege	1676	wmic.exe
Token: SeLoadDriverPrivilege	1676	wmic.exe
Token: SeSystemProfilePrivilege	1676	wmic.exe
Token: SeSystemtimePrivilege	1676	wmic.exe
Token: SeProfSingleProcessPrivilege	1676	wmic.exe
Token: SeIncBasePriorityPrivilege	1676	wmic.exe
Token: SeCreatePagefilePrivilege	1676	wmic.exe
Token: SeBackupPrivilege	1676	wmic.exe
Token: SeRestorePrivilege	1676	wmic.exe
Token: SeShutdownPrivilege	1676	wmic.exe
Token: SeDebugPrivilege	1676	wmic.exe
Token: SeSystemEnvironmentPrivilege	1676	wmic.exe
Token: SeRemoteShutdownPrivilege	1676	wmic.exe
Token: SeUndockPrivilege	1676	wmic.exe
Token: SeManageVolumePrivilege	1676	wmic.exe
Token: 33	1676	wmic.exe
Token: 34	1676	wmic.exe
Token: 35	1676	wmic.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2540	2212	ea6f9411b4568ed828772ce578f40ff5b38715d067bdd76616d945f14462351a.exe	28
PID 2212 wrote to memory of 2540	2212	ea6f9411b4568ed828772ce578f40ff5b38715d067bdd76616d945f14462351a.exe	28
PID 2212 wrote to memory of 2540	2212	ea6f9411b4568ed828772ce578f40ff5b38715d067bdd76616d945f14462351a.exe	28
PID 2212 wrote to memory of 2540	2212	ea6f9411b4568ed828772ce578f40ff5b38715d067bdd76616d945f14462351a.exe	28
PID 2212 wrote to memory of 2540	2212	ea6f9411b4568ed828772ce578f40ff5b38715d067bdd76616d945f14462351a.exe	28
PID 2212 wrote to memory of 2540	2212	ea6f9411b4568ed828772ce578f40ff5b38715d067bdd76616d945f14462351a.exe	28
PID 2212 wrote to memory of 2540	2212	ea6f9411b4568ed828772ce578f40ff5b38715d067bdd76616d945f14462351a.exe	28
PID 2212 wrote to memory of 2540	2212	ea6f9411b4568ed828772ce578f40ff5b38715d067bdd76616d945f14462351a.exe	28
PID 2212 wrote to memory of 2540	2212	ea6f9411b4568ed828772ce578f40ff5b38715d067bdd76616d945f14462351a.exe	28
PID 2212 wrote to memory of 2540	2212	ea6f9411b4568ed828772ce578f40ff5b38715d067bdd76616d945f14462351a.exe	28
PID 2212 wrote to memory of 2540	2212	ea6f9411b4568ed828772ce578f40ff5b38715d067bdd76616d945f14462351a.exe	28
PID 2212 wrote to memory of 2540	2212	ea6f9411b4568ed828772ce578f40ff5b38715d067bdd76616d945f14462351a.exe	28
PID 2540 wrote to memory of 2936	2540	RegAsm.exe	29
PID 2540 wrote to memory of 2936	2540	RegAsm.exe	29
PID 2540 wrote to memory of 2936	2540	RegAsm.exe	29
PID 2540 wrote to memory of 2936	2540	RegAsm.exe	29
PID 2540 wrote to memory of 2424	2540	RegAsm.exe	31
PID 2540 wrote to memory of 2424	2540	RegAsm.exe	31
PID 2540 wrote to memory of 2424	2540	RegAsm.exe	31
PID 2540 wrote to memory of 2424	2540	RegAsm.exe	31
PID 2540 wrote to memory of 816	2540	RegAsm.exe	33
PID 2540 wrote to memory of 816	2540	RegAsm.exe	33
PID 2540 wrote to memory of 816	2540	RegAsm.exe	33
PID 2540 wrote to memory of 816	2540	RegAsm.exe	33
PID 2540 wrote to memory of 1676	2540	RegAsm.exe	37
PID 2540 wrote to memory of 1676	2540	RegAsm.exe	37
PID 2540 wrote to memory of 1676	2540	RegAsm.exe	37
PID 2540 wrote to memory of 1676	2540	RegAsm.exe	37
PID 2540 wrote to memory of 2064	2540	RegAsm.exe	39
PID 2540 wrote to memory of 2064	2540	RegAsm.exe	39
PID 2540 wrote to memory of 2064	2540	RegAsm.exe	39
PID 2540 wrote to memory of 2064	2540	RegAsm.exe	39
PID 2540 wrote to memory of 1456	2540	RegAsm.exe	40
PID 2540 wrote to memory of 1456	2540	RegAsm.exe	40
PID 2540 wrote to memory of 1456	2540	RegAsm.exe	40
PID 2540 wrote to memory of 1456	2540	RegAsm.exe	40
PID 2540 wrote to memory of 1396	2540	RegAsm.exe	42
PID 2540 wrote to memory of 1396	2540	RegAsm.exe	42
PID 2540 wrote to memory of 1396	2540	RegAsm.exe	42
PID 2540 wrote to memory of 1396	2540	RegAsm.exe	42

C:\Users\Admin\AppData\Local\Temp\ea6f9411b4568ed828772ce578f40ff5b38715d067bdd76616d945f14462351a.exe
"C:\Users\Admin\AppData\Local\Temp\ea6f9411b4568ed828772ce578f40ff5b38715d067bdd76616d945f14462351a.exe"
1⤵
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2936
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2424
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:816
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1676
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:2064
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1456
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1b922d65abec193f86281f13a88abfab

SHA1
31b7fd2f91169d5f0e5f2d0053c747208eeef55c

SHA256
33684d64d26501dc8b3cfb469044ff6e176bfc5b7b409088745f5baaa83ecc42

SHA512
062a991c0b5d1550c7ee237e4a75451aca502b740b9aa55d6de9a750ab9571afa003d12f4e30748da899ad03eeb7367a55a2b1893834c5dffa0703e3e1aa937f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6AD6.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6F6B.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
50788623603c93d143dca6d59c49394d

SHA1
1e6629a9a80fab1dde0ad5ff75797279280503d4

SHA256
41acb532f0fce8730760787e78fe48a2fcfc00afc102a68264cd3ac9a2bf19ff

SHA512
2d89d8fc9ed8f17e079a73c4024a14f22348184b4f52bf12e99007b9e052b080a4535dd44439e565180680a6377f87908fc395e7a428f4d87108d60f6da4865d

Download Submit
memory/1456-117-0x0000000002610000-0x0000000002650000-memory.dmp

Filesize
256KB

Download
memory/1456-116-0x000000006EBE0000-0x000000006F18B000-memory.dmp

Filesize
5.7MB

Download
memory/1456-118-0x000000006EBE0000-0x000000006F18B000-memory.dmp

Filesize
5.7MB

Download
memory/1456-119-0x000000006EBE0000-0x000000006F18B000-memory.dmp

Filesize
5.7MB

Download
memory/2212-1-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/2212-2-0x0000000002290000-0x00000000022D0000-memory.dmp

Filesize
256KB

Download
memory/2212-68-0x0000000000890000-0x0000000000898000-memory.dmp

Filesize
32KB

Download
memory/2212-67-0x0000000000860000-0x0000000000870000-memory.dmp

Filesize
64KB

Download
memory/2212-0-0x00000000003A0000-0x0000000000560000-memory.dmp

Filesize
1.8MB

Download
memory/2212-81-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/2424-106-0x000000006FB30000-0x00000000700DB000-memory.dmp

Filesize
5.7MB

Download
memory/2424-105-0x000000006FB30000-0x00000000700DB000-memory.dmp

Filesize
5.7MB

Download
memory/2424-104-0x0000000002450000-0x0000000002490000-memory.dmp

Filesize
256KB

Download
memory/2424-103-0x0000000002450000-0x0000000002490000-memory.dmp

Filesize
256KB

Download
memory/2424-102-0x0000000002450000-0x0000000002490000-memory.dmp

Filesize
256KB

Download
memory/2424-101-0x000000006FB30000-0x00000000700DB000-memory.dmp

Filesize
5.7MB

Download
memory/2540-69-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2540-77-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2540-71-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2540-73-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2540-75-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2540-79-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2540-82-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2540-84-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2936-90-0x000000006FB80000-0x000000007012B000-memory.dmp

Filesize
5.7MB

Download
memory/2936-91-0x000000006FB80000-0x000000007012B000-memory.dmp

Filesize
5.7MB

Download
memory/2936-95-0x000000006FB80000-0x000000007012B000-memory.dmp

Filesize
5.7MB

Download
memory/2936-92-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2936-93-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2936-94-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download