Overview

overview

10

Static

static

3

IO tootls.exe

windows7-x64

10

IO tootls.exe

windows10-1703-x64

10

IO tootls.exe

windows10-2004-x64

10

IO tootls.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    265s
  • max time network
    300s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    25-02-2024 05:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    IO tootls.exe

  • Size

    207KB

  • MD5

    5afd3e0ac701a47f48772af3c5eb54d1

  • SHA1

    ac20c5db48d258c9f00845fb3508e90d4f3187ae

  • SHA256

    6060fb48cc4a123bb9a64f8854f8c5253dc125194469f2e4b0821d4248f14c3c

  • SHA512

    24329cf850d5578c13799f093394c619ece7c0ba36a79fc57084e9c1da38d119e39bc27e5e91de12c1426bf1fe7131060ce3a20fc566d90525a99e4da914337b

  • SSDEEP

    6144:rJX6OJ0PS7eEcJWIUPjw7B5oZKH4FIlhuc4w1VVcKGwO9t:94SqE4q7coY4ShucV43

Score
10/10
umbralxwormpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

xworm

C2

hai1723rat-60039.portmap.io:60039

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1211176678466916392/99VOwP9dc7iQz2Is-QlZ872KZaiUa4r3sEvXqZ6NmS-fFuTojiUjOg2SjIUWBCIoPNFA

Signatures

  • Detect Umbral payload 2 IoCs
  • Detect Xworm Payload 2 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Modifies registry class 1 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 49 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\IO tootls.exe
    "C:\Users\Admin\AppData\Local\Temp\IO tootls.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2040
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'updatee';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'updatee' -Value '"C:\Windows\.NET\netloader.exe"' -PropertyType 'String'
      2⤵
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2528
    • C:\Users\Admin\AppData\Local\Temp\IO tootls.exe
      #cmd
      2⤵
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2800
      • C:\Users\Admin\AppData\Local\Temp\systemload.exe
        "C:\Users\Admin\AppData\Local\Temp\systemload.exe"
        3⤵
        • Executes dropped EXE
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2480
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\systemload.exe'
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1104
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'systemload.exe'
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2148
        • C:\Windows\system32\rundll32.exe
          "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\itbufp7z
          4⤵
          • Modifies registry class
          PID:800
      • C:\Users\Admin\AppData\Local\Temp\controllloader.exe
        "C:\Users\Admin\AppData\Local\Temp\controllloader.exe"
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2680
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\controllloader.exe'
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2200
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2164
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1772
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:824
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" os get Caption
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1828
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" computersystem get totalphysicalmemory
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2996
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" csproduct get uuid
          4⤵
            PID:2312
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:1764
          • C:\Windows\System32\Wbem\wmic.exe
            "wmic" path win32_VideoController get name
            4⤵
            • Detects videocard installed
            PID:2536
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\Temp\start.cmd" "
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2460
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\'"
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2896
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      1⤵
        PID:2292

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\controllloader.exe
        Filesize

        286KB

        MD5

        e41a0fa0c1e39af92d22090d4df61a1f

        SHA1

        c971a4089b1ab116c34b5ab0dc54d9977f86e834

        SHA256

        c0966533c2bc8c8b9ee176d774eae0ca1c4d6fe6e8efe5d87d4cac8c04b84372

        SHA512

        d42798fa9115f3c3775798a26ef7c28e4f173bdc2b74884b01a4e7905b17a2da09508766a626652eec3622a15a891b6859f4e9a422eb052a59b3fd3eafe1a7fd

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\start.cmd
        Filesize

        93B

        MD5

        f960abd9684a879e8eca03b8c864ea96

        SHA1

        fb4b9a9b40af84ae46b70bb40ac3e1f45e4b4ad3

        SHA256

        7389178da21f4e2d4ef73ab199b7beeb97247a6c1afec3f3c48a7f561cbfaf90

        SHA512

        2c6267ab25c364c5b13059ed593bb47dfae586ae7b1411634efa3f45aaf07b4d8f491fe93bfd34482a1250c955f1e8c27e1afa0460672a5e9584ebe007ab2054

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
        Filesize

        7KB

        MD5

        173efad4a9804844b697d6dd7a09398a

        SHA1

        e9e685803f62442652622af5df3154bae7f32ed1

        SHA256

        922961086f27b1bdbe03c57e069d09ba71dc7772aa185c3098ccacc35591087c

        SHA512

        756a43cb694735ff27f2ad533801bd80bbf68d18a00eca7299261225959869d2a8c5a14ace3b2c305c913b839577e875fd81a96f2e569be2708a2ef7e5a818c1

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
        Filesize

        7KB

        MD5

        25056917c33cc4d1bdfb8d7de80b5728

        SHA1

        8006b0589dbfa8ebaa32f46d9ec3f79d6317d147

        SHA256

        e8cb38e3d4d826d8621ce128a5c1f8fd4fb2e8e50251e1d9acd90a4e418d2824

        SHA512

        fcc867b85ae8d3f61acc12bc16b0f4bc68333a48d188a9464f3e5d72c4856cfff1826b7f949c8d049ac1d6c2b58c0b28109e1744c96b41e554999a15cccb4b22

        Download Submit

      • \Users\Admin\AppData\Local\Temp\systemload.exe
        Filesize

        130KB

        MD5

        352a162df9ca5605e1a1910c7a24cb7c

        SHA1

        4b4ed1c740a03c15eb47d875b65c76941debcaf7

        SHA256

        87e9d9a7a197a0cd483f8e73f307af53a7518cabc001257c8235743181b9a7b8

        SHA512

        0c2bae3f66748cc3448eaf60c5079ae3afba6d585e19e54857f7c152a1bd69c3b8e3df7feb413f3eb2df0f2bc01b44be5bcdefd5427af154a221f2b808a2399d

        Download Submit

      • memory/824-133-0x0000000002B3B000-0x0000000002BA2000-memory.dmp

        Filesize

        412KB

        Download

      • memory/824-120-0x000007FEEC880000-0x000007FEED21D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/824-134-0x000007FEEC880000-0x000007FEED21D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/824-130-0x0000000002B30000-0x0000000002BB0000-memory.dmp

        Filesize

        512KB

        Download

      • memory/824-129-0x0000000002B30000-0x0000000002BB0000-memory.dmp

        Filesize

        512KB

        Download

      • memory/824-128-0x000007FEEC880000-0x000007FEED21D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/824-127-0x0000000002B30000-0x0000000002BB0000-memory.dmp

        Filesize

        512KB

        Download

      • memory/1104-136-0x0000000002C00000-0x0000000002C80000-memory.dmp

        Filesize

        512KB

        Download

      • memory/1104-131-0x000007FEEC880000-0x000007FEED21D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/1104-132-0x0000000002C00000-0x0000000002C80000-memory.dmp

        Filesize

        512KB

        Download

      • memory/1104-135-0x000007FEEC880000-0x000007FEED21D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/1104-137-0x000007FEEC880000-0x000007FEED21D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/1104-138-0x0000000002C00000-0x0000000002C80000-memory.dmp

        Filesize

        512KB

        Download

      • memory/1772-108-0x0000000002E00000-0x0000000002E80000-memory.dmp

        Filesize

        512KB

        Download

      • memory/1772-107-0x000007FEED220000-0x000007FEEDBBD000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/1772-113-0x000007FEED220000-0x000007FEEDBBD000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/1772-112-0x0000000002E00000-0x0000000002E80000-memory.dmp

        Filesize

        512KB

        Download

      • memory/1772-110-0x0000000002E00000-0x0000000002E80000-memory.dmp

        Filesize

        512KB

        Download

      • memory/1772-109-0x000007FEED220000-0x000007FEEDBBD000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2040-1-0x00000000740E0000-0x00000000747CE000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2040-3-0x0000000001030000-0x0000000001070000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2040-12-0x00000000740E0000-0x00000000747CE000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2040-0-0x0000000001120000-0x000000000115A000-memory.dmp

        Filesize

        232KB

        Download

      • memory/2164-86-0x000007FEEC880000-0x000007FEED21D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2164-85-0x000000001B570000-0x000000001B852000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/2164-94-0x000007FEEC880000-0x000007FEED21D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2164-93-0x00000000029B0000-0x0000000002A30000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2164-92-0x00000000029B0000-0x0000000002A30000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2164-91-0x00000000029B0000-0x0000000002A30000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2164-89-0x000007FEEC880000-0x000007FEED21D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2164-90-0x00000000029B0000-0x0000000002A30000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2164-88-0x00000000029B0000-0x0000000002A30000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2164-87-0x0000000001E80000-0x0000000001E88000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2200-75-0x0000000002A10000-0x0000000002A90000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2200-70-0x000000001B690000-0x000000001B972000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/2200-77-0x0000000002A10000-0x0000000002A90000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2200-78-0x000007FEED220000-0x000007FEEDBBD000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2200-74-0x000007FEED220000-0x000007FEEDBBD000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2200-72-0x000007FEED220000-0x000007FEEDBBD000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2200-76-0x0000000002A10000-0x0000000002A90000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2200-73-0x0000000002A10000-0x0000000002A90000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2200-71-0x0000000002290000-0x0000000002298000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2480-59-0x000007FEF5280000-0x000007FEF5C6C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2480-119-0x000007FEF5280000-0x000007FEF5C6C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2480-53-0x0000000000CF0000-0x0000000000D16000-memory.dmp

        Filesize

        152KB

        Download

      • memory/2528-20-0x0000000002940000-0x0000000002980000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2528-22-0x0000000002940000-0x0000000002980000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2528-23-0x0000000071300000-0x00000000718AB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2528-19-0x0000000071300000-0x00000000718AB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2528-21-0x0000000071300000-0x00000000718AB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2680-65-0x000000001AFD0000-0x000000001B050000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2680-145-0x000000001AFD0000-0x000000001B050000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2680-51-0x0000000000D00000-0x0000000000D4E000-memory.dmp

        Filesize

        312KB

        Download

      • memory/2680-57-0x000007FEF5280000-0x000007FEF5C6C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2680-111-0x000007FEF5280000-0x000007FEF5C6C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2800-13-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2800-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2800-25-0x00000000048E0000-0x0000000004920000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2800-49-0x0000000072C40000-0x000000007332E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2800-18-0x0000000072C40000-0x000000007332E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2800-17-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2800-4-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2800-5-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2800-10-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2800-6-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2800-7-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2896-58-0x0000000002B30000-0x0000000002B70000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2896-63-0x0000000073820000-0x0000000073DCB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2896-64-0x0000000073820000-0x0000000073DCB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2896-61-0x0000000002B30000-0x0000000002B70000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2896-60-0x0000000073820000-0x0000000073DCB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2896-62-0x0000000002B30000-0x0000000002B70000-memory.dmp

        Filesize

        256KB

        Download