Malware Analysis Report

2024-10-10 10:09

Sample ID 240427-stmc3adb9t
Target Result.exe
SHA256 c1032817c3b6733dccbfe475c4ab3313981410387f518ae06cbbfcf7a51674c6
Tags
umbral xworm njrat paxankor evasion rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c1032817c3b6733dccbfe475c4ab3313981410387f518ae06cbbfcf7a51674c6

Threat Level: Known bad

The file Result.exe was found to be: Known bad.

Malicious Activity Summary

umbral xworm njrat paxankor evasion rat spyware stealer trojan

Xworm family

Umbral

njRAT/Bladabindi

Detect Umbral payload

Xworm

Njrat family

Detect Xworm Payload

Umbral family

Drops file in Drivers directory

Modifies Windows Firewall

Disables Task Manager via registry modification

Executes dropped EXE

Reads user/profile data of web browsers

Drops startup file

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Creates scheduled task(s)

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Runs ping.exe

Suspicious use of SetWindowsHookEx

Detects videocard installed

Suspicious use of WriteProcessMemory

Views/modifies file attributes

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-27 15:25

Signatures

Detect Umbral payload

Description Indicator Process Target
N/A N/A N/A N/A

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Njrat family

njrat

Umbral family

umbral

Xworm family

xworm

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-27 15:25

Reported

2024-04-27 15:35

Platform

win10-20240404-en

Max time kernel

600s

Max time network

598s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Result.exe"

Signatures

Detect Umbral payload

Description Indicator Process Target
N/A N/A N/A N/A (5 hits, no indicator details recorded)

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A (5 hits, no indicator details recorded)

Umbral

stealer umbral

Xworm

trojan rat xworm

njRAT/Bladabindi

trojan njrat

Disables Task Manager via registry modification

evasion

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\Umbral3.exe N/A

Note: the signature name is misleading. The path is under drivers\ only because that is where Windows keeps the hosts file; no driver is dropped. What Umbral3.exe actually does is open hosts for writing, which is name-resolution tampering (entries added there override DNS for the whole machine). On an affected host, diff C:\Windows\System32\drivers\etc\hosts against a known-clean copy and treat any added entries as part of the infection.

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explorer.exe C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explorer.exe C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.lnk C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.lnk C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Explorer.exe C:\Users\Admin\AppData\Local\Temp\Server.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Explorer.exe C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
File opened for modification C:\Program Files (x86)\Explorer.exe C:\Users\Admin\AppData\Local\Temp\Server.exe N/A

Note: the legitimate Explorer.exe lives in C:\Windows. The copies Server.exe writes to C:\Windows\SysWOW64 and C:\Program Files (x86), like the Explorer.exe and "Microsoft Corporation.exe" it places in the Startup folder above, are name masquerading. When hunting, match on full path and hash (Server.exe hashes are in the Files section), never on the file name alone.

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\wmic.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 6
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A 58

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target Count
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A 1
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Umbral3.exe N/A 1
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A 1
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 4 (separate events, in addition to the full pass below)
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (one full pass of 21 tokens, in that order) N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 1
Token: the same 21-token pass N/A C:\Windows\System32\Wbem\wmic.exe N/A 1
Token: SeIncreaseQuotaPrivilege through SeRemoteShutdownPrivilege (the first 15 tokens of the same sequence) N/A C:\Windows\System32\Wbem\wmic.exe N/A 1

Note: "Token: 33", "34", "35" and "36" are privilege LUIDs the sandbox did not resolve to names; on Windows these values are SeIncreaseWorkingSetPrivilege (33), SeTimeZonePrivilege (34), SeCreateSymbolicLinkPrivilege (35) and SeDelegateSessionUserImpersonatePrivilege (36). The full passes are in ascending LUID order, which is what a blanket "enable every privilege in the token" AdjustTokenPrivileges call looks like; wmic.exe does this routinely at start-up, so those rows are not evidence of tampering on their own. The entries worth acting on are the SeDebugPrivilege enables by the three dropped payloads (XClient.exe, Umbral3.exe, Server.exe): a process enables that privilege when it intends to open other processes for memory reads or injection.

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Writes
PID 1412 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\Result.exe C:\Users\Admin\AppData\Local\Temp\Malinovka Install.exe 3
PID 1412 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\Result.exe C:\Users\Admin\AppData\Local\Temp\Server.exe 3
PID 2016 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\Malinovka Install.exe C:\Users\Admin\AppData\Local\Temp\Umbral3.exe 2
PID 2016 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\Malinovka Install.exe C:\Users\Admin\AppData\Local\Temp\XClient.exe 2
PID 4580 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\Umbral3.exe C:\Windows\SYSTEM32\attrib.exe 2
PID 4580 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\Umbral3.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 2
PID 3200 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe C:\Windows\SysWOW64\netsh.exe 3
PID 4580 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\Umbral3.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 2
PID 4580 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\Umbral3.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 2
PID 4580 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\Umbral3.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 2
PID 4580 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\Umbral3.exe C:\Windows\System32\Wbem\wmic.exe 2
PID 4544 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 2
PID 4580 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\Umbral3.exe C:\Windows\System32\Wbem\wmic.exe 2
PID 4580 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\Umbral3.exe C:\Windows\System32\Wbem\wmic.exe 2
PID 4580 wrote to memory of 4248 N/A C:\Users\Admin\AppData\Local\Temp\Umbral3.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 2
PID 4580 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\Umbral3.exe C:\Windows\System32\Wbem\wmic.exe 2
PID 4544 wrote to memory of 420 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 2
PID 4544 wrote to memory of 4400 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 2
PID 4580 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\Umbral3.exe C:\Windows\SYSTEM32\cmd.exe 2
PID 4648 wrote to memory of 4732 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\PING.EXE 2
PID 4544 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 2
PID 4544 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\schtasks.exe 2

Note: every target PID here is a process that the writer itself launched (compare the Processes list below), so these rows are consistent with the ordinary parent-to-child writes that accompany process creation, not with injection into an unrelated process. Read as parent/child pairs they give the detonation's process tree: Result.exe (1412) drops Malinovka Install.exe (2016) and Server.exe (3200); Malinovka Install.exe in turn launches Umbral3.exe (4580) and XClient.exe (4544); Umbral3.exe and XClient.exe then drive the attrib, powershell, wmic, cmd/ping and schtasks children. The path of the spawned system binary also tells you the bitness of the parent: Server.exe gets the SysWOW64 copy of netsh.exe, so it is a 32-bit process, while Umbral3.exe gets attrib.exe and cmd.exe from SYSTEM32 and is 64-bit.
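The table above, read as parent/child pairs, is enough to rebuild the detonation's process tree and to trace any PID back to the dropper. The Python below is an added example and is not part of the sandbox report or its tooling: the rows are copied from the table with repeated writes collapsed, and the PIDs and image paths are the report's own. The class also records any PID that is written to by a second, different process, which is the signal that would point to injection into an already-running process rather than ordinary process creation; for this report that list is empty.

```python
"""Rebuild a detonation's process tree from WriteProcessMemory parent/child rows."""
import ntpath
from collections import defaultdict

TMP = r"C:\Users\Admin\AppData\Local\Temp"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WMIC = r"C:\Windows\System32\Wbem\wmic.exe"

# (writer PID, target PID, writer image, target image), copied from the
# "Suspicious use of WriteProcessMemory" table with repeated rows collapsed.
WPM_ROWS = [
    (1412, 2016, TMP + r"\Result.exe", TMP + r"\Malinovka Install.exe"),
    (1412, 3200, TMP + r"\Result.exe", TMP + r"\Server.exe"),
    (2016, 4580, TMP + r"\Malinovka Install.exe", TMP + r"\Umbral3.exe"),
    (2016, 4544, TMP + r"\Malinovka Install.exe", TMP + r"\XClient.exe"),
    (4580, 4592, TMP + r"\Umbral3.exe", r"C:\Windows\SYSTEM32\attrib.exe"),
    (4580, 4212, TMP + r"\Umbral3.exe", PS),
    (3200, 1652, TMP + r"\Server.exe", r"C:\Windows\SysWOW64\netsh.exe"),
    (4580, 1660, TMP + r"\Umbral3.exe", PS),
    (4580, 1816, TMP + r"\Umbral3.exe", PS),
    (4580, 2032, TMP + r"\Umbral3.exe", PS),
    (4580, 4716, TMP + r"\Umbral3.exe", WMIC),
    (4544, 1220, TMP + r"\XClient.exe", PS),
    (4580, 2732, TMP + r"\Umbral3.exe", WMIC),
    (4580, 2288, TMP + r"\Umbral3.exe", WMIC),
    (4580, 4248, TMP + r"\Umbral3.exe", PS),
    (4580, 3104, TMP + r"\Umbral3.exe", WMIC),
    (4544, 420, TMP + r"\XClient.exe", PS),
    (4544, 4400, TMP + r"\XClient.exe", PS),
    (4580, 4648, TMP + r"\Umbral3.exe", r"C:\Windows\SYSTEM32\cmd.exe"),
    (4648, 4732, r"C:\Windows\SYSTEM32\cmd.exe", r"C:\Windows\system32\PING.EXE"),
    (4544, 4512, TMP + r"\XClient.exe", PS),
    (4544, 4352, TMP + r"\XClient.exe", r"C:\Windows\System32\schtasks.exe"),
]


class ProcessTree:
    """Parent/child graph built from (writer PID, target PID) pairs."""

    def __init__(self, rows):
        self.image = {}                    # pid -> image file name
        self.parent = {}                   # pid -> pid of the process that first wrote to it
        self.children = defaultdict(list)  # pid -> child pids in first-seen order
        self.injections = []               # (writer, target) where target already had another parent
        for src, dst, src_img, dst_img in rows:
            self.image.setdefault(src, ntpath.basename(src_img))
            self.image.setdefault(dst, ntpath.basename(dst_img))
            if dst not in self.parent:
                self.parent[dst] = src
                self.children[src].append(dst)
            elif self.parent[dst] != src:
                # A second, different writer means the target was not created by
                # this process: a cross-process write, i.e. an injection candidate.
                self.injections.append((src, dst))

    def roots(self):
        """PIDs nobody wrote to: the top of each lineage."""
        return [pid for pid in self.image if pid not in self.parent]

    def lineage(self, pid):
        """Image names from the root down to pid."""
        chain = []
        while pid is not None:
            chain.append(self.image[pid])
            pid = self.parent.get(pid)
        return chain[::-1]

    def render(self, pid=None, depth=0):
        """Indented text tree; with no pid given, every root is rendered."""
        if pid is None:
            return [line for root in self.roots() for line in self.render(root)]
        lines = [f"{'  ' * depth}{pid} {self.image[pid]}"]
        for child in self.children.get(pid, []):
            lines.extend(self.render(child, depth + 1))
        return lines

    def spawn_counts(self):
        """Distinct children per writer PID: shows which payload does the work."""
        return {pid: len(kids) for pid, kids in self.children.items()}


if __name__ == "__main__":
    tree = ProcessTree(WPM_ROWS)
    print("\n".join(tree.render()))
    print("lineage of PID 4352:", " -> ".join(tree.lineage(4352)))
    print("cross-process writes:", tree.injections or "none")
```

For this report the tree has a single root (Result.exe, PID 1412), Umbral3.exe (4580) is the busiest parent with eleven distinct children, and no PID is written by two different processes, which is the observation behind the note above that these rows are process creation rather than injection. Feeding the same class rows from a sample that does inject would populate the injections list and show the foreign writer next to the victim PID.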

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Result.exe

"C:\Users\Admin\AppData\Local\Temp\Result.exe"

C:\Users\Admin\AppData\Local\Temp\Malinovka Install.exe

"C:\Users\Admin\AppData\Local\Temp\Malinovka Install.exe"

C:\Users\Admin\AppData\Local\Temp\Server.exe

"C:\Users\Admin\AppData\Local\Temp\Server.exe"

C:\Users\Admin\AppData\Local\Temp\Umbral3.exe

"C:\Users\Admin\AppData\Local\Temp\Umbral3.exe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Windows\SYSTEM32\attrib.exe

"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral3.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral3.exe'

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

Note: this string is handed to Windows PowerShell 5.1 (the powershell.exe under System32\WindowsPowerShell\v1.0), in which && is not a valid statement separator. The parser rejects the whole command line, so this invocation applies none of the Set-MpPreference changes; && is only accepted by PowerShell 7. Even where it would parse, Set-MpPreference needs administrator rights and the real-time protection settings are blocked by Tamper Protection. The Add-MpPreference exclusion commands in this list, by contrast, are syntactically valid and are the Defender changes to verify on an affected host.

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

Note: HKLN: is reproduced exactly as captured. It is not a registry drive PowerShell defines (HKLM: is), so this second lookup fails and only the preceding HKCU: query can return the Roblox session cookie. Treat any .ROBLOSECURITY value present on an affected host as compromised.

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Client.exe'

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral3.exe" && pause

Note: ping localhost is used as a short sleep so that Umbral3.exe can exit before del removes its own image; /A h is required because attrib +h +s was applied to the file earlier in this list. Expect Umbral3.exe to be absent from disk on an infected host. Its hashes are in the Files section, and the memory dumps from PID 4580 are the place to recover it.

C:\Windows\system32\PING.EXE

ping localhost

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Client.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Client" /tr "C:\Users\Admin\AppData\Roaming\Client.exe"

Note: /sc minute /mo 1 re-runs C:\Users\Admin\AppData\Roaming\Client.exe every minute at the highest run level available to the creating account (/RL HIGHEST), and /f silently overwrites any existing task of that name. The repeated Client.exe launches listed below are this task firing. The task "Client", the Roaming\Client.exe file, the Startup-folder Client.lnk created by XClient.exe, and the Defender exclusions added for Client.exe are the persistence artifacts and should be removed together.

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4 (2 instances)

C:\Users\Admin\AppData\Roaming\Client.exe

C:\Users\Admin\AppData\Roaming\Client.exe (20 instances, launched without arguments)
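The command lines above are what an endpoint sensor records as process-creation events, and each one maps cleanly to a technique: Defender exclusions and tampering, a firewall allow rule, a minute-interval scheduled task, hiding and then deleting the stealer binary, Roblox cookie theft, and host fingerprinting through wmic. The Python below is an added example and is not part of the report or the sandbox: it runs a small set of regular-expression rules over those command lines, copied verbatim from the list above as a constructed sample, and labels each with the technique it implements. The rule names and severity tiers are this example's own, not sandbox signature names; the patterns would need adapting to a real sensor's field layout before deployment.

```python
"""Label sandbox process command lines with the technique each one implements."""
import re

# Constructed sample: the command lines from the behavioral1 process list above.
SAMPLE_CMDLINES = r'''
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral3.exe"
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral3.exe'
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
"wmic.exe" os get Caption
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
"wmic.exe" computersystem get totalphysicalmemory
"wmic.exe" csproduct get uuid
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
"wmic" path win32_VideoController get name
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Client.exe'
"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral3.exe" && pause
ping localhost
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Client.exe'
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Client" /tr "C:\Users\Admin\AppData\Roaming\Client.exe"
"C:\Windows\system32\taskmgr.exe" /4
'''.strip().splitlines()

# (label, pattern); every pattern is matched case-insensitively against the whole line.
# Labels are this example's own names, not sandbox signature names.
RULES = [
    ("defender_exclusion",      r"Add-MpPreference\s+-Exclusion(?:Path|Process|Extension|IpAddress)\b"),
    ("defender_disable",        r"Set-MpPreference\b.*-Disable\w+\s+\$true"),
    ("execution_policy_bypass", r"-ExecutionPolicy\s+Bypass\b"),
    ("firewall_allow",          r'netsh\s+(?:advfirewall\s+firewall\s+add\s+rule|firewall\s+(?:add|set)\s+allowedprogram)'),
    ("schtask_persistence",     r'schtasks(?:\.exe)?"?\s+/create\b'),
    ("schtask_high_frequency",  r"/sc\s+minute\s+/mo\s+[1-5]\b"),
    ("hide_file",               r'attrib(?:\.exe)?"?\s+[^&|]*\+[hs]\b'),
    ("self_delete",             r"ping\s+(?:localhost|127\.0\.0\.1|-n\s+\d+)[^&]*&&\s*del\b"),
    ("roblox_cookie_theft",     r"\.ROBLOSECURITY\b"),
    ("host_fingerprint",        r'wmic(?:\.exe)?"?\s+(?:os\s+get|computersystem\s+get|csproduct\s+get|path\s+win32_videocontroller)|PROCESSOR_IDENTIFIER'),
]
COMPILED = [(label, re.compile(pattern, re.IGNORECASE)) for label, pattern in RULES]

# Labels that on their own justify isolating the host; the rest are supporting context.
HIGH = {"defender_exclusion", "defender_disable", "firewall_allow",
        "schtask_persistence", "self_delete", "roblox_cookie_theft"}


def classify(cmdline):
    """Return the set of rule labels that match one command line."""
    return {label for label, rx in COMPILED if rx.search(cmdline)}


def severity(labels):
    """Collapse a label set to a single triage tier."""
    if labels & HIGH:
        return "high"
    return "medium" if labels else "none"


def triage(cmdlines):
    """Group command lines by label: dict label -> list of matching command lines."""
    hits = {}
    for cmd in cmdlines:
        for label in classify(cmd):
            hits.setdefault(label, []).append(cmd)
    return hits


if __name__ == "__main__":
    for cmd in SAMPLE_CMDLINES:
        labels = classify(cmd)
        print(f"[{severity(labels):6}] {sorted(labels) or '-'}  {cmd[:72]}")
```

Run over the sample, the rules flag five Defender exclusion commands, five fingerprinting queries, two cookie lookups, one firewall allow rule and one self-delete chain, and leave the bare ping and the two taskmgr launches unlabeled. The defender_disable hit is still reported even though, as noted above, the captured command fails to parse in Windows PowerShell 5.1: the attempt is the detection signal, whether or not it succeeded.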

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 gstatic.com udp 1
GB 216.58.201.99:443 gstatic.com tcp 1
US 8.8.8.8:53 99.201.58.216.in-addr.arpa udp 1
US 8.8.8.8:53 ip-api.com udp 1
US 208.95.112.1:80 ip-api.com tcp 2
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp 1
US 8.8.8.8:53 phentermine-partial.gl.at.ply.gg udp 2
US 147.185.221.19:36969 phentermine-partial.gl.at.ply.gg tcp 50
US 8.8.8.8:53 19.221.185.147.in-addr.arpa udp 1
US 8.8.8.8:53 discord.com udp 1
US 162.159.135.232:443 discord.com tcp 1
US 8.8.8.8:53 232.135.159.162.in-addr.arpa udp 1
US 8.8.8.8:53 api.telegram.org udp 1
NL 149.154.167.220:443 api.telegram.org tcp 1
US 8.8.8.8:53 104.193.132.51.in-addr.arpa udp 1
US 8.8.8.8:53 134.190.18.2.in-addr.arpa udp 1

Note: the 50 connections to 147.185.221.19:36969 are the RAT's reconnect loop and mark the C2 endpoint. The hostname is under ply.gg, the domain used by the playit.gg tunnelling service, so the IP belongs to the tunnel provider rather than the operator and can change; block and hunt on the full hostname phentermine-partial.gl.at.ply.gg and the port, not on the address alone. discord.com and api.telegram.org are legitimate services that carry no traffic of their own here beyond a single TLS connection each, consistent with webhook or bot-API exfiltration (Umbral reports to a Discord webhook); ip-api.com over plain HTTP is the external-IP and geolocation lookup flagged in the signatures; gstatic.com is a connectivity check. The in-addr.arpa rows are reverse lookups of addresses already contacted, not additional infrastructure, and 104.193.132.51 and 134.190.18.2 appear only in such lookups with no forward connection recorded.

Files

C:\Users\Admin\AppData\Local\Temp\Malinovka Install.exe

MD5 f69924b642ac4b9ef1dfacdfd43759a9
SHA1 95da50564c7cbc3749148419c68a08b0f2869ee1
SHA256 d9b248ce98a243a37d33096fc7b1cad784ee77f5920b0bd6618a6690ca426f18
SHA512 2334511265c507d16b3a323c721a392659feb405a5d9fea588146c4ef320261166312c2fcf8f494c4aa342e0b5a9d5da20576ce2d6ae1e3215ee47dcc19f5e07

C:\Users\Admin\AppData\Local\Temp\Server.exe

MD5 ba71f783926cbda30d8ff8f295fdd312
SHA1 bd533cc6457836098ff34d07ab2ef6b04ef144b9
SHA256 c6caa8ccc6ac706820712f93ea3a2541da32ec04542b3b7a85d8d85b0f0e1831
SHA512 19767768012b07f3a13dc3e3652c9c3b6376d3ec6199ad384f7011f6db3c6b2e11bff86979d0475a7b58e84e100126661954a667a8217655439aff73b374d5c9

memory/1412-10-0x0000000000400000-0x0000000000471000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Umbral3.exe

MD5 7a902c87a60986f18a6b097712299256
SHA1 2c01906a39faa9d27a41e0d3cd84e92410b9c483
SHA256 e4e4f9045dc3683a2a69b9c7625f2ff46ed241ff64b47660a039dbc9d34cb0d5
SHA512 c8b75b3f0a77d1f84167af3c431e186802ccd5271fc4a361142e0209541de37f5d584d487bf5ea4b4d921e6e3846267fdea9f65cbd71001331bfea08de5425b6

C:\Users\Admin\AppData\Local\Temp\XClient.exe

MD5 3fc932775533f1bcea180de679a902dd
SHA1 3f393d02af4653e34bf5526ec5b6f8d6e4df65e8
SHA256 09a15daeebc228706f36a7659284ef673ea72e7a71700a2f73f4f1409486dd6a
SHA512 f59d35a6fe5517a5b9a1ec9a07899eef9f48745710196f1824cc79823994d6fba7975da457ee06ec6215f56860680dc0c07412268c2b1c725c4c66611a75a764

memory/4580-21-0x000001D56F530000-0x000001D56F570000-memory.dmp

memory/2016-22-0x0000000000400000-0x0000000000457000-memory.dmp

memory/4544-23-0x0000000000F70000-0x0000000000F8A000-memory.dmp

memory/3200-24-0x00000000031B0000-0x00000000031C0000-memory.dmp

memory/4212-30-0x0000013F6E5E0000-0x0000013F6E602000-memory.dmp

memory/4212-33-0x0000013F6E7A0000-0x0000013F6E816000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oul5lr4x.ghl.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Note: the MD5, SHA-1 and SHA-256 above are the well-known digests of the one-character string "1". __PSScriptPolicyTest_*.ps1 is the throw-away file PowerShell writes at start-up to test AppLocker/WDAC script enforcement, and the CLR_v4.0\UsageLogs\*.log and PowerShell\StartupProfileData-NonInteractive entries below are likewise ordinary side effects of running powershell.exe and .NET executables (Client.exe.log shows that Client.exe is a .NET binary). None of these are payloads; the four dropped executables above and the memory dumps are the artifacts to pivot on.

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 ad5cd538ca58cb28ede39c108acb5785
SHA1 1ae910026f3dbe90ed025e9e96ead2b5399be877
SHA256 c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
SHA512 c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f4cebace363955b5fb79b606d1252b9e
SHA1 f57eb08ca60074896c6d65c98e2f8b99450f7aee
SHA256 ba0bf3227005c611f8d0d8ad6c73089c086e94019641f0fc14a303c760b6928a
SHA512 5d63af7b9754546535b86504494ffc6eb0ad79653f148ce4a2e9199badbdf582fac30c31dfeecf79b9d67b21b779d5e4132da8884e1d365c1ca380c719f1a52f

memory/4580-123-0x000001D571310000-0x000001D571360000-memory.dmp

memory/4580-124-0x000001D56F9D0000-0x000001D56F9EE000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5a9b97538363bc5ab5f3d92352560061
SHA1 70815f2fbacb2fd9a59fadb9110ec2d96b8ef533
SHA256 4e00cb8ba8e2f1b9c9fb7c1af39f1bfcfaf32f9f2e476ff3897ee17bc477b23c
SHA512 7974155b3ea099fee0ac3e12ffe5a3427ef2fdd448b5cfe9c17a4af399db9a84e48abe73b9b7bc6d66e7e5774d1e6c15d3135540aa4085973408b41db6b45ff4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8c5fff2c090f31e158e97938c720ee9f
SHA1 324055be6148591f0928ce320b6c325b3f8bb0a8
SHA256 700f8375b5760e1c4c2eedd335fe3dc1097281424b52a8f9e918d0a78dcb65b5
SHA512 0502bc8345c14c0ced566a9afc8210172f49c48cb1c551fb27105311498e79e03b634fbcbbd4a5ce09490b1ca052e813b68d18e93e215ddae3fb983616a29ea3

memory/4580-188-0x000001D5712C0000-0x000001D5712CA000-memory.dmp

memory/4580-189-0x000001D5712F0000-0x000001D571302000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f3bde5dba3f8b6083eec8169823ce3a3
SHA1 1a4581fd14a07f64075d90791a25959e8afae332
SHA256 1266b3e994f64e316900166fd67d5d1bd58b35ed4ef52dda31b9a97cbf482678
SHA512 210670295949ae8733e79e10494f723728cd7bf9560636f397d0f966282d3619b234f2886c2f9eea1f2021b3b7bd28347d813d45915d04bd8269a67df920cea1

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 59649da1edf059761abb0865a6a4785f
SHA1 142dc13d01a0f4919704e7b42e2bc0b2d80068ff
SHA256 27678235ba9f6202a0788bb00e673ef29c129d1f7ed39c6b3711a9152cd0f8ff
SHA512 b8ca5e8039ad28f11bd4aa674deea7b810bd4934b90ff703a1b89f713bfad1444b82924cda5a0ac0a008294ef72d1dc58c29f1eb809f61f24c59e4b26622ee3a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 86145a4983c4d894c0c9dd9e4ff0f009
SHA1 a8e43fd7b070bc11476242e1f2714f54dcbc8276
SHA256 ff54b5d1dc749af3a3d46b39d5feeba746aa89bf3810a093cf5aa8259866a620
SHA512 124159cd441b05d456f38e38329a14503c6cd59d48fffa30c32f71a0fd11b1d820297ade894ec6667ba8460115a05305a7e1aae6004f18f9ca24713cbc98dd0f

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d928f90923f5ff9d64502694f33643fd
SHA1 e6b682eda4540554b331988e3d84d41c49084490
SHA256 e72f59277c81b40e98abf39268d6eed8dbbf1c8e092e224df750e8e136a2784a
SHA512 476f2ae43e6a70a0bf92754945b1d757c0d5b421e80d09e3ecdcb80baf3a2a6b9dec226c91f0e0f8cbb23e59197fa734459942116dd59b084353c36438082f50

memory/3200-395-0x00000000031B0000-0x00000000031C0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

MD5 16c5fce5f7230eea11598ec11ed42862
SHA1 75392d4824706090f5e8907eee1059349c927600
SHA256 87ba77c13905298acbac72be90949c4fe0755b6eff9777615aa37f252515f151
SHA512 153edd6da59beea6cc411ed7383c32916425d6ebb65f04c65aab7c1d6b25443d143aa8449aa92149de0ad8a975f6ecaa60f9f7574536eec6b38fe5fd3a6c6adc

memory/4544-409-0x0000000001650000-0x000000000165C000-memory.dmp