Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    06-05-2024 23:34

General

  • Target

    LastActivityView.exe

  • Size

    89KB

  • MD5

    499e35df562563babfff6a1d2ee71743

  • SHA1

    7bece5115d9df1fa43b6a7a69f9574a498388960

  • SHA256

    6ebd5512d5cede4fdf769c35a48727c5fd5acb8ac40ae4c5ea7e9ca37fc8747b

  • SHA512

    2df1934de1f45661ab929a7f7658478f5a3d8cacfbe682f1f6b8bee8a49ab2720141a1c0ea74608e14002ff5132cb0932c7fb5b3790575b5e23c5327adfdf377

  • SSDEEP

    1536:XQol2xVvTS+KaYKvHUxErb2PPSUF2Q06yG2OklzG2OrSBR27KmhDWP:XQvVqaZsqrbeafQUmklzG2OrUyKdP

Malware Config

Extracted

Family

xworm

C2

https://pastebin.com/raw/R8gFU5SX:123456789

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    {6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe

  • pastebin_url

    https://pastebin.com/raw/R8gFU5SX

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1237145706423123999/BQqwyjXaKt7KqCLA_iWguAde2fiNgpA36IvFL69WoxRB6yoYhMjlc7o80Exvew2DFX8M

Signatures

  • Detect Umbral payload 2 IoCs
  • Detect Xworm Payload 2 IoCs
  • Umbral

    Umbral stealer is an open-source modular stealer written in C#.

  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Runs PowerShell to modify Windows Defender settings and add exclusions for file extensions, paths, and processes.

  • Drops file in Drivers directory 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\LastActivityView.exe
    "C:\Users\Admin\AppData\Local\Temp\LastActivityView.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1448
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\LastActivityView.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:96
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'LastActivityView.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4932
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3856
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:3184
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052" /tr "C:\ProgramData\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe"
      2⤵
      • Creates scheduled task(s)
      PID:3960
    • C:\Users\Admin\AppData\Local\Temp\syjcie.exe
      "C:\Users\Admin\AppData\Local\Temp\syjcie.exe"
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4668
      • C:\Windows\SYSTEM32\attrib.exe
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\syjcie.exe"
        3⤵
        • Views/modifies file attributes
        PID:4400
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\syjcie.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:1528
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:4628
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:688
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2844
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" os get Caption
        3⤵
        PID:2792
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" computersystem get totalphysicalmemory
        3⤵
        PID:308
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        3⤵
        PID:352
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:4964
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic" path win32_VideoController get name
        3⤵
        • Detects videocard installed
        PID:4952
      • C:\Windows\SYSTEM32\cmd.exe
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\syjcie.exe" && pause
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4908
        • C:\Windows\system32\PING.EXE
          ping localhost
          4⤵
          • Runs ping.exe
          PID:1096
  • C:\ProgramData\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe
    C:\ProgramData\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe
    1⤵
    • Executes dropped EXE
    PID:3976
  • C:\ProgramData\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe
    C:\ProgramData\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe
    1⤵
    • Executes dropped EXE
    PID:2568

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\ProgramData\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe

    Filesize

    89KB

    MD5

    499e35df562563babfff6a1d2ee71743

    SHA1

    7bece5115d9df1fa43b6a7a69f9574a498388960

    SHA256

    6ebd5512d5cede4fdf769c35a48727c5fd5acb8ac40ae4c5ea7e9ca37fc8747b

    SHA512

    2df1934de1f45661ab929a7f7658478f5a3d8cacfbe682f1f6b8bee8a49ab2720141a1c0ea74608e14002ff5132cb0932c7fb5b3790575b5e23c5327adfdf377

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    3KB

    MD5

    ad5cd538ca58cb28ede39c108acb5785

    SHA1

    1ae910026f3dbe90ed025e9e96ead2b5399be877

    SHA256

    c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

    SHA512

    c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe.log

    Filesize

    654B

    MD5

    16c5fce5f7230eea11598ec11ed42862

    SHA1

    75392d4824706090f5e8907eee1059349c927600

    SHA256

    87ba77c13905298acbac72be90949c4fe0755b6eff9777615aa37f252515f151

    SHA512

    153edd6da59beea6cc411ed7383c32916425d6ebb65f04c65aab7c1d6b25443d143aa8449aa92149de0ad8a975f6ecaa60f9f7574536eec6b38fe5fd3a6c6adc

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    12bcbfc36299cc2f49f07e4c89e87029

    SHA1

    3bb2528216e4d71ec44c57398111d40ab3b75bc7

    SHA256

    ef41ffde899433aaedb44745f4d43e1a486cd383c5b662f9c9279ee249335dad

    SHA512

    1ac4211fc339564cb2cb15e990bf3b8f5c7bace629a3f65444f526bf31c9b541bba0c65ac30145c67bac998fa3656b02b154fa9516a323271363e00b28fc68a7

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    a4974291e85a04444b7be80b193c8a99

    SHA1

    4322a84e7b2207c02ba3fe6acf1e7ee295c8eba9

    SHA256

    e733390b57c1f323c7349bb6a65e8f4fe0b5b815f40a92897d4f44ac1c9ca871

    SHA512

    35f8976633cbf917dc2609272fc981c736b42371ff1438ce178eb4d42b22bdf6a8aa542d620c6a201d3d7fb6dfbe10f110c5411bf44f2ee6f1cda1a151dc7ba5

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    5477d94aecd44c4e5c1463c1c0847589

    SHA1

    3f3c4f3a75229d0eccaf568c85697060f41bae9a

    SHA256

    d8ea4c44242969f01dd40441b010d844747fec463c229b13c2836854cf7ccfc1

    SHA512

    2bba1edfdc34af16f01d8fdb4c2730ad577a219721b6c8241088ce517334a7309d8d6d246f98851d73b1eeee40a6535ecdd41d517b9b0d207cf5e11762f12375

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    01b8d3a45328a2dff7f64c4bb9747dec

    SHA1

    c33eb4823a32745cdccadb81d34ae9b325ab39c8

    SHA256

    1425ed0a9cccab81ef6493ce8efe445e84e0d8567d8e0f640721c5cc79ac7697

    SHA512

    201f208f52f1eb60ab221da7fef4a7988612123d865eb02cb989073458571785e4e4ece44b2ac95268e177482bdf05c6e435136aee7d71fe0fbb048ef2fcf899

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    5efef7b8b6534cf61adc5a223225b92f

    SHA1

    21c44e23f5b504a2c89e081fd6464bc68007ed0a

    SHA256

    ceb1979a91fa6d97a1ebb6162d01f30d9b9527d1ba93e9dc60165cbfd3d98886

    SHA512

    efc60add9ea6f0f08f824d4a3d5413b8cd50f25274687fdfa466699ab49ac4504005e5b130d2149319960c636ff748e2d1f805bae168d3ef517a84bda7c2e9b7

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    640e1e8914a9e4045d7c9331510cd65e

    SHA1

    20dbf3777f4ec696c45304b7e8b1f4ea62bcd9b8

    SHA256

    3d90b754303986173f9e70e82f3d71c453cc3dd8c9effc766bf55004909078d8

    SHA512

    373d84331d97e407a6ce56bae77231b15a1747c9839a27932715c2b9f81cacc41091e9d735faf0df9f228d851be402691dbeb5cf1b5807c075f996d43a723690

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    73af5a2e56e321b85f04f1c431f760ea

    SHA1

    4ffd2aecfe9163cebacf508be261133262d675f9

    SHA256

    5d53260071efea7c61647a6be8c386cd9d4651f92a5d4bd7b0ac8dc72a8f85eb

    SHA512

    0926185823796cc35b263ded5e30d92525453945df09bc34c1dee646d637deded9d6e15a750748f2948ddce4714f17a64da9899fda14f0feb8746b87428ec8b2

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    03c0e5299730d7840dc4ee907c2d7e2a

    SHA1

    ad7731702af04363af05807bdcd034e87073ced2

    SHA256

    f3a484a2fb1e7e859c6d7950be2ebecd667e3f42c244afed7dd2b4477e83861b

    SHA512

    216c32835ba4024985460655c94aee41873285a7ef8b37a88970a552760cd2fd66fef02b594a3ed921433208a275d13421cfdf45bd554123f20c2ab58c2340e9

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bqrkwlfb.uup.ps1

    Filesize

    1B

    MD5

    c4ca4238a0b923820dcc509a6f75849b

    SHA1

    356a192b7913b04c54574d18c28d46e6395428ab

    SHA256

    6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

    SHA512

    4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

  • C:\Users\Admin\AppData\Local\Temp\syjcie.exe

    Filesize

    229KB

    MD5

    f94e3703ca371767d93f5a88b74fbee7

    SHA1

    80530e8ffb3fc7d2c36e339b70bcae0d0014b7f5

    SHA256

    954af7a9095306263dce0c4d05eda925de49041ad6ea7c37a23fed8cbc97f1d7

    SHA512

    ca0ba2f5a26a26eeb0e15a5b99be937b7d695411f043b1629ef10f7106f26a1096229f763b0ab86796d8f37efc62f469e399206d7a8c706e4043112269f01066

  • memory/96-51-0x00007FFE9BC70000-0x00007FFE9C65C000-memory.dmp

    Filesize

    9.9MB

  • memory/96-13-0x00000228EE4D0000-0x00000228EE546000-memory.dmp

    Filesize

    472KB

  • memory/96-12-0x00007FFE9BC70000-0x00007FFE9C65C000-memory.dmp

    Filesize

    9.9MB

  • memory/96-8-0x00000228EE320000-0x00000228EE342000-memory.dmp

    Filesize

    136KB

  • memory/96-9-0x00007FFE9BC70000-0x00007FFE9C65C000-memory.dmp

    Filesize

    9.9MB

  • memory/96-7-0x00007FFE9BC70000-0x00007FFE9C65C000-memory.dmp

    Filesize

    9.9MB

  • memory/1448-186-0x00007FFE9BC73000-0x00007FFE9BC74000-memory.dmp

    Filesize

    4KB

  • memory/1448-188-0x000000001B7D0000-0x000000001B7DC000-memory.dmp

    Filesize

    48KB

  • memory/1448-187-0x00007FFE9BC70000-0x00007FFE9C65C000-memory.dmp

    Filesize

    9.9MB

  • memory/1448-0-0x00007FFE9BC73000-0x00007FFE9BC74000-memory.dmp

    Filesize

    4KB

  • memory/1448-2-0x00007FFE9BC70000-0x00007FFE9C65C000-memory.dmp

    Filesize

    9.9MB

  • memory/1448-1-0x0000000000AD0000-0x0000000000AEC000-memory.dmp

    Filesize

    112KB

  • memory/4668-194-0x0000016E260D0000-0x0000016E26110000-memory.dmp

    Filesize

    256KB

  • memory/4668-269-0x0000016E27E60000-0x0000016E27EB0000-memory.dmp

    Filesize

    320KB

  • memory/4668-270-0x0000016E27E30000-0x0000016E27E4E000-memory.dmp

    Filesize

    120KB

  • memory/4668-334-0x0000016E27E50000-0x0000016E27E5A000-memory.dmp

    Filesize

    40KB

  • memory/4668-335-0x0000016E40620000-0x0000016E40632000-memory.dmp

    Filesize

    72KB