dcrat | a61ecbd90edbc5cc26ed5bc4ab6064ed7ae966cbf517674458d1823746df2bfd

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19-05-2024 02:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28.exe
Size

19.8MB
MD5

3969991942bb5b6130977411ae258ab8
SHA1

c391e670488d73dc79c2acfab1e845d9c3e5227e
SHA256

aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28
SHA512

ce009d113cd85629cb744c0e30fecc9cb1f3bc353b546eab676604a3eec976c5f0dc60cb29b7f4841bb71bb7596128340d1b222408c9aeeb9f9671d1a1add00a
SSDEEP

393216:O581WtclJGQ9GnlC58mn3yJQjNKlgtcTuOYTmWYlY5nGPEy+tj7NJX:OeWgdGnlCqm3vKCTmpY5Py+r

Score

10^/10

dcrat umbral xworm execution infostealer rat stealer trojan

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1221847080373584144/7stbODqa-C2IH_V1s7-AaD6fECqR68YLov_s341xewFGvFGlgl7fRFcAsV3CtRNlSgzQ

Extracted

Family

xworm

127.0.0.1:30683

operating-niger.gl.at.ply.gg:30683:30683

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0035000000013a46-17.dat	family_umbral
behavioral1/memory/2640-19-0x0000000000D90000-0x0000000000DD0000-memory.dmp	family_umbral

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0006000000014826-36.dat	family_xworm
behavioral1/memory/2444-38-0x0000000000EA0000-0x0000000000EB6000-memory.dmp	family_xworm

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	2788	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	2788	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	2788	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	2788	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	2788	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	2788	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	688	2788	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	988	2788	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	932	2788	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	2788	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	2788	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	2788	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	2788	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	452	2788	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1172	2788	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	2788	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	2788	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2788	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	2788	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2788	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2788	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	664	2788	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	784	2788	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	2788	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1200	2788	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	2788	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	2788	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	2788	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	2788	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	2788	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	2788	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	2788	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	2788	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2788	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2788	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2788	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	2788	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2788	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2788	schtasks.exe	37

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0035000000013a3a-12.dat	dcrat
behavioral1/files/0x0007000000014186-51.dat	dcrat
behavioral1/memory/1852-55-0x0000000000B10000-0x0000000000BE6000-memory.dmp	dcrat
behavioral1/memory/2424-88-0x00000000013D0000-0x00000000014A6000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2920	powershell.exe
1676	powershell.exe
1868	powershell.exe
2844	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	LoaderMas.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	LoaderMas.exe

Executes dropped EXE 7 IoCs

pid	Process
1612	Nursultan (17).exe
2572	t.bat
2640	Umbral.exe
1800	Nursultan.exe
2444	LoaderMas.exe
1852	Chainprovider.exe
2424	cmd.exe

Loads dropped DLL 3 IoCs

pid	Process
1612	Nursultan (17).exe
2816	cmd.exe
2816	cmd.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ip-api.com

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files\Internet Explorer\images\b75386f1303e64	Chainprovider.exe
File created	C:\Program Files\Windows Portable Devices\wininit.exe	Chainprovider.exe
File created	C:\Program Files\Windows Portable Devices\56085415360792	Chainprovider.exe
File created	C:\Program Files (x86)\Windows Media Player\Media Renderer\dwm.exe	Chainprovider.exe
File created	C:\Program Files (x86)\Windows Media Player\Media Renderer\6cb0b6c459d5d3	Chainprovider.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\audiodg.exe	Chainprovider.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\42af1c969fbb7b	Chainprovider.exe
File created	C:\Program Files\Internet Explorer\images\taskhost.exe	Chainprovider.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\AppCompat\smss.exe	Chainprovider.exe
File created	C:\Windows\AppCompat\69ddcba757bf72	Chainprovider.exe
File created	C:\Windows\LiveKernelReports\wininit.exe	Chainprovider.exe
File created	C:\Windows\LiveKernelReports\56085415360792	Chainprovider.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2248	schtasks.exe
2892	schtasks.exe
1768	schtasks.exe
2608	schtasks.exe
1628	schtasks.exe
988	schtasks.exe
1476	schtasks.exe
1200	schtasks.exe
1536	schtasks.exe
2020	schtasks.exe
1532	schtasks.exe
664	schtasks.exe
3064	schtasks.exe
2332	schtasks.exe
932	schtasks.exe
784	schtasks.exe
2500	schtasks.exe
2420	schtasks.exe
2092	schtasks.exe
1988	schtasks.exe
1052	schtasks.exe
1804	schtasks.exe
1636	schtasks.exe
2616	schtasks.exe
2860	schtasks.exe
2596	schtasks.exe
840	schtasks.exe
1172	schtasks.exe
1936	schtasks.exe
1956	schtasks.exe
2080	schtasks.exe
688	schtasks.exe
1444	schtasks.exe
2872	schtasks.exe
1472	schtasks.exe
2508	schtasks.exe
1796	schtasks.exe
452	schtasks.exe
1288	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1800	Nursultan.exe
1852	Chainprovider.exe
2424	cmd.exe
2920	powershell.exe
1676	powershell.exe
1868	powershell.exe
2844	powershell.exe
2444	LoaderMas.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeDebugPrivilege	2444	LoaderMas.exe
Token: SeDebugPrivilege	2640	Umbral.exe
Token: SeIncreaseQuotaPrivilege	2644	wmic.exe
Token: SeSecurityPrivilege	2644	wmic.exe
Token: SeTakeOwnershipPrivilege	2644	wmic.exe
Token: SeLoadDriverPrivilege	2644	wmic.exe
Token: SeSystemProfilePrivilege	2644	wmic.exe
Token: SeSystemtimePrivilege	2644	wmic.exe
Token: SeProfSingleProcessPrivilege	2644	wmic.exe
Token: SeIncBasePriorityPrivilege	2644	wmic.exe
Token: SeCreatePagefilePrivilege	2644	wmic.exe
Token: SeBackupPrivilege	2644	wmic.exe
Token: SeRestorePrivilege	2644	wmic.exe
Token: SeShutdownPrivilege	2644	wmic.exe
Token: SeDebugPrivilege	2644	wmic.exe
Token: SeSystemEnvironmentPrivilege	2644	wmic.exe
Token: SeRemoteShutdownPrivilege	2644	wmic.exe
Token: SeUndockPrivilege	2644	wmic.exe
Token: SeManageVolumePrivilege	2644	wmic.exe
Token: 33	2644	wmic.exe
Token: 34	2644	wmic.exe
Token: 35	2644	wmic.exe
Token: SeIncreaseQuotaPrivilege	2644	wmic.exe
Token: SeSecurityPrivilege	2644	wmic.exe
Token: SeTakeOwnershipPrivilege	2644	wmic.exe
Token: SeLoadDriverPrivilege	2644	wmic.exe
Token: SeSystemProfilePrivilege	2644	wmic.exe
Token: SeSystemtimePrivilege	2644	wmic.exe
Token: SeProfSingleProcessPrivilege	2644	wmic.exe
Token: SeIncBasePriorityPrivilege	2644	wmic.exe
Token: SeCreatePagefilePrivilege	2644	wmic.exe
Token: SeBackupPrivilege	2644	wmic.exe
Token: SeRestorePrivilege	2644	wmic.exe
Token: SeShutdownPrivilege	2644	wmic.exe
Token: SeDebugPrivilege	2644	wmic.exe
Token: SeSystemEnvironmentPrivilege	2644	wmic.exe
Token: SeRemoteShutdownPrivilege	2644	wmic.exe
Token: SeUndockPrivilege	2644	wmic.exe
Token: SeManageVolumePrivilege	2644	wmic.exe
Token: 33	2644	wmic.exe
Token: 34	2644	wmic.exe
Token: 35	2644	wmic.exe
Token: SeDebugPrivilege	1852	Chainprovider.exe
Token: SeDebugPrivilege	2424	cmd.exe
Token: SeDebugPrivilege	2920	powershell.exe
Token: SeDebugPrivilege	1676	powershell.exe
Token: SeDebugPrivilege	1868	powershell.exe
Token: SeDebugPrivilege	2844	powershell.exe
Token: SeDebugPrivilege	2444	LoaderMas.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2444	LoaderMas.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 1612	2176	aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28.exe	28
PID 2176 wrote to memory of 1612	2176	aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28.exe	28
PID 2176 wrote to memory of 1612	2176	aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28.exe	28
PID 2176 wrote to memory of 2572	2176	aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28.exe	29
PID 2176 wrote to memory of 2572	2176	aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28.exe	29
PID 2176 wrote to memory of 2572	2176	aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28.exe	29
PID 2176 wrote to memory of 2572	2176	aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28.exe	29
PID 2176 wrote to memory of 2640	2176	aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28.exe	30
PID 2176 wrote to memory of 2640	2176	aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28.exe	30
PID 2176 wrote to memory of 2640	2176	aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28.exe	30
PID 2572 wrote to memory of 2436	2572	t.bat	31
PID 2572 wrote to memory of 2436	2572	t.bat	31
PID 2572 wrote to memory of 2436	2572	t.bat	31
PID 2572 wrote to memory of 2436	2572	t.bat	31
PID 1612 wrote to memory of 1800	1612	Nursultan (17).exe	32
PID 1612 wrote to memory of 1800	1612	Nursultan (17).exe	32
PID 1612 wrote to memory of 1800	1612	Nursultan (17).exe	32
PID 1612 wrote to memory of 2444	1612	Nursultan (17).exe	34
PID 1612 wrote to memory of 2444	1612	Nursultan (17).exe	34
PID 1612 wrote to memory of 2444	1612	Nursultan (17).exe	34
PID 2640 wrote to memory of 2644	2640	Umbral.exe	35
PID 2640 wrote to memory of 2644	2640	Umbral.exe	35
PID 2640 wrote to memory of 2644	2640	Umbral.exe	35
PID 2436 wrote to memory of 2816	2436	WScript.exe	38
PID 2436 wrote to memory of 2816	2436	WScript.exe	38
PID 2436 wrote to memory of 2816	2436	WScript.exe	38
PID 2436 wrote to memory of 2816	2436	WScript.exe	38
PID 2816 wrote to memory of 1852	2816	cmd.exe	40
PID 2816 wrote to memory of 1852	2816	cmd.exe	40
PID 2816 wrote to memory of 1852	2816	cmd.exe	40
PID 2816 wrote to memory of 1852	2816	cmd.exe	40
PID 1852 wrote to memory of 2424	1852	Chainprovider.exe	80
PID 1852 wrote to memory of 2424	1852	Chainprovider.exe	80
PID 1852 wrote to memory of 2424	1852	Chainprovider.exe	80
PID 2444 wrote to memory of 2920	2444	LoaderMas.exe	81
PID 2444 wrote to memory of 2920	2444	LoaderMas.exe	81
PID 2444 wrote to memory of 2920	2444	LoaderMas.exe	81
PID 2444 wrote to memory of 1676	2444	LoaderMas.exe	83
PID 2444 wrote to memory of 1676	2444	LoaderMas.exe	83
PID 2444 wrote to memory of 1676	2444	LoaderMas.exe	83
PID 2444 wrote to memory of 1868	2444	LoaderMas.exe	85
PID 2444 wrote to memory of 1868	2444	LoaderMas.exe	85
PID 2444 wrote to memory of 1868	2444	LoaderMas.exe	85
PID 2444 wrote to memory of 2844	2444	LoaderMas.exe	87
PID 2444 wrote to memory of 2844	2444	LoaderMas.exe	87
PID 2444 wrote to memory of 2844	2444	LoaderMas.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28.exe
"C:\Users\Admin\AppData\Local\Temp\aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Users\Admin\AppData\Roaming\Nursultan (17).exe
  "C:\Users\Admin\AppData\Roaming\Nursultan (17).exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1612
- - C:\Users\Admin\AppData\Roaming\Nursultan.exe
    "C:\Users\Admin\AppData\Roaming\Nursultan.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1800
- - C:\Users\Admin\AppData\Roaming\LoaderMas.exe
    "C:\Users\Admin\AppData\Roaming\LoaderMas.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2444
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\LoaderMas.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2920
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'LoaderMas.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1676
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1868
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2844
- C:\Users\Admin\AppData\Roaming\t.bat
  "C:\Users\Admin\AppData\Roaming\t.bat"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\perfdhcpSvc\LUps3wjkA6jhdk7xRy8J55z2u.vbe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2436
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\perfdhcpSvc\mStUjP0ksX5N.bat" "
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2816
    - - C:\perfdhcpSvc\Chainprovider.exe
        
        "C:\perfdhcpSvc\Chainprovider.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1852
      - C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\cmd.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\cmd.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2424
- C:\Users\Admin\AppData\Roaming\Umbral.exe
  "C:\Users\Admin\AppData\Roaming\Umbral.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\perfdhcpSvc\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\perfdhcpSvc\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\perfdhcpSvc\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "NursultanN" /sc MINUTE /mo 11 /tr "'C:\Nurik\Nursultan.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Nursultan" /sc ONLOGON /tr "'C:\Nurik\Nursultan.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "NursultanN" /sc MINUTE /mo 8 /tr "'C:\Nurik\Nursultan.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\AppCompat\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\AppCompat\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Windows\AppCompat\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Windows\LiveKernelReports\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Windows\LiveKernelReports\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Nurik\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Nurik\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Nurik\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\images\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\images\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\images\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\LoaderMas.exe

Filesize
63KB

MD5
a0dbdf3af38ead2237ccb781a098a431

SHA1
1434296af6c5530eb036718e860490e0adc3321a

SHA256
6f483da6b36646bf6f33db0c210bd3683ff29428a44d916a2f26a4240c1a9901

SHA512
dd7dc91a2e09b0c3906efbb486fb84d0289dc61338afd75d203f1ab2f49556c9523a8a9abc913363a45dde8194f5b2ee9d3d659807250047331944c39006edc3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
56f317391a611d8dc997d594012a3c5d

SHA1
1623bbcd445d6299cad4b19e87ac77ccc52ffb7f

SHA256
0bea959750e230358aa4ea7e725f1a84776e35bb6d9f8926d840715cd5c68179

SHA512
4e9d2d0f6a9d471e0059318109f56268b7030403555a966e7ae2fe289fc50eac9ac3b8d98321085ebeade5868eb1cf9ed60dc5a17941937f162e1335ebfff718

Download Submit
C:\Users\Admin\AppData\Roaming\Nursultan (17).exe

Filesize
18.2MB

MD5
ed965403e795c3b563d67c734472ad93

SHA1
6b8b929239d5ef8f1f546c591c67acaf560de4dc

SHA256
6b7473e7177ef0666f6afe36b257d0730dababefc209ee1c5f2da319dbe1633d

SHA512
bd860103c5ac1bcc02bfefc669616a1b0103dfb3c611b0e4499cf4b1fc67d49c9cd57c1839936b75e0f0008aec0f84cb0af712feb334957972661405a137f649

Download Submit
C:\Users\Admin\AppData\Roaming\Umbral.exe

Filesize
229KB

MD5
f48ef033300ec9fd3c77afff5c20e95f

SHA1
22d6125b980474b3f54937003a765cdd5352f9a8

SHA256
72ee11a905ca278130f02397422b4cc4944851065ce0072f9888b70c5ad40f1e

SHA512
847ee8cdb14879089c861168d6be90325304df490668a38447b37772423e6dab5e32a5df344ceb58410d3b24cf25cd7221e8768951e5aca14820996a1e8304bc

Download Submit
C:\Users\Admin\AppData\Roaming\t.bat

Filesize
1.1MB

MD5
d85bd59cf0808fb894f60773e1594a0a

SHA1
84b9d205f3ae6ca4f8f1bb938ee8b4d452444cde

SHA256
f3ef597673421e514d7fed82b40d65386c3811c4a8f5553afd59fc632bca8746

SHA512
225788e3e98449f53e6206c585315a37c9ff6ed0b5425b2a98e50c7ac45ab3c187ccf7626f126ba300bd8dbdf89c864e89f85d6264edc89281745b081ec58f97

Download Submit
C:\perfdhcpSvc\LUps3wjkA6jhdk7xRy8J55z2u.vbe

Filesize
200B

MD5
00b53f3e200522631227cac1a07e0646

SHA1
a0c69d58c7ca10f5fd5e1320b1b2f92081d7fcfe

SHA256
486c050aadc42906113b0c5c8485dff36b0187f343a732542608a91b0565146c

SHA512
22241ae8a31c7e564c9fb652947e4fe17f80c6e94dfe1a3bb5890f6eb97797ee32ccfff5d647eef02bda31bd47c5d95521cd0c6349a01e501e6e064ea6306243

Download Submit
C:\perfdhcpSvc\mStUjP0ksX5N.bat

Filesize
34B

MD5
a9330c6da12d90d5d956ae2bbcf017d7

SHA1
7ebaa14eed80db6d9f0c0c0f1ecab1a9c3f61410

SHA256
b49853470383dce14680f656aca7ea449b1d6aabb3f18d4165ebd7e3e7545393

SHA512
557c91cc1cc0d7309f50e286644a2da543c0283d4a1659f7d31554282ddc48b5f972d98d5a01433078fdbe6cc813bb6f7c120e2307fae48c5d81be44ae823228

Download Submit
\Users\Admin\AppData\Roaming\Nursultan.exe

Filesize
17.9MB

MD5
e504e3fc36fe4d6f182c98923979a779

SHA1
3ba9f1a9a15b79639a20cfcf79c9de31d15a17a6

SHA256
70b7b95bb952b3325476867307fc5bd4df5769b97bbcdd8b60e7b46e1b38e4a0

SHA512
63bbbc3ccf14b2846df64b8edae52b6431df52aa9e03569a28ca239ab02db94bf79ca8a0a30529e35a04ee5845768d752b99e6ce3830ab440c57850180ad1647

Download Submit
\perfdhcpSvc\Chainprovider.exe

Filesize
827KB

MD5
d2ec227ddac047e735393e58e742fd44

SHA1
7aae5c76378f7cfcff8bb983695fa4c2577a20e2

SHA256
0e679527f2df9f87d33c82023256fac276c36006579d2d71877ccab4be847cce

SHA512
5a11b292a574bd2ca6c225af1e4c9f95004a49ce816cc59a73d4ab6e2a0b007a58ab56e5e0c004901c3ebe4ec06054e6e801f8e659711856857add6d43f38979

Download Submit
memory/1612-9-0x0000000000A80000-0x0000000001CBA000-memory.dmp

Filesize
18.2MB

Download
memory/1612-39-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

Filesize
9.9MB

Download
memory/1676-100-0x000000001B640000-0x000000001B922000-memory.dmp

Filesize
2.9MB

Download
memory/1676-101-0x0000000002870000-0x0000000002878000-memory.dmp

Filesize
32KB

Download
memory/1800-45-0x00000000773A0000-0x00000000773A2000-memory.dmp

Filesize
8KB

Download
memory/1800-43-0x00000000773A0000-0x00000000773A2000-memory.dmp

Filesize
8KB

Download
memory/1800-41-0x00000000773A0000-0x00000000773A2000-memory.dmp

Filesize
8KB

Download
memory/1800-47-0x0000000140000000-0x0000000142153000-memory.dmp

Filesize
33.3MB

Download
memory/1852-55-0x0000000000B10000-0x0000000000BE6000-memory.dmp

Filesize
856KB

Download
memory/2176-0-0x000007FEF5713000-0x000007FEF5714000-memory.dmp

Filesize
4KB

Download
memory/2176-1-0x0000000000D90000-0x0000000002160000-memory.dmp

Filesize
19.8MB

Download
memory/2424-88-0x00000000013D0000-0x00000000014A6000-memory.dmp

Filesize
856KB

Download
memory/2444-38-0x0000000000EA0000-0x0000000000EB6000-memory.dmp

Filesize
88KB

Download
memory/2640-19-0x0000000000D90000-0x0000000000DD0000-memory.dmp

Filesize
256KB

Download
memory/2920-93-0x000000001B520000-0x000000001B802000-memory.dmp

Filesize
2.9MB

Download
memory/2920-94-0x0000000001F50000-0x0000000001F58000-memory.dmp

Filesize
32KB

Download