Analysis
-
max time kernel
47s -
max time network
48s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
28-05-2024 21:52
Static task
static1
Behavioral task
behavioral1
Sample
Nezure.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral2
Sample
Nezure.exe
Resource
win11-20240419-en
General
-
Target
Nezure.exe
-
Size
8.3MB
-
MD5
4efce9b6099fa6bfc272b5e192fe16cc
-
SHA1
d5495d7d0593a0258bb50325eb0381cec5decd19
-
SHA256
185d297d3a204b586f262ce576bc40127b6ea49561b07c7e40c0a2e779df03e1
-
SHA512
0b81846c316c3790b1d3fd88953d7c9350443d8dd34cbf4311677e5706b59f4e8b0819186f7cb81b980bab88b9aa6802170536d50a989f081b0aacb68f58ca5f
-
SSDEEP
196608:UB4vMWmmF95vrRoypY2xNS+U1kYLLBGJt4qi5Wh4d3J4jtQG0gIe:UevBn5viETxNS+5OBU4hat0gI
Malware Config
Signatures
-
Detect Umbral payload 2 IoCs
resource yara_rule behavioral1/files/0x000a0000000232fd-23.dat family_umbral behavioral1/memory/4844-34-0x000002085BF70000-0x000002085BFB0000-memory.dmp family_umbral -
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Admin\\Videos\\MicrosoftSecurity.exe" Client.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 3508 powershell.exe -
Drops file in Drivers directory 1 IoCs
description ioc Process File opened for modification C:\Windows\System32\drivers\etc\hosts Umbral.exe -
Modifies AppInit DLL entries 2 TTPs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation Nezure.exe -
Executes dropped EXE 3 IoCs
pid Process 4568 Nezur.exe 1668 Client.exe 4844 Umbral.exe -
Loads dropped DLL 12 IoCs
pid Process 2564 Process not Found 3916 Process not Found 1936 Process not Found 3444 WmiApSrv.exe 2536 Process not Found 2476 Process not Found 1940 Process not Found 3680 Process not Found 3540 Process not Found 3736 Process not Found 1664 Process not Found 3152 Process not Found -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\INetCookies\\Chrome.exe" Client.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 33 discord.com 34 discord.com -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 27 ip-api.com -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\xdwd.dll Client.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 11 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3940 schtasks.exe 4492 schtasks.exe 1200 schtasks.exe 4152 schtasks.exe 3940 schtasks.exe 4492 schtasks.exe 3484 schtasks.exe 1692 schtasks.exe 2924 schtasks.exe 896 schtasks.exe 4512 schtasks.exe -
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.
pid Process 5096 wmic.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 2836 PING.EXE -
Suspicious behavior: EnumeratesProcesses 48 IoCs
pid Process 4844 Umbral.exe 4844 Umbral.exe 3508 powershell.exe 3508 powershell.exe 3508 powershell.exe 2416 powershell.exe 2416 powershell.exe 2416 powershell.exe 2124 powershell.exe 2124 powershell.exe 2124 powershell.exe 1676 powershell.exe 1676 powershell.exe 1676 powershell.exe 4512 powershell.exe 4512 powershell.exe 4512 powershell.exe 1668 Client.exe 1668 Client.exe 1668 Client.exe 1668 Client.exe 1668 Client.exe 1668 Client.exe 1668 Client.exe 1668 Client.exe 1668 Client.exe 1668 Client.exe 1668 Client.exe 1668 Client.exe 1668 Client.exe 1668 Client.exe 1668 Client.exe 1668 Client.exe 1668 Client.exe 1668 Client.exe 1668 Client.exe 1668 Client.exe 1668 Client.exe 1668 Client.exe 1668 Client.exe 1668 Client.exe 1668 Client.exe 1668 Client.exe 1668 Client.exe 1668 Client.exe 1668 Client.exe 3444 WmiApSrv.exe 3444 WmiApSrv.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 1668 Client.exe Token: SeDebugPrivilege 4844 Umbral.exe Token: SeIncreaseQuotaPrivilege 1596 wmic.exe Token: SeSecurityPrivilege 1596 wmic.exe Token: SeTakeOwnershipPrivilege 1596 wmic.exe Token: SeLoadDriverPrivilege 1596 wmic.exe Token: SeSystemProfilePrivilege 1596 wmic.exe Token: SeSystemtimePrivilege 1596 wmic.exe Token: SeProfSingleProcessPrivilege 1596 wmic.exe Token: SeIncBasePriorityPrivilege 1596 wmic.exe Token: SeCreatePagefilePrivilege 1596 wmic.exe Token: SeBackupPrivilege 1596 wmic.exe Token: SeRestorePrivilege 1596 wmic.exe Token: SeShutdownPrivilege 1596 wmic.exe Token: SeDebugPrivilege 1596 wmic.exe Token: SeSystemEnvironmentPrivilege 1596 wmic.exe Token: SeRemoteShutdownPrivilege 1596 wmic.exe Token: SeUndockPrivilege 1596 wmic.exe Token: SeManageVolumePrivilege 1596 wmic.exe Token: 33 1596 wmic.exe Token: 34 1596 wmic.exe Token: 35 1596 wmic.exe Token: 36 1596 wmic.exe Token: SeIncreaseQuotaPrivilege 1596 wmic.exe Token: SeSecurityPrivilege 1596 wmic.exe Token: SeTakeOwnershipPrivilege 1596 wmic.exe Token: SeLoadDriverPrivilege 1596 wmic.exe Token: SeSystemProfilePrivilege 1596 wmic.exe Token: SeSystemtimePrivilege 1596 wmic.exe Token: SeProfSingleProcessPrivilege 1596 wmic.exe Token: SeIncBasePriorityPrivilege 1596 wmic.exe Token: SeCreatePagefilePrivilege 1596 wmic.exe Token: SeBackupPrivilege 1596 wmic.exe Token: SeRestorePrivilege 1596 wmic.exe Token: SeShutdownPrivilege 1596 wmic.exe Token: SeDebugPrivilege 1596 wmic.exe Token: SeSystemEnvironmentPrivilege 1596 wmic.exe Token: SeRemoteShutdownPrivilege 1596 wmic.exe Token: SeUndockPrivilege 1596 wmic.exe Token: SeManageVolumePrivilege 1596 wmic.exe Token: 33 1596 wmic.exe Token: 34 1596 wmic.exe Token: 35 1596 wmic.exe Token: 36 1596 wmic.exe Token: SeDebugPrivilege 3508 powershell.exe Token: SeDebugPrivilege 2416 powershell.exe Token: SeDebugPrivilege 2124 powershell.exe Token: SeDebugPrivilege 1676 powershell.exe Token: SeIncreaseQuotaPrivilege 2368 wmic.exe Token: SeSecurityPrivilege 2368 wmic.exe Token: SeTakeOwnershipPrivilege 2368 wmic.exe Token: SeLoadDriverPrivilege 2368 wmic.exe Token: SeSystemProfilePrivilege 2368 wmic.exe Token: SeSystemtimePrivilege 2368 wmic.exe Token: SeProfSingleProcessPrivilege 2368 wmic.exe Token: SeIncBasePriorityPrivilege 2368 wmic.exe Token: SeCreatePagefilePrivilege 2368 wmic.exe Token: SeBackupPrivilege 2368 wmic.exe Token: SeRestorePrivilege 2368 wmic.exe Token: SeShutdownPrivilege 2368 wmic.exe Token: SeDebugPrivilege 2368 wmic.exe Token: SeSystemEnvironmentPrivilege 2368 wmic.exe Token: SeRemoteShutdownPrivilege 2368 wmic.exe Token: SeUndockPrivilege 2368 wmic.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4056 wrote to memory of 4568 4056 Nezure.exe 96 PID 4056 wrote to memory of 4568 4056 Nezure.exe 96 PID 4056 wrote to memory of 1668 4056 Nezure.exe 98 PID 4056 wrote to memory of 1668 4056 Nezure.exe 98 PID 4056 wrote to memory of 4844 4056 Nezure.exe 99 PID 4056 wrote to memory of 4844 4056 Nezure.exe 99 PID 4844 wrote to memory of 1596 4844 Umbral.exe 102 PID 4844 wrote to memory of 1596 4844 Umbral.exe 102 PID 4844 wrote to memory of 1508 4844 Umbral.exe 105 PID 4844 wrote to memory of 1508 4844 Umbral.exe 105 PID 4844 wrote to memory of 3508 4844 Umbral.exe 107 PID 4844 wrote to memory of 3508 4844 Umbral.exe 107 PID 4844 wrote to memory of 2416 4844 Umbral.exe 109 PID 4844 wrote to memory of 2416 4844 Umbral.exe 109 PID 4844 wrote to memory of 2124 4844 Umbral.exe 111 PID 4844 wrote to memory of 2124 4844 Umbral.exe 111 PID 4844 wrote to memory of 1676 4844 Umbral.exe 114 PID 4844 wrote to memory of 1676 4844 Umbral.exe 114 PID 4844 wrote to memory of 2368 4844 Umbral.exe 116 PID 4844 wrote to memory of 2368 4844 Umbral.exe 116 PID 4844 wrote to memory of 3092 4844 Umbral.exe 118 PID 4844 wrote to memory of 3092 4844 Umbral.exe 118 PID 4844 wrote to memory of 2028 4844 Umbral.exe 120 PID 4844 wrote to memory of 2028 4844 Umbral.exe 120 PID 4844 wrote to memory of 4512 4844 Umbral.exe 122 PID 4844 wrote to memory of 4512 4844 Umbral.exe 122 PID 4844 wrote to memory of 5096 4844 Umbral.exe 124 PID 4844 wrote to memory of 5096 4844 Umbral.exe 124 PID 4844 wrote to memory of 3872 4844 Umbral.exe 128 PID 4844 wrote to memory of 3872 4844 Umbral.exe 128 PID 3872 wrote to memory of 2836 3872 cmd.exe 130 PID 3872 wrote to memory of 2836 3872 cmd.exe 130 PID 1668 wrote to memory of 2860 1668 Client.exe 131 PID 1668 wrote to memory of 2860 1668 Client.exe 131 PID 2860 wrote to memory of 1692 2860 CMD.exe 133 PID 2860 wrote to memory of 1692 2860 CMD.exe 133 PID 1668 wrote to memory of 3972 1668 Client.exe 134 PID 1668 wrote to memory of 3972 1668 Client.exe 134 PID 3972 wrote to memory of 2924 3972 CMD.exe 136 PID 3972 wrote to memory of 2924 3972 CMD.exe 136 PID 1668 wrote to memory of 4656 1668 Client.exe 137 PID 1668 wrote to memory of 4656 1668 Client.exe 137 PID 4656 wrote to memory of 3940 4656 CMD.exe 139 PID 4656 wrote to memory of 3940 4656 CMD.exe 139 PID 1668 wrote to memory of 2712 1668 Client.exe 141 PID 1668 wrote to memory of 2712 1668 Client.exe 141 PID 2712 wrote to memory of 896 2712 CMD.exe 143 PID 2712 wrote to memory of 896 2712 CMD.exe 143 PID 1668 wrote to memory of 2220 1668 Client.exe 146 PID 1668 wrote to memory of 2220 1668 Client.exe 146 PID 2220 wrote to memory of 4492 2220 CMD.exe 148 PID 2220 wrote to memory of 4492 2220 CMD.exe 148 PID 1668 wrote to memory of 432 1668 Client.exe 150 PID 1668 wrote to memory of 432 1668 Client.exe 150 PID 432 wrote to memory of 1200 432 CMD.exe 152 PID 432 wrote to memory of 1200 432 CMD.exe 152 PID 1668 wrote to memory of 4836 1668 Client.exe 153 PID 1668 wrote to memory of 4836 1668 Client.exe 153 PID 4836 wrote to memory of 4512 4836 CMD.exe 155 PID 4836 wrote to memory of 4512 4836 CMD.exe 155 PID 1668 wrote to memory of 2924 1668 Client.exe 157 PID 1668 wrote to memory of 2924 1668 Client.exe 157 PID 2924 wrote to memory of 4152 2924 CMD.exe 159 PID 2924 wrote to memory of 4152 2924 CMD.exe 159 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process 1508 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Nezure.exe"C:\Users\Admin\AppData\Local\Temp\Nezure.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4056 -
C:\Users\Admin\AppData\Local\Temp\Nezur.exe"C:\Users\Admin\AppData\Local\Temp\Nezur.exe"2⤵
- Executes dropped EXE
PID:4568
-
-
C:\Users\Admin\AppData\Local\Temp\Client.exe"C:\Users\Admin\AppData\Local\Temp\Client.exe"2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1668 -
C:\Windows\SYSTEM32\CMD.exe"CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Ableton Live" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" & exit3⤵
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\system32\schtasks.exeSchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Ableton Live" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe"4⤵
- Creates scheduled task(s)
PID:1692
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit3⤵
- Suspicious use of WriteProcessMemory
PID:3972 -
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST4⤵
- Creates scheduled task(s)
PID:2924
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Adobe Premiere Pro" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\Chrome.exe" /RL HIGHEST & exit3⤵
- Suspicious use of WriteProcessMemory
PID:4656 -
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo 5 /tn "Adobe Premiere Pro" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\Chrome.exe" /RL HIGHEST4⤵
- Creates scheduled task(s)
PID:3940
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit3⤵
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST4⤵
- Creates scheduled task(s)
PID:896
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit3⤵
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST4⤵
- Creates scheduled task(s)
PID:4492
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit3⤵
- Suspicious use of WriteProcessMemory
PID:432 -
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST4⤵
- Creates scheduled task(s)
PID:1200
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit3⤵
- Suspicious use of WriteProcessMemory
PID:4836 -
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST4⤵
- Creates scheduled task(s)
PID:4512
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit3⤵
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST4⤵
- Creates scheduled task(s)
PID:4152
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit3⤵PID:3056
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST4⤵
- Creates scheduled task(s)
PID:3940
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit3⤵PID:4888
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST4⤵
- Creates scheduled task(s)
PID:4492
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit3⤵PID:728
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST4⤵
- Creates scheduled task(s)
PID:3484
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4844 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1596
-
-
C:\Windows\SYSTEM32\attrib.exe"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"3⤵
- Views/modifies file attributes
PID:1508
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3508
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 23⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2416
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2124
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1676
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" os get Caption3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2368
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" computersystem get totalphysicalmemory3⤵PID:3092
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid3⤵PID:2028
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4512
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic" path win32_VideoController get name3⤵
- Detects videocard installed
PID:5096
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause3⤵
- Suspicious use of WriteProcessMemory
PID:3872 -
C:\Windows\system32\PING.EXEping localhost4⤵
- Runs ping.exe
PID:2836
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3452,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=4432 /prefetch:81⤵PID:2164
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3444
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
1KB
MD5567d7fef99fd45b4def9fa7b093384e2
SHA1e6a0a4657276cca5142193ad980e34d1ed382f41
SHA2567ec7b5f3f860f6b4a326dcc883a2bd3f57bac0a5774418b48e3ef54c2cd2893c
SHA512f45b7876ae0e3eac9dee187f2b901da361caf20e2aebc545408a95f6926a2b3a13233392d085487a76e6972784877637576bf8f9b644c0d59cea02f9177aa711
-
Filesize
944B
MD56d3e9c29fe44e90aae6ed30ccf799ca8
SHA1c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA2562360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA51260c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
-
Filesize
948B
MD574a6b79d36b4aae8b027a218bc6e1af7
SHA10350e46c1df6934903c4820a00b0bc4721779e5f
SHA25660c64f6803d7ad1408d0a8628100470859b16ef332d5f1bd8bb2debe51251d04
SHA51260e71435a9a23f4c144d641844f4182ddc9aa4ccd3e99232149a187112dce96458aab9587e9fea46f5dc5a52f5ca758969a04657a2b5b10241d3e4554f7c85e0
-
Filesize
1KB
MD5276798eeb29a49dc6e199768bc9c2e71
SHA15fdc8ccb897ac2df7476fbb07517aca5b7a6205b
SHA256cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc
SHA5120d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2
-
Filesize
578KB
MD51984de1def2a649295eb4683cef7b145
SHA1b3772c1d98f1d18bafd8cf4781f65fc17f20811a
SHA256ad1ca0ede87c65ab25cca6d7899da474b27ee5631e55c21120e857d16b9802b2
SHA5128b64bec1f124bfe5df9e3b8f7fcae5921836604c67e537445c48bcc2b7ac0b71d00fc7c8f8609799577bce4cdf24bed38eb0c23bb537881c74216f416a665a65
-
Filesize
7.9MB
MD5754c5ad19cb3bc21a58bccf028bc2b86
SHA166fe0f66d80023b347707248abe6e44e5f9d98ce
SHA2568445e6223a5f1b7f33b0320560b34139ab758006ed4492f581e2b90d3e104f5b
SHA512fdbbfbc10c58e909da664e643bffbe640b4b3242df0da2d5bd40d9691f96ce6cca4c27e166dff7e290b3a5f012b0a3e135e1650bf61a7484253c59cc54177790
-
Filesize
230KB
MD59e9bbff99af7ac67d8bd79f854bd569c
SHA1cce432ed7fc4aa23daf8311e2ef3ea2f056c1ca6
SHA256e0465af4219a63f50e3a44f579d27dc9a0188797faf7f614b5f2ecc1d899a24c
SHA5127b70e1cd5b900aa16894c5cd13925f799d59e11fc3113adeeaf4d770e27b4088546f8e21c674d3aed3c13ccc06c04c22a2d54c8286dda28fee77fd0fd1a870b8
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
136KB
MD516e5a492c9c6ae34c59683be9c51fa31
SHA197031b41f5c56f371c28ae0d62a2df7d585adaba
SHA25635c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66
SHA51220fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6