Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    30-05-2024 02:11

General

  • Target

    4efce9b6099fa6bfc272b5e192fe16cc.exe

  • Size

    8.3MB

  • MD5

    4efce9b6099fa6bfc272b5e192fe16cc

  • SHA1

    d5495d7d0593a0258bb50325eb0381cec5decd19

  • SHA256

    185d297d3a204b586f262ce576bc40127b6ea49561b07c7e40c0a2e779df03e1

  • SHA512

    0b81846c316c3790b1d3fd88953d7c9350443d8dd34cbf4311677e5706b59f4e8b0819186f7cb81b980bab88b9aa6802170536d50a989f081b0aacb68f58ca5f

  • SSDEEP

    196608:UB4vMWmmF95vrRoypY2xNS+U1kYLLBGJt4qi5Wh4d3J4jtQG0gIe:UevBn5viETxNS+5OBU4hat0gI

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1244715424420069449/GTIFnC19DnPwT_RfLQ395m4ILCbNzqdjl2fE6jLwJomWdfGuqMipwhUem4c7oUOG5y7l

Signatures

  • Detect Umbral payload 2 IoCs
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Umbral

    Umbral stealer is an open-source modular stealer written in C#.

  • Modifies AppInit DLL entries 2 TTPs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 41 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 42 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\4efce9b6099fa6bfc272b5e192fe16cc.exe
    "C:\Users\Admin\AppData\Local\Temp\4efce9b6099fa6bfc272b5e192fe16cc.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2756
    • C:\Users\Admin\AppData\Local\Temp\Nezur.exe
      "C:\Users\Admin\AppData\Local\Temp\Nezur.exe"
      2⤵
      • Executes dropped EXE
      PID:2868
    • C:\Users\Admin\AppData\Local\Temp\Client.exe
      "C:\Users\Admin\AppData\Local\Temp\Client.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2688
      • C:\Windows\system32\CMD.exe
        "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Ableton Live" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2656
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Ableton Live" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe"
          4⤵
          • Creates scheduled task(s)
          PID:2820
      • C:\Windows\system32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2328
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
          4⤵
          • Creates scheduled task(s)
          PID:312
      • C:\Windows\system32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Adobe Premiere Pro" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\Chrome.exe" /RL HIGHEST & exit
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1740
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo 5 /tn "Adobe Premiere Pro" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\Chrome.exe" /RL HIGHEST
          4⤵
          • Creates scheduled task(s)
          • Suspicious behavior: EnumeratesProcesses
          PID:1728
      • C:\Windows\system32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2124
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
          4⤵
          • Creates scheduled task(s)
          • Suspicious behavior: EnumeratesProcesses
          PID:576
      • C:\Windows\system32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1348
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
          4⤵
          • Creates scheduled task(s)
          • Suspicious behavior: EnumeratesProcesses
          PID:1204
      • C:\Windows\system32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2840
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
          4⤵
          • Creates scheduled task(s)
          • Suspicious behavior: EnumeratesProcesses
          PID:776
      • C:\Windows\system32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2740
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
          4⤵
          • Creates scheduled task(s)
          • Suspicious behavior: EnumeratesProcesses
          PID:2876
      • C:\Windows\system32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2252
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
          4⤵
          • Creates scheduled task(s)
          • Suspicious behavior: EnumeratesProcesses
          PID:2496
      • C:\Windows\system32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2776
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
          4⤵
          • Creates scheduled task(s)
          • Suspicious behavior: EnumeratesProcesses
          PID:2648
      • C:\Windows\system32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2552
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
          4⤵
          • Creates scheduled task(s)
          • Suspicious behavior: EnumeratesProcesses
          PID:1428
      • C:\Windows\system32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2084
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
          4⤵
          • Creates scheduled task(s)
          • Suspicious behavior: EnumeratesProcesses
          PID:808
      • C:\Windows\system32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1104
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
          4⤵
          • Creates scheduled task(s)
          • Suspicious behavior: EnumeratesProcesses
          PID:1648
      • C:\Windows\system32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1316
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
          4⤵
          • Creates scheduled task(s)
          • Suspicious behavior: EnumeratesProcesses
          PID:836
      • C:\Windows\system32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:792
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
          4⤵
          • Creates scheduled task(s)
          • Suspicious behavior: EnumeratesProcesses
          PID:2288
      • C:\Windows\system32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2744
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
          4⤵
          • Creates scheduled task(s)
          • Suspicious behavior: EnumeratesProcesses
          PID:2800
      • C:\Windows\system32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2980
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
          4⤵
          • Creates scheduled task(s)
          • Suspicious behavior: EnumeratesProcesses
          PID:2240
      • C:\Windows\system32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2636
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
          4⤵
          • Creates scheduled task(s)
          • Suspicious behavior: EnumeratesProcesses
          PID:2192
      • C:\Windows\system32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2796
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
          4⤵
          • Creates scheduled task(s)
          • Suspicious behavior: EnumeratesProcesses
          PID:1724
      • C:\Windows\system32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:908
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
          4⤵
          • Creates scheduled task(s)
          • Suspicious behavior: EnumeratesProcesses
          PID:1028
      • C:\Windows\system32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:788
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
          4⤵
          • Creates scheduled task(s)
          • Suspicious behavior: EnumeratesProcesses
          PID:2280
      • C:\Windows\system32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:952
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
          4⤵
          • Creates scheduled task(s)
          • Suspicious behavior: EnumeratesProcesses
          PID:1088
      • C:\Windows\system32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1788
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
          4⤵
          • Creates scheduled task(s)
          • Suspicious behavior: EnumeratesProcesses
          PID:2284
      • C:\Windows\system32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2084
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
          4⤵
          • Creates scheduled task(s)
          • Suspicious behavior: EnumeratesProcesses
          PID:1348
      • C:\Windows\system32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1604
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
          4⤵
          • Creates scheduled task(s)
          • Suspicious behavior: EnumeratesProcesses
          PID:1944
      • C:\Windows\system32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1376
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
          4⤵
          • Creates scheduled task(s)
          • Suspicious behavior: EnumeratesProcesses
          PID:2408
      • C:\Windows\system32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2664
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
          4⤵
          • Creates scheduled task(s)
          • Suspicious behavior: EnumeratesProcesses
          PID:2348
      • C:\Windows\system32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2532
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
          4⤵
          • Creates scheduled task(s)
          • Suspicious behavior: EnumeratesProcesses
          PID:1796
      • C:\Windows\system32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1148
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
          4⤵
          • Creates scheduled task(s)
          • Suspicious behavior: EnumeratesProcesses
          PID:1172
      • C:\Windows\system32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2052
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
          4⤵
          • Creates scheduled task(s)
          PID:972
      • C:\Windows\system32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
        3⤵
        PID:1156
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
          4⤵
          • Creates scheduled task(s)
          PID:1924
      • C:\Windows\system32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
        3⤵
        PID:2284
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
          4⤵
          • Creates scheduled task(s)
          PID:844
      • C:\Windows\system32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
        3⤵
        PID:2656
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
          4⤵
          • Creates scheduled task(s)
          PID:2804
      • C:\Windows\system32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
        3⤵
        PID:2808
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
          4⤵
          • Creates scheduled task(s)
          PID:2888
      • C:\Windows\system32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
        3⤵
        PID:2384
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
          4⤵
          • Creates scheduled task(s)
          PID:2972
      • C:\Windows\system32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
        3⤵
        PID:1664
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
          4⤵
          • Creates scheduled task(s)
          PID:1724
      • C:\Windows\system32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
        3⤵
        PID:2680
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
          4⤵
          • Creates scheduled task(s)
          PID:2424
      • C:\Windows\system32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
        3⤵
        PID:1036
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
          4⤵
          • Creates scheduled task(s)
          PID:2224
      • C:\Windows\system32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
        3⤵
        PID:2028
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
          4⤵
          • Creates scheduled task(s)
          PID:1700
      • C:\Windows\system32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
        3⤵
        PID:1924
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
          4⤵
          • Creates scheduled task(s)
          PID:320
      • C:\Windows\system32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
        3⤵
        PID:1360
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
          4⤵
          • Creates scheduled task(s)
          PID:1996
      • C:\Windows\system32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
        3⤵
        PID:1512
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
          4⤵
          • Creates scheduled task(s)
          PID:3012
    • C:\Users\Admin\AppData\Local\Temp\Umbral.exe
      "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2912
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2436
  • C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\WmiApSrv.exe
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:1576

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Client.exe

    Filesize

    578KB

    MD5

    1984de1def2a649295eb4683cef7b145

    SHA1

    b3772c1d98f1d18bafd8cf4781f65fc17f20811a

    SHA256

    ad1ca0ede87c65ab25cca6d7899da474b27ee5631e55c21120e857d16b9802b2

    SHA512

    8b64bec1f124bfe5df9e3b8f7fcae5921836604c67e537445c48bcc2b7ac0b71d00fc7c8f8609799577bce4cdf24bed38eb0c23bb537881c74216f416a665a65

  • C:\Users\Admin\AppData\Local\Temp\Umbral.exe

    Filesize

    230KB

    MD5

    9e9bbff99af7ac67d8bd79f854bd569c

    SHA1

    cce432ed7fc4aa23daf8311e2ef3ea2f056c1ca6

    SHA256

    e0465af4219a63f50e3a44f579d27dc9a0188797faf7f614b5f2ecc1d899a24c

    SHA512

    7b70e1cd5b900aa16894c5cd13925f799d59e11fc3113adeeaf4d770e27b4088546f8e21c674d3aed3c13ccc06c04c22a2d54c8286dda28fee77fd0fd1a870b8

  • C:\Windows\xdwd.dll

    Filesize

    136KB

    MD5

    16e5a492c9c6ae34c59683be9c51fa31

    SHA1

    97031b41f5c56f371c28ae0d62a2df7d585adaba

    SHA256

    35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

    SHA512

    20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

  • \Users\Admin\AppData\Local\Temp\Nezur.exe

    Filesize

    7.9MB

    MD5

    754c5ad19cb3bc21a58bccf028bc2b86

    SHA1

    66fe0f66d80023b347707248abe6e44e5f9d98ce

    SHA256

    8445e6223a5f1b7f33b0320560b34139ab758006ed4492f581e2b90d3e104f5b

    SHA512

    fdbbfbc10c58e909da664e643bffbe640b4b3242df0da2d5bd40d9691f96ce6cca4c27e166dff7e290b3a5f012b0a3e135e1650bf61a7484253c59cc54177790

  • memory/576-93-0x000007FEF2170000-0x000007FEF2192000-memory.dmp

    Filesize

    136KB

  • memory/776-158-0x000007FEFAF60000-0x000007FEFAF82000-memory.dmp

    Filesize

    136KB

  • memory/788-608-0x000007FEFAF60000-0x000007FEFAF82000-memory.dmp

    Filesize

    136KB

  • memory/792-415-0x000007FEFAF60000-0x000007FEFAF82000-memory.dmp

    Filesize

    136KB

  • memory/808-321-0x000007FEF6600000-0x000007FEF6622000-memory.dmp

    Filesize

    136KB

  • memory/836-384-0x000007FEF6600000-0x000007FEF6622000-memory.dmp

    Filesize

    136KB

  • memory/844-961-0x000007FEF6940000-0x000007FEF6962000-memory.dmp

    Filesize

    136KB

  • memory/908-579-0x000007FEF6600000-0x000007FEF6622000-memory.dmp

    Filesize

    136KB

  • memory/952-642-0x000007FEF6600000-0x000007FEF6622000-memory.dmp

    Filesize

    136KB

  • memory/972-897-0x000007FEF6940000-0x000007FEF6962000-memory.dmp

    Filesize

    136KB

  • memory/1028-577-0x000007FEF6600000-0x000007FEF6622000-memory.dmp

    Filesize

    136KB

  • memory/1088-641-0x000007FEF6600000-0x000007FEF6622000-memory.dmp

    Filesize

    136KB

  • memory/1104-350-0x000007FEFAF60000-0x000007FEFAF82000-memory.dmp

    Filesize

    136KB

  • memory/1148-866-0x000007FEFAF60000-0x000007FEFAF82000-memory.dmp

    Filesize

    136KB

  • memory/1156-928-0x000007FEFAF60000-0x000007FEFAF82000-memory.dmp

    Filesize

    136KB

  • memory/1172-865-0x000007FEFAF60000-0x000007FEFAF82000-memory.dmp

    Filesize

    136KB

  • memory/1204-127-0x000007FEF2170000-0x000007FEF2192000-memory.dmp

    Filesize

    136KB

  • memory/1316-386-0x000007FEF6600000-0x000007FEF6622000-memory.dmp

    Filesize

    136KB

  • memory/1348-129-0x000007FEF2170000-0x000007FEF2192000-memory.dmp

    Filesize

    136KB

  • memory/1348-705-0x000007FEF6940000-0x000007FEF6962000-memory.dmp

    Filesize

    136KB

  • memory/1376-771-0x000007FEF6940000-0x000007FEF6962000-memory.dmp

    Filesize

    136KB

  • memory/1428-284-0x000007FEFAF60000-0x000007FEFAF82000-memory.dmp

    Filesize

    136KB

  • memory/1576-130-0x000007FEF2170000-0x000007FEF2192000-memory.dmp

    Filesize

    136KB

  • memory/1604-736-0x000007FEFAF60000-0x000007FEFAF82000-memory.dmp

    Filesize

    136KB

  • memory/1648-347-0x000007FEFAF60000-0x000007FEFAF82000-memory.dmp

    Filesize

    136KB

  • memory/1724-540-0x000007FEFAF60000-0x000007FEFAF82000-memory.dmp

    Filesize

    136KB

  • memory/1728-64-0x000007FEF7730000-0x000007FEF7752000-memory.dmp

    Filesize

    136KB

  • memory/1740-65-0x000007FEF7730000-0x000007FEF7752000-memory.dmp

    Filesize

    136KB

  • memory/1788-674-0x000007FEFAF60000-0x000007FEFAF82000-memory.dmp

    Filesize

    136KB

  • memory/1796-833-0x000007FEF6940000-0x000007FEF6962000-memory.dmp

    Filesize

    136KB

  • memory/1924-927-0x000007FEFAF60000-0x000007FEFAF82000-memory.dmp

                            Filesize

                            136KB

                          • memory/1944-735-0x000007FEFAF60000-0x000007FEFAF82000-memory.dmp

                            Filesize

                            136KB

                          • memory/2052-898-0x000007FEF6940000-0x000007FEF6962000-memory.dmp

                            Filesize

                            136KB

                          • memory/2084-706-0x000007FEF6940000-0x000007FEF6962000-memory.dmp

                            Filesize

                            136KB

                          • memory/2084-322-0x000007FEF6600000-0x000007FEF6622000-memory.dmp

                            Filesize

                            136KB

                          • memory/2124-94-0x000007FEF2170000-0x000007FEF2192000-memory.dmp

                            Filesize

                            136KB

                          • memory/2192-512-0x000007FEF6600000-0x000007FEF6622000-memory.dmp

                            Filesize

                            136KB

                          • memory/2240-479-0x000007FEFAF60000-0x000007FEFAF82000-memory.dmp

                            Filesize

                            136KB

                          • memory/2252-223-0x000007FEFAF60000-0x000007FEFAF82000-memory.dmp

                            Filesize

                            136KB

                          • memory/2280-607-0x000007FEFAF60000-0x000007FEFAF82000-memory.dmp

                            Filesize

                            136KB

                          • memory/2284-963-0x000007FEF6940000-0x000007FEF6962000-memory.dmp

                            Filesize

                            136KB

                          • memory/2284-673-0x000007FEFAF60000-0x000007FEFAF82000-memory.dmp

                            Filesize

                            136KB

                          • memory/2288-414-0x000007FEFAF60000-0x000007FEFAF82000-memory.dmp

                            Filesize

                            136KB

                          • memory/2348-799-0x000007FEFAF60000-0x000007FEFAF82000-memory.dmp

                            Filesize

                            136KB

                          • memory/2408-770-0x000007FEF6940000-0x000007FEF6962000-memory.dmp

                            Filesize

                            136KB

                          • memory/2496-222-0x000007FEFAF60000-0x000007FEFAF82000-memory.dmp

                            Filesize

                            136KB

                          • memory/2532-834-0x000007FEF6940000-0x000007FEF6962000-memory.dmp

                            Filesize

                            136KB

                          • memory/2552-286-0x000007FEFAF60000-0x000007FEFAF82000-memory.dmp

                            Filesize

                            136KB

                          • memory/2636-514-0x000007FEF6600000-0x000007FEF6622000-memory.dmp

                            Filesize

                            136KB

                          • memory/2648-256-0x000007FEF6600000-0x000007FEF6622000-memory.dmp

                            Filesize

                            136KB

                          • memory/2656-994-0x000007FEFAF60000-0x000007FEFAF82000-memory.dmp

                            Filesize

                            136KB

                          • memory/2664-800-0x000007FEFAF60000-0x000007FEFAF82000-memory.dmp

                            Filesize

                            136KB

                          • memory/2688-16-0x0000000000090000-0x0000000000126000-memory.dmp

                            Filesize

                            600KB

                          • memory/2740-194-0x000007FEF6600000-0x000007FEF6622000-memory.dmp

                            Filesize

                            136KB

                          • memory/2744-450-0x000007FEF6600000-0x000007FEF6622000-memory.dmp

                            Filesize

                            136KB

                          • memory/2756-20-0x000000013FEB0000-0x0000000141209000-memory.dmp

                            Filesize

                            19.3MB

                          • memory/2756-1-0x0000000000CA0000-0x00000000014EC000-memory.dmp

                            Filesize

                            8.3MB

                          • memory/2756-0-0x000007FEF5753000-0x000007FEF5754000-memory.dmp

                            Filesize

                            4KB

                          • memory/2756-2-0x000007FEF5750000-0x000007FEF613C000-memory.dmp

                            Filesize

                            9.9MB

                          • memory/2756-23-0x000007FEF5750000-0x000007FEF613C000-memory.dmp

                            Filesize

                            9.9MB

                          • memory/2776-258-0x000007FEF6600000-0x000007FEF6622000-memory.dmp

                            Filesize

                            136KB

                          • memory/2796-541-0x000007FEFAF60000-0x000007FEFAF82000-memory.dmp

                            Filesize

                            136KB

                          • memory/2800-449-0x000007FEF6600000-0x000007FEF6622000-memory.dmp

                            Filesize

                            136KB

                          • memory/2804-993-0x000007FEFAF60000-0x000007FEFAF82000-memory.dmp

                            Filesize

                            136KB

                          • memory/2808-1027-0x000007FEF6940000-0x000007FEF6962000-memory.dmp

                            Filesize

                            136KB

                          • memory/2840-159-0x000007FEFAF60000-0x000007FEFAF82000-memory.dmp

                            Filesize

                            136KB

                          • memory/2868-22-0x000000013FEB0000-0x0000000141209000-memory.dmp

                            Filesize

                            19.3MB

                          • memory/2868-25-0x000000013FEB0000-0x0000000141209000-memory.dmp

                            Filesize

                            19.3MB

                          • memory/2876-192-0x000007FEF6600000-0x000007FEF6622000-memory.dmp

                            Filesize

                            136KB

                          • memory/2888-1026-0x000007FEF6940000-0x000007FEF6962000-memory.dmp

                            Filesize

                            136KB

                          • memory/2912-21-0x0000000001300000-0x0000000001340000-memory.dmp

                            Filesize

                            256KB

                          • memory/2980-481-0x000007FEFAF60000-0x000007FEFAF82000-memory.dmp

                            Filesize

                            136KB