Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
18-06-2024 10:28
General
-
Target
SolaroB.exe
-
Size
315KB
-
MD5
ded6899acd90f3b7a2a65ac7adf41c9f
-
SHA1
1d696bcfcc10fa05d7a69ce7782ebd0006efb367
-
SHA256
a3b28c9c105887943acef8ae6e70bb79a3db83a7bcdd4307bde10e72c3394268
-
SHA512
fb7986ec47d65412bdda2e25b6b77866bc5dac8d8c51756ba5129e09f5ceb39b4ffc2c4c76536c20ff7dcc23f150f2dde4ba80f08681e53e8e3867b2dda5ab15
-
SSDEEP
6144:gtYtxQIeHKPxA20MTbe61lWTLF21cUWF0ryP7iynfap2d3zN9BeOaJs/C2vQG1yt:gtYt7poMPP1le0y+y7iynypQxb5aJ2+
Score
10/10
Malware Config
Signatures
-
Detect Umbral payload 2 IoCs
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Umbral
Umbral stealer is an opensource moduler stealer written in C#.
-
Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 57 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Modifies registry class 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 41 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 31 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 30 IoCs
-
Suspicious use of SendNotifyMessage 27 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "OpenOffice" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "OpenOffice" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe"4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Spybot - Search & Destroy" /tr "C:\Program Files\xdwdSkype.exe" /RL HIGHEST & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo 5 /tn "Spybot - Search & Destroy" /tr "C:\Program Files\xdwdSkype.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Loads dropped DLL
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffeca12ab58,0x7ffeca12ab68,0x7ffeca12ab782⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1740 --field-trial-handle=1904,i,3202879844152574440,13800444895104505254,131072 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 --field-trial-handle=1904,i,3202879844152574440,13800444895104505254,131072 /prefetch:82⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2188 --field-trial-handle=1904,i,3202879844152574440,13800444895104505254,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3008 --field-trial-handle=1904,i,3202879844152574440,13800444895104505254,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3016 --field-trial-handle=1904,i,3202879844152574440,13800444895104505254,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4220 --field-trial-handle=1904,i,3202879844152574440,13800444895104505254,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4584 --field-trial-handle=1904,i,3202879844152574440,13800444895104505254,131072 /prefetch:82⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4816 --field-trial-handle=1904,i,3202879844152574440,13800444895104505254,131072 /prefetch:82⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4792 --field-trial-handle=1904,i,3202879844152574440,13800444895104505254,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3840 --field-trial-handle=1904,i,3202879844152574440,13800444895104505254,131072 /prefetch:82⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5028 --field-trial-handle=1904,i,3202879844152574440,13800444895104505254,131072 /prefetch:82⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4652 --field-trial-handle=1904,i,3202879844152574440,13800444895104505254,131072 /prefetch:82⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4588 --field-trial-handle=1904,i,3202879844152574440,13800444895104505254,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=2428 --field-trial-handle=1904,i,3202879844152574440,13800444895104505254,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=1332 --field-trial-handle=1904,i,3202879844152574440,13800444895104505254,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=1568 --field-trial-handle=1904,i,3202879844152574440,13800444895104505254,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1648 --field-trial-handle=1904,i,3202879844152574440,13800444895104505254,131072 /prefetch:22⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Loads dropped DLL
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1584.0.1828979728\1919367302" -parentBuildID 20230214051806 -prefsHandle 1756 -prefMapHandle 1748 -prefsLen 22244 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8b1b1123-1eae-4fdd-928b-2b99816aa05a} 1584 "\\.\pipe\gecko-crash-server-pipe.1584" 1836 2b9a9c0d358 gpu3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1584.1.1315284023\1780381257" -parentBuildID 20230214051806 -prefsHandle 2376 -prefMapHandle 2364 -prefsLen 22280 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {172ebe2d-3800-4d47-94df-5ec78e589285} 1584 "\\.\pipe\gecko-crash-server-pipe.1584" 2400 2b995989058 socket3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1584.2.1887130961\1157736587" -childID 1 -isForBrowser -prefsHandle 3180 -prefMapHandle 3176 -prefsLen 22318 -prefMapSize 235121 -jsInitHandle 1280 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {202c697e-5b3c-4a09-bf9b-aaae88af5797} 1584 "\\.\pipe\gecko-crash-server-pipe.1584" 3192 2b9aca04458 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1584.3.896427616\1818787698" -childID 2 -isForBrowser -prefsHandle 4052 -prefMapHandle 4048 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1280 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2caaec5d-5483-4641-8045-f9af44108d80} 1584 "\\.\pipe\gecko-crash-server-pipe.1584" 4064 2b995940f58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1584.4.1425474836\635350413" -childID 3 -isForBrowser -prefsHandle 4888 -prefMapHandle 4884 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1280 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bcc9c706-14e3-4dc2-a0ab-03730bbde95b} 1584 "\\.\pipe\gecko-crash-server-pipe.1584" 4896 2b9b0273458 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1584.5.226799178\1314096882" -childID 4 -isForBrowser -prefsHandle 4996 -prefMapHandle 5000 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1280 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a0d372bc-ba99-4128-a937-7a762ec37de6} 1584 "\\.\pipe\gecko-crash-server-pipe.1584" 4960 2b9b0273d58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1584.6.1110262859\224323783" -childID 5 -isForBrowser -prefsHandle 5276 -prefMapHandle 5272 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1280 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d576924f-d924-4c5b-96d4-500bc613b9f5} 1584 "\\.\pipe\gecko-crash-server-pipe.1584" 5176 2b9b0275858 tab3⤵
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1AppInit DLLs
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
7KB
MD55f92437cca0579e419089906ae3bab3e
SHA16bfbd7ee8da978d09bfcd523a5afe3190bb9f187
SHA256b7271576d59102114f10061fb2018703f011786afbafdd53f301ca06809cea20
SHA51286b01894be05dbcfdee39acff12cdc24a66427b48704a698124e22a4430f8290f30c788da1facdb6340c5cef2bd5550833f00fe5cbcd029fe909cdbe90a311c3
-
Filesize
7KB
MD52009d77647c384bfc7207f498a273da7
SHA155319048e979cd44a6667418fae096ec0afec0fc
SHA256505cd558aed0d2d01c04dabafa59f8263bf202bde884a0a8d2b52754a024b413
SHA512a5c5cb44acc5c1b1665c1e89d01d6898c9f24493acb6fba641b25d975332112538bc1ea9a954d2e76176d26f6eaad9e69c49e2a8aecd571aea324813c61a3a1d
-
Filesize
7KB
MD59eda37b10ea7ceb8fe14a4a8a3637a7e
SHA110015e6c8657c5b0f8f9fd1a44d8533102f3776e
SHA25603814a6dd37d01faf1f75b0787d540f4ec16008d0425c1eb227e82ccb10746e5
SHA51271299c2fa0b0251aca7d7625701f2cf48d15dfd31d58e7bb8434ab23f414ec2c1e0032861002067e1886056fa886e3ef28deeb2a791fbc3334815dfc1e354193
-
Filesize
257KB
MD50de9b7fa53b9f453b2a805347b45c92a
SHA18ae14efcbed9672ffd5a76b5a2216dfd939976ca
SHA25668755966296fd110ecf4e2083a1eb9d20d81b929743cfb9f58f9932697c2e824
SHA5121f7da0cb0901e49c65631d32cdc34ee198a3d522d50fbe6b93455573f98e138ae7ebd13773018a6344f6aca8a828ce100f71a0abc9cf13238556b12b76c4a4f8
-
Filesize
257KB
MD52f7d396a088a48083476a555e3591988
SHA1a8f6118a47791a71ba16ccb8eb53b5403808ed25
SHA256dfc73a14e525d0d05b712b9de71dc93e7ec1ee83d732deb24134688a0ad411c0
SHA5124f640d7069359fe06f24b509f16592728492cb6204f2988b829ca77fe5f58053e174e4ce2ab322ebf8e1a4825d73e27fbb39b84cffd16bf027829a73c497ef18
-
Filesize
91KB
MD510325457e3594a1b21b52bcc72d16638
SHA13224ed6648a484d9cab78d51b3a4d153c4306058
SHA25690e480b23a4d3ac1f00d5aa85f6b20b0c8802cab255d376e0f20b9ef87882c25
SHA5126ef9dfef07ee211acaa10629cb627e6add96ff79d09fba264e903c3d1474371cd7bc87beb638740f34ee9eb4360f3d13fe576fa25c7a62f2a8c86b01d57eb1e6
-
Filesize
88KB
MD50aa1923441762fff58d4a063f3f46e11
SHA16195223db8268e72aafcc330465e3eb52561f7f7
SHA256a91269333c20ef2b2616f562579285687b713e7e7d0f6265b6536616e3075b23
SHA512382d1989e70bda67cd5bd911660c28c91fe985a7a832cfa15707c0d559a722066f3be8b95f701fa997cac205bdc4a1095d67bacbc441151a1ff8fa00d15960e4
-
Filesize
27KB
MD50cffff6e312deaa9d3794f6eb1576bcc
SHA1df81d8e28278e02a4906abe22165f15ff92aa2b1
SHA256baa330739342960ad4f04c486985b4356c5c23c781e01e6eea99fcc380e73acc
SHA512e137b475ad3c59a0ecf94a034a8cfcfd7f6e083627399354ad06e8969f899457b90d888f1dc50a4d1b8e3f74bfc243ed49f0f8bfc0a8ddf977767051b5df27c8
-
Filesize
434KB
MD56787e0a40d568fa795d5f161b6643319
SHA1f2a25997405ae299f1f0b79a14b428576c2222cb
SHA256c48fdb6d13f7a2a778a646aaaf2cba2ddf9f2cf523ff1f700185213057116ee6
SHA51266eaa3d8b524e3cb9d3f3d40034f8321f24c1b5ed77e8039f5682116776edfd59519f2aefa7cb8b35e5939dfaf744197abf0c0a85067ac98ff6cb4d289e38a91
-
Filesize
231KB
MD5dc8cfe903cd39191e93c5003568f75e9
SHA18406d466aba0fa4dcd59ae3059d8dc393e77e25d
SHA2564068e0955554c872492cb955ae63e983a57db97c43966af5e73feb5618c44486
SHA512a55117aa65c1bb4a5230da4aa4661e99a1c80163938230d752c3442173c90f6e5f2abd630fc8b09b9f14eb75da9f355c19f3bd37845fa8efc0f625b2b1506407
-
Filesize
136KB
MD516e5a492c9c6ae34c59683be9c51fa31
SHA197031b41f5c56f371c28ae0d62a2df7d585adaba
SHA25635c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66
SHA51220fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
344KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
256KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
456KB