dcrat | 06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
27-06-2024 00:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2bdf60ce1391ccc1a829a41c8b531dd5.exe
Size

46.0MB
MD5

2bdf60ce1391ccc1a829a41c8b531dd5
SHA1

8fecb37b06dd016f820cbc55c1446aa34666bf12
SHA256

06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1
SHA512

0091fc481589bb93b2c4352b600220691cd7f0e0ae7979d6cdf4c529db97613d40cf693b01e3b119bc69a3414ba3f700561ee2364474f48a80f2c9763f357359
SSDEEP

24576:f5r3oaR/k4XDG/BcoNWmt2G/nvxW3Ww0tXegr2pdxgLHw8dQefBkrzCL7:dmtbA30XeY6o/QAU+L

Score

10^/10

dcrat umbral execution infostealer rat spyware stealer

Malware Config

Extracted

Family

umbral

https://discordapp.com/api/webhooks/1253005353222668289/_twANrdJlJok9NDlMWHxe2qUewe11QbdTTPK9sqVpjZ9uRjyV2p28YwCPVaWlpRMyL50

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Detect Umbral payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0009000000015043-12.dat	family_umbral
behavioral1/memory/2468-21-0x0000000000400000-0x0000000000562000-memory.dmp	family_umbral
behavioral1/memory/1736-24-0x0000000000D90000-0x0000000000DD0000-memory.dmp	family_umbral

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	616	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1004	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	844	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1136	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	984	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	568	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1280	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1188	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	2884	schtasks.exe	34

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000015612-18.dat	dcrat
behavioral1/memory/2468-21-0x0000000000400000-0x0000000000562000-memory.dmp	dcrat
behavioral1/files/0x0006000000015d70-49.dat	dcrat
behavioral1/memory/2020-53-0x00000000002A0000-0x0000000000376000-memory.dmp	dcrat
behavioral1/memory/2172-122-0x0000000000E20000-0x0000000000EF6000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2508	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe

Executes dropped EXE 5 IoCs

pid	Process
1640	X8Checker 2.6.exe
1736	Umbral.exe
2204	8XChecker.exe
2020	bridgefont.exe
2172	csrss.exe

Loads dropped DLL 6 IoCs

pid	Process
2468	2bdf60ce1391ccc1a829a41c8b531dd5.exe
2468	2bdf60ce1391ccc1a829a41c8b531dd5.exe
2468	2bdf60ce1391ccc1a829a41c8b531dd5.exe
2468	2bdf60ce1391ccc1a829a41c8b531dd5.exe
1256	cmd.exe
1256	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\es-ES\Idle.exe	bridgefont.exe
File created	C:\Windows\es-ES\6ccacd8608530f	bridgefont.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1252	wmic.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2768	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2736	schtasks.exe
868	schtasks.exe
2936	schtasks.exe
2216	schtasks.exe
2720	schtasks.exe
1480	schtasks.exe
1568	schtasks.exe
844	schtasks.exe
568	schtasks.exe
1560	schtasks.exe
1672	schtasks.exe
1136	schtasks.exe
2776	schtasks.exe
2468	schtasks.exe
1004	schtasks.exe
2920	schtasks.exe
1524	schtasks.exe
984	schtasks.exe
1924	schtasks.exe
2924	schtasks.exe
1784	schtasks.exe
2008	schtasks.exe
2148	schtasks.exe
2340	schtasks.exe
1188	schtasks.exe
2820	schtasks.exe
616	schtasks.exe
1496	schtasks.exe
2892	schtasks.exe
1724	schtasks.exe
2184	schtasks.exe
2040	schtasks.exe
2012	schtasks.exe
536	schtasks.exe
2480	schtasks.exe
1280	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1736	Umbral.exe
2508	powershell.exe
2992	powershell.exe
1772	powershell.exe
2020	bridgefont.exe
1748	powershell.exe
2020	bridgefont.exe
2020	bridgefont.exe
2020	bridgefont.exe
2020	bridgefont.exe
316	powershell.exe
2172	csrss.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1736	Umbral.exe
Token: SeIncreaseQuotaPrivilege	1424	wmic.exe
Token: SeSecurityPrivilege	1424	wmic.exe
Token: SeTakeOwnershipPrivilege	1424	wmic.exe
Token: SeLoadDriverPrivilege	1424	wmic.exe
Token: SeSystemProfilePrivilege	1424	wmic.exe
Token: SeSystemtimePrivilege	1424	wmic.exe
Token: SeProfSingleProcessPrivilege	1424	wmic.exe
Token: SeIncBasePriorityPrivilege	1424	wmic.exe
Token: SeCreatePagefilePrivilege	1424	wmic.exe
Token: SeBackupPrivilege	1424	wmic.exe
Token: SeRestorePrivilege	1424	wmic.exe
Token: SeShutdownPrivilege	1424	wmic.exe
Token: SeDebugPrivilege	1424	wmic.exe
Token: SeSystemEnvironmentPrivilege	1424	wmic.exe
Token: SeRemoteShutdownPrivilege	1424	wmic.exe
Token: SeUndockPrivilege	1424	wmic.exe
Token: SeManageVolumePrivilege	1424	wmic.exe
Token: 33	1424	wmic.exe
Token: 34	1424	wmic.exe
Token: 35	1424	wmic.exe
Token: SeIncreaseQuotaPrivilege	1424	wmic.exe
Token: SeSecurityPrivilege	1424	wmic.exe
Token: SeTakeOwnershipPrivilege	1424	wmic.exe
Token: SeLoadDriverPrivilege	1424	wmic.exe
Token: SeSystemProfilePrivilege	1424	wmic.exe
Token: SeSystemtimePrivilege	1424	wmic.exe
Token: SeProfSingleProcessPrivilege	1424	wmic.exe
Token: SeIncBasePriorityPrivilege	1424	wmic.exe
Token: SeCreatePagefilePrivilege	1424	wmic.exe
Token: SeBackupPrivilege	1424	wmic.exe
Token: SeRestorePrivilege	1424	wmic.exe
Token: SeShutdownPrivilege	1424	wmic.exe
Token: SeDebugPrivilege	1424	wmic.exe
Token: SeSystemEnvironmentPrivilege	1424	wmic.exe
Token: SeRemoteShutdownPrivilege	1424	wmic.exe
Token: SeUndockPrivilege	1424	wmic.exe
Token: SeManageVolumePrivilege	1424	wmic.exe
Token: 33	1424	wmic.exe
Token: 34	1424	wmic.exe
Token: 35	1424	wmic.exe
Token: SeDebugPrivilege	2508	powershell.exe
Token: SeDebugPrivilege	2992	powershell.exe
Token: SeDebugPrivilege	1772	powershell.exe
Token: SeDebugPrivilege	2020	bridgefont.exe
Token: SeDebugPrivilege	1748	powershell.exe
Token: SeIncreaseQuotaPrivilege	2788	wmic.exe
Token: SeSecurityPrivilege	2788	wmic.exe
Token: SeTakeOwnershipPrivilege	2788	wmic.exe
Token: SeLoadDriverPrivilege	2788	wmic.exe
Token: SeSystemProfilePrivilege	2788	wmic.exe
Token: SeSystemtimePrivilege	2788	wmic.exe
Token: SeProfSingleProcessPrivilege	2788	wmic.exe
Token: SeIncBasePriorityPrivilege	2788	wmic.exe
Token: SeCreatePagefilePrivilege	2788	wmic.exe
Token: SeBackupPrivilege	2788	wmic.exe
Token: SeRestorePrivilege	2788	wmic.exe
Token: SeShutdownPrivilege	2788	wmic.exe
Token: SeDebugPrivilege	2788	wmic.exe
Token: SeSystemEnvironmentPrivilege	2788	wmic.exe
Token: SeRemoteShutdownPrivilege	2788	wmic.exe
Token: SeUndockPrivilege	2788	wmic.exe
Token: SeManageVolumePrivilege	2788	wmic.exe
Token: 33	2788	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2468 wrote to memory of 1640	2468	2bdf60ce1391ccc1a829a41c8b531dd5.exe	28
PID 2468 wrote to memory of 1640	2468	2bdf60ce1391ccc1a829a41c8b531dd5.exe	28
PID 2468 wrote to memory of 1640	2468	2bdf60ce1391ccc1a829a41c8b531dd5.exe	28
PID 2468 wrote to memory of 1640	2468	2bdf60ce1391ccc1a829a41c8b531dd5.exe	28
PID 2468 wrote to memory of 1736	2468	2bdf60ce1391ccc1a829a41c8b531dd5.exe	29
PID 2468 wrote to memory of 1736	2468	2bdf60ce1391ccc1a829a41c8b531dd5.exe	29
PID 2468 wrote to memory of 1736	2468	2bdf60ce1391ccc1a829a41c8b531dd5.exe	29
PID 2468 wrote to memory of 1736	2468	2bdf60ce1391ccc1a829a41c8b531dd5.exe	29
PID 2468 wrote to memory of 2204	2468	2bdf60ce1391ccc1a829a41c8b531dd5.exe	30
PID 2468 wrote to memory of 2204	2468	2bdf60ce1391ccc1a829a41c8b531dd5.exe	30
PID 2468 wrote to memory of 2204	2468	2bdf60ce1391ccc1a829a41c8b531dd5.exe	30
PID 2468 wrote to memory of 2204	2468	2bdf60ce1391ccc1a829a41c8b531dd5.exe	30
PID 2204 wrote to memory of 2084	2204	8XChecker.exe	31
PID 2204 wrote to memory of 2084	2204	8XChecker.exe	31
PID 2204 wrote to memory of 2084	2204	8XChecker.exe	31
PID 2204 wrote to memory of 2084	2204	8XChecker.exe	31
PID 1736 wrote to memory of 1424	1736	Umbral.exe	32
PID 1736 wrote to memory of 1424	1736	Umbral.exe	32
PID 1736 wrote to memory of 1424	1736	Umbral.exe	32
PID 1736 wrote to memory of 2472	1736	Umbral.exe	35
PID 1736 wrote to memory of 2472	1736	Umbral.exe	35
PID 1736 wrote to memory of 2472	1736	Umbral.exe	35
PID 1736 wrote to memory of 2508	1736	Umbral.exe	37
PID 1736 wrote to memory of 2508	1736	Umbral.exe	37
PID 1736 wrote to memory of 2508	1736	Umbral.exe	37
PID 1736 wrote to memory of 2992	1736	Umbral.exe	39
PID 1736 wrote to memory of 2992	1736	Umbral.exe	39
PID 1736 wrote to memory of 2992	1736	Umbral.exe	39
PID 2084 wrote to memory of 1256	2084	WScript.exe	41
PID 2084 wrote to memory of 1256	2084	WScript.exe	41
PID 2084 wrote to memory of 1256	2084	WScript.exe	41
PID 2084 wrote to memory of 1256	2084	WScript.exe	41
PID 1256 wrote to memory of 2020	1256	cmd.exe	43
PID 1256 wrote to memory of 2020	1256	cmd.exe	43
PID 1256 wrote to memory of 2020	1256	cmd.exe	43
PID 1256 wrote to memory of 2020	1256	cmd.exe	43
PID 1736 wrote to memory of 1772	1736	Umbral.exe	44
PID 1736 wrote to memory of 1772	1736	Umbral.exe	44
PID 1736 wrote to memory of 1772	1736	Umbral.exe	44
PID 1736 wrote to memory of 1748	1736	Umbral.exe	46
PID 1736 wrote to memory of 1748	1736	Umbral.exe	46
PID 1736 wrote to memory of 1748	1736	Umbral.exe	46
PID 1736 wrote to memory of 2788	1736	Umbral.exe	82
PID 1736 wrote to memory of 2788	1736	Umbral.exe	82
PID 1736 wrote to memory of 2788	1736	Umbral.exe	82
PID 2020 wrote to memory of 2628	2020	bridgefont.exe	86
PID 2020 wrote to memory of 2628	2020	bridgefont.exe	86
PID 2020 wrote to memory of 2628	2020	bridgefont.exe	86
PID 1736 wrote to memory of 2572	1736	Umbral.exe	88
PID 1736 wrote to memory of 2572	1736	Umbral.exe	88
PID 1736 wrote to memory of 2572	1736	Umbral.exe	88
PID 2628 wrote to memory of 3052	2628	cmd.exe	90
PID 2628 wrote to memory of 3052	2628	cmd.exe	90
PID 2628 wrote to memory of 3052	2628	cmd.exe	90
PID 1736 wrote to memory of 2692	1736	Umbral.exe	91
PID 1736 wrote to memory of 2692	1736	Umbral.exe	91
PID 1736 wrote to memory of 2692	1736	Umbral.exe	91
PID 1736 wrote to memory of 316	1736	Umbral.exe	93
PID 1736 wrote to memory of 316	1736	Umbral.exe	93
PID 1736 wrote to memory of 316	1736	Umbral.exe	93
PID 1736 wrote to memory of 1252	1736	Umbral.exe	95
PID 1736 wrote to memory of 1252	1736	Umbral.exe	95
PID 1736 wrote to memory of 1252	1736	Umbral.exe	95
PID 1736 wrote to memory of 760	1736	Umbral.exe	97

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2472	attrib.exe

C:\Users\Admin\AppData\Local\Temp\2bdf60ce1391ccc1a829a41c8b531dd5.exe
"C:\Users\Admin\AppData\Local\Temp\2bdf60ce1391ccc1a829a41c8b531dd5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Users\Admin\AppData\Local\Temp\X8Checker 2.6.exe
  "C:\Users\Admin\AppData\Local\Temp\X8Checker 2.6.exe"
  2⤵
  - Executes dropped EXE
  PID:1640
- C:\Users\Admin\AppData\Local\Temp\Umbral.exe
  "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1424
- - C:\Windows\system32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
    3⤵
    - Views/modifies file attributes
    PID:2472
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2508
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2992
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1772
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1748
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2788
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:2572
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:2692
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:316
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1252
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
    3⤵
    PID:760
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      Runs ping.exe
      PID:2768
- C:\Users\Admin\AppData\Local\Temp\8XChecker.exe
  "C:\Users\Admin\AppData\Local\Temp\8XChecker.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Reviewwinbrokernet\86Wn4vQvMoqlspy5.vbe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2084
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Reviewwinbrokernet\NckHnt5ezZ5X7x5KKKZDHVFQBsAwD.bat" "
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1256
    - - C:\Reviewwinbrokernet\bridgefont.exe
        
        "C:\Reviewwinbrokernet\bridgefont.exe"
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2020
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\B0q4LGMmrb.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:3052
        
        C:\Reviewwinbrokernet\csrss.exe
        
        "C:\Reviewwinbrokernet\csrss.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Microsoft Help\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Microsoft Help\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bridgefontb" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Application Data\bridgefont.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bridgefont" /sc ONLOGON /tr "'C:\Users\Admin\Application Data\bridgefont.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bridgefontb" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Application Data\bridgefont.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Reviewwinbrokernet\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Reviewwinbrokernet\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Reviewwinbrokernet\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Reviewwinbrokernet\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Reviewwinbrokernet\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Reviewwinbrokernet\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bridgefontb" /sc MINUTE /mo 9 /tr "'C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\bridgefont.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bridgefont" /sc ONLOGON /tr "'C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\bridgefont.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bridgefontb" /sc MINUTE /mo 11 /tr "'C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\bridgefont.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Windows\es-ES\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\es-ES\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Windows\es-ES\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Reviewwinbrokernet\86Wn4vQvMoqlspy5.vbe

Filesize
224B

MD5
d0546d4e82d204a215d2202b8122bebf

SHA1
b4b1c33b5104d1d003670c341908a01cc0a4a09b

SHA256
6f1ff6622e86a07eeb4c514424e78f7a9272ba7922de6dcf1df7810f40ab6756

SHA512
91d46ca23a26764f516ae273ae54cf689f303e772e954696e7e0ee7794b9b664be0aa2f432f34822b23657fb2c8bc489650f5b4d36e9b8de3d96a6ab864b9925

Download Submit
C:\Reviewwinbrokernet\NckHnt5ezZ5X7x5KKKZDHVFQBsAwD.bat

Filesize
38B

MD5
5ca65390126e266243ff3881f9cfb3f2

SHA1
228f50250b0cff6894fcc595c1dc1cbcdfd1b4b6

SHA256
ce08fb9623e455e0fd404378ec059c61cbf2c9de162f49c6cf59d244e0cdca54

SHA512
4f211680121ea9ce99c9dfa78de84b2d149902a94eda40d88e7e3cc0c2ba1910be157a84cadc4cc6bf36fbcc20f050f0766a30e9bc1481c93a2c45e6b7b7c47b

Download Submit
C:\Users\Admin\AppData\Local\Temp\B0q4LGMmrb.bat

Filesize
196B

MD5
8c9823789ef6bed94dc6f045520a40a9

SHA1
eef28100e703e77d36ba1b728519d7ad7d7cb4b4

SHA256
48269edd55a44b52ed4311dc05a630120ae63db6e71813883098265526e5d9cf

SHA512
882ca56757be48411a6fb24d0a9002ae455fbd081bffa8b1da78513fefc4e5ffdbed4626b631059f620146809604555a1402bfca34a0855f6d227f6a6c28198a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
9f86159ae4d125d2a7f100300010fe72

SHA1
a6ef0643996e4c97112849167647ea79d1eecc84

SHA256
32a0580101c3f39ed5020bd019f41a07d4dc4b2576d7f8a98806e954ddd651ef

SHA512
3ae22ef6402b6f0e99aa699001b26e99a7ad3ecd80e0e29bfa5589d2bc60692a5ecf821c0e2f9ddc79452a1783923d2ba03f3e99b55b80d0f3224a3bf0ab1976

Download Submit
\Reviewwinbrokernet\bridgefont.exe

Filesize
828KB

MD5
b5c2e9124dfa9d37f7b2032b94127a37

SHA1
3f162c1dff58ff017d4a95540a220b7355765eb6

SHA256
15f729a2209101f7c6ecdaea74121dff0aec9fc1cb6bf3c6a30094af95bc5876

SHA512
edfbf86105464cc2cd214ec7da355f120d1913179855270d0a286bab67bc6c354151dc209a1f1e25ad777b523250ed2f1307e4c5e61434038a488f875c921b46

Download Submit
\Users\Admin\AppData\Local\Temp\8XChecker.exe

Filesize
1.1MB

MD5
562a032b64898a5f86890120f1a6872b

SHA1
2a96ddcf1fc64ec4ab23597cbfce61bed40dd27a

SHA256
bb99ec3195fb0a972271667234885e97ff017df9cc64e605f2d5aafb469bd2a3

SHA512
871fe5fa1da1df87e909e1f9b1276e9d6a1dcaa0e5da7ed5d2df338f12c1b3ac02442ebd65138cbf7a0eb4b6e9237e806fe844f6dd15e352669fdc50cfa8960b

Download Submit
\Users\Admin\AppData\Local\Temp\Umbral.exe

Filesize
231KB

MD5
ec2aed743841885a579338921df5073b

SHA1
8167b69da03e79cc4d013f2b1e2c972a9fa15296

SHA256
f3742ed689ca175bd615de562301102cd1bb72f65b3af8660883d5ea31bada2b

SHA512
aa4430171bd657439957cd5f3da3babf43725fce801c46377d003cd2f019bbb145eaef5de84e87f8bbf81a679733923ae3c5ff54f55e31cb575e13a4073ccc7c

Download Submit
\Users\Admin\AppData\Local\Temp\X8Checker 2.6.exe

Filesize
9KB

MD5
26abb9e459e5976f658ce80d6433f1b1

SHA1
3c8f02c1cf7b8ae82be3deea4b360497f6fee1c3

SHA256
60cc77b5d4210cef0a9032908b179142f212155426fdae48055c5f72811f7a12

SHA512
c2c02aa1db8036c7309100bb683ec7708fedfb129d763d86e03d9d6adc3688423ec04cb5b596eaf99300787f90d641e53350e1ceed0e8b11d6f29333e04b4ce8

Download Submit
memory/316-115-0x0000000001E20000-0x0000000001E28000-memory.dmp

Filesize
32KB

Download
memory/316-114-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download
memory/1640-10-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1736-24-0x0000000000D90000-0x0000000000DD0000-memory.dmp

Filesize
256KB

Download
memory/1748-75-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/1748-78-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/1772-62-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download
memory/1772-65-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download
memory/2020-53-0x00000000002A0000-0x0000000000376000-memory.dmp

Filesize
856KB

Download
memory/2172-122-0x0000000000E20000-0x0000000000EF6000-memory.dmp

Filesize
856KB

Download
memory/2468-21-0x0000000000400000-0x0000000000562000-memory.dmp

Filesize
1.4MB

Download
memory/2508-38-0x0000000002A60000-0x0000000002A68000-memory.dmp

Filesize
32KB

Download
memory/2508-37-0x000000001B640000-0x000000001B922000-memory.dmp

Filesize
2.9MB

Download
memory/2992-44-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

Filesize
2.9MB

Download
memory/2992-45-0x0000000000300000-0x0000000000308000-memory.dmp

Filesize
32KB

Download