umbral | 36734bbdc99849c42ec7ee00791c0d62847c0e90e570433711c014bae6b69079

Analysis

max time kernel
149s
max time network
137s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
04-07-2024 17:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

loader.exe
Size

254KB
MD5

ce298bde4b5d1231f937e3c434275dc0
SHA1

8dc7b79f0c7abd7c11fdddd6d102bcf5cf11e4f7
SHA256

36734bbdc99849c42ec7ee00791c0d62847c0e90e570433711c014bae6b69079
SHA512

79ea7640fb1abc8ad4d36a28cbb342fc0be563f9fc5fc9ad07dd5ca3cde24f5d5c4d1d2c09f0bfb6e8206cef6bff9ebfd626d020527ad8e7754afc1fc2f0ea1a
SSDEEP

6144:K4oZoAeVHPtHgTIAaZgCwDx7axHU0unC28ejI877:xoZyHPvWCwjXCsIa

Score

10^/10

umbral stealer

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1256062934485045258/Q_bRzRUen92KeGVBFc6B5Dg9OremPYs3ocgIoMQC8M0kLh5sIrj8beRvj7lBOtwcwCDV

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/memory/4144-0-0x000001A6CDF30000-0x000001A6CDF76000-memory.dmp	family_umbral
behavioral1/files/0x000900000001ad24-608.dat	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
2944	loader.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
97	camo.githubusercontent.com
98	camo.githubusercontent.com
112	raw.githubusercontent.com
114	raw.githubusercontent.com
95	camo.githubusercontent.com
96	camo.githubusercontent.com
109	raw.githubusercontent.com
110	raw.githubusercontent.com
111	raw.githubusercontent.com
113	raw.githubusercontent.com

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\loader.exe:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 55 IoCs

pid	Process
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4144	loader.exe
Token: SeIncreaseQuotaPrivilege	4024	wmic.exe
Token: SeSecurityPrivilege	4024	wmic.exe
Token: SeTakeOwnershipPrivilege	4024	wmic.exe
Token: SeLoadDriverPrivilege	4024	wmic.exe
Token: SeSystemProfilePrivilege	4024	wmic.exe
Token: SeSystemtimePrivilege	4024	wmic.exe
Token: SeProfSingleProcessPrivilege	4024	wmic.exe
Token: SeIncBasePriorityPrivilege	4024	wmic.exe
Token: SeCreatePagefilePrivilege	4024	wmic.exe
Token: SeBackupPrivilege	4024	wmic.exe
Token: SeRestorePrivilege	4024	wmic.exe
Token: SeShutdownPrivilege	4024	wmic.exe
Token: SeDebugPrivilege	4024	wmic.exe
Token: SeSystemEnvironmentPrivilege	4024	wmic.exe
Token: SeRemoteShutdownPrivilege	4024	wmic.exe
Token: SeUndockPrivilege	4024	wmic.exe
Token: SeManageVolumePrivilege	4024	wmic.exe
Token: 33	4024	wmic.exe
Token: 34	4024	wmic.exe
Token: 35	4024	wmic.exe
Token: 36	4024	wmic.exe
Token: SeIncreaseQuotaPrivilege	4024	wmic.exe
Token: SeSecurityPrivilege	4024	wmic.exe
Token: SeTakeOwnershipPrivilege	4024	wmic.exe
Token: SeLoadDriverPrivilege	4024	wmic.exe
Token: SeSystemProfilePrivilege	4024	wmic.exe
Token: SeSystemtimePrivilege	4024	wmic.exe
Token: SeProfSingleProcessPrivilege	4024	wmic.exe
Token: SeIncBasePriorityPrivilege	4024	wmic.exe
Token: SeCreatePagefilePrivilege	4024	wmic.exe
Token: SeBackupPrivilege	4024	wmic.exe
Token: SeRestorePrivilege	4024	wmic.exe
Token: SeShutdownPrivilege	4024	wmic.exe
Token: SeDebugPrivilege	4024	wmic.exe
Token: SeSystemEnvironmentPrivilege	4024	wmic.exe
Token: SeRemoteShutdownPrivilege	4024	wmic.exe
Token: SeUndockPrivilege	4024	wmic.exe
Token: SeManageVolumePrivilege	4024	wmic.exe
Token: 33	4024	wmic.exe
Token: 34	4024	wmic.exe
Token: 35	4024	wmic.exe
Token: 36	4024	wmic.exe
Token: SeDebugPrivilege	2424	firefox.exe
Token: SeDebugPrivilege	2424	firefox.exe
Token: SeDebugPrivilege	2944	loader.exe
Token: SeIncreaseQuotaPrivilege	960	wmic.exe
Token: SeSecurityPrivilege	960	wmic.exe
Token: SeTakeOwnershipPrivilege	960	wmic.exe
Token: SeLoadDriverPrivilege	960	wmic.exe
Token: SeSystemProfilePrivilege	960	wmic.exe
Token: SeSystemtimePrivilege	960	wmic.exe
Token: SeProfSingleProcessPrivilege	960	wmic.exe
Token: SeIncBasePriorityPrivilege	960	wmic.exe
Token: SeCreatePagefilePrivilege	960	wmic.exe
Token: SeBackupPrivilege	960	wmic.exe
Token: SeRestorePrivilege	960	wmic.exe
Token: SeShutdownPrivilege	960	wmic.exe
Token: SeDebugPrivilege	960	wmic.exe
Token: SeSystemEnvironmentPrivilege	960	wmic.exe
Token: SeRemoteShutdownPrivilege	960	wmic.exe
Token: SeUndockPrivilege	960	wmic.exe
Token: SeManageVolumePrivilege	960	wmic.exe
Token: SeImpersonatePrivilege	960	wmic.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2424	firefox.exe
2424	firefox.exe
2424	firefox.exe
2424	firefox.exe
2424	firefox.exe
2424	firefox.exe
2424	firefox.exe
2424	firefox.exe
2424	firefox.exe
2424	firefox.exe
2424	firefox.exe
2424	firefox.exe
2424	firefox.exe
2424	firefox.exe
2424	firefox.exe
2424	firefox.exe
2424	firefox.exe
2424	firefox.exe
2424	firefox.exe
2424	firefox.exe
2424	firefox.exe
2424	firefox.exe
2424	firefox.exe
2424	firefox.exe
2424	firefox.exe
2424	firefox.exe
2424	firefox.exe
2424	firefox.exe
2424	firefox.exe
2424	firefox.exe
2424	firefox.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2424	firefox.exe
2424	firefox.exe
2424	firefox.exe
2424	firefox.exe
2424	firefox.exe
2424	firefox.exe
2424	firefox.exe
2424	firefox.exe
2424	firefox.exe
2424	firefox.exe
2424	firefox.exe
2424	firefox.exe
2424	firefox.exe
2424	firefox.exe
2424	firefox.exe
2424	firefox.exe
2424	firefox.exe
2424	firefox.exe
2424	firefox.exe
2424	firefox.exe
2424	firefox.exe
2424	firefox.exe
2424	firefox.exe
2424	firefox.exe
2424	firefox.exe
2424	firefox.exe
2424	firefox.exe
2424	firefox.exe
2424	firefox.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe
3552	taskmgr.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2424	firefox.exe
2424	firefox.exe
2424	firefox.exe
2424	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4144 wrote to memory of 4024	4144	loader.exe	74
PID 4144 wrote to memory of 4024	4144	loader.exe	74
PID 96 wrote to memory of 2424	96	firefox.exe	79
PID 96 wrote to memory of 2424	96	firefox.exe	79
PID 96 wrote to memory of 2424	96	firefox.exe	79
PID 96 wrote to memory of 2424	96	firefox.exe	79
PID 96 wrote to memory of 2424	96	firefox.exe	79
PID 96 wrote to memory of 2424	96	firefox.exe	79
PID 96 wrote to memory of 2424	96	firefox.exe	79
PID 96 wrote to memory of 2424	96	firefox.exe	79
PID 96 wrote to memory of 2424	96	firefox.exe	79
PID 96 wrote to memory of 2424	96	firefox.exe	79
PID 96 wrote to memory of 2424	96	firefox.exe	79
PID 2424 wrote to memory of 2176	2424	firefox.exe	80
PID 2424 wrote to memory of 2176	2424	firefox.exe	80
PID 2424 wrote to memory of 4320	2424	firefox.exe	81
PID 2424 wrote to memory of 4320	2424	firefox.exe	81
PID 2424 wrote to memory of 4320	2424	firefox.exe	81
PID 2424 wrote to memory of 4320	2424	firefox.exe	81
PID 2424 wrote to memory of 4320	2424	firefox.exe	81
PID 2424 wrote to memory of 4320	2424	firefox.exe	81
PID 2424 wrote to memory of 4320	2424	firefox.exe	81
PID 2424 wrote to memory of 4320	2424	firefox.exe	81
PID 2424 wrote to memory of 4320	2424	firefox.exe	81
PID 2424 wrote to memory of 4320	2424	firefox.exe	81
PID 2424 wrote to memory of 4320	2424	firefox.exe	81
PID 2424 wrote to memory of 4320	2424	firefox.exe	81
PID 2424 wrote to memory of 4320	2424	firefox.exe	81
PID 2424 wrote to memory of 4320	2424	firefox.exe	81
PID 2424 wrote to memory of 4320	2424	firefox.exe	81
PID 2424 wrote to memory of 4320	2424	firefox.exe	81
PID 2424 wrote to memory of 4320	2424	firefox.exe	81
PID 2424 wrote to memory of 4320	2424	firefox.exe	81
PID 2424 wrote to memory of 4320	2424	firefox.exe	81
PID 2424 wrote to memory of 4320	2424	firefox.exe	81
PID 2424 wrote to memory of 4320	2424	firefox.exe	81
PID 2424 wrote to memory of 4320	2424	firefox.exe	81
PID 2424 wrote to memory of 4320	2424	firefox.exe	81
PID 2424 wrote to memory of 4320	2424	firefox.exe	81
PID 2424 wrote to memory of 4320	2424	firefox.exe	81
PID 2424 wrote to memory of 4320	2424	firefox.exe	81
PID 2424 wrote to memory of 4320	2424	firefox.exe	81
PID 2424 wrote to memory of 4320	2424	firefox.exe	81
PID 2424 wrote to memory of 4320	2424	firefox.exe	81
PID 2424 wrote to memory of 4320	2424	firefox.exe	81
PID 2424 wrote to memory of 4320	2424	firefox.exe	81
PID 2424 wrote to memory of 4320	2424	firefox.exe	81
PID 2424 wrote to memory of 4320	2424	firefox.exe	81
PID 2424 wrote to memory of 4320	2424	firefox.exe	81
PID 2424 wrote to memory of 4320	2424	firefox.exe	81
PID 2424 wrote to memory of 4320	2424	firefox.exe	81
PID 2424 wrote to memory of 4320	2424	firefox.exe	81
PID 2424 wrote to memory of 4320	2424	firefox.exe	81
PID 2424 wrote to memory of 4320	2424	firefox.exe	81
PID 2424 wrote to memory of 4320	2424	firefox.exe	81
PID 2424 wrote to memory of 4320	2424	firefox.exe	81
PID 2424 wrote to memory of 4320	2424	firefox.exe	81
PID 2424 wrote to memory of 4320	2424	firefox.exe	81
PID 2424 wrote to memory of 4320	2424	firefox.exe	81
PID 2424 wrote to memory of 4320	2424	firefox.exe	81
PID 2424 wrote to memory of 4320	2424	firefox.exe	81
PID 2424 wrote to memory of 4320	2424	firefox.exe	81
PID 2424 wrote to memory of 4320	2424	firefox.exe	81
PID 2424 wrote to memory of 1436	2424	firefox.exe	82

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\loader.exe
"C:\Users\Admin\AppData\Local\Temp\loader.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4144
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4024

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:96
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2424
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2424.0.1046318290\496168136" -parentBuildID 20221007134813 -prefsHandle 1704 -prefMapHandle 1692 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {488f1b25-71ee-4490-9ac2-e3c11acd3ba7} 2424 "\\.\pipe\gecko-crash-server-pipe.2424" 1764 1c51cdd7458 gpu
    3⤵
    PID:2176
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2424.1.711458890\937251860" -parentBuildID 20221007134813 -prefsHandle 2108 -prefMapHandle 2104 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7e6a45b1-5237-49b0-b17c-cfb5a3504631} 2424 "\\.\pipe\gecko-crash-server-pipe.2424" 2120 1c51c93e858 socket
    3⤵
    PID:4320
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2424.2.2112167012\963008803" -childID 1 -isForBrowser -prefsHandle 2916 -prefMapHandle 2912 -prefsLen 20866 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fdb1f133-f050-403f-ba54-6db167904018} 2424 "\\.\pipe\gecko-crash-server-pipe.2424" 2888 1c52109cb58 tab
    3⤵
    PID:1436
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2424.3.1797431857\955568705" -childID 2 -isForBrowser -prefsHandle 3520 -prefMapHandle 3516 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8c5c0846-2aa6-47c6-bce3-0700e962694c} 2424 "\\.\pipe\gecko-crash-server-pipe.2424" 3532 1c51c93ee58 tab
    3⤵
    PID:3076
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2424.4.1752315966\585360503" -childID 3 -isForBrowser -prefsHandle 4260 -prefMapHandle 4256 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2fcd76bd-536a-49f1-bf7d-4b93daea129f} 2424 "\\.\pipe\gecko-crash-server-pipe.2424" 4264 1c5230d0258 tab
    3⤵
    PID:2216
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2424.5.1322618298\1919425634" -childID 4 -isForBrowser -prefsHandle 4992 -prefMapHandle 4988 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {899165bb-4efa-41ee-a96d-52d36057163e} 2424 "\\.\pipe\gecko-crash-server-pipe.2424" 4996 1c50a930858 tab
    3⤵
    PID:1564
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2424.6.1295047573\817540739" -childID 5 -isForBrowser -prefsHandle 5152 -prefMapHandle 5156 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a9f27f7c-626f-4206-af98-d0d9c9ee605c} 2424 "\\.\pipe\gecko-crash-server-pipe.2424" 5144 1c521e5cf58 tab
    3⤵
    PID:3736
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2424.7.756028665\1240859595" -childID 6 -isForBrowser -prefsHandle 5348 -prefMapHandle 5352 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {14e5bd68-495a-437d-bcf1-e2c5038b6bf4} 2424 "\\.\pipe\gecko-crash-server-pipe.2424" 5340 1c5234cf858 tab
    3⤵
    PID:3864
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2424.8.1853970031\154176432" -childID 7 -isForBrowser -prefsHandle 5568 -prefMapHandle 5564 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1e4fc285-f3d5-4e4c-b3df-2f51bf8afdf4} 2424 "\\.\pipe\gecko-crash-server-pipe.2424" 5684 1c525320e58 tab
    3⤵
    PID:404
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2424.9.1646820280\1671615300" -parentBuildID 20221007134813 -prefsHandle 3964 -prefMapHandle 3968 -prefsLen 26768 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a340faaf-5502-4527-aa6a-50384db4c678} 2424 "\\.\pipe\gecko-crash-server-pipe.2424" 3956 1c525482e58 rdd
    3⤵
    PID:3036
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2424.10.1804078007\1244921613" -childID 8 -isForBrowser -prefsHandle 4360 -prefMapHandle 4816 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c38ba282-d973-4198-8d38-439e176608cf} 2424 "\\.\pipe\gecko-crash-server-pipe.2424" 2824 1c525e1ca58 tab
    3⤵
    PID:592
- - C:\Users\Admin\Downloads\loader.exe
    "C:\Users\Admin\Downloads\loader.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2944
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:960

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3552

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\loader.exe.log

Filesize
1KB

MD5
53ea0a2251276ba7ae39b07e6116d841

SHA1
5f591af152d71b2f04dfc3353a1c96fd4153117d

SHA256
3f7b0412c182cbdefb3eedafe30233d209d734b1087234ac15409636006b3302

SHA512
cf63abfe61389f241755eef4b8ed0f41701568b79d1263e885f8989ce3eca6bf9f8d5805b4cc7304aaaa5c7e14122b0d15bd9948e47108107bbb7219fd498306

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\doomed\26418

Filesize
9KB

MD5
547f4ac52ba64968946acbbe5eea725a

SHA1
13e17a99df3d08d1e1ff89cc95eb9effafe439af

SHA256
c1023063e03b7d13e07b3c3a49ce88d973b61be250fb554e1f3f132a8b688639

SHA512
6a36c9b93906eda7cd38ed2fed32ef6895b194e28e3b7344fb8b625d220dbfc127a1ddd71917d06c73e746289628d96a377d6f9ce7ae166df96c5c6f6ae772cc

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\21235C60DB68B39BE5D5AAFD7CFDA8EB241CAC6D

Filesize
93KB

MD5
842da0a8eb3d263bd9c02f8be95bf5f8

SHA1
826bbdea9cb223986889451fdb126f53c5afbd5b

SHA256
809298c349f7f8495fbd92e5107ec01e50ef4a709115eb9125928be85795166c

SHA512
7e5f7971a60d78776b04a7802b8b832441df1e422bdf58727bcffe9eb4b80b4c714a401a982872b3437315ae55512946a3df33cddac5b35ba69a85f331a0f324

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\462E5FADCC82A134C10A828C114C5F747964CF3D

Filesize
121KB

MD5
df9ee898f2de1649381b7a0748b46b9c

SHA1
d5044122b74bdc4352fc6a6f94bb5b2927430a4e

SHA256
3e2c1ba41c6e6b553e08c131e8e46c9fbdd2248b9b45d6cf77722ee0522dd980

SHA512
07c0528c63a1b899878612ce4acec473d6a53911994e9107b029dc33ae5e24b7147eb9d9e90cfcade7669ec6f3a242df8aeee7e01876504788a1167d6ac50501

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\4D3373C611DE638ED6CA0F7AB92AED0C904A3795

Filesize
89KB

MD5
ad64f83c2e8c8e9f9f0ae18e7506b65d

SHA1
5890ca757d0f0f3ed04b1f6c0df9bd766078e463

SHA256
6af0aae847d7ae2655b8d6a8350fa0931d62659ef29e8f1a480944714d0e4c23

SHA512
a93e3e97186f89346215e3ebe11dfa4e5c3533799887b48553ebd73ce04b7773375606690d3155cf4f73704a7a3f50c01da53e91f60e02c57761b4e2935cddb0

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\88D2DD145122466A8C6F39785D5A392BF5E86A0D

Filesize
81KB

MD5
b3cfa3e9f6886041f0fe9c4768660bc1

SHA1
e5d443b3bf2cf8618bd30df7a2ff6e21d9d3312d

SHA256
a89d2ec0bcb1aaa8758fba7a791e321fa56950f268feac7ac460082c5f808937

SHA512
0abc1197618185d0d125b607b42611a11b61236129ac2355c8142e1008d37375620c30dcc349e9b07b85e6d82ff129bd0b2a6714d1dadd0d949678c5527f3181

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\92B7809CBCCEC32F8AA6B585CB23104E10E55D53

Filesize
774KB

MD5
634d36df4895097be1dfd7cdd5595815

SHA1
fa022af6dd72068d7625ae965a64b66dd3aa296c

SHA256
eda803902ce8a4d15e6dfe7c5ff84c3234501be910155bc4f21da85f0adb4760

SHA512
1152a72339f8d0b906ed5efd8853f13a5c6d3f7a3ebe37b1872cb4620cde4da3ac8f6a9020b1f86333c9fc06bb3fa2a7a4f4a1a6166811c48bedeae4c0563ce1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\97B10BC4D7847C8AE893CE9BC8685F05EBFA5B05

Filesize
2.0MB

MD5
41946cb540e48c773f798db0d8a6575c

SHA1
8efd860307a66a56208a83c6456a58956e6e5965

SHA256
d267fa9c09166140e980da544a8654bf1882e86acc4241387b02339fd65ee154

SHA512
7b10f6b58eca1038a2a239ab796d31118c1311cce5d3dccba09fce9f3b7919531436593b0ca05354febf59d167f3cbb4e6fa8b4a7b35d980cfc4f53acae0bb0c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\D911690572EFF44BA9B379A93A81EA65D99204DB

Filesize
85KB

MD5
88df6e714c960143b4f0ea221caaabbd

SHA1
35002f9021adb5476240f9d45ead3f32331f6e45

SHA256
44f7eb6be5b0ead2309fb8969af3f6b513c462d139ab12e4d2765d910ac6600f

SHA512
dfe071a7b939a65b4dbd1371d1570d8b5e66ead164c0f63c54aa704d29fc5724d3626747489b745c5e35a209075ef2d1f0dcc6549c88ff9156336deca495f3d4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
7d5d031cf4f3385342dc49e63cb90356

SHA1
f1cf0111e35b4d3a9a9cebbd9662c4adcb331dc8

SHA256
34626f564cc72bee9d72ac497aaabcb649e54206007dd8b349e59705a66fcf08

SHA512
ed129234597095962ae0f00fdb8918c99498b8bd29649e507bf6d01b7a05bfcd546691e9c611ca4e1aa4bb632fb2af53ba8667fb4fc2b27f7cf7607aa6eaf7ca

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\1eba927c-e643-48e3-a20f-875d4efb4963

Filesize
746B

MD5
393939d0340942488ac7369fd29449e6

SHA1
8c09a51376f797886a9d5e740905a8d460dafd22

SHA256
ce581377f5d6659f1fdcd86df4202045708da9853313148b9264dcb340e3adb2

SHA512
35a09f168f0def3aeda361a227deb5eebc1000aee839fc02c3ff2f4ccd6b26f13885a2ec1c81dfd3ff706ecfbd6a551fd9df656bc2594f94f675c01d0fd05bc6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\334866b8-04f9-4a9c-9397-19c56797703b

Filesize
10KB

MD5
07068b28736d651a52c7c7935de30106

SHA1
8f849941c7e65ca0a1c9a0c4162e0fc5a554a7a7

SHA256
90f2e94b646e508a93a93a694487bea6e876af6d60ff3e3cd434bc50152b0b73

SHA512
427b6a3db66855a64ab223e908c85757fdff6e76d73dba1ad3f12286112e9011142c3f38bddf1b5b612ad76b5e52805c2baf31bc247647a56ad17d911b7119d6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js

Filesize
6KB

MD5
9d48d11de91bac4addc74db133c940be

SHA1
acd948ed53afc225235aff4315e2a925dd4472b8

SHA256
7dc9d583216cf08c0e408a9f3b0316f629f153f2c9c9273496b92c18fb86ce39

SHA512
d289e1bbc0a93bf77a8a16edfac90b0da9cd061e1e1bd9988a697264fd9e1177eb533b7164304db1778b96d39d68c9b2bcc70117198c929bcf808f094b6120cb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js

Filesize
6KB

MD5
7e9ab6ae3b835a5f1ede2e263fb76b76

SHA1
7cc9247298f047436bde82d86b76aa4a8059031a

SHA256
bdde0d31c4c61d4ca8d7e416a0e6f5be3565c740fdf3c5a8b859cd56ff60f952

SHA512
5f3dfa5fdaf354bd6d184fc85b583ac9091eee9c3bad35959c23cf7778691841b1de87bc5757f79c8282fcf42ec46398a76b270cd853f71df079853241e23e1e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs.js

Filesize
6KB

MD5
73dfeea07e5efa42897ee445fea29a87

SHA1
ba0a266e7c422938b0ac26dbb1b6029524177728

SHA256
2bc0126f5a1a24d7e916ff8d905f99f5630d0e2398f520651b7d059ba2c8085e

SHA512
42d1e90c11ce407bc24880595b2c15e2bb022288414e38afa970b5fd030c379afc0dede769ba044ede1bc543799eb370a6d240dd34d08a6a71d0b4d735f63d04

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
e2a5603c27820c173785e48e07cfe058

SHA1
599bc588d16aef8a85406a87739d03067908c2d1

SHA256
15a9977de2b3af821bc2ccc64343f95d1dca462ef2bb476db850b09bcd8ef582

SHA512
3c16db19163ad9612cd53e504a9871558458b0738f394308bbf35bff03653c95b15aeac2b628232e4a61b6fbf196b557cc25e75a9bb7c5135862a39e8181cf3b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
1a37eb7012dc9cab5d5fd61b97efba66

SHA1
3fadcdc9b701d18d89eb1d1b2d3ed3376a4e84e4

SHA256
0efbf4f0484c434245c6d8e589d60235dd6895a0a54fd8c275134c65301f9cd9

SHA512
15c8ea3d74e8c800a56f2c577a472d4fb8299a5d7a590816d4afc87b998390c1948f72acb835b1735dc569e958e64bdbf9a0d83be2b18da3ddaf82d426482cbe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
f72b612f7d0c9d7935c376960c9d4d20

SHA1
669f33d1a9b0734df4c74f9646027d3713ddf766

SHA256
48d3c9d6a917c19057d59deba2943d685e00b3a698760aad7910ea3eeb038202

SHA512
48dec1aba44c411db2a89060ff4437eefeda4f18aadaf906e67dacc6ae718d806fb6f36c02c9ff88560b2938ab0d845100fe04c43c2593bb6573db925226adc7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
6KB

MD5
43b4d64d8316dfdf9905dcac410104ee

SHA1
2090b1b779a116a23a2cdcc1a9bfcef5d6b9c933

SHA256
1a4d2d348083008a4db689b791e7de5e5e9f5d6d8dc22d31114c0b64149c8038

SHA512
86351e9e54f1cacd3f2db73ac35f3052b1277c672b388dc5d084b2db84e24d3881d852f87ffb2c5d0cd87069f01ecbb165d6adc2a77801d1200b18db01aa5e3e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
be691fe51c18e432d78741ff614abb4d

SHA1
882bf195a0db757e6c21113f4e3751908e0c4ec9

SHA256
4b300a315de91eb27f727325e9c2281bda1f431e292bc3b215901da31e44bf89

SHA512
6a5707974eef1424413255bc63ef67aa78e5963b7b752c517bc3f4260d2bfeffd590776f034bb0676dfdb32b08e2304b9ea31992810b61b8f04e5b4ec1d6339b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
a1822454595bd938b5d852af81fc8b18

SHA1
7a98d731f56ba7ab658d592bdfabefbe73bfce68

SHA256
323103317e70f9e854d831519bd0681ba62d49453d4c557bc0c3ec257f31005b

SHA512
60cc59a96550bdcbb28c7de6e1682e6ec791d002e93dc8d15e33b6cb82efd5995f2ee5d473faba1dc958aeab6b42068c79c39fc788169035653c954e8746cc1b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
ad095954894b6fa8355358d6b48cf0a8

SHA1
aa108dfc3868179b901380b8ef4bf752f6764692

SHA256
50cb6f2c08b28b868cb6a99425e3be8dc2d107d5f08acc441a0649367cff4750

SHA512
2683e1c47b322809413a2a6d8167de2d9d349fe437971a004de0ef6620c3f3e553c8f1745706f7302a4591a5b1aff9659499fed1c75ce9cebb01a2f36ba3e1eb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
1fdc13de64cfdb8ba3fcd71aad9d33d3

SHA1
b7649cfd66d751435fa56a4b4b20daace452c692

SHA256
fa890605b23aecfebe4300d159f10096cfaba982a942c8ce829617b3de36a783

SHA512
3c9dc261a1f0a96d4433d60de03423d58f0bd63dbf5db48962372658103f16991f6da06c1670deea1e51efd2a15aae699d1d287ee377e0a457299a7dd9f691a7

Download Submit
C:\Users\Admin\Downloads\loader.Mg9RXoYB.exe.part

Filesize
20KB

MD5
bbd15b1037845c0863e29357fb48ee29

SHA1
426a7448d37e1921d8112972d8541369f0a725af

SHA256
594999a215642b9336e990b192793b96f985659fcd89341ced176c6d44a30a07

SHA512
a8e6bb760c10f35d62092fdabeed3d2795b5c44ece441430fe82bf1dfb695e6a027de061f8cc4613226dd33b3a406cf447bf2cc2ffae381689d6d3d46e30d873

Download Submit
C:\Users\Admin\Downloads\loader.exe

Filesize
254KB

MD5
ce298bde4b5d1231f937e3c434275dc0

SHA1
8dc7b79f0c7abd7c11fdddd6d102bcf5cf11e4f7

SHA256
36734bbdc99849c42ec7ee00791c0d62847c0e90e570433711c014bae6b69079

SHA512
79ea7640fb1abc8ad4d36a28cbb342fc0be563f9fc5fc9ad07dd5ca3cde24f5d5c4d1d2c09f0bfb6e8206cef6bff9ebfd626d020527ad8e7754afc1fc2f0ea1a

Download Submit
memory/2944-611-0x00007FFD59D13000-0x00007FFD59D14000-memory.dmp

Filesize
4KB

Download
memory/2944-621-0x00007FFD59D10000-0x00007FFD5A6FC000-memory.dmp

Filesize
9.9MB

Download
memory/2944-622-0x00007FFD59D10000-0x00007FFD5A6FC000-memory.dmp

Filesize
9.9MB

Download
memory/4144-0-0x000001A6CDF30000-0x000001A6CDF76000-memory.dmp

Filesize
280KB

Download
memory/4144-1-0x00007FFD5A823000-0x00007FFD5A824000-memory.dmp

Filesize
4KB

Download
memory/4144-2-0x00007FFD5A820000-0x00007FFD5B20C000-memory.dmp

Filesize
9.9MB

Download
memory/4144-4-0x00007FFD5A820000-0x00007FFD5B20C000-memory.dmp

Filesize
9.9MB

Download