umbral | hxxps://updown[.]link/file/b62j02

Resubmissions

06-07-2024 00:02

240706-abqzessckb 10

05-07-2024 22:21

240705-19zbkazekf 10

Analysis

max time kernel
53s
max time network
54s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
05-07-2024 22:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://updown.link/file/b62j02

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000700000001ac52-61.dat	family_umbral
behavioral1/memory/1908-86-0x000001D3F8750000-0x000001D3F87CE000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
1908	betaloader.exe
4904	betaloader.exe
4084	betaloader.exe
1896	betaloader.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133646917183068557"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
4240	chrome.exe
4240	chrome.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
2116	taskmgr.exe
2116	taskmgr.exe
2116	taskmgr.exe
2116	taskmgr.exe
2116	taskmgr.exe
2116	taskmgr.exe
2116	taskmgr.exe
2116	taskmgr.exe
2116	taskmgr.exe
2116	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeDebugPrivilege	1908	betaloader.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeIncreaseQuotaPrivilege	4648	wmic.exe
Token: SeSecurityPrivilege	4648	wmic.exe
Token: SeTakeOwnershipPrivilege	4648	wmic.exe
Token: SeLoadDriverPrivilege	4648	wmic.exe
Token: SeSystemProfilePrivilege	4648	wmic.exe
Token: SeSystemtimePrivilege	4648	wmic.exe
Token: SeProfSingleProcessPrivilege	4648	wmic.exe
Token: SeIncBasePriorityPrivilege	4648	wmic.exe
Token: SeCreatePagefilePrivilege	4648	wmic.exe
Token: SeBackupPrivilege	4648	wmic.exe
Token: SeRestorePrivilege	4648	wmic.exe
Token: SeShutdownPrivilege	4648	wmic.exe
Token: SeDebugPrivilege	4648	wmic.exe
Token: SeSystemEnvironmentPrivilege	4648	wmic.exe
Token: SeRemoteShutdownPrivilege	4648	wmic.exe
Token: SeUndockPrivilege	4648	wmic.exe
Token: SeManageVolumePrivilege	4648	wmic.exe
Token: 33	4648	wmic.exe
Token: 34	4648	wmic.exe
Token: 35	4648	wmic.exe
Token: 36	4648	wmic.exe
Token: SeIncreaseQuotaPrivilege	4648	wmic.exe
Token: SeSecurityPrivilege	4648	wmic.exe
Token: SeTakeOwnershipPrivilege	4648	wmic.exe
Token: SeLoadDriverPrivilege	4648	wmic.exe
Token: SeSystemProfilePrivilege	4648	wmic.exe
Token: SeSystemtimePrivilege	4648	wmic.exe
Token: SeProfSingleProcessPrivilege	4648	wmic.exe
Token: SeIncBasePriorityPrivilege	4648	wmic.exe
Token: SeCreatePagefilePrivilege	4648	wmic.exe
Token: SeBackupPrivilege	4648	wmic.exe
Token: SeRestorePrivilege	4648	wmic.exe
Token: SeShutdownPrivilege	4648	wmic.exe
Token: SeDebugPrivilege	4648	wmic.exe
Token: SeSystemEnvironmentPrivilege	4648	wmic.exe
Token: SeRemoteShutdownPrivilege	4648	wmic.exe
Token: SeUndockPrivilege	4648	wmic.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
2116	taskmgr.exe
2116	taskmgr.exe
2116	taskmgr.exe
2116	taskmgr.exe
2116	taskmgr.exe
2116	taskmgr.exe
2116	taskmgr.exe
2116	taskmgr.exe
2116	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4240 wrote to memory of 4672	4240	chrome.exe	72
PID 4240 wrote to memory of 4672	4240	chrome.exe	72
PID 4240 wrote to memory of 836	4240	chrome.exe	74
PID 4240 wrote to memory of 836	4240	chrome.exe	74
PID 4240 wrote to memory of 836	4240	chrome.exe	74
PID 4240 wrote to memory of 836	4240	chrome.exe	74
PID 4240 wrote to memory of 836	4240	chrome.exe	74
PID 4240 wrote to memory of 836	4240	chrome.exe	74
PID 4240 wrote to memory of 836	4240	chrome.exe	74
PID 4240 wrote to memory of 836	4240	chrome.exe	74
PID 4240 wrote to memory of 836	4240	chrome.exe	74
PID 4240 wrote to memory of 836	4240	chrome.exe	74
PID 4240 wrote to memory of 836	4240	chrome.exe	74
PID 4240 wrote to memory of 836	4240	chrome.exe	74
PID 4240 wrote to memory of 836	4240	chrome.exe	74
PID 4240 wrote to memory of 836	4240	chrome.exe	74
PID 4240 wrote to memory of 836	4240	chrome.exe	74
PID 4240 wrote to memory of 836	4240	chrome.exe	74
PID 4240 wrote to memory of 836	4240	chrome.exe	74
PID 4240 wrote to memory of 836	4240	chrome.exe	74
PID 4240 wrote to memory of 836	4240	chrome.exe	74
PID 4240 wrote to memory of 836	4240	chrome.exe	74
PID 4240 wrote to memory of 836	4240	chrome.exe	74
PID 4240 wrote to memory of 836	4240	chrome.exe	74
PID 4240 wrote to memory of 836	4240	chrome.exe	74
PID 4240 wrote to memory of 836	4240	chrome.exe	74
PID 4240 wrote to memory of 836	4240	chrome.exe	74
PID 4240 wrote to memory of 836	4240	chrome.exe	74
PID 4240 wrote to memory of 836	4240	chrome.exe	74
PID 4240 wrote to memory of 836	4240	chrome.exe	74
PID 4240 wrote to memory of 836	4240	chrome.exe	74
PID 4240 wrote to memory of 836	4240	chrome.exe	74
PID 4240 wrote to memory of 836	4240	chrome.exe	74
PID 4240 wrote to memory of 836	4240	chrome.exe	74
PID 4240 wrote to memory of 836	4240	chrome.exe	74
PID 4240 wrote to memory of 836	4240	chrome.exe	74
PID 4240 wrote to memory of 836	4240	chrome.exe	74
PID 4240 wrote to memory of 836	4240	chrome.exe	74
PID 4240 wrote to memory of 836	4240	chrome.exe	74
PID 4240 wrote to memory of 836	4240	chrome.exe	74
PID 4240 wrote to memory of 2732	4240	chrome.exe	75
PID 4240 wrote to memory of 2732	4240	chrome.exe	75
PID 4240 wrote to memory of 768	4240	chrome.exe	76
PID 4240 wrote to memory of 768	4240	chrome.exe	76
PID 4240 wrote to memory of 768	4240	chrome.exe	76
PID 4240 wrote to memory of 768	4240	chrome.exe	76
PID 4240 wrote to memory of 768	4240	chrome.exe	76
PID 4240 wrote to memory of 768	4240	chrome.exe	76
PID 4240 wrote to memory of 768	4240	chrome.exe	76
PID 4240 wrote to memory of 768	4240	chrome.exe	76
PID 4240 wrote to memory of 768	4240	chrome.exe	76
PID 4240 wrote to memory of 768	4240	chrome.exe	76
PID 4240 wrote to memory of 768	4240	chrome.exe	76
PID 4240 wrote to memory of 768	4240	chrome.exe	76
PID 4240 wrote to memory of 768	4240	chrome.exe	76
PID 4240 wrote to memory of 768	4240	chrome.exe	76
PID 4240 wrote to memory of 768	4240	chrome.exe	76
PID 4240 wrote to memory of 768	4240	chrome.exe	76
PID 4240 wrote to memory of 768	4240	chrome.exe	76
PID 4240 wrote to memory of 768	4240	chrome.exe	76
PID 4240 wrote to memory of 768	4240	chrome.exe	76
PID 4240 wrote to memory of 768	4240	chrome.exe	76
PID 4240 wrote to memory of 768	4240	chrome.exe	76
PID 4240 wrote to memory of 768	4240	chrome.exe	76

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://updown.link/file/b62j02
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffe3c0a9758,0x7ffe3c0a9768,0x7ffe3c0a9778
  2⤵
  PID:4672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1520 --field-trial-handle=1764,i,16680256435287899503,1503830455239776420,131072 /prefetch:2
  2⤵
  PID:836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1844 --field-trial-handle=1764,i,16680256435287899503,1503830455239776420,131072 /prefetch:8
  2⤵
  PID:2732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2072 --field-trial-handle=1764,i,16680256435287899503,1503830455239776420,131072 /prefetch:8
  2⤵
  PID:768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2844 --field-trial-handle=1764,i,16680256435287899503,1503830455239776420,131072 /prefetch:1
  2⤵
  PID:3524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2852 --field-trial-handle=1764,i,16680256435287899503,1503830455239776420,131072 /prefetch:1
  2⤵
  PID:3788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4980 --field-trial-handle=1764,i,16680256435287899503,1503830455239776420,131072 /prefetch:8
  2⤵
  PID:968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5072 --field-trial-handle=1764,i,16680256435287899503,1503830455239776420,131072 /prefetch:8
  2⤵
  PID:3276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5196 --field-trial-handle=1764,i,16680256435287899503,1503830455239776420,131072 /prefetch:8
  2⤵
  PID:3284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5228 --field-trial-handle=1764,i,16680256435287899503,1503830455239776420,131072 /prefetch:8
  2⤵
  PID:948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5448 --field-trial-handle=1764,i,16680256435287899503,1503830455239776420,131072 /prefetch:8
  2⤵
  PID:1348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5128 --field-trial-handle=1764,i,16680256435287899503,1503830455239776420,131072 /prefetch:8
  2⤵
  PID:2568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5616 --field-trial-handle=1764,i,16680256435287899503,1503830455239776420,131072 /prefetch:8
  2⤵
  PID:1632
- C:\Users\Admin\Downloads\betaloader.exe
  "C:\Users\Admin\Downloads\betaloader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1908
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4648
- C:\Users\Admin\Downloads\betaloader.exe
  "C:\Users\Admin\Downloads\betaloader.exe"
  2⤵
  - Executes dropped EXE
  PID:4904
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:1900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5064 --field-trial-handle=1764,i,16680256435287899503,1503830455239776420,131072 /prefetch:1
  2⤵
  PID:5100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5664 --field-trial-handle=1764,i,16680256435287899503,1503830455239776420,131072 /prefetch:8
  2⤵
  PID:4836

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3244

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1780

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5016

C:\Users\Admin\Downloads\betaloader.exe
"C:\Users\Admin\Downloads\betaloader.exe"
1⤵
- Executes dropped EXE
PID:4084
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:4260

C:\Users\Admin\Downloads\betaloader.exe
"C:\Users\Admin\Downloads\betaloader.exe"
1⤵
- Executes dropped EXE
PID:1896
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:1964

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SendNotifyMessage
PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
360B

MD5
ca450a3718e23a4d0e951de23bbc32ee

SHA1
27ef56140e8e5b3f0e77087d87c04fe3722d305a

SHA256
98672fd07d27d418899b5f86f96af1e859cd59a63118853676607a43c893e395

SHA512
920af0eebef8818a7c1c2c354dd0e64ac8d1085baca0b9016cecd57e73abb29f8efb2f32a85b8b220473a611255c6ef586caf5c569b1fe3e1b8e6b55cd3fa3f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
538B

MD5
a65ecbd25c8df6dfc41b44de4028f557

SHA1
534842af4694daa6839e45dca144d10575ade927

SHA256
f74ef8152e71cb10174814d091c6cc07f4852e39d226246cb3152e24df737fb8

SHA512
2af56dbb3855e3ff0b549d172cf5f00187153d5e050e67f9ee20ab20739dd669f95824bc6a9524e299bb9ecfb3e9249787dcf36e06c18b0e45ae68ec6a583ece

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
bc05cf30dd6a9113115080a99f63a9c0

SHA1
c3544cdfa8804595ef8707ab2634b68dd6c7b5f9

SHA256
bb54ae37a38bd1f49f62040929127bf9f12cd04ab22d357482a47b71c68d299a

SHA512
65a9c7df18ea2997589dc31773595763723e63e30c63c78bf51b0d9db98b23a7661e919e4d1bc27b274c5343780032a5c789b58f9b08ce0c828265965830bafb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b836a942ecb7a30ced7102b6da640e8b

SHA1
c14d07020b9863d1b4c01cbd85597b814e5515fc

SHA256
1df2cb3dd791d2c00929441fd9f441354bc279b63ec3508d8c68af72ce58940f

SHA512
ad7a7c60c138bbae5d1345a9729beef2c4819ed92beff2d9fe91b1544eef70525ecac89cbd5026075c2d9435cfc189c3a4604280acd9e8f715008cf672d09939

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
419651d58f47372af43ba93f2665ab29

SHA1
61df276d6b638ef86c584360eba61b1b26b78b58

SHA256
dfe2363e83c0314eeb45a718d7fa2e82aa34501c13bfdbda319f9ede4669ace3

SHA512
6837a4dfba35cfa806bd9b82906c07ae104e3dfafde99b5895a72f6eb7196a723a6345935fa4d94294fcd0b1ac11cf21ef6166936ca76d22179f77ef87b88d8e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
0f83ed945bbf96cee869fbd1a466d58f

SHA1
d267daff539fa79ae459926f1e3d051311391e3b

SHA256
4584f3dd5eb0b8e10704e5deb8a7636a61730188d8fa90910f1d6434b29ec5f7

SHA512
1302bee0c2c587666f594e56613b493880d9c1dd4511c9df34b994f9abac08bd5ef4e3391851382629b32320d8037de72638e9a44b8c9796bab1a7bad631cb2b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
112KB

MD5
9bb877c0bc871bcc4bd0c6dcb9943da1

SHA1
efe7a447966d274d7813cf205e64c44edf524145

SHA256
7d9926433a7f1087cc55964f1279c85ddd75741a582f7a216e8824822598b7a9

SHA512
a1c02ee1aa6bbbe05d11594609cd280350d8f9567a1e0be6737f7401eb22d37e6623b0f31ebc90b624eaccd40d96ae4a5456497a93573add6d70582169c8cf88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57f82b.TMP

Filesize
111KB

MD5
34dfc185b77dd6b5fe1bb00ad60e7abc

SHA1
770519d2523577809051ac240a488d4dd9bb3cbe

SHA256
14baabad8ec5634f95784c2876e61bc6b4274de96dc4b6f152c3fb3dacb60d6a

SHA512
d32bb49414262826a2002516d7406b706c5cf3d32a7da1ea00575a7220eb8459f3a67fce9596593a04ff69559588c049310b6abfea53ffdbaa42437e7d76007f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\betaloader.exe.log

Filesize
1KB

MD5
53ea0a2251276ba7ae39b07e6116d841

SHA1
5f591af152d71b2f04dfc3353a1c96fd4153117d

SHA256
3f7b0412c182cbdefb3eedafe30233d209d734b1087234ac15409636006b3302

SHA512
cf63abfe61389f241755eef4b8ed0f41701568b79d1263e885f8989ce3eca6bf9f8d5805b4cc7304aaaa5c7e14122b0d15bd9948e47108107bbb7219fd498306

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PRICache\1601268389\715946058.pri

Filesize
171KB

MD5
30ec43ce86e297c1ee42df6209f5b18f

SHA1
fe0a5ea6566502081cb23b2f0e91a3ab166aeed6

SHA256
8ccddf0c77743a42067782bc7782321330406a752f58fb15fb1cd446e1ef0ee4

SHA512
19e5a7197a92eeef0482142cfe0fb46f16ddfb5bf6d64e372e7258fa6d01cf9a1fac9f7258fd2fd73c0f8a064b8d79b51a1ec6d29bbb9b04cdbd926352388bae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PRICache\4183903823\2290032291.pri

Filesize
2KB

MD5
b8da5aac926bbaec818b15f56bb5d7f6

SHA1
2b5bf97cd59e82c7ea96c31cf9998fbbf4884dc5

SHA256
5be5216ae1d0aed64986299528f4d4fe629067d5f4097b8e4b9d1c6bcf4f3086

SHA512
c39a28d58fb03f4f491bf9122a86a5cbe7677ec2856cf588f6263fa1f84f9ffc1e21b9bcaa60d290356f9018fb84375db532c8b678cf95cc0a2cc6ed8da89436

Download Submit
C:\Users\Admin\Downloads\betaloader.exe

Filesize
482KB

MD5
f0463e89e4d196f296afb160224f63b0

SHA1
1ada6bf36121d08f96f4a09402774d3d5a065a7d

SHA256
d891136336eb391236b2cc2f6749440d9eb4dc8fc517eb1262cf739276657073

SHA512
8aacfd6f7c745d41bc639d90cb841652541ec17f7f745bd3ee9f2d24458b3b0c1a5d6b9d50a1e9a50a3e583841e4a443f8d930e626365bc729bff93d19528e34

Download Submit
memory/1908-89-0x00007FFE272E0000-0x00007FFE27CCC000-memory.dmp

Filesize
9.9MB

Download
memory/1908-87-0x00007FFE272E0000-0x00007FFE27CCC000-memory.dmp

Filesize
9.9MB

Download
memory/1908-86-0x000001D3F8750000-0x000001D3F87CE000-memory.dmp

Filesize
504KB

Download
memory/1908-85-0x00007FFE272E3000-0x00007FFE272E4000-memory.dmp

Filesize
4KB

Download