umbral | 48fa7c81eedbd5766d91bf8794b21a925e31a5d153a23acdec9138cf4781a540

Analysis

max time kernel
119s
max time network
148s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
16-07-2024 10:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FATALITY crack/FATALITY.exe
Size

2.5MB
MD5

4320dae0d20c88ceb6f28b623a916dd2
SHA1

c1218c51804a602115462ea8259578fdbb280468
SHA256

441d4439cd72a239077d97895571804711356f1e1ded396c229635adf3c80ea4
SHA512

ee32e90d021835d608d43d3ee6d2d107fcfb15fa174c179ed4ae7dd47ec0dd45baadd1c73158c73d5e4fd7b89f5925ae505a6df66bb81e9d5693216316622fcf
SSDEEP

49152:U14vPsUk84QgsmsQgt/KOQtLvwnQ/7syEL+mZ1TxrYgHZfr2gsNS1zb9cVg1Z2U/:JPtmLgtTGTwQAyY3TdYCsI1zAgb27wh

Score

10^/10

umbral execution persistence spyware stealer

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1262023513791795210/lh7elYm8P8VO-5cJhytgrq0ctoq8aDKbmp8g53xHgib8khvCb3mkeM8KrmYRaSRrsa45

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00050000000195c2-12.dat	family_umbral
behavioral1/memory/2064-23-0x0000000000A80000-0x0000000000AC0000-memory.dmp	family_umbral

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\audiodg.exe\""	ComBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\audiodg.exe\", \"C:\\PortFontnetCommon\\smss.exe\""	ComBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\audiodg.exe\", \"C:\\PortFontnetCommon\\smss.exe\", \"C:\\Windows\\Fonts\\System.exe\""	ComBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\audiodg.exe\", \"C:\\PortFontnetCommon\\smss.exe\", \"C:\\Windows\\Fonts\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\""	ComBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\audiodg.exe\", \"C:\\PortFontnetCommon\\smss.exe\", \"C:\\Windows\\Fonts\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\it\\lsass.exe\""	ComBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\audiodg.exe\", \"C:\\PortFontnetCommon\\smss.exe\", \"C:\\Windows\\Fonts\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\it\\lsass.exe\", \"C:\\PortFontnetCommon\\ComBroker.exe\""	ComBroker.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	2660	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	2660	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	276	2660	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2660	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	2660	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2660	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	2660	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	2660	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	2660	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2660	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	2660	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	2660	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	2660	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2660	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2660	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	580	2660	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2660	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2660	schtasks.exe	34

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1804	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe

Executes dropped EXE 5 IoCs

pid	Process
2448	FATALITY.exe
2064	Umbral.exe
2292	Windows Defender.exe
1700	ComBroker.exe
2956	smss.exe

Loads dropped DLL 5 IoCs

pid	Process
1948	FATALITY.exe
1948	FATALITY.exe
1948	FATALITY.exe
2416	cmd.exe
2416	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\""	ComBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\it\\lsass.exe\""	ComBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ComBroker = "\"C:\\PortFontnetCommon\\ComBroker.exe\""	ComBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\audiodg.exe\""	ComBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\PortFontnetCommon\\smss.exe\""	ComBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\PortFontnetCommon\\smss.exe\""	ComBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\Fonts\\System.exe\""	ComBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\Fonts\\System.exe\""	ComBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\""	ComBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\it\\lsass.exe\""	ComBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\ComBroker = "\"C:\\PortFontnetCommon\\ComBroker.exe\""	ComBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\audiodg.exe\""	ComBroker.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
9	discord.com
10	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ip-api.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSCB25195FF1C03441F9877AE207685ABDC.TMP	csc.exe
File created	\??\c:\Windows\System32\8wawgv.exe	csc.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\lsass.exe	ComBroker.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\lsass.exe	ComBroker.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\6203df4a6bafc7	ComBroker.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\audiodg.exe	ComBroker.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\42af1c969fbb7b	ComBroker.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\System.exe	ComBroker.exe
File created	C:\Windows\Fonts\27d1bcfc3c54e0	ComBroker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2096	wmic.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
556	PING.EXE
2276	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3004	schtasks.exe
2508	schtasks.exe
2352	schtasks.exe
2448	schtasks.exe
2240	schtasks.exe
2232	schtasks.exe
1508	schtasks.exe
2056	schtasks.exe
2816	schtasks.exe
2872	schtasks.exe
908	schtasks.exe
1484	schtasks.exe
1552	schtasks.exe
580	schtasks.exe
2000	schtasks.exe
276	schtasks.exe
2920	schtasks.exe
2696	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2064	Umbral.exe
1804	powershell.exe
2884	powershell.exe
3020	powershell.exe
1340	powershell.exe
1700	ComBroker.exe
1700	ComBroker.exe
1700	ComBroker.exe
1700	ComBroker.exe
1700	ComBroker.exe
1700	ComBroker.exe
1700	ComBroker.exe
1700	ComBroker.exe
1700	ComBroker.exe
1700	ComBroker.exe
1700	ComBroker.exe
1700	ComBroker.exe
1700	ComBroker.exe
1700	ComBroker.exe
1700	ComBroker.exe
1700	ComBroker.exe
1700	ComBroker.exe
1700	ComBroker.exe
1700	ComBroker.exe
1700	ComBroker.exe
1700	ComBroker.exe
1700	ComBroker.exe
1700	ComBroker.exe
1700	ComBroker.exe
1700	ComBroker.exe
1700	ComBroker.exe
1700	ComBroker.exe
1700	ComBroker.exe
1700	ComBroker.exe
1700	ComBroker.exe
1700	ComBroker.exe
1700	ComBroker.exe
1700	ComBroker.exe
1700	ComBroker.exe
1700	ComBroker.exe
1700	ComBroker.exe
1700	ComBroker.exe
1700	ComBroker.exe
1700	ComBroker.exe
1700	ComBroker.exe
1700	ComBroker.exe
1700	ComBroker.exe
1700	ComBroker.exe
1700	ComBroker.exe
1700	ComBroker.exe
1700	ComBroker.exe
1700	ComBroker.exe
1700	ComBroker.exe
1700	ComBroker.exe
1700	ComBroker.exe
1700	ComBroker.exe
1700	ComBroker.exe
1700	ComBroker.exe
1700	ComBroker.exe
1700	ComBroker.exe
1700	ComBroker.exe
1700	ComBroker.exe
1700	ComBroker.exe
1700	ComBroker.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2064	Umbral.exe
Token: SeIncreaseQuotaPrivilege	1864	wmic.exe
Token: SeSecurityPrivilege	1864	wmic.exe
Token: SeTakeOwnershipPrivilege	1864	wmic.exe
Token: SeLoadDriverPrivilege	1864	wmic.exe
Token: SeSystemProfilePrivilege	1864	wmic.exe
Token: SeSystemtimePrivilege	1864	wmic.exe
Token: SeProfSingleProcessPrivilege	1864	wmic.exe
Token: SeIncBasePriorityPrivilege	1864	wmic.exe
Token: SeCreatePagefilePrivilege	1864	wmic.exe
Token: SeBackupPrivilege	1864	wmic.exe
Token: SeRestorePrivilege	1864	wmic.exe
Token: SeShutdownPrivilege	1864	wmic.exe
Token: SeDebugPrivilege	1864	wmic.exe
Token: SeSystemEnvironmentPrivilege	1864	wmic.exe
Token: SeRemoteShutdownPrivilege	1864	wmic.exe
Token: SeUndockPrivilege	1864	wmic.exe
Token: SeManageVolumePrivilege	1864	wmic.exe
Token: 33	1864	wmic.exe
Token: 34	1864	wmic.exe
Token: 35	1864	wmic.exe
Token: SeIncreaseQuotaPrivilege	1864	wmic.exe
Token: SeSecurityPrivilege	1864	wmic.exe
Token: SeTakeOwnershipPrivilege	1864	wmic.exe
Token: SeLoadDriverPrivilege	1864	wmic.exe
Token: SeSystemProfilePrivilege	1864	wmic.exe
Token: SeSystemtimePrivilege	1864	wmic.exe
Token: SeProfSingleProcessPrivilege	1864	wmic.exe
Token: SeIncBasePriorityPrivilege	1864	wmic.exe
Token: SeCreatePagefilePrivilege	1864	wmic.exe
Token: SeBackupPrivilege	1864	wmic.exe
Token: SeRestorePrivilege	1864	wmic.exe
Token: SeShutdownPrivilege	1864	wmic.exe
Token: SeDebugPrivilege	1864	wmic.exe
Token: SeSystemEnvironmentPrivilege	1864	wmic.exe
Token: SeRemoteShutdownPrivilege	1864	wmic.exe
Token: SeUndockPrivilege	1864	wmic.exe
Token: SeManageVolumePrivilege	1864	wmic.exe
Token: 33	1864	wmic.exe
Token: 34	1864	wmic.exe
Token: 35	1864	wmic.exe
Token: SeDebugPrivilege	1804	powershell.exe
Token: SeDebugPrivilege	2884	powershell.exe
Token: SeDebugPrivilege	3020	powershell.exe
Token: SeDebugPrivilege	1340	powershell.exe
Token: SeDebugPrivilege	1700	ComBroker.exe
Token: SeIncreaseQuotaPrivilege	1144	wmic.exe
Token: SeSecurityPrivilege	1144	wmic.exe
Token: SeTakeOwnershipPrivilege	1144	wmic.exe
Token: SeLoadDriverPrivilege	1144	wmic.exe
Token: SeSystemProfilePrivilege	1144	wmic.exe
Token: SeSystemtimePrivilege	1144	wmic.exe
Token: SeProfSingleProcessPrivilege	1144	wmic.exe
Token: SeIncBasePriorityPrivilege	1144	wmic.exe
Token: SeCreatePagefilePrivilege	1144	wmic.exe
Token: SeBackupPrivilege	1144	wmic.exe
Token: SeRestorePrivilege	1144	wmic.exe
Token: SeShutdownPrivilege	1144	wmic.exe
Token: SeDebugPrivilege	1144	wmic.exe
Token: SeSystemEnvironmentPrivilege	1144	wmic.exe
Token: SeRemoteShutdownPrivilege	1144	wmic.exe
Token: SeUndockPrivilege	1144	wmic.exe
Token: SeManageVolumePrivilege	1144	wmic.exe
Token: 33	1144	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 2448	1948	FATALITY.exe	30
PID 1948 wrote to memory of 2448	1948	FATALITY.exe	30
PID 1948 wrote to memory of 2448	1948	FATALITY.exe	30
PID 1948 wrote to memory of 2448	1948	FATALITY.exe	30
PID 1948 wrote to memory of 2064	1948	FATALITY.exe	31
PID 1948 wrote to memory of 2064	1948	FATALITY.exe	31
PID 1948 wrote to memory of 2064	1948	FATALITY.exe	31
PID 1948 wrote to memory of 2064	1948	FATALITY.exe	31
PID 1948 wrote to memory of 2292	1948	FATALITY.exe	32
PID 1948 wrote to memory of 2292	1948	FATALITY.exe	32
PID 1948 wrote to memory of 2292	1948	FATALITY.exe	32
PID 1948 wrote to memory of 2292	1948	FATALITY.exe	32
PID 1948 wrote to memory of 2292	1948	FATALITY.exe	32
PID 1948 wrote to memory of 2292	1948	FATALITY.exe	32
PID 1948 wrote to memory of 2292	1948	FATALITY.exe	32
PID 2448 wrote to memory of 2932	2448	FATALITY.exe	33
PID 2448 wrote to memory of 2932	2448	FATALITY.exe	33
PID 2448 wrote to memory of 2932	2448	FATALITY.exe	33
PID 2448 wrote to memory of 2932	2448	FATALITY.exe	33
PID 2064 wrote to memory of 1864	2064	Umbral.exe	35
PID 2064 wrote to memory of 1864	2064	Umbral.exe	35
PID 2064 wrote to memory of 1864	2064	Umbral.exe	35
PID 2064 wrote to memory of 2232	2064	Umbral.exe	37
PID 2064 wrote to memory of 2232	2064	Umbral.exe	37
PID 2064 wrote to memory of 2232	2064	Umbral.exe	37
PID 2064 wrote to memory of 1804	2064	Umbral.exe	39
PID 2064 wrote to memory of 1804	2064	Umbral.exe	39
PID 2064 wrote to memory of 1804	2064	Umbral.exe	39
PID 2064 wrote to memory of 2884	2064	Umbral.exe	41
PID 2064 wrote to memory of 2884	2064	Umbral.exe	41
PID 2064 wrote to memory of 2884	2064	Umbral.exe	41
PID 2064 wrote to memory of 3020	2064	Umbral.exe	43
PID 2064 wrote to memory of 3020	2064	Umbral.exe	43
PID 2064 wrote to memory of 3020	2064	Umbral.exe	43
PID 2064 wrote to memory of 1340	2064	Umbral.exe	45
PID 2064 wrote to memory of 1340	2064	Umbral.exe	45
PID 2064 wrote to memory of 1340	2064	Umbral.exe	45
PID 2932 wrote to memory of 2416	2932	WScript.exe	47
PID 2932 wrote to memory of 2416	2932	WScript.exe	47
PID 2932 wrote to memory of 2416	2932	WScript.exe	47
PID 2932 wrote to memory of 2416	2932	WScript.exe	47
PID 2416 wrote to memory of 1700	2416	cmd.exe	49
PID 2416 wrote to memory of 1700	2416	cmd.exe	49
PID 2416 wrote to memory of 1700	2416	cmd.exe	49
PID 2416 wrote to memory of 1700	2416	cmd.exe	49
PID 2064 wrote to memory of 1144	2064	Umbral.exe	50
PID 2064 wrote to memory of 1144	2064	Umbral.exe	50
PID 2064 wrote to memory of 1144	2064	Umbral.exe	50
PID 2064 wrote to memory of 1052	2064	Umbral.exe	52
PID 2064 wrote to memory of 1052	2064	Umbral.exe	52
PID 2064 wrote to memory of 1052	2064	Umbral.exe	52
PID 2064 wrote to memory of 2572	2064	Umbral.exe	54
PID 2064 wrote to memory of 2572	2064	Umbral.exe	54
PID 2064 wrote to memory of 2572	2064	Umbral.exe	54
PID 2064 wrote to memory of 1364	2064	Umbral.exe	56
PID 2064 wrote to memory of 1364	2064	Umbral.exe	56
PID 2064 wrote to memory of 1364	2064	Umbral.exe	56
PID 1700 wrote to memory of 304	1700	ComBroker.exe	61
PID 1700 wrote to memory of 304	1700	ComBroker.exe	61
PID 1700 wrote to memory of 304	1700	ComBroker.exe	61
PID 2064 wrote to memory of 2096	2064	Umbral.exe	63
PID 2064 wrote to memory of 2096	2064	Umbral.exe	63
PID 2064 wrote to memory of 2096	2064	Umbral.exe	63
PID 304 wrote to memory of 328	304	csc.exe	65

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2232	attrib.exe

C:\Users\Admin\AppData\Local\Temp\FATALITY crack\FATALITY.exe
"C:\Users\Admin\AppData\Local\Temp\FATALITY crack\FATALITY.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Users\Admin\AppData\Local\Temp\FATALITY.exe
  "C:\Users\Admin\AppData\Local\Temp\FATALITY.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\PortFontnetCommon\jnh1y.vbe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2932
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\PortFontnetCommon\IOEmPpqly1DOIlscl2iPO8G0g.bat" "
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2416
    - - C:\PortFontnetCommon\ComBroker.exe
        
        "C:\PortFontnetCommon/ComBroker.exe"
        5⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1700
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4vp2qybo\4vp2qybo.cmdline"
        6⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:304
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCA9F.tmp" "c:\Windows\System32\CSCB25195FF1C03441F9877AE207685ABDC.TMP"
        7⤵
        
        PID:328
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zf5YGXZrWE.bat"
        6⤵
        
        PID:2876
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:264
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        Runs ping.exe
        
        PID:2276
        
        C:\PortFontnetCommon\smss.exe
        
        "C:\PortFontnetCommon\smss.exe"
        7⤵
        Executes dropped EXE
        
        PID:2956
- C:\Users\Admin\AppData\Local\Temp\Umbral.exe
  "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1864
- - C:\Windows\system32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
    3⤵
    - Views/modifies file attributes
    PID:2232
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1804
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2884
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3020
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1340
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1144
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:1052
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:2572
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    PID:1364
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:2096
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
    3⤵
    PID:1692
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      Runs ping.exe
      PID:556
- C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe
  "C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe"
  2⤵
  - Executes dropped EXE
  PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\PortFontnetCommon\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\PortFontnetCommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\PortFontnetCommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\Fonts\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Fonts\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Windows\Fonts\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ComBrokerC" /sc MINUTE /mo 13 /tr "'C:\PortFontnetCommon\ComBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ComBroker" /sc ONLOGON /tr "'C:\PortFontnetCommon\ComBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ComBrokerC" /sc MINUTE /mo 14 /tr "'C:\PortFontnetCommon\ComBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PortFontnetCommon\IOEmPpqly1DOIlscl2iPO8G0g.bat

Filesize
77B

MD5
8a8897cb275aec7987c9fea337dbb5d7

SHA1
cacad156f59892d6070327926560ab0a5fc737da

SHA256
41ec477f48bcce425a660de22536aa3b0fde43560f13158e91d00732185d46a6

SHA512
0c2e8d66062b525a766545f82cf96808b40b307c2b8e478afd2fc1bb5ea8535a83b0b00bafb10af467bd937513d8713e6672b21955551beb33e62d45984092cc

Download Submit
C:\PortFontnetCommon\jnh1y.vbe

Filesize
220B

MD5
8bd8bfc27a2ccc45fc9bb7c3908de480

SHA1
40190bcef75e208709fabdac52efdfea410a6fa9

SHA256
0b6cb03c8b7f3adc721771d9b0f2453f7c983851d3621a6a620b8dbd76f9ba43

SHA512
2ce7ce7525bde10656c8539d1fb1fcbe3d8db693e05efaf6d24017766d623abd2414e7469df9b2d43aef3e4f24584628b7f0060efa51bbb42b0e9e270e76449a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCA9F.tmp

Filesize
1KB

MD5
1233c440d6d9c3e72aaf51ea07cb728e

SHA1
a431ed648c3ec4cae848b939112d3ffe1f74d956

SHA256
dd18450f22c872be7942683465131c42c17fb8b44ad92101519db3eb919ccf97

SHA512
7d8a2b86ed7d46d51b93c251ab5e15235d4b731463fa15b02daf08dc90357cf881b17b38dc07413eb0ae9e81b5f7903550103c99d889bdd9a3d701341f1bf76e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Umbral.exe

Filesize
227KB

MD5
e7452f59f2853220a6db8b98e26a81d1

SHA1
730e6e1f5a6ee671b4be097843b08c242ef4e8fb

SHA256
a9f45987c45143e6c198ebb530c0df131cf1ce8d6b40f07128d22ed30a698f21

SHA512
22ac9f0951e0a7f32012b20335b464eb0b41609f5fbf8bc7ecacfbc3dcad73bfdaeac5695632b9f8005edd2066b2b79a01a743ce04f5847c76e4faff7b1291b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe

Filesize
490KB

MD5
fa3f84d3150dab7b7d8e35efbb8d02db

SHA1
5b690c0be18426633a1954844f49cee2b1e09cb7

SHA256
a42d5a457ee0d90dee5cb5ba969687a83ba5626abf040a2f3ed496f83456c162

SHA512
a4dd554461e167c6a272f8ca90bcde729c319a115419b2a8874af34241116afadf9e6a4dec7db5e145f7e5a1d98827f0a50861c862abb89de81c3f4703247f1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zf5YGXZrWE.bat

Filesize
157B

MD5
f7ccae6774d576f2b82e68dc9da0be33

SHA1
a54189b2978662bd5451c7af9f37709d5e281e04

SHA256
9d4f76b566a687bdae43c3a34e4042ac0194887f55a2acb192e4ebee440fa194

SHA512
ec8bd2ced69bbe0bbef792f6103a03c5766b85482017759b29e488c631c842f33a74f4e77275775f6fd48932f44862fa502ff71f2e84de0793c36132d3e201a5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
6973d42dd875bfd26666c1eb31c48a51

SHA1
c25467f241d2ecfae9ed81503b49b3bb88a20108

SHA256
2b3548683b1fab1c6a09dba70f83f1a6a961e014cdaabe59c5394e47bb11a1c2

SHA512
fded315361316071e7bf592f933d47e39e0306b9be88b8fbbff48108a4bb983a0045946b860023fccd1c3520e33141791f7012b5fe169b919b4e4452979bd38f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4vp2qybo\4vp2qybo.0.cs

Filesize
411B

MD5
9d4b4cf6659e300822afde132c086ac5

SHA1
fa79c73c63a148c377a0109ebbdaf8991d1dd569

SHA256
0b995a0fc2f1fc90aaecc057bfbb8f6a498734b48bbb6be9f90600dffb3041fd

SHA512
1a029821cc3877a5151454b8f9194f4e075230b9cd454416f4c0407c66772bc2b6876c08ce4136ee51f4276cfc20f0fb441f9fc61cc85e5299387f73bd48136e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4vp2qybo\4vp2qybo.cmdline

Filesize
235B

MD5
e164f372e66c30482f0e989853307eff

SHA1
7e03ede7f7b420cccc893c333cc7127180975e7a

SHA256
17a188b8c711accc0bc994da26f453bc6b6277454d58ffd63b64a19753fee217

SHA512
29794cd7fc8404439f43b3494e6b6eec5086d3a6ea1ce612e25b95c901c9ea46e42ef90b204e8be4abafef982efbe0b8561bdadb4b58eda8e90048e67c25cf47

Download Submit
\??\c:\Windows\System32\CSCB25195FF1C03441F9877AE207685ABDC.TMP

Filesize
1KB

MD5
028d4cd290ab6fe13d6fecce144a32cc

SHA1
e1d9531cb2e6bc9cab285b1f19e5d627257a3394

SHA256
3f42f68eb3df49cf836fbb0019b8206af735e22f3d528e7b122fa9b2541fdde3

SHA512
2f99d37a56444831298f8efaef425e5dadec938ac459bfc0cdaf3708ef8662f12bd8d687a58fc1dd6bbdac6c806214b65a21489a24d3160c1e8575968e3caa6e

Download Submit
\PortFontnetCommon\ComBroker.exe

Filesize
2.0MB

MD5
2af56288ae70824c48341954c6817df4

SHA1
36a4df878adc348e12ab01d8cee1b730f234158f

SHA256
08cd9bdbfd747ca0b60186b1c6d8a27c892cb6e3ee1e7e857302b881e8a6d125

SHA512
9469cec69704dccad5c6648af3722c98b2aa3e63ff549b4dd821470c6624e6aee1ddecfc4f4e0feb5f967c8110439b347717f98fc09f8664cef4e4f179199dcb

Download Submit
\Users\Admin\AppData\Local\Temp\FATALITY.exe

Filesize
2.5MB

MD5
835f86f98a133e8bebd227594e9aff76

SHA1
3ebb6890c3f47ab0c906d958895a0d7db2de13d3

SHA256
73354fe6381e7678e3ee478c2c1e8bb21917c8de19e7218e5c4d241345831b29

SHA512
89f5a6a28794b4e414a9f95c44cdaf8e1b3998f668214de30716abd75dc32e526fe001aa5294bae5a44ae5e6274493191f3c2da8ba92fac1ab9f421cedecccc4

Download Submit
memory/1364-106-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/1364-105-0x000000001B640000-0x000000001B922000-memory.dmp

Filesize
2.9MB

Download
memory/1700-88-0x0000000000700000-0x000000000070C000-memory.dmp

Filesize
48KB

Download
memory/1700-74-0x00000000004F0000-0x00000000004FE000-memory.dmp

Filesize
56KB

Download
memory/1700-78-0x00000000006D0000-0x00000000006E8000-memory.dmp

Filesize
96KB

Download
memory/1700-80-0x0000000000500000-0x000000000050E000-memory.dmp

Filesize
56KB

Download
memory/1700-82-0x0000000000510000-0x000000000051C000-memory.dmp

Filesize
48KB

Download
memory/1700-84-0x0000000000520000-0x000000000052E000-memory.dmp

Filesize
56KB

Download
memory/1700-86-0x00000000006F0000-0x00000000006FE000-memory.dmp

Filesize
56KB

Download
memory/1700-76-0x00000000006B0000-0x00000000006CC000-memory.dmp

Filesize
112KB

Download
memory/1700-69-0x00000000013A0000-0x00000000015A0000-memory.dmp

Filesize
2.0MB

Download
memory/1804-38-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

Filesize
32KB

Download
memory/1804-37-0x000000001B730000-0x000000001BA12000-memory.dmp

Filesize
2.9MB

Download
memory/2064-23-0x0000000000A80000-0x0000000000AC0000-memory.dmp

Filesize
256KB

Download
memory/2292-24-0x0000000000A30000-0x0000000000AB0000-memory.dmp

Filesize
512KB

Download
memory/2884-45-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download
memory/2884-44-0x000000001B740000-0x000000001BA22000-memory.dmp

Filesize
2.9MB

Download
memory/2956-129-0x0000000000FA0000-0x00000000011A0000-memory.dmp

Filesize
2.0MB

Download