umbral | hxxps://krampus[.]pages[.]dev/

Analysis

max time kernel
75s
max time network
89s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
27-07-2024 02:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://krampus.pages.dev/

Score

10^/10

umbral discovery execution spyware stealer

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1225264880039235738/46bNxRt60w9YjuGcjqkvDLT2Saa0gXhoe7P2-CbuUHwdxfwONEkNG92CHxRK6S67a3Bd

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023515-159.dat	family_umbral
behavioral1/memory/5844-161-0x000001DBA8630000-0x000001DBA8670000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3184	powershell.exe
3000	powershell.exe
4580	powershell.exe
5784	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	b5uEJHZB6Rl.exe

Executes dropped EXE 2 IoCs

pid	Process
5844	b5uEJHZB6Rl.exe
5940	b5uEJHZB6Rl.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
80	discord.com
81	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
71	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4272	cmd.exe
928	PING.EXE

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
6052	wmic.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings	msedge.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
928	PING.EXE

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
4312	msedge.exe
4312	msedge.exe
2052	msedge.exe
2052	msedge.exe
2168	msedge.exe
2168	msedge.exe
3960	identity_helper.exe
3960	identity_helper.exe
5940	b5uEJHZB6Rl.exe
5940	b5uEJHZB6Rl.exe
3184	powershell.exe
3184	powershell.exe
3184	powershell.exe
3000	powershell.exe
3000	powershell.exe
3000	powershell.exe
4580	powershell.exe
4580	powershell.exe
4580	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeRestorePrivilege	5456	7zG.exe
Token: 35	5456	7zG.exe
Token: SeSecurityPrivilege	5456	7zG.exe
Token: SeSecurityPrivilege	5456	7zG.exe
Token: SeDebugPrivilege	5940	b5uEJHZB6Rl.exe
Token: SeIncreaseQuotaPrivilege	6036	wmic.exe
Token: SeSecurityPrivilege	6036	wmic.exe
Token: SeTakeOwnershipPrivilege	6036	wmic.exe
Token: SeLoadDriverPrivilege	6036	wmic.exe
Token: SeSystemProfilePrivilege	6036	wmic.exe
Token: SeSystemtimePrivilege	6036	wmic.exe
Token: SeProfSingleProcessPrivilege	6036	wmic.exe
Token: SeIncBasePriorityPrivilege	6036	wmic.exe
Token: SeCreatePagefilePrivilege	6036	wmic.exe
Token: SeBackupPrivilege	6036	wmic.exe
Token: SeRestorePrivilege	6036	wmic.exe
Token: SeShutdownPrivilege	6036	wmic.exe
Token: SeDebugPrivilege	6036	wmic.exe
Token: SeSystemEnvironmentPrivilege	6036	wmic.exe
Token: SeRemoteShutdownPrivilege	6036	wmic.exe
Token: SeUndockPrivilege	6036	wmic.exe
Token: SeManageVolumePrivilege	6036	wmic.exe
Token: 33	6036	wmic.exe
Token: 34	6036	wmic.exe
Token: 35	6036	wmic.exe
Token: 36	6036	wmic.exe
Token: SeIncreaseQuotaPrivilege	6036	wmic.exe
Token: SeSecurityPrivilege	6036	wmic.exe
Token: SeTakeOwnershipPrivilege	6036	wmic.exe
Token: SeLoadDriverPrivilege	6036	wmic.exe
Token: SeSystemProfilePrivilege	6036	wmic.exe
Token: SeSystemtimePrivilege	6036	wmic.exe
Token: SeProfSingleProcessPrivilege	6036	wmic.exe
Token: SeIncBasePriorityPrivilege	6036	wmic.exe
Token: SeCreatePagefilePrivilege	6036	wmic.exe
Token: SeBackupPrivilege	6036	wmic.exe
Token: SeRestorePrivilege	6036	wmic.exe
Token: SeShutdownPrivilege	6036	wmic.exe
Token: SeDebugPrivilege	6036	wmic.exe
Token: SeSystemEnvironmentPrivilege	6036	wmic.exe
Token: SeRemoteShutdownPrivilege	6036	wmic.exe
Token: SeUndockPrivilege	6036	wmic.exe
Token: SeManageVolumePrivilege	6036	wmic.exe
Token: 33	6036	wmic.exe
Token: 34	6036	wmic.exe
Token: 35	6036	wmic.exe
Token: 36	6036	wmic.exe
Token: SeDebugPrivilege	3184	powershell.exe
Token: SeDebugPrivilege	3000	powershell.exe
Token: SeDebugPrivilege	4580	powershell.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
5456	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2052 wrote to memory of 756	2052	msedge.exe	85
PID 2052 wrote to memory of 756	2052	msedge.exe	85
PID 2052 wrote to memory of 224	2052	msedge.exe	86
PID 2052 wrote to memory of 224	2052	msedge.exe	86
PID 2052 wrote to memory of 224	2052	msedge.exe	86
PID 2052 wrote to memory of 224	2052	msedge.exe	86
PID 2052 wrote to memory of 224	2052	msedge.exe	86
PID 2052 wrote to memory of 224	2052	msedge.exe	86
PID 2052 wrote to memory of 224	2052	msedge.exe	86
PID 2052 wrote to memory of 224	2052	msedge.exe	86
PID 2052 wrote to memory of 224	2052	msedge.exe	86
PID 2052 wrote to memory of 224	2052	msedge.exe	86
PID 2052 wrote to memory of 224	2052	msedge.exe	86
PID 2052 wrote to memory of 224	2052	msedge.exe	86
PID 2052 wrote to memory of 224	2052	msedge.exe	86
PID 2052 wrote to memory of 224	2052	msedge.exe	86
PID 2052 wrote to memory of 224	2052	msedge.exe	86
PID 2052 wrote to memory of 224	2052	msedge.exe	86
PID 2052 wrote to memory of 224	2052	msedge.exe	86
PID 2052 wrote to memory of 224	2052	msedge.exe	86
PID 2052 wrote to memory of 224	2052	msedge.exe	86
PID 2052 wrote to memory of 224	2052	msedge.exe	86
PID 2052 wrote to memory of 224	2052	msedge.exe	86
PID 2052 wrote to memory of 224	2052	msedge.exe	86
PID 2052 wrote to memory of 224	2052	msedge.exe	86
PID 2052 wrote to memory of 224	2052	msedge.exe	86
PID 2052 wrote to memory of 224	2052	msedge.exe	86
PID 2052 wrote to memory of 224	2052	msedge.exe	86
PID 2052 wrote to memory of 224	2052	msedge.exe	86
PID 2052 wrote to memory of 224	2052	msedge.exe	86
PID 2052 wrote to memory of 224	2052	msedge.exe	86
PID 2052 wrote to memory of 224	2052	msedge.exe	86
PID 2052 wrote to memory of 224	2052	msedge.exe	86
PID 2052 wrote to memory of 224	2052	msedge.exe	86
PID 2052 wrote to memory of 224	2052	msedge.exe	86
PID 2052 wrote to memory of 224	2052	msedge.exe	86
PID 2052 wrote to memory of 224	2052	msedge.exe	86
PID 2052 wrote to memory of 224	2052	msedge.exe	86
PID 2052 wrote to memory of 224	2052	msedge.exe	86
PID 2052 wrote to memory of 224	2052	msedge.exe	86
PID 2052 wrote to memory of 224	2052	msedge.exe	86
PID 2052 wrote to memory of 224	2052	msedge.exe	86
PID 2052 wrote to memory of 4312	2052	msedge.exe	87
PID 2052 wrote to memory of 4312	2052	msedge.exe	87
PID 2052 wrote to memory of 1884	2052	msedge.exe	88
PID 2052 wrote to memory of 1884	2052	msedge.exe	88
PID 2052 wrote to memory of 1884	2052	msedge.exe	88
PID 2052 wrote to memory of 1884	2052	msedge.exe	88
PID 2052 wrote to memory of 1884	2052	msedge.exe	88
PID 2052 wrote to memory of 1884	2052	msedge.exe	88
PID 2052 wrote to memory of 1884	2052	msedge.exe	88
PID 2052 wrote to memory of 1884	2052	msedge.exe	88
PID 2052 wrote to memory of 1884	2052	msedge.exe	88
PID 2052 wrote to memory of 1884	2052	msedge.exe	88
PID 2052 wrote to memory of 1884	2052	msedge.exe	88
PID 2052 wrote to memory of 1884	2052	msedge.exe	88
PID 2052 wrote to memory of 1884	2052	msedge.exe	88
PID 2052 wrote to memory of 1884	2052	msedge.exe	88
PID 2052 wrote to memory of 1884	2052	msedge.exe	88
PID 2052 wrote to memory of 1884	2052	msedge.exe	88
PID 2052 wrote to memory of 1884	2052	msedge.exe	88
PID 2052 wrote to memory of 1884	2052	msedge.exe	88
PID 2052 wrote to memory of 1884	2052	msedge.exe	88
PID 2052 wrote to memory of 1884	2052	msedge.exe	88

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
6104	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://krampus.pages.dev/
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8a60746f8,0x7ff8a6074708,0x7ff8a6074718
  2⤵
  PID:756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,9984946553559499755,3275969122462821361,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
  2⤵
  PID:224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,9984946553559499755,3275969122462821361,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,9984946553559499755,3275969122462821361,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8
  2⤵
  PID:1884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9984946553559499755,3275969122462821361,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  PID:2484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9984946553559499755,3275969122462821361,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
  2⤵
  PID:1632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9984946553559499755,3275969122462821361,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
  2⤵
  PID:2932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2080,9984946553559499755,3275969122462821361,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5176 /prefetch:8
  2⤵
  PID:2824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2080,9984946553559499755,3275969122462821361,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5088 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9984946553559499755,3275969122462821361,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:1
  2⤵
  PID:4488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9984946553559499755,3275969122462821361,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5940 /prefetch:1
  2⤵
  PID:2704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9984946553559499755,3275969122462821361,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6300 /prefetch:1
  2⤵
  PID:4496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9984946553559499755,3275969122462821361,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
  2⤵
  PID:2868
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,9984946553559499755,3275969122462821361,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6504 /prefetch:8
  2⤵
  PID:4768
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,9984946553559499755,3275969122462821361,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6504 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3960

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2756

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3140

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:64

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Krampus\" -ad -an -ai#7zMap24124:76:7zEvent28745
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5456

C:\Users\Admin\Downloads\Krampus\Krampus\b5uEJHZB6Rl.exe
"C:\Users\Admin\Downloads\Krampus\Krampus\b5uEJHZB6Rl.exe"
1⤵
- Executes dropped EXE
PID:5844

C:\Users\Admin\Downloads\Krampus\Krampus\b5uEJHZB6Rl.exe
"C:\Users\Admin\Downloads\Krampus\Krampus\b5uEJHZB6Rl.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5940
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:6036
- C:\Windows\SYSTEM32\attrib.exe
  "attrib.exe" +h +s "C:\Users\Admin\Downloads\Krampus\Krampus\b5uEJHZB6Rl.exe"
  2⤵
  - Views/modifies file attributes
  PID:6104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Krampus\Krampus\b5uEJHZB6Rl.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3184
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  PID:3492
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  PID:3588
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  PID:848
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:5832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5784
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:6052
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\Downloads\Krampus\Krampus\b5uEJHZB6Rl.exe" && pause
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:4272
- - C:\Windows\system32\PING.EXE
    ping localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\b5uEJHZB6Rl.exe.log

Filesize
1KB

MD5
4c8fa14eeeeda6fe76a08d14e08bf756

SHA1
30003b6798090ec74eb477bbed88e086f8552976

SHA256
7ebfcfca64b0c1c9f0949652d50a64452b35cefe881af110405cd6ec45f857a5

SHA512
116f80182c25cf0e6159cf59a35ee27d66e431696d29ec879c44521a74ab7523cbfdefeacfb6a3298b48788d7a6caa5336628ec9c1d8b9c9723338dcffea4116

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2f842025e22e522658c640cfc7edc529

SHA1
4c2b24b02709acdd159f1b9bbeb396e52af27033

SHA256
1191573f2a7c12f0b9b8460e06dc36ca5386305eb8c883ebbbc8eb15f4d8e23e

SHA512
6e4393fd43984722229020ef662fc5981f253de31f13f30fadd6660bbc9ededcbfd163f132f6adaf42d435873322a5d0d3eea60060cf0e7f2e256262632c5d05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
54aadd2d8ec66e446f1edb466b99ba8d

SHA1
a94f02b035dc918d8d9a46e6886413f15be5bff0

SHA256
1971045943002ef01930add9ba1a96a92ddc10d6c581ce29e33c38c2120b130e

SHA512
7e077f903463da60b5587aed4f5352060df400ebda713b602b88c15cb2f91076531ea07546a9352df772656065e0bf27bd285905a60f036a5c5951076d35e994

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
7bb79fc55fdf11826e490d6f467e3378

SHA1
e6eb0d9e230b4ab73ff0cc13b5e2cd60508ec432

SHA256
842d46c7c343b399032411b4851e1db3db84796d943edc974db992a092d4e534

SHA512
7c38bb6562eacf96bfe826b5bff272b15a9116873adc7f9eb8dd3d55437ba7060b3cf4da5adccf44f840e9904182ddec324dca3108fef5447860443c1b23865e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
8d51ec4539e329532ec97ab434e4e1a3

SHA1
e738ecac30f487f63d925f70ba95ab566f6f30f4

SHA256
b1870a980c98135915dd6e77e77d893d961eb9ae2cc24f131263e08cd905dd00

SHA512
bcb5baad8439036526f742f36aa297ace346a83dbe8331419ebb0dc69099d328205e9cf5d91accc0fd977f6632b8a50917e2ab3ad3bf787bfc05c2e44e4ee597

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2f558273ccb95c1754ff62457df2471a

SHA1
049822ecb007f64042e716117c3ac431995ba173

SHA256
a6c3cef6bff4efb00ca888fdf0fa0856b77c7c3ba5979be20419e24b7b3416c4

SHA512
f48cc9a2ecdc5e679b685b006b686c6162ff293bb26c187d9c29d18b349c4c86b4a1a2f5a41abea1701db67efe182e23eeb50002a9199fc9199abbc46bef1b41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7c059bd2c6d8cb83305613930173232c

SHA1
83525dc0ffc2a703323260d18195a8733c281339

SHA256
2b20991f29461f361f3fd4a5b5009fbaa563e10c93ac1b0643a9ac6aa045c5e1

SHA512
f9d284051a510ce1344a899c420dda27da2d0302e8501dc6bc2b424fb5c69646100c4ab3c8eaa6131faac87f4b25a141e0d00b04186223f5c21e78f07ceeeec8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\cd0ab659-0bd9-44be-be88-b1b3d432e165.tmp

Filesize
546B

MD5
6a52d1471cd1808cf708171aa99a6c11

SHA1
dc1da9331cc11f46b75f7b9f3b7f9a3e73b81818

SHA256
a87af196154da642019f4c6f83d70712da156e851387998838f7fcdec4fea7fb

SHA512
8361de2dedff2b6db34df7a2e0c7cae19bb72eebb737820a32cfc0ab7a1fdef56a716445593ce023519ae8b650b6b38e3859e48a545c83bee415aab2b1a7c5cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
25a6c722736b0435ded24d06ec829332

SHA1
d296b62d2923c6e90c03832d214604782d695746

SHA256
de4830af46c934720b07f6cd337610645de5ce2e79231458b5eb98fd07cdaf90

SHA512
17c96ef02fbc7a7bfc924bb96f36b6a8af6e387e94a39b921e2a299027bddbf544333899323cfff17021196ab59a030ddc446c63e75d77d0c834b2afd5036e35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
518595714bcde191e2a0b6ebc13e2488

SHA1
c0288dd6f02d33989a0c01cec16b81a95e2a256d

SHA256
e1387218a6f509dde96c14ab62ae8983944e8dc6a3e8e6ae746e423a2320c549

SHA512
5228c20504501b3f7c8108032a0ff0b4b0b142e6920f5eaf6f32bea85bdab34f174088e267cc48e029ce0f4864a0b530fb2ececd1655f15060488b0cb50dcb30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3b5972a839d862d1388c2af64d974c88

SHA1
c597a4e34e8d118e69a0e8f7d62aaaa170459b62

SHA256
982c0e753b76f848058e8aaa96baeb98008891c7e6bc8f1ab4ea21dfc52a3cca

SHA512
bed76b19816f59969463405af7196373682efdce7afa75b11d16cc6ac9ca2769c64e0fab85efb7435470e48c64ffbe3f46827f2af846c3d345cd3ee4c019fa28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ef916851945b31b5a28592cf94d5ad66

SHA1
a9b3adafcb838438d4428b5500088d77798885c6

SHA256
f66a57dcc4e0439b8ea98f4c90820546e026aad7b9103fbdfacd6b09f6687325

SHA512
3f3bc3ad64060f0f2b48b6cf276f9cff6087ea7bdf6721056f2e9c997c41aeadc1f0996073e73e2575440495430045a87909e98ba52505e32b13ed917d296abd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
482fbb6ef0984159551ed81307d94b26

SHA1
6a9f978244f9217b29df57012c67d7795d86caee

SHA256
1aefb52c8ad4f5d652ce79efcbbcdbbc9718e80454b588155f7fd4957b45b5d6

SHA512
5bfe1471fdd77dfd053d9f72898822f07b13ebc6a411b62e3784b1f08b9f452cd39efdf7a34c0f8949b8860736a49a23d0b0a84a2411c8316bc7f92749cb1a3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
876068b2fd29dc0c375d16aa4963bc2c

SHA1
ecfec3c3b20deea522f456b490e87af51dbd406c

SHA256
eb95f5a37335b29c18100977989aef955307b6a0c1d1dacdcda6ca00f7878907

SHA512
8061369b52206a75f3e3306cbb030c31a8579469ef7279a526d1c3fe82e95cc6b086da9fdc02e22c3169fc464e2cb756a34e8902b0cd734d0fe5c1873bb4be52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
403be982ce1e5b0afda202d43ed94d53

SHA1
6dc0c47575bfc43398b67ad8978815bd13ace9cb

SHA256
b747d9514309c9a07a6321fd35d0828d29975e06107aab4d995c61f214eaba34

SHA512
c4fa8f643f459db2bc758ffa5e181c36c4cbdba30a979fbbd492c0a3000c077c756ce99e98c8b4e969348e562c5c45d1a532551d70e54b27f5f83e3260a77005

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zkpzuwaz.0sw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\Krampus\Krampus\b5uEJHZB6Rl.exe

Filesize
231KB

MD5
438289fb9c72ed39bf5497f9af21ec7a

SHA1
8120391ecb41ed6a4c6ef0b259776e59311d6997

SHA256
ea4cb7c7b4cfb2fcc04d1c3f96b20c26638e69a97b15cae14659f0d6afb78f85

SHA512
3647907fa2d503a242ef07cb20b081444b75e0c618a91232c8e77903b4b6aa823b8a7cbe07a45e02591fe48fdd23b5eae88565006b85863c0a5f6e42d7589fe0

Download Submit
C:\Users\Admin\Downloads\e9a4e830-eeed-4734-9f0d-89ef48650fb4.tmp

Filesize
79KB

MD5
75feae218b03a45d1be3f932f353db7b

SHA1
2eef6e858b38c3c5fece824be164debe55e66f2c

SHA256
ed5fe58c45c8b0e48c4c9405ba8065234090e19e145465117e0d2342f43fd872

SHA512
f13949102f6d6117af5f976cd60dc95315b2be20379d2f7bf4606feffa795a69238d1a84f30288d7e1b45fb407dca583bd17cc9cae3bf129feeb4c2526a0a831

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
4028457913f9d08b06137643fe3e01bc

SHA1
a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

SHA256
289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

SHA512
c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

Download Submit
memory/3184-173-0x00000268798E0000-0x0000026879902000-memory.dmp

Filesize
136KB

Download
memory/5844-161-0x000001DBA8630000-0x000001DBA8670000-memory.dmp

Filesize
256KB

Download
memory/5940-200-0x000001A051C70000-0x000001A051CE6000-memory.dmp

Filesize
472KB

Download
memory/5940-201-0x000001A051BF0000-0x000001A051C40000-memory.dmp

Filesize
320KB

Download
memory/5940-203-0x000001A039270000-0x000001A03928E000-memory.dmp

Filesize
120KB

Download
memory/5940-254-0x000001A0392A0000-0x000001A0392AA000-memory.dmp

Filesize
40KB

Download
memory/5940-255-0x000001A051C40000-0x000001A051C52000-memory.dmp

Filesize
72KB

Download