umbral | 52124dea5ce1c6296873462826b58cf7ced4bc5bff6092af5950769482962339

Analysis

max time kernel
141s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
submitted
18-08-2024 14:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Byte_Guard_Cracked.exe
Size

4.3MB
MD5

d7936c64138b924d63901cedb2c6cd09
SHA1

b525dd212eac4c808b5166880976b1817caf826b
SHA256

52124dea5ce1c6296873462826b58cf7ced4bc5bff6092af5950769482962339
SHA512

3c2e8b6b1de63baeda4fb714ab3f4104f820cf81d2bbe9d4177631246b7627ac1e76c709a57504ca777dfdbcc74aab95602184a270120f653832f37e4965d3f7
SSDEEP

98304:dnsmtk2a2052wnEFsuU8agxdazsYXhDqgAdXt2:BL4n7uB8zpXcnb2

Score

10^/10

umbral xred backdoor defense_evasion discovery execution persistence spyware stealer

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023458-102.dat	family_umbral
behavioral2/memory/2932-112-0x000002BC58A60000-0x000002BC58AA0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral
Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4976	powershell.exe
3860	powershell.exe
392	powershell.exe
4456	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	Byte_Guard_Cracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	._cache_Byte_Guard_Cracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	Byte Guard.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	._cache_Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	Byte Guard.exe

Executes dropped EXE 9 IoCs

pid	Process
4496	._cache_Byte_Guard_Cracked.exe
2932	Umbral.exe
4048	Synaptics.exe
4636	Byte Guard.exe
4536	._cache_Synaptics.exe
4916	._cache_Byte Guard.exe
2240	Umbral.exe
3452	Byte Guard.exe
1900	._cache_Byte Guard.exe

Loads dropped DLL 2 IoCs

pid	Process
3452	Byte Guard.exe
3452	Byte Guard.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\????? = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	Byte_Guard_Cracked.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
49	discord.com
50	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Byte Guard.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Byte_Guard_Cracked.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Byte_Guard_Cracked.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Byte Guard.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Byte Guard.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Byte Guard.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
940	cmd.exe
2112	PING.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4812	wmic.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	._cache_Byte Guard.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	._cache_Byte Guard.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	._cache_Byte Guard.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	._cache_Byte Guard.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	._cache_Byte Guard.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	._cache_Byte Guard.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Byte_Guard_Cracked.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Byte Guard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Byte Guard.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2112	PING.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4164	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2528	powershell.exe
2528	powershell.exe
1364	powershell.exe
1364	powershell.exe
1364	powershell.exe
2932	Umbral.exe
2932	Umbral.exe
4456	powershell.exe
4456	powershell.exe
4456	powershell.exe
4976	powershell.exe
4976	powershell.exe
4976	powershell.exe
3860	powershell.exe
3860	powershell.exe
3860	powershell.exe
464	powershell.exe
464	powershell.exe
392	powershell.exe
392	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2932	Umbral.exe
Token: SeDebugPrivilege	2528	powershell.exe
Token: SeIncreaseQuotaPrivilege	2180	wmic.exe
Token: SeSecurityPrivilege	2180	wmic.exe
Token: SeTakeOwnershipPrivilege	2180	wmic.exe
Token: SeLoadDriverPrivilege	2180	wmic.exe
Token: SeSystemProfilePrivilege	2180	wmic.exe
Token: SeSystemtimePrivilege	2180	wmic.exe
Token: SeProfSingleProcessPrivilege	2180	wmic.exe
Token: SeIncBasePriorityPrivilege	2180	wmic.exe
Token: SeCreatePagefilePrivilege	2180	wmic.exe
Token: SeBackupPrivilege	2180	wmic.exe
Token: SeRestorePrivilege	2180	wmic.exe
Token: SeShutdownPrivilege	2180	wmic.exe
Token: SeDebugPrivilege	2180	wmic.exe
Token: SeSystemEnvironmentPrivilege	2180	wmic.exe
Token: SeRemoteShutdownPrivilege	2180	wmic.exe
Token: SeUndockPrivilege	2180	wmic.exe
Token: SeManageVolumePrivilege	2180	wmic.exe
Token: 33	2180	wmic.exe
Token: 34	2180	wmic.exe
Token: 35	2180	wmic.exe
Token: 36	2180	wmic.exe
Token: SeIncreaseQuotaPrivilege	2180	wmic.exe
Token: SeSecurityPrivilege	2180	wmic.exe
Token: SeTakeOwnershipPrivilege	2180	wmic.exe
Token: SeLoadDriverPrivilege	2180	wmic.exe
Token: SeSystemProfilePrivilege	2180	wmic.exe
Token: SeSystemtimePrivilege	2180	wmic.exe
Token: SeProfSingleProcessPrivilege	2180	wmic.exe
Token: SeIncBasePriorityPrivilege	2180	wmic.exe
Token: SeCreatePagefilePrivilege	2180	wmic.exe
Token: SeBackupPrivilege	2180	wmic.exe
Token: SeRestorePrivilege	2180	wmic.exe
Token: SeShutdownPrivilege	2180	wmic.exe
Token: SeDebugPrivilege	2180	wmic.exe
Token: SeSystemEnvironmentPrivilege	2180	wmic.exe
Token: SeRemoteShutdownPrivilege	2180	wmic.exe
Token: SeUndockPrivilege	2180	wmic.exe
Token: SeManageVolumePrivilege	2180	wmic.exe
Token: 33	2180	wmic.exe
Token: 34	2180	wmic.exe
Token: 35	2180	wmic.exe
Token: 36	2180	wmic.exe
Token: SeDebugPrivilege	1364	powershell.exe
Token: SeDebugPrivilege	4456	powershell.exe
Token: SeDebugPrivilege	4976	powershell.exe
Token: SeDebugPrivilege	3860	powershell.exe
Token: SeDebugPrivilege	464	powershell.exe
Token: SeIncreaseQuotaPrivilege	3732	wmic.exe
Token: SeSecurityPrivilege	3732	wmic.exe
Token: SeTakeOwnershipPrivilege	3732	wmic.exe
Token: SeLoadDriverPrivilege	3732	wmic.exe
Token: SeSystemProfilePrivilege	3732	wmic.exe
Token: SeSystemtimePrivilege	3732	wmic.exe
Token: SeProfSingleProcessPrivilege	3732	wmic.exe
Token: SeIncBasePriorityPrivilege	3732	wmic.exe
Token: SeCreatePagefilePrivilege	3732	wmic.exe
Token: SeBackupPrivilege	3732	wmic.exe
Token: SeRestorePrivilege	3732	wmic.exe
Token: SeShutdownPrivilege	3732	wmic.exe
Token: SeDebugPrivilege	3732	wmic.exe
Token: SeSystemEnvironmentPrivilege	3732	wmic.exe
Token: SeRemoteShutdownPrivilege	3732	wmic.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4164	EXCEL.EXE
4164	EXCEL.EXE
4164	EXCEL.EXE
4164	EXCEL.EXE
4164	EXCEL.EXE
4164	EXCEL.EXE

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 4828 wrote to memory of 4496	4828	Byte_Guard_Cracked.exe	86
PID 4828 wrote to memory of 4496	4828	Byte_Guard_Cracked.exe	86
PID 4828 wrote to memory of 4496	4828	Byte_Guard_Cracked.exe	86
PID 4496 wrote to memory of 2528	4496	._cache_Byte_Guard_Cracked.exe	88
PID 4496 wrote to memory of 2528	4496	._cache_Byte_Guard_Cracked.exe	88
PID 4496 wrote to memory of 2528	4496	._cache_Byte_Guard_Cracked.exe	88
PID 4496 wrote to memory of 2932	4496	._cache_Byte_Guard_Cracked.exe	91
PID 4496 wrote to memory of 2932	4496	._cache_Byte_Guard_Cracked.exe	91
PID 4828 wrote to memory of 4048	4828	Byte_Guard_Cracked.exe	90
PID 4828 wrote to memory of 4048	4828	Byte_Guard_Cracked.exe	90
PID 4828 wrote to memory of 4048	4828	Byte_Guard_Cracked.exe	90
PID 4496 wrote to memory of 4636	4496	._cache_Byte_Guard_Cracked.exe	92
PID 4496 wrote to memory of 4636	4496	._cache_Byte_Guard_Cracked.exe	92
PID 4496 wrote to memory of 4636	4496	._cache_Byte_Guard_Cracked.exe	92
PID 2932 wrote to memory of 2180	2932	Umbral.exe	93
PID 2932 wrote to memory of 2180	2932	Umbral.exe	93
PID 4048 wrote to memory of 4536	4048	Synaptics.exe	95
PID 4048 wrote to memory of 4536	4048	Synaptics.exe	95
PID 4048 wrote to memory of 4536	4048	Synaptics.exe	95
PID 4636 wrote to memory of 4916	4636	Byte Guard.exe	96
PID 4636 wrote to memory of 4916	4636	Byte Guard.exe	96
PID 4636 wrote to memory of 4916	4636	Byte Guard.exe	96
PID 4536 wrote to memory of 1364	4536	._cache_Synaptics.exe	129
PID 4536 wrote to memory of 1364	4536	._cache_Synaptics.exe	129
PID 4536 wrote to memory of 1364	4536	._cache_Synaptics.exe	129
PID 4536 wrote to memory of 2240	4536	._cache_Synaptics.exe	100
PID 4536 wrote to memory of 2240	4536	._cache_Synaptics.exe	100
PID 4536 wrote to memory of 3452	4536	._cache_Synaptics.exe	101
PID 4536 wrote to memory of 3452	4536	._cache_Synaptics.exe	101
PID 4536 wrote to memory of 3452	4536	._cache_Synaptics.exe	101
PID 3452 wrote to memory of 1900	3452	Byte Guard.exe	103
PID 3452 wrote to memory of 1900	3452	Byte Guard.exe	103
PID 3452 wrote to memory of 1900	3452	Byte Guard.exe	103
PID 2932 wrote to memory of 2740	2932	Umbral.exe	104
PID 2932 wrote to memory of 2740	2932	Umbral.exe	104
PID 2932 wrote to memory of 4456	2932	Umbral.exe	106
PID 2932 wrote to memory of 4456	2932	Umbral.exe	106
PID 2932 wrote to memory of 4976	2932	Umbral.exe	109
PID 2932 wrote to memory of 4976	2932	Umbral.exe	109
PID 2932 wrote to memory of 3860	2932	Umbral.exe	112
PID 2932 wrote to memory of 3860	2932	Umbral.exe	112
PID 2932 wrote to memory of 464	2932	Umbral.exe	114
PID 2932 wrote to memory of 464	2932	Umbral.exe	114
PID 2932 wrote to memory of 3732	2932	Umbral.exe	116
PID 2932 wrote to memory of 3732	2932	Umbral.exe	116
PID 2932 wrote to memory of 4856	2932	Umbral.exe	118
PID 2932 wrote to memory of 4856	2932	Umbral.exe	118
PID 2932 wrote to memory of 448	2932	Umbral.exe	120
PID 2932 wrote to memory of 448	2932	Umbral.exe	120
PID 2932 wrote to memory of 392	2932	Umbral.exe	122
PID 2932 wrote to memory of 392	2932	Umbral.exe	122
PID 2932 wrote to memory of 4812	2932	Umbral.exe	124
PID 2932 wrote to memory of 4812	2932	Umbral.exe	124
PID 2932 wrote to memory of 940	2932	Umbral.exe	128
PID 2932 wrote to memory of 940	2932	Umbral.exe	128
PID 940 wrote to memory of 2112	940	cmd.exe	130
PID 940 wrote to memory of 2112	940	cmd.exe	130

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2740	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Byte_Guard_Cracked.exe
"C:\Users\Admin\AppData\Local\Temp\Byte_Guard_Cracked.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4828
- C:\Users\Admin\AppData\Local\Temp\._cache_Byte_Guard_Cracked.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_Byte_Guard_Cracked.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4496
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHgAYwBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAcwBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAaABxACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAZQBhACMAPgA="
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2528
- - C:\Users\Admin\AppData\Local\Umbral.exe
    "C:\Users\Admin\AppData\Local\Umbral.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2932
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2180
  - - C:\Windows\SYSTEM32\attrib.exe
      "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Umbral.exe"
      4⤵
      Views/modifies file attributes
      PID:2740
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Umbral.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4456
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4976
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3860
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:464
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3732
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      4⤵
      PID:4856
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      PID:448
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:392
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic" path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4812
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Umbral.exe" && pause
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Suspicious use of WriteProcessMemory
      PID:940
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1364
    - - C:\Windows\system32\PING.EXE
        
        ping localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2112
- - C:\Users\Admin\AppData\Local\Byte Guard.exe
    "C:\Users\Admin\AppData\Local\Byte Guard.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4636
  - - C:\Users\Admin\AppData\Local\Temp\._cache_Byte Guard.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_Byte Guard.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Enumerates system info in registry
      PID:4916
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4048
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4536
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHgAYwBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAcwBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAaABxACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAZQBhACMAPgA="
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1364
  - - C:\Users\Admin\AppData\Local\Umbral.exe
      "C:\Users\Admin\AppData\Local\Umbral.exe"
      4⤵
      Executes dropped EXE
      PID:2240
  - - C:\Users\Admin\AppData\Local\Byte Guard.exe
      "C:\Users\Admin\AppData\Local\Byte Guard.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3452
    - - C:\Users\Admin\AppData\Local\Temp\._cache_Byte Guard.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Byte Guard.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:1900

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
4.3MB

MD5
d7936c64138b924d63901cedb2c6cd09

SHA1
b525dd212eac4c808b5166880976b1817caf826b

SHA256
52124dea5ce1c6296873462826b58cf7ced4bc5bff6092af5950769482962339

SHA512
3c2e8b6b1de63baeda4fb714ab3f4104f820cf81d2bbe9d4177631246b7627ac1e76c709a57504ca777dfdbcc74aab95602184a270120f653832f37e4965d3f7

Download Submit
C:\Users\Admin\AppData\Local\Byte Guard.exe

Filesize
3.2MB

MD5
7ea9fbcf5b737365ff4ad08f7fca0aeb

SHA1
de3e974d43c058e74f20f67d2d5b781852264226

SHA256
6ef4c90c8d8bf9d1b96fecb2d8a49820bac15d0f9c3628e101f24994ebd2b2f3

SHA512
2d0a117207bd2510ff6ee872e5f4d3ec471705c0f3d3a52cf113376306110491702c09d477026b0bda45a7b105f8aab9ec1c0a57d0a8e9c2be014eca3da402e1

Download Submit
C:\Users\Admin\AppData\Local\Byte Guard.exe

Filesize
3.2MB

MD5
5d317aa06f8daf4558eb1a48f20a67bd

SHA1
e574b2144d7e64ad354074460eb10d6a8d55ef7b

SHA256
d76287c021bc3320cd53e42b62a86e3064f56f80158066381d57dfadd64b5a79

SHA512
8576d946d69cfbea20b5d4bba7e2620c78017de38cb4fdd6e7d8b768c7e3f21291314aa2b27eb9939c7ddeea08e44e36bb828e53ace370f52ee28ecb6e90ad24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Umbral.exe.log

Filesize
1KB

MD5
4c8fa14eeeeda6fe76a08d14e08bf756

SHA1
30003b6798090ec74eb477bbed88e086f8552976

SHA256
7ebfcfca64b0c1c9f0949652d50a64452b35cefe881af110405cd6ec45f857a5

SHA512
116f80182c25cf0e6159cf59a35ee27d66e431696d29ec879c44521a74ab7523cbfdefeacfb6a3298b48788d7a6caa5336628ec9c1d8b9c9723338dcffea4116

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
8bbd6908e148d61010a3130cb6aae4a0

SHA1
e74bcc1b0f762fcd7469d0621b9c7fe50b0c365d

SHA256
79c8ed7085737723dbc7c40b32d01ea400171787259b7458561cd5db60401023

SHA512
38057edb5f2ce86329f558bf34224c6110443635756b1b26da99f89b13e3f971bf602939f40d3fce8459cfdab4ad4fa4928ecb933ff045173535fcc46fe4855f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
24fdf77ade79ee785f0d9f33298843b5

SHA1
aeed1be8325820f196816b73a1305e20294e4ef0

SHA256
eed92fc7f6c9f9f65adbb55563fac59b68dc7c70fcf3494b4c8c2ac6caf00795

SHA512
67a35d546bf8886b5cca49522b55c1be84721a180a1969f98b93f0a184a8efa18f195ec2d975f3cc75e35c43ab7cc22118ae7a64357e7fe3aa34b7f54cdfb63e

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Byte Guard.exe

Filesize
2.5MB

MD5
068b2d1729ce3ea43aca321d35983886

SHA1
1f0265d64f80734687a5abff64163f735933ba40

SHA256
7d356312b37eac1a8c175c3b715b650ef881ba83096d242a87dee1439e14aaa3

SHA512
01241980cbf6d6a2f8935790e7d509e487c541590766a290b7dab889bcea6c367170d2d5c56bead75693b78e596af72b00ee22241c2c5b51e8f5384e393af0cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Byte_Guard_Cracked.exe

Filesize
3.6MB

MD5
c53c9140b7d6c214c6d168d34365418c

SHA1
72144ae7d77432b217f73be33eae773f7cc0dcf7

SHA256
8d0405c5776efbedc678af7096a129fea77d1df352a23bf87a9fa3485d2ea143

SHA512
f4f912b5784eacfecbf3fcf6876ed573df519070a2d663eb7985a8544a28b03fade339c2eca93b2da7f1240cec60ae1929b81f217c711e575e2d2908ddb80910

Download Submit
C:\Users\Admin\AppData\Local\Temp\CA875E00

Filesize
26KB

MD5
37aec68cd38b58aaddcba66442ebe9f8

SHA1
f67052774fbac2bc6d6148a1067984108fbf5fac

SHA256
90707ddd1e668816534663d3bb2a1cf1ed147d17181165eb21a7fc2e8bfc84d6

SHA512
62a29e1d5c854b836334ea399eedfc81595eab999817d3cdb96c818eac3fe307e3c676f56e28fd372cffb437e472442690a7bb699ffbde75ab6054de5a681f3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_grzt10c2.ybn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aImcvHrr.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Umbral.exe

Filesize
229KB

MD5
06b38b4286ab07b09e34030a13893cf8

SHA1
1741b0fec5104f2237c84f86e400b34ee457f510

SHA256
426f84b164f029d25bd87377d930c1532dd9fb1f490f0ddb2906f2c8006a2f8f

SHA512
e752bfa062a46682209dc8d5685b583a523af9a594ed92cb1ce97fda652ded92cffa032b1b69110ca04d7f52a7532aaa3011facfdd90baaeec91515424573df4

Download Submit
memory/392-449-0x00000112705D0000-0x00000112707EC000-memory.dmp

Filesize
2.1MB

Download
memory/1364-326-0x000000006F610000-0x000000006F65C000-memory.dmp

Filesize
304KB

Download
memory/2528-227-0x0000000006080000-0x000000000609E000-memory.dmp

Filesize
120KB

Download
memory/2528-203-0x00000000050E0000-0x0000000005102000-memory.dmp

Filesize
136KB

Download
memory/2528-201-0x0000000004AD0000-0x0000000004B06000-memory.dmp

Filesize
216KB

Download
memory/2528-202-0x00000000052B0000-0x00000000058D8000-memory.dmp

Filesize
6.2MB

Download
memory/2528-204-0x0000000005180000-0x00000000051E6000-memory.dmp

Filesize
408KB

Download
memory/2528-205-0x00000000051F0000-0x0000000005256000-memory.dmp

Filesize
408KB

Download
memory/2528-215-0x0000000005A60000-0x0000000005DB4000-memory.dmp

Filesize
3.3MB

Download
memory/2528-229-0x0000000006630000-0x000000000667C000-memory.dmp

Filesize
304KB

Download
memory/2528-337-0x00000000076F0000-0x00000000076F8000-memory.dmp

Filesize
32KB

Download
memory/2528-336-0x0000000007710000-0x000000000772A000-memory.dmp

Filesize
104KB

Download
memory/2528-314-0x0000000007620000-0x0000000007634000-memory.dmp

Filesize
80KB

Download
memory/2528-313-0x0000000007610000-0x000000000761E000-memory.dmp

Filesize
56KB

Download
memory/2528-312-0x00000000075D0000-0x00000000075E1000-memory.dmp

Filesize
68KB

Download
memory/2528-293-0x0000000007650000-0x00000000076E6000-memory.dmp

Filesize
600KB

Download
memory/2528-283-0x0000000007280000-0x000000000729E000-memory.dmp

Filesize
120KB

Download
memory/2528-284-0x00000000072A0000-0x0000000007343000-memory.dmp

Filesize
652KB

Download
memory/2528-273-0x000000006F610000-0x000000006F65C000-memory.dmp

Filesize
304KB

Download
memory/2528-272-0x0000000007240000-0x0000000007272000-memory.dmp

Filesize
200KB

Download
memory/2528-292-0x0000000007450000-0x000000000745A000-memory.dmp

Filesize
40KB

Download
memory/2528-290-0x0000000007A20000-0x000000000809A000-memory.dmp

Filesize
6.5MB

Download
memory/2528-291-0x00000000073D0000-0x00000000073EA000-memory.dmp

Filesize
104KB

Download
memory/2932-376-0x000002BC73280000-0x000002BC732F6000-memory.dmp

Filesize
472KB

Download
memory/2932-112-0x000002BC58A60000-0x000002BC58AA0000-memory.dmp

Filesize
256KB

Download
memory/2932-424-0x000002BC730C0000-0x000002BC730D2000-memory.dmp

Filesize
72KB

Download
memory/2932-423-0x000002BC73090000-0x000002BC7309A000-memory.dmp

Filesize
40KB

Download
memory/2932-378-0x000002BC58F30000-0x000002BC58F4E000-memory.dmp

Filesize
120KB

Download
memory/2932-377-0x000002BC5A820000-0x000002BC5A870000-memory.dmp

Filesize
320KB

Download
memory/3452-289-0x0000000000400000-0x0000000000743000-memory.dmp

Filesize
3.3MB

Download
memory/4048-479-0x0000000000400000-0x0000000000851000-memory.dmp

Filesize
4.3MB

Download
memory/4048-455-0x0000000000400000-0x0000000000851000-memory.dmp

Filesize
4.3MB

Download
memory/4048-454-0x0000000000400000-0x0000000000851000-memory.dmp

Filesize
4.3MB

Download
memory/4164-434-0x00007FF8AEF90000-0x00007FF8AEFA0000-memory.dmp

Filesize
64KB

Download
memory/4164-436-0x00007FF8AEF90000-0x00007FF8AEFA0000-memory.dmp

Filesize
64KB

Download
memory/4164-237-0x00007FF8AEF90000-0x00007FF8AEFA0000-memory.dmp

Filesize
64KB

Download
memory/4164-248-0x00007FF8ACF30000-0x00007FF8ACF40000-memory.dmp

Filesize
64KB

Download
memory/4164-238-0x00007FF8AEF90000-0x00007FF8AEFA0000-memory.dmp

Filesize
64KB

Download
memory/4164-260-0x00007FF8ACF30000-0x00007FF8ACF40000-memory.dmp

Filesize
64KB

Download
memory/4164-243-0x00007FF8AEF90000-0x00007FF8AEFA0000-memory.dmp

Filesize
64KB

Download
memory/4164-239-0x00007FF8AEF90000-0x00007FF8AEFA0000-memory.dmp

Filesize
64KB

Download
memory/4164-241-0x00007FF8AEF90000-0x00007FF8AEFA0000-memory.dmp

Filesize
64KB

Download
memory/4164-435-0x00007FF8AEF90000-0x00007FF8AEFA0000-memory.dmp

Filesize
64KB

Download
memory/4164-437-0x00007FF8AEF90000-0x00007FF8AEFA0000-memory.dmp

Filesize
64KB

Download
memory/4456-324-0x000002D039710000-0x000002D039732000-memory.dmp

Filesize
136KB

Download
memory/4636-234-0x0000000000400000-0x0000000000743000-memory.dmp

Filesize
3.3MB

Download
memory/4828-0-0x0000000002800000-0x0000000002801000-memory.dmp

Filesize
4KB

Download
memory/4828-116-0x0000000000400000-0x0000000000851000-memory.dmp

Filesize
4.3MB

Download
memory/4916-245-0x00000000057A0000-0x00000000057AA000-memory.dmp

Filesize
40KB

Download
memory/4916-242-0x0000000007240000-0x00000000077E4000-memory.dmp

Filesize
5.6MB

Download
memory/4916-236-0x0000000000CE0000-0x0000000000F68000-memory.dmp

Filesize
2.5MB

Download
memory/4916-240-0x0000000006A30000-0x0000000006C8C000-memory.dmp

Filesize
2.4MB

Download
memory/4916-249-0x0000000006F70000-0x0000000007182000-memory.dmp

Filesize
2.1MB

Download
memory/4916-244-0x0000000006D30000-0x0000000006DC2000-memory.dmp

Filesize
584KB

Download