umbral | fa737d8c1b29cc13fa645ea33300e76438ed0601016554475c3d258cf2a1217f

Analysis

max time kernel
130s
max time network
124s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
25-08-2024 08:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bootstrapper.exe
Size

427KB
MD5

fa1fd1fb9ab5b24cd1f3cedcbd239c1c
SHA1

8177b3bc63bccfe739fcf402070877b0e1f1ee75
SHA256

fa737d8c1b29cc13fa645ea33300e76438ed0601016554475c3d258cf2a1217f
SHA512

cf8eca2b4bddd4e128b2941b0e7c96b2f036567e418592058607b42c5c1ec376735026ecd2675243883623c61b1245e7836febc645b0ff34f30df07d4153010e
SSDEEP

12288:zKgs2X/gDiVBQTB2zI6sJJFvn4yF8LU5:9sygDOBg3VFvTF8Lo

Score

10^/10

umbral xworm execution persistence rat stealer trojan

Malware Config

Extracted

Family

xworm

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Extracted

Family

umbral

https://discord.com/api/webhooks/1274621175464464444/z5B03cRE18EaExC0Pa7er7KKDqXyeufniHWPLcP9yxj5Vb4iu_NEpMlNJCFlmCqUoyTr

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/memory/1448-22-0x0000018A46130000-0x0000018A46170000-memory.dmp	family_umbral
behavioral1/files/0x000800000001ac12-21.dat	family_umbral

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000800000001ac10-18.dat	family_xworm
behavioral1/memory/3760-24-0x0000000000E80000-0x0000000000E9C000-memory.dmp	family_xworm

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1084	powershell.exe
4976	powershell.exe
2376	powershell.exe
2896	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	Solara.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	Solara.exe

Executes dropped EXE 5 IoCs

pid	Process
1444	Bootstrapper-1.exe
3760	Solara.exe
1448	StartMenu.exe
2684	XClient.exe
4100	XClient.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	Solara.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
10	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings	Bootstrapper.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1900	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
1084	powershell.exe
1084	powershell.exe
1084	powershell.exe
4976	powershell.exe
4976	powershell.exe
4976	powershell.exe
2376	powershell.exe
2376	powershell.exe
2376	powershell.exe
2896	powershell.exe
2896	powershell.exe
2896	powershell.exe
3760	Solara.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3760	Solara.exe
Token: SeDebugPrivilege	1448	StartMenu.exe
Token: SeDebugPrivilege	1444	Bootstrapper-1.exe
Token: SeIncreaseQuotaPrivilege	2268	wmic.exe
Token: SeSecurityPrivilege	2268	wmic.exe
Token: SeTakeOwnershipPrivilege	2268	wmic.exe
Token: SeLoadDriverPrivilege	2268	wmic.exe
Token: SeSystemProfilePrivilege	2268	wmic.exe
Token: SeSystemtimePrivilege	2268	wmic.exe
Token: SeProfSingleProcessPrivilege	2268	wmic.exe
Token: SeIncBasePriorityPrivilege	2268	wmic.exe
Token: SeCreatePagefilePrivilege	2268	wmic.exe
Token: SeBackupPrivilege	2268	wmic.exe
Token: SeRestorePrivilege	2268	wmic.exe
Token: SeShutdownPrivilege	2268	wmic.exe
Token: SeDebugPrivilege	2268	wmic.exe
Token: SeSystemEnvironmentPrivilege	2268	wmic.exe
Token: SeRemoteShutdownPrivilege	2268	wmic.exe
Token: SeUndockPrivilege	2268	wmic.exe
Token: SeManageVolumePrivilege	2268	wmic.exe
Token: 33	2268	wmic.exe
Token: 34	2268	wmic.exe
Token: 35	2268	wmic.exe
Token: 36	2268	wmic.exe
Token: SeIncreaseQuotaPrivilege	2268	wmic.exe
Token: SeSecurityPrivilege	2268	wmic.exe
Token: SeTakeOwnershipPrivilege	2268	wmic.exe
Token: SeLoadDriverPrivilege	2268	wmic.exe
Token: SeSystemProfilePrivilege	2268	wmic.exe
Token: SeSystemtimePrivilege	2268	wmic.exe
Token: SeProfSingleProcessPrivilege	2268	wmic.exe
Token: SeIncBasePriorityPrivilege	2268	wmic.exe
Token: SeCreatePagefilePrivilege	2268	wmic.exe
Token: SeBackupPrivilege	2268	wmic.exe
Token: SeRestorePrivilege	2268	wmic.exe
Token: SeShutdownPrivilege	2268	wmic.exe
Token: SeDebugPrivilege	2268	wmic.exe
Token: SeSystemEnvironmentPrivilege	2268	wmic.exe
Token: SeRemoteShutdownPrivilege	2268	wmic.exe
Token: SeUndockPrivilege	2268	wmic.exe
Token: SeManageVolumePrivilege	2268	wmic.exe
Token: 33	2268	wmic.exe
Token: 34	2268	wmic.exe
Token: 35	2268	wmic.exe
Token: 36	2268	wmic.exe
Token: SeDebugPrivilege	1084	powershell.exe
Token: SeIncreaseQuotaPrivilege	1084	powershell.exe
Token: SeSecurityPrivilege	1084	powershell.exe
Token: SeTakeOwnershipPrivilege	1084	powershell.exe
Token: SeLoadDriverPrivilege	1084	powershell.exe
Token: SeSystemProfilePrivilege	1084	powershell.exe
Token: SeSystemtimePrivilege	1084	powershell.exe
Token: SeProfSingleProcessPrivilege	1084	powershell.exe
Token: SeIncBasePriorityPrivilege	1084	powershell.exe
Token: SeCreatePagefilePrivilege	1084	powershell.exe
Token: SeBackupPrivilege	1084	powershell.exe
Token: SeRestorePrivilege	1084	powershell.exe
Token: SeShutdownPrivilege	1084	powershell.exe
Token: SeDebugPrivilege	1084	powershell.exe
Token: SeSystemEnvironmentPrivilege	1084	powershell.exe
Token: SeRemoteShutdownPrivilege	1084	powershell.exe
Token: SeUndockPrivilege	1084	powershell.exe
Token: SeManageVolumePrivilege	1084	powershell.exe
Token: 33	1084	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3760	Solara.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2584 wrote to memory of 5036	2584	Bootstrapper.exe	73
PID 2584 wrote to memory of 5036	2584	Bootstrapper.exe	73
PID 2584 wrote to memory of 1444	2584	Bootstrapper.exe	74
PID 2584 wrote to memory of 1444	2584	Bootstrapper.exe	74
PID 2584 wrote to memory of 3760	2584	Bootstrapper.exe	76
PID 2584 wrote to memory of 3760	2584	Bootstrapper.exe	76
PID 2584 wrote to memory of 1448	2584	Bootstrapper.exe	77
PID 2584 wrote to memory of 1448	2584	Bootstrapper.exe	77
PID 5036 wrote to memory of 592	5036	WScript.exe	78
PID 5036 wrote to memory of 592	5036	WScript.exe	78
PID 1448 wrote to memory of 2268	1448	StartMenu.exe	80
PID 1448 wrote to memory of 2268	1448	StartMenu.exe	80
PID 3760 wrote to memory of 1084	3760	Solara.exe	85
PID 3760 wrote to memory of 1084	3760	Solara.exe	85
PID 3760 wrote to memory of 4976	3760	Solara.exe	88
PID 3760 wrote to memory of 4976	3760	Solara.exe	88
PID 3760 wrote to memory of 2376	3760	Solara.exe	90
PID 3760 wrote to memory of 2376	3760	Solara.exe	90
PID 3760 wrote to memory of 2896	3760	Solara.exe	92
PID 3760 wrote to memory of 2896	3760	Solara.exe	92
PID 3760 wrote to memory of 1900	3760	Solara.exe	94
PID 3760 wrote to memory of 1900	3760	Solara.exe	94

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2584
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Defender_Settings.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5036
- - C:\Program Files\Windows Defender\MSASCui.exe
    "C:\Program Files\Windows Defender\MSASCui.exe"
    3⤵
    PID:592
- C:\Users\Admin\AppData\Local\Temp\Bootstrapper-1.exe
  "C:\Users\Admin\AppData\Local\Temp\Bootstrapper-1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1444
- C:\Users\Admin\AppData\Local\Temp\Solara.exe
  "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3760
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1084
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Solara.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4976
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2376
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2896
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1900
- C:\Users\Admin\AppData\Local\Temp\StartMenu.exe
  "C:\Users\Admin\AppData\Local\Temp\StartMenu.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1448
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2268

C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
- Executes dropped EXE
PID:2684

C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
- Executes dropped EXE
PID:4100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XClient.exe.log

Filesize
654B

MD5
16c5fce5f7230eea11598ec11ed42862

SHA1
75392d4824706090f5e8907eee1059349c927600

SHA256
87ba77c13905298acbac72be90949c4fe0755b6eff9777615aa37f252515f151

SHA512
153edd6da59beea6cc411ed7383c32916425d6ebb65f04c65aab7c1d6b25443d143aa8449aa92149de0ad8a975f6ecaa60f9f7574536eec6b38fe5fd3a6c6adc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ec75a995dd901cc5c28bca26d22d0c33

SHA1
1038a8207b4933ac584c2a50d4ffa59ba495057d

SHA256
75ea542965fd4540cd49a1cb6caff8523eec7a240d809a395176d12d1e5cf424

SHA512
a1512d5910d6b126dc65df4152f00d4d47ba77b53d3369ee4c04ec114b3c634e9c02fbd9f4eb43d896ee8c991db1db2ffa5c5c89e203ca03224006bc3a70427a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6da0bbb1e65e2a770e1f7d5e89312a64

SHA1
f87b5245a95bed19079eea5bec514b1b04c9259d

SHA256
6d97a52dab093b9632ab30ce69de78fb52cbcbfc762203bedafa54f87cb2a33b

SHA512
06d93fb16fd9f96571676cd92d3cbfce1b1d730e48c1fe48b6c85e915537b730a8a4a40da34f41f26262b65e3ae7eb46be8c2ff59e7c6d94af83c1ddfddcc74e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
de5642041d59e0ddf86938075c0691ef

SHA1
f51a2e5e4f1d65e4de80a3da203db81e3b38c1c8

SHA256
43a486bf9ac1b77650d31ef5636a5f39df6a607ba740fa41f6cb9334a790bb00

SHA512
a0b0a5ae2ca7a1044b66fb8f90b45e1b1f1a1b97bd937c8265772b2863d026060f8cc9ed0483b5f72984d14b262c8ca05e8031f0278bcad05b8e06fd4629c4ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bootstrapper-1.exe

Filesize
796KB

MD5
4b94b989b0fe7bec6311153b309dfe81

SHA1
bb50a4bb8a66f0105c5b74f32cd114c672010b22

SHA256
7c4283f5e620b2506bcb273f947def4435d95e143ae3067a783fd3adc873a659

SHA512
fbbe60cf3e5d028d906e7d444b648f7dff8791c333834db8119e0a950532a75fda2e9bd5948f0b210904667923eb7b2c0176140babc497955d227e7d80fb109d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Defender_Settings.vbs

Filesize
313B

MD5
b0bf0a477bcca312021177572311e666

SHA1
ea77332d7779938ae8e92ad35d6dea4f4be37a92

SHA256
af42a17d428c8e9d6f4a6d3393ec268f4d12bbfd01a897d87275482a45c847e9

SHA512
09366608f2670d2eb0e8ddcacd081a7b2d7b680c4cdd02494d08821dbdf17595b30e88f6ce0888591592e7caa422414a895846a268fd63e8243074972c9f52d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.exe

Filesize
84KB

MD5
32d66fa285a7675247940a88a3e769a7

SHA1
e84adbd91dfeb480cd694e41fbef4beeadfe30ef

SHA256
36cd4e911af166e6b3e72a5fd957c99779cdcd8a86aa5a38788302f02a94dce1

SHA512
15f66dbc0595ca36931860ca769d75f7f56226eeed137a3451d491b3eb8d52850bbff2cd5c7729a5f529850ce4c3cd133958d94bb88a142d4455e1e65ff73453

Download Submit
C:\Users\Admin\AppData\Local\Temp\StartMenu.exe

Filesize
229KB

MD5
46dada61944a20f74ebc3723450a414a

SHA1
0ebfb78421ec8d8e84c4edb14dc9c493d83be78d

SHA256
25c60664ed6534d445c98ae922ad708410f7546a059dd31a38086097c236494c

SHA512
aa40fa81013bb6e9df2e1e0b9c3b06b7afbf85dbb77eaf58ffa8694358a35ee703ffbe761f3241a5df244ce95c9c2d223f101b136c3ba50bc8893e48177550af

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bn50ifwd.3lj.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/1084-34-0x0000022CEE7A0000-0x0000022CEE7C2000-memory.dmp

Filesize
136KB

Download
memory/1084-37-0x0000022CEE950000-0x0000022CEE9C6000-memory.dmp

Filesize
472KB

Download
memory/1444-27-0x000002298B8E0000-0x000002298B9AE000-memory.dmp

Filesize
824KB

Download
memory/1448-22-0x0000018A46130000-0x0000018A46170000-memory.dmp

Filesize
256KB

Download
memory/2584-23-0x00007FFF034F0000-0x00007FFF03EDC000-memory.dmp

Filesize
9.9MB

Download
memory/2584-0-0x00007FFF034F3000-0x00007FFF034F4000-memory.dmp

Filesize
4KB

Download
memory/2584-7-0x00007FFF034F0000-0x00007FFF03EDC000-memory.dmp

Filesize
9.9MB

Download
memory/2584-1-0x00000000007C0000-0x0000000000832000-memory.dmp

Filesize
456KB

Download
memory/3760-24-0x0000000000E80000-0x0000000000E9C000-memory.dmp

Filesize
112KB

Download
memory/3760-25-0x00007FFF034F0000-0x00007FFF03EDC000-memory.dmp

Filesize
9.9MB

Download
memory/3760-209-0x00007FFF034F0000-0x00007FFF03EDC000-memory.dmp

Filesize
9.9MB

Download