umbral | 8e3ca6388350b76e63e673c31dc7fea8772156f640c0d76c8ddd8e552c9f8e90

Analysis

max time kernel
50s
max time network
44s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
31-08-2024 18:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

xWorm+v5.6.exe
Size

12.0MB
MD5

a97ea9e6786a02d1651e023b8e2b6aa1
SHA1

5614e602de8ef7c1095450f5053ed14c8e17f31e
SHA256

8e3ca6388350b76e63e673c31dc7fea8772156f640c0d76c8ddd8e552c9f8e90
SHA512

894c898d1c1b64353bf4f38cbdb477596d780b137a06c2012932c05dddbba4f4f850b76ba0da930b8b626ae6a3b14013ff319a71cb030332dbb9fbd6859b20b8
SSDEEP

6144:5MaUDc37elZKI7ig55JIuzRt4qDKYrYHsW73:FT3wF5JIKRt4qmBsW7

Score

10^/10

umbral xworm credential_access discovery execution persistence rat spyware stealer trojan

Malware Config

Extracted

Family

umbral

https://canary.discord.com/api/webhooks/1279146469588340746/OZT0SJ0y5zhhi2z7H8eJ576F3-SmO2zrejY7aiS_DYX6c0ea5nuejVV4CjY8Hs9MDl_G

Extracted

Family

xworm

Version

5.0

japanese-longer.gl.at.ply.gg:28461

Mutex

MDePCKGcpJNC9Aji

Attributes

Install_directory
%AppData%
install_file
XClient.exe

aes.plain

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0003000000022ab1-23.dat	family_umbral
behavioral1/memory/3700-26-0x000001C6A2CD0000-0x000001C6A2D10000-memory.dmp	family_umbral

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000400000001da3a-6.dat	family_xworm
behavioral1/memory/3412-28-0x0000000000C00000-0x0000000000C38000-memory.dmp	family_xworm

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2644	powershell.exe
2156	powershell.exe
3048	powershell.exe
4864	powershell.exe
4596	powershell.exe
2268	powershell.exe
1268	powershell.exe
4688	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Grabb.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	xWorm+v5.6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Cloner.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	Cloner.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	Cloner.exe

Executes dropped EXE 3 IoCs

pid	Process
3412	Cloner.exe
3700	Grabb.exe
4540	XClient.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	Cloner.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
23	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2764	cmd.exe
2844	PING.EXE

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3032	wmic.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2844	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4104	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3700	Grabb.exe
2644	powershell.exe
2644	powershell.exe
1268	powershell.exe
1268	powershell.exe
4688	powershell.exe
4688	powershell.exe
2156	powershell.exe
2156	powershell.exe
4772	powershell.exe
4772	powershell.exe
3048	powershell.exe
3048	powershell.exe
4864	powershell.exe
4864	powershell.exe
4596	powershell.exe
4596	powershell.exe
2268	powershell.exe
2268	powershell.exe
3412	Cloner.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3412	Cloner.exe
3412	Cloner.exe
3412	Cloner.exe
3412	Cloner.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3412	Cloner.exe
Token: SeDebugPrivilege	3700	Grabb.exe
Token: SeIncreaseQuotaPrivilege	1764	wmic.exe
Token: SeSecurityPrivilege	1764	wmic.exe
Token: SeTakeOwnershipPrivilege	1764	wmic.exe
Token: SeLoadDriverPrivilege	1764	wmic.exe
Token: SeSystemProfilePrivilege	1764	wmic.exe
Token: SeSystemtimePrivilege	1764	wmic.exe
Token: SeProfSingleProcessPrivilege	1764	wmic.exe
Token: SeIncBasePriorityPrivilege	1764	wmic.exe
Token: SeCreatePagefilePrivilege	1764	wmic.exe
Token: SeBackupPrivilege	1764	wmic.exe
Token: SeRestorePrivilege	1764	wmic.exe
Token: SeShutdownPrivilege	1764	wmic.exe
Token: SeDebugPrivilege	1764	wmic.exe
Token: SeSystemEnvironmentPrivilege	1764	wmic.exe
Token: SeRemoteShutdownPrivilege	1764	wmic.exe
Token: SeUndockPrivilege	1764	wmic.exe
Token: SeManageVolumePrivilege	1764	wmic.exe
Token: 33	1764	wmic.exe
Token: 34	1764	wmic.exe
Token: 35	1764	wmic.exe
Token: 36	1764	wmic.exe
Token: SeIncreaseQuotaPrivilege	1764	wmic.exe
Token: SeSecurityPrivilege	1764	wmic.exe
Token: SeTakeOwnershipPrivilege	1764	wmic.exe
Token: SeLoadDriverPrivilege	1764	wmic.exe
Token: SeSystemProfilePrivilege	1764	wmic.exe
Token: SeSystemtimePrivilege	1764	wmic.exe
Token: SeProfSingleProcessPrivilege	1764	wmic.exe
Token: SeIncBasePriorityPrivilege	1764	wmic.exe
Token: SeCreatePagefilePrivilege	1764	wmic.exe
Token: SeBackupPrivilege	1764	wmic.exe
Token: SeRestorePrivilege	1764	wmic.exe
Token: SeShutdownPrivilege	1764	wmic.exe
Token: SeDebugPrivilege	1764	wmic.exe
Token: SeSystemEnvironmentPrivilege	1764	wmic.exe
Token: SeRemoteShutdownPrivilege	1764	wmic.exe
Token: SeUndockPrivilege	1764	wmic.exe
Token: SeManageVolumePrivilege	1764	wmic.exe
Token: 33	1764	wmic.exe
Token: 34	1764	wmic.exe
Token: 35	1764	wmic.exe
Token: 36	1764	wmic.exe
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeDebugPrivilege	1268	powershell.exe
Token: SeDebugPrivilege	4688	powershell.exe
Token: SeDebugPrivilege	2156	powershell.exe
Token: SeDebugPrivilege	4772	powershell.exe
Token: SeDebugPrivilege	3048	powershell.exe
Token: SeDebugPrivilege	4864	powershell.exe
Token: SeDebugPrivilege	4596	powershell.exe
Token: SeIncreaseQuotaPrivilege	3020	wmic.exe
Token: SeSecurityPrivilege	3020	wmic.exe
Token: SeTakeOwnershipPrivilege	3020	wmic.exe
Token: SeLoadDriverPrivilege	3020	wmic.exe
Token: SeSystemProfilePrivilege	3020	wmic.exe
Token: SeSystemtimePrivilege	3020	wmic.exe
Token: SeProfSingleProcessPrivilege	3020	wmic.exe
Token: SeIncBasePriorityPrivilege	3020	wmic.exe
Token: SeCreatePagefilePrivilege	3020	wmic.exe
Token: SeBackupPrivilege	3020	wmic.exe
Token: SeRestorePrivilege	3020	wmic.exe
Token: SeShutdownPrivilege	3020	wmic.exe

Suspicious use of FindShellTrayWindow 53 IoCs

pid	Process
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe

Suspicious use of SendNotifyMessage 52 IoCs

pid	Process
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe
3928	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3412	Cloner.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 3412	2148	xWorm+v5.6.exe	87
PID 2148 wrote to memory of 3412	2148	xWorm+v5.6.exe	87
PID 2148 wrote to memory of 3700	2148	xWorm+v5.6.exe	88
PID 2148 wrote to memory of 3700	2148	xWorm+v5.6.exe	88
PID 3700 wrote to memory of 1764	3700	Grabb.exe	89
PID 3700 wrote to memory of 1764	3700	Grabb.exe	89
PID 3700 wrote to memory of 3228	3700	Grabb.exe	92
PID 3700 wrote to memory of 3228	3700	Grabb.exe	92
PID 3700 wrote to memory of 2644	3700	Grabb.exe	94
PID 3700 wrote to memory of 2644	3700	Grabb.exe	94
PID 3700 wrote to memory of 1268	3700	Grabb.exe	96
PID 3700 wrote to memory of 1268	3700	Grabb.exe	96
PID 3700 wrote to memory of 4688	3700	Grabb.exe	98
PID 3700 wrote to memory of 4688	3700	Grabb.exe	98
PID 3412 wrote to memory of 2156	3412	Cloner.exe	100
PID 3412 wrote to memory of 2156	3412	Cloner.exe	100
PID 3700 wrote to memory of 4772	3700	Grabb.exe	102
PID 3700 wrote to memory of 4772	3700	Grabb.exe	102
PID 3412 wrote to memory of 3048	3412	Cloner.exe	104
PID 3412 wrote to memory of 3048	3412	Cloner.exe	104
PID 3412 wrote to memory of 4864	3412	Cloner.exe	106
PID 3412 wrote to memory of 4864	3412	Cloner.exe	106
PID 3412 wrote to memory of 4596	3412	Cloner.exe	108
PID 3412 wrote to memory of 4596	3412	Cloner.exe	108
PID 3700 wrote to memory of 3020	3700	Grabb.exe	110
PID 3700 wrote to memory of 3020	3700	Grabb.exe	110
PID 3700 wrote to memory of 644	3700	Grabb.exe	112
PID 3700 wrote to memory of 644	3700	Grabb.exe	112
PID 3700 wrote to memory of 1972	3700	Grabb.exe	114
PID 3700 wrote to memory of 1972	3700	Grabb.exe	114
PID 3700 wrote to memory of 2268	3700	Grabb.exe	116
PID 3700 wrote to memory of 2268	3700	Grabb.exe	116
PID 3412 wrote to memory of 4104	3412	Cloner.exe	118
PID 3412 wrote to memory of 4104	3412	Cloner.exe	118
PID 3700 wrote to memory of 3032	3700	Grabb.exe	120
PID 3700 wrote to memory of 3032	3700	Grabb.exe	120
PID 3700 wrote to memory of 2764	3700	Grabb.exe	126
PID 3700 wrote to memory of 2764	3700	Grabb.exe	126
PID 2764 wrote to memory of 2844	2764	cmd.exe	128
PID 2764 wrote to memory of 2844	2764	cmd.exe	128

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3228	attrib.exe

C:\Users\Admin\AppData\Local\Temp\xWorm+v5.6.exe
"C:\Users\Admin\AppData\Local\Temp\xWorm+v5.6.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Users\Admin\AppData\Local\Temp\Cloner.exe
  "C:\Users\Admin\AppData\Local\Temp\Cloner.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3412
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Cloner.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2156
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Cloner.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3048
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4864
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4596
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4104
- C:\Users\Admin\AppData\Local\Temp\Grabb.exe
  "C:\Users\Admin\AppData\Local\Temp\Grabb.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3700
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1764
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Grabb.exe"
    3⤵
    - Views/modifies file attributes
    PID:3228
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Grabb.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2644
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1268
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4688
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4772
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3020
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:644
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:1972
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2268
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:3032
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Grabb.exe" && pause
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:2764
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2844

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3928

C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
- Executes dropped EXE
PID:4540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
96ff1ee586a153b4e7ce8661cabc0442

SHA1
140d4ff1840cb40601489f3826954386af612136

SHA256
0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

SHA512
3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
22310ad6749d8cc38284aa616efcd100

SHA1
440ef4a0a53bfa7c83fe84326a1dff4326dcb515

SHA256
55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf

SHA512
2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
8084668a155acd715e33a95409af239b

SHA1
a6e674ed1b20a1fd71f6fea064a6920e2728bfef

SHA256
1e21d1dae32408fbe6772e627caecd4a129f36fac22ed51e064de4c179185da4

SHA512
015081005c3b6134589f09216dc518532df84ca3af540c3fc65e5e39e909376d1e56ef2f28e1ca7d5b11a84291ed0cf7f384d337bde1180be2c0c857160f3dc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
15dde0683cd1ca19785d7262f554ba93

SHA1
d039c577e438546d10ac64837b05da480d06bf69

SHA256
d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961

SHA512
57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
966914e2e771de7a4a57a95b6ecfa8a9

SHA1
7a32282fd51dd032967ed4d9a40cc57e265aeff2

SHA256
98d3c70d7004fa807897317bd6cd3e977b9b6c72d4d2565aca0f9f8b1c315cba

SHA512
dc39c7124a9c7c8d4c7e8e16290c46360b8d9a8f4e43edaacbbeb09bdcf20159a53db54d2b322372001b6a3de52b2f88e9088b5fdbc7638816ae0d122bb015f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cloner.exe

Filesize
204KB

MD5
5f43c0499a7d7947f5feb5db1a8726f0

SHA1
3eb4045f1287531843d11e52423472b54494b02b

SHA256
2824d0b186c90e04ab56e026c018e7f521e2127bd526d9fca008eaa613fe4012

SHA512
c7aaee50c4c13b711a46511611c27eb2d6bd92ef26b0b7627f63f34ee45d1386cad819accfd267e89574eea21a5f752706878824f4996b9a7faa4d742789752a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Grabb.exe

Filesize
231KB

MD5
aa72c54d54f7dcef7482efd77fffe5eb

SHA1
76689cf7194fbf0f0deb4ec2e1d29cdddbceecf0

SHA256
bd9152eb61004161c21b7b2af7873a07dddb6e2fb5966b021825ebaf9b7ff9b0

SHA512
3e1e8c6869d5447fe6c154a095981f3fc1d8638154c22b29c6bf68e4269161431b392d143f7c866c7ea7a828c0a225bf6e341465c9e9e6a96e7a5072bc1c91ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_d1so0jl3.oai.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Filesize
771B

MD5
5dbcb9223eb84dc9658110c6e7b51f5a

SHA1
cbf0c3e186935d2c9f466cd9b848d2b1701b1a09

SHA256
6d9a5ed7c455e61b6a011235bf9255f27fdd1cd726290d26811abe9a2fbcab81

SHA512
13578dcbd0bbc9e6346f62ee497238da3611e56fc40f01bd9baccbcd4ad768cc104b36f8d57623b592d1a0f32aa3d23edb04188e313ca122210dab4a67855aab

Download Submit
memory/2148-0-0x00007FF9FEBA3000-0x00007FF9FEBA5000-memory.dmp

Filesize
8KB

Download
memory/2148-30-0x00007FF9FEBA0000-0x00007FF9FF661000-memory.dmp

Filesize
10.8MB

Download
memory/2148-10-0x00007FF9FEBA0000-0x00007FF9FF661000-memory.dmp

Filesize
10.8MB

Download
memory/2148-1-0x0000000000FC0000-0x0000000001000000-memory.dmp

Filesize
256KB

Download
memory/2644-36-0x00000247C6920000-0x00000247C6942000-memory.dmp

Filesize
136KB

Download
memory/3412-180-0x0000000001590000-0x000000000159C000-memory.dmp

Filesize
48KB

Download
memory/3412-163-0x00007FF9FEBA0000-0x00007FF9FF661000-memory.dmp

Filesize
10.8MB

Download
memory/3412-27-0x00007FF9FEBA0000-0x00007FF9FF661000-memory.dmp

Filesize
10.8MB

Download
memory/3412-28-0x0000000000C00000-0x0000000000C38000-memory.dmp

Filesize
224KB

Download
memory/3700-29-0x00007FF9FEBA0000-0x00007FF9FF661000-memory.dmp

Filesize
10.8MB

Download
memory/3700-116-0x000001C6BD4A0000-0x000001C6BD4B2000-memory.dmp

Filesize
72KB

Download
memory/3700-115-0x000001C6BD140000-0x000001C6BD14A000-memory.dmp

Filesize
40KB

Download
memory/3700-59-0x000001C6BD510000-0x000001C6BD52E000-memory.dmp

Filesize
120KB

Download
memory/3700-162-0x00007FF9FEBA0000-0x00007FF9FF661000-memory.dmp

Filesize
10.8MB

Download
memory/3700-58-0x000001C6BD3A0000-0x000001C6BD3F0000-memory.dmp

Filesize
320KB

Download
memory/3700-26-0x000001C6A2CD0000-0x000001C6A2D10000-memory.dmp

Filesize
256KB

Download
memory/3700-57-0x000001C6BD420000-0x000001C6BD496000-memory.dmp

Filesize
472KB

Download
memory/3928-170-0x0000023462390000-0x0000023462391000-memory.dmp

Filesize
4KB

Download
memory/3928-165-0x0000023462390000-0x0000023462391000-memory.dmp

Filesize
4KB

Download
memory/3928-176-0x0000023462390000-0x0000023462391000-memory.dmp

Filesize
4KB

Download
memory/3928-175-0x0000023462390000-0x0000023462391000-memory.dmp

Filesize
4KB

Download
memory/3928-174-0x0000023462390000-0x0000023462391000-memory.dmp

Filesize
4KB

Download
memory/3928-173-0x0000023462390000-0x0000023462391000-memory.dmp

Filesize
4KB

Download
memory/3928-172-0x0000023462390000-0x0000023462391000-memory.dmp

Filesize
4KB

Download
memory/3928-171-0x0000023462390000-0x0000023462391000-memory.dmp

Filesize
4KB

Download
memory/3928-166-0x0000023462390000-0x0000023462391000-memory.dmp

Filesize
4KB

Download
memory/3928-164-0x0000023462390000-0x0000023462391000-memory.dmp

Filesize
4KB

Download