asyncrat | d51154dab49e7c3199cb9fd75aa5c7f9eb58ed74c8ea5eb40601ee484dc0b578

Analysis

max time kernel
30s
max time network
30s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
02-09-2024 09:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

neverlose crack.exe
Size

295KB
MD5

01cc2b2bcef2f12ab9a10905f999027d
SHA1

c62bb9b1532dc3f8638cc1ab5eb3b5f5185c2b40
SHA256

d51154dab49e7c3199cb9fd75aa5c7f9eb58ed74c8ea5eb40601ee484dc0b578
SHA512

025af3ae3fa059e364ef933cff47327436f08fb18379377caf7e71ced86f2c8adb4f56a79a643f3072c21b06e9e9b97f5945b9bdff1d29e798c6d9a5c3360d5c
SSDEEP

6144:DVOuy8Et9vsiTzIpoOhYyC8M4i7jyVvdOe4BWH5Y5/zu4cCGb19e:bFigGOTCz17jy9Yer6dzIpi

Score

10^/10

asyncrat njrat umbral xworm victim credential_access discovery evasion execution persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

meeting-compound.gl.at.ply.gg:44256

Attributes

Install_directory
%AppData%
install_file
USB.exe

Extracted

Family

asyncrat

Botnet

Victim

127.0.0.1:1504

127.0.0.1:44256

meeting-compound.gl.at.ply.gg:1504

meeting-compound.gl.at.ply.gg:44256

Attributes

delay
1
install
true
install_file
System.exe
install_folder
%AppData%

aes.plain

Extracted

Family

umbral

https://discord.com/api/webhooks/1273828074898718851/qR9eE6omxJxFL_jVry1J18IsVQ6bHhsk5rGr5VLxyO-92VJHyGPK43BBNMWtaUG56gE2

Extracted

Family

njrat

Version

<- NjRAT 0.7d Horror Edition ->

Botnet

Victim

meeting-compound.gl.at.ply.gg:1504

Mutex

f8ff2d3def0ea5927a14148fb1c0ef4a

Attributes

reg_key
f8ff2d3def0ea5927a14148fb1c0ef4a
splitter
Y262SUCZ4UJJ

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral2/files/0x00060000000186ef-17.dat	family_umbral
behavioral2/memory/2500-39-0x0000000000FD0000-0x0000000001010000-memory.dmp	family_umbral

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x00090000000120fa-3.dat	family_xworm
behavioral2/memory/3040-37-0x0000000000040000-0x0000000000056000-memory.dmp	family_xworm

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x00070000000186ed-9.dat	family_asyncrat

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2008	powershell.exe
2380	powershell.exe
1044	powershell.exe
3016	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
2568	attrib.exe
2700	attrib.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WizClient.lnk	WizClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WizClient.lnk	WizClient.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f8ff2d3def0ea5927a14148fb1c0ef4a.exe	dllhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f8ff2d3def0ea5927a14148fb1c0ef4a.exe	dllhost.exe

Executes dropped EXE 8 IoCs

pid	Process
3040	WizClient.exe
1764	INSTALLER1.exe
2500	Umbral.exe
1880	WmZWbh4b.exe
1864	Payload.exe
1416	System.exe
1716	dllhost.exe
2508	$77svchost.exe

Loads dropped DLL 7 IoCs

pid	Process
2408	neverlose crack.exe
2408	neverlose crack.exe
2408	neverlose crack.exe
2408	neverlose crack.exe
2408	neverlose crack.exe
1864	Payload.exe
1520	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\WizClient = "C:\\Users\\Admin\\AppData\\Roaming\\WizClient.exe"	WizClient.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\f8ff2d3def0ea5927a14148fb1c0ef4a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\dllhost.exe\" .."	dllhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\f8ff2d3def0ea5927a14148fb1c0ef4a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\dllhost.exe\" .."	dllhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\Exec\\$77svchost.exe\""	WmZWbh4b.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
10	discord.com
11	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	neverlose crack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Payload.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3012	cmd.exe
2704	PING.EXE

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
2920	timeout.exe
1388	timeout.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2996	wmic.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2784	reg.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	WizClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	WizClient.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2704	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1104	schtasks.exe
316	schtasks.exe
1896	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1764	INSTALLER1.exe
1764	INSTALLER1.exe
1764	INSTALLER1.exe
1764	INSTALLER1.exe
1764	INSTALLER1.exe
2500	Umbral.exe
3016	powershell.exe
2008	powershell.exe
3040	WizClient.exe
2380	powershell.exe
1416	System.exe
1956	powershell.exe
1416	System.exe
1416	System.exe
1416	System.exe
1416	System.exe
1880	WmZWbh4b.exe
1880	WmZWbh4b.exe
1880	WmZWbh4b.exe
1416	System.exe
1416	System.exe
1416	System.exe
1416	System.exe
1416	System.exe
1416	System.exe
1416	System.exe
1416	System.exe
1416	System.exe
1416	System.exe
1416	System.exe
1416	System.exe
1416	System.exe
1416	System.exe
1416	System.exe
1416	System.exe
1416	System.exe
1416	System.exe
1416	System.exe
1416	System.exe
1416	System.exe
1416	System.exe
1416	System.exe
1416	System.exe
1416	System.exe
1044	powershell.exe
1416	System.exe
1416	System.exe
1416	System.exe
1416	System.exe
1416	System.exe
1416	System.exe
1416	System.exe
1416	System.exe
1416	System.exe
1416	System.exe
1416	System.exe
1416	System.exe
1416	System.exe
1416	System.exe
1416	System.exe
1416	System.exe
1416	System.exe
1416	System.exe
1416	System.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1716	dllhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3040	WizClient.exe
Token: SeDebugPrivilege	2500	Umbral.exe
Token: SeDebugPrivilege	1764	INSTALLER1.exe
Token: SeDebugPrivilege	1764	INSTALLER1.exe
Token: SeIncreaseQuotaPrivilege	1520	wmic.exe
Token: SeSecurityPrivilege	1520	wmic.exe
Token: SeTakeOwnershipPrivilege	1520	wmic.exe
Token: SeLoadDriverPrivilege	1520	wmic.exe
Token: SeSystemProfilePrivilege	1520	wmic.exe
Token: SeSystemtimePrivilege	1520	wmic.exe
Token: SeProfSingleProcessPrivilege	1520	wmic.exe
Token: SeIncBasePriorityPrivilege	1520	wmic.exe
Token: SeCreatePagefilePrivilege	1520	wmic.exe
Token: SeBackupPrivilege	1520	wmic.exe
Token: SeRestorePrivilege	1520	wmic.exe
Token: SeShutdownPrivilege	1520	wmic.exe
Token: SeDebugPrivilege	1520	wmic.exe
Token: SeSystemEnvironmentPrivilege	1520	wmic.exe
Token: SeRemoteShutdownPrivilege	1520	wmic.exe
Token: SeUndockPrivilege	1520	wmic.exe
Token: SeManageVolumePrivilege	1520	wmic.exe
Token: 33	1520	wmic.exe
Token: 34	1520	wmic.exe
Token: 35	1520	wmic.exe
Token: SeIncreaseQuotaPrivilege	1520	wmic.exe
Token: SeSecurityPrivilege	1520	wmic.exe
Token: SeTakeOwnershipPrivilege	1520	wmic.exe
Token: SeLoadDriverPrivilege	1520	wmic.exe
Token: SeSystemProfilePrivilege	1520	wmic.exe
Token: SeSystemtimePrivilege	1520	wmic.exe
Token: SeProfSingleProcessPrivilege	1520	wmic.exe
Token: SeIncBasePriorityPrivilege	1520	wmic.exe
Token: SeCreatePagefilePrivilege	1520	wmic.exe
Token: SeBackupPrivilege	1520	wmic.exe
Token: SeRestorePrivilege	1520	wmic.exe
Token: SeShutdownPrivilege	1520	wmic.exe
Token: SeDebugPrivilege	1520	wmic.exe
Token: SeSystemEnvironmentPrivilege	1520	wmic.exe
Token: SeRemoteShutdownPrivilege	1520	wmic.exe
Token: SeUndockPrivilege	1520	wmic.exe
Token: SeManageVolumePrivilege	1520	wmic.exe
Token: 33	1520	wmic.exe
Token: 34	1520	wmic.exe
Token: 35	1520	wmic.exe
Token: SeBackupPrivilege	600	vssvc.exe
Token: SeRestorePrivilege	600	vssvc.exe
Token: SeAuditPrivilege	600	vssvc.exe
Token: SeDebugPrivilege	3016	powershell.exe
Token: SeDebugPrivilege	2008	powershell.exe
Token: SeDebugPrivilege	3040	WizClient.exe
Token: SeDebugPrivilege	2380	powershell.exe
Token: SeDebugPrivilege	1416	System.exe
Token: SeDebugPrivilege	1956	powershell.exe
Token: SeDebugPrivilege	1416	System.exe
Token: SeDebugPrivilege	1880	WmZWbh4b.exe
Token: SeIncreaseQuotaPrivilege	3048	wmic.exe
Token: SeSecurityPrivilege	3048	wmic.exe
Token: SeTakeOwnershipPrivilege	3048	wmic.exe
Token: SeLoadDriverPrivilege	3048	wmic.exe
Token: SeSystemProfilePrivilege	3048	wmic.exe
Token: SeSystemtimePrivilege	3048	wmic.exe
Token: SeProfSingleProcessPrivilege	3048	wmic.exe
Token: SeIncBasePriorityPrivilege	3048	wmic.exe
Token: SeCreatePagefilePrivilege	3048	wmic.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3040	WizClient.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 3040	2408	neverlose crack.exe	30
PID 2408 wrote to memory of 3040	2408	neverlose crack.exe	30
PID 2408 wrote to memory of 3040	2408	neverlose crack.exe	30
PID 2408 wrote to memory of 3040	2408	neverlose crack.exe	30
PID 2408 wrote to memory of 1764	2408	neverlose crack.exe	31
PID 2408 wrote to memory of 1764	2408	neverlose crack.exe	31
PID 2408 wrote to memory of 1764	2408	neverlose crack.exe	31
PID 2408 wrote to memory of 1764	2408	neverlose crack.exe	31
PID 2408 wrote to memory of 2500	2408	neverlose crack.exe	32
PID 2408 wrote to memory of 2500	2408	neverlose crack.exe	32
PID 2408 wrote to memory of 2500	2408	neverlose crack.exe	32
PID 2408 wrote to memory of 2500	2408	neverlose crack.exe	32
PID 2408 wrote to memory of 1880	2408	neverlose crack.exe	33
PID 2408 wrote to memory of 1880	2408	neverlose crack.exe	33
PID 2408 wrote to memory of 1880	2408	neverlose crack.exe	33
PID 2408 wrote to memory of 1880	2408	neverlose crack.exe	33
PID 2408 wrote to memory of 1864	2408	neverlose crack.exe	34
PID 2408 wrote to memory of 1864	2408	neverlose crack.exe	34
PID 2408 wrote to memory of 1864	2408	neverlose crack.exe	34
PID 2408 wrote to memory of 1864	2408	neverlose crack.exe	34
PID 1764 wrote to memory of 2720	1764	INSTALLER1.exe	36
PID 1764 wrote to memory of 2720	1764	INSTALLER1.exe	36
PID 1764 wrote to memory of 2720	1764	INSTALLER1.exe	36
PID 1764 wrote to memory of 2672	1764	INSTALLER1.exe	38
PID 1764 wrote to memory of 2672	1764	INSTALLER1.exe	38
PID 1764 wrote to memory of 2672	1764	INSTALLER1.exe	38
PID 2720 wrote to memory of 1104	2720	cmd.exe	40
PID 2720 wrote to memory of 1104	2720	cmd.exe	40
PID 2720 wrote to memory of 1104	2720	cmd.exe	40
PID 2672 wrote to memory of 2920	2672	cmd.exe	41
PID 2672 wrote to memory of 2920	2672	cmd.exe	41
PID 2672 wrote to memory of 2920	2672	cmd.exe	41
PID 3040 wrote to memory of 316	3040	WizClient.exe	42
PID 3040 wrote to memory of 316	3040	WizClient.exe	42
PID 3040 wrote to memory of 316	3040	WizClient.exe	42
PID 2500 wrote to memory of 1520	2500	Umbral.exe	46
PID 2500 wrote to memory of 1520	2500	Umbral.exe	46
PID 2500 wrote to memory of 1520	2500	Umbral.exe	46
PID 2500 wrote to memory of 1904	2500	Umbral.exe	50
PID 2500 wrote to memory of 1904	2500	Umbral.exe	50
PID 2500 wrote to memory of 1904	2500	Umbral.exe	50
PID 2500 wrote to memory of 3016	2500	Umbral.exe	52
PID 2500 wrote to memory of 3016	2500	Umbral.exe	52
PID 2500 wrote to memory of 3016	2500	Umbral.exe	52
PID 2500 wrote to memory of 2008	2500	Umbral.exe	54
PID 2500 wrote to memory of 2008	2500	Umbral.exe	54
PID 2500 wrote to memory of 2008	2500	Umbral.exe	54
PID 2672 wrote to memory of 1416	2672	cmd.exe	56
PID 2672 wrote to memory of 1416	2672	cmd.exe	56
PID 2672 wrote to memory of 1416	2672	cmd.exe	56
PID 2500 wrote to memory of 2380	2500	Umbral.exe	57
PID 2500 wrote to memory of 2380	2500	Umbral.exe	57
PID 2500 wrote to memory of 2380	2500	Umbral.exe	57
PID 2500 wrote to memory of 1956	2500	Umbral.exe	59
PID 2500 wrote to memory of 1956	2500	Umbral.exe	59
PID 2500 wrote to memory of 1956	2500	Umbral.exe	59
PID 1864 wrote to memory of 1716	1864	Payload.exe	61
PID 1864 wrote to memory of 1716	1864	Payload.exe	61
PID 1864 wrote to memory of 1716	1864	Payload.exe	61
PID 1864 wrote to memory of 1716	1864	Payload.exe	61
PID 1880 wrote to memory of 2568	1880	WmZWbh4b.exe	62
PID 1880 wrote to memory of 2568	1880	WmZWbh4b.exe	62
PID 1880 wrote to memory of 2568	1880	WmZWbh4b.exe	62
PID 1880 wrote to memory of 2700	1880	WmZWbh4b.exe	64

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1904	attrib.exe
2568	attrib.exe
2700	attrib.exe
944	attrib.exe

C:\Users\Admin\AppData\Local\Temp\neverlose crack.exe
"C:\Users\Admin\AppData\Local\Temp\neverlose crack.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Users\Admin\AppData\Local\Temp\WizClient.exe
  "C:\Users\Admin\AppData\Local\Temp\WizClient.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WizClient" /tr "C:\Users\Admin\AppData\Roaming\WizClient.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:316
- C:\Users\Admin\AppData\Local\Temp\INSTALLER1.exe
  "C:\Users\Admin\AppData\Local\Temp\INSTALLER1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1764
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "System" /tr '"C:\Users\Admin\AppData\Roaming\System.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "System" /tr '"C:\Users\Admin\AppData\Roaming\System.exe"'
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1104
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpD5D5.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:2920
  - - C:\Users\Admin\AppData\Roaming\System.exe
      "C:\Users\Admin\AppData\Roaming\System.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1416
- C:\Users\Admin\AppData\Local\Temp\Umbral.exe
  "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1520
- - C:\Windows\system32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
    3⤵
    - Views/modifies file attributes
    PID:1904
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3016
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2008
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2380
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1956
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3048
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:2572
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:2652
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1044
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:2996
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:3012
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2704
- C:\Users\Admin\AppData\Local\Temp\WmZWbh4b.exe
  "C:\Users\Admin\AppData\Local\Temp\WmZWbh4b.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1880
- - C:\Windows\System32\attrib.exe
    "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\Exec"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:2568
- - C:\Windows\System32\attrib.exe
    "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\Exec\$77svchost.exe"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:2700
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp37E2.tmp.bat""
    3⤵
    - Loads dropped DLL
    PID:1520
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:1388
  - - C:\Users\Admin\Exec\$77svchost.exe
      "C:\Users\Admin\Exec\$77svchost.exe"
      4⤵
      Executes dropped EXE
      PID:2508
- C:\Users\Admin\AppData\Local\Temp\Payload.exe
  "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1864
- - C:\Users\Admin\AppData\Local\Temp\dllhost.exe
    "C:\Users\Admin\AppData\Local\Temp\dllhost.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    PID:1716
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h "C:\Users\Admin\AppData\Local\Temp\dllhost.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:944
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /delete /tn CleanSweepCheck /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1948
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn CleanSweepCheck /tr C:\Users\Admin\AppData\Local\Temp\dllhost.exe
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:1896
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2680
    - - C:\Windows\SysWOW64\reg.exe
        
        reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2784

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Payload.exe

Filesize
54KB

MD5
29527eb6dd3c1e2b8dbc17d70ad1fb20

SHA1
8fafd2e9914b32797c957f58a1254afc7dccf5af

SHA256
dafc09f9798d4c1134845b08749c514a3478ed4a45837e12fd717012ec27c694

SHA512
52e315cd12482d8a147e5d810e7fbb116cc15b4163e3015f5d579b0621980a15195a4354528bce24a3aff1e47766d95dea71f09563da8e43c781020006bb0e00

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp37E2.tmp.bat

Filesize
143B

MD5
b705ac94140086ed90e28784ca1b6e90

SHA1
a31d69b069941f681993f78f6760ca5cc3b0940a

SHA256
c2b28a9f443218f2e3cda97cb81c9cb5579413eb7b4761830baa176ea6cc7223

SHA512
de5c888a86d48db3bf3a051e60509c1cce4c10673a2946536833f67cd7724097fd34df2d0f116a1de1708b675176f8a50499d4b6e72c0809d1b77390b28e58be

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD5D5.tmp.bat

Filesize
150B

MD5
c31134246fd64a2a89ed09212dadc869

SHA1
8fcfc50a78841df2db333cbdfb0d83594d942f2f

SHA256
82850cc7129372f1e831e9b25e7f670cbaa6ad6a8ac92f0a3174b306492b7ddf

SHA512
6590f3d3bc1f84718094b03fadb0a1d2c6e52a68c243d4476fe0e9fffc3248aba10e1311ff2ae6ddd1fa4a3d77bfcea364b9a7fc44fc850be3feb4507786ff7d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GBRWHO5ASGU77MV3TKWM.temp

Filesize
7KB

MD5
55ce723006784e58b8e0f7fcbad072c0

SHA1
874479668107d958f5a1278b1a79f507c06c57d8

SHA256
dd3c9fe76fbfea294afd6731c5c36a333705d0831fbdf577d268846bc18907a6

SHA512
40b8d392c400bf37a32af729f5b39cfb725b216f5814b4aca11faa666dfe85f56908e937b74ebd4e8ca8b0abfa8b4e3afa634d8dcdf6f140fb33f35bf6a52af6

Download Submit
\Users\Admin\AppData\Local\Temp\INSTALLER1.exe

Filesize
63KB

MD5
6c575ec28ef4f6108f2acf9775938100

SHA1
c3b5d9f59b53768817d3c6dd93a49cef5a40a9e2

SHA256
609d9f9c8da8f777e17ff1a716c07e39e3b2d7fd76086436cf2e2383fe8bcd8c

SHA512
950f48b90492b7f0ac702c2cfd8822eab510819024fbcba2407217280e9d069c39aeae27f4bd6e6ce37efc9de52fad52ad15a07b8ce43c58f43bb5926278ddd5

Download Submit
\Users\Admin\AppData\Local\Temp\Umbral.exe

Filesize
229KB

MD5
62099472f40d33f1caf73e36e866b9e7

SHA1
9d1e27b780ba14d0e41d366d79b0f42d4a782e7e

SHA256
f343ca46350a3c48f888be39bf1247fcab2bcd731889fc16828aac5f681edebc

SHA512
3356bd93afdff76dfc995b8bba3fc96d772e371c3ae6f289cbdb58cffef4906a5f8c2755152765c8cc96b5fc61e97186e42eceaa5e8619d15e172441c95f9764

Download Submit
\Users\Admin\AppData\Local\Temp\WizClient.exe

Filesize
61KB

MD5
d63d40b2af636f58cfbabe878e42f0a7

SHA1
3f97fb34eceff4e64cd3adb6f5cb4f1fabaf06ed

SHA256
536699ce7a068f324c719b4f429bf0aefb82602fcc18ca4d99d76aa53fbdb19a

SHA512
e8d771744ad9b2fc85b6f7c655f0e24bd0e42fa4a6575ed4e3301c325750c6e52dbc0b8565b30adf1303986d026d9a4d6a936a9093be8707a8ddbac7933242b4

Download Submit
\Users\Admin\AppData\Local\Temp\WmZWbh4b.exe

Filesize
40KB

MD5
47f267290124f530b9c04563b533db83

SHA1
fccb81909c612554fce4303daeffc750a71ee44e

SHA256
479db498a032418957c1616b13187402d7f626afa32dd4fcf56313d78ec23eeb

SHA512
a81b1ca99fec7a536eabc62f57668e46b832e534ccba43f3ab25a9d33d394745d24bad5f72225244f20be5ddcb44529d72efa31b92bc9e03f34e3b9ddb4f9e3a

Download Submit
memory/1044-111-0x00000000026F0000-0x00000000026F8000-memory.dmp

Filesize
32KB

Download
memory/1416-69-0x0000000000B60000-0x0000000000B76000-memory.dmp

Filesize
88KB

Download
memory/1764-38-0x0000000001330000-0x0000000001346000-memory.dmp

Filesize
88KB

Download
memory/1880-36-0x000000013F620000-0x000000013F62E000-memory.dmp

Filesize
56KB

Download
memory/2008-71-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/2008-70-0x000000001B610000-0x000000001B8F2000-memory.dmp

Filesize
2.9MB

Download
memory/2500-39-0x0000000000FD0000-0x0000000001010000-memory.dmp

Filesize
256KB

Download
memory/2508-129-0x000000013F6F0000-0x000000013F6FE000-memory.dmp

Filesize
56KB

Download
memory/3016-58-0x0000000001D20000-0x0000000001D28000-memory.dmp

Filesize
32KB

Download
memory/3016-57-0x000000001B840000-0x000000001BB22000-memory.dmp

Filesize
2.9MB

Download
memory/3040-37-0x0000000000040000-0x0000000000056000-memory.dmp

Filesize
88KB

Download