umbral | 3acef42e6894019c44addea96a3ef2048b7b0f902b805c2e8d093db549091297

Analysis

max time kernel
45s
max time network
46s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-09-2024 15:34

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Rust AntiCheat.exe
Size

1.1MB
MD5

9b044bfee63da32d66539cd56741e2d7
SHA1

22b313baac54ea88cb581347d7226073033cb64c
SHA256

3acef42e6894019c44addea96a3ef2048b7b0f902b805c2e8d093db549091297
SHA512

f0cf4ef7516a7227a92ad9e098661f2683e07418cce2473851eaa6deb3c1db4859d9ce50f1615288e28c668b69fefb9ba1c2069dc2fe84c54a97616cf7ba7876
SSDEEP

24576:7cM0t9RyT52bxGzz9qshXGFh9jvTXZbX5y4h1ptssmnt:ArRyT529KXgh9btbXJbGsmt

Score

10^/10

umbral xworm credential_access discovery execution persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

expected-schema.gl.at.ply.gg:2980

Attributes

Install_directory
%LocalAppData%
install_file
USB.exe

Extracted

Family

umbral

https://ptb.discord.com/api/webhooks/1271826116721639445/0LTa3NkwRKKJuRNql7cAkLRG6HVFF6qerOeff_MVz-9g28SPb06nhaG45QDZdp1IGvu2

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000019465-17.dat	family_umbral
behavioral1/memory/2492-19-0x0000000001030000-0x0000000001070000-memory.dmp	family_umbral

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000700000001945b-14.dat	family_xworm
behavioral1/memory/2928-16-0x0000000000D50000-0x0000000000D6C000-memory.dmp	family_xworm

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2364	powershell.exe
440	powershell.exe
1696	powershell.exe
1692	powershell.exe
352	powershell.exe
2936	powershell.exe
1156	powershell.exe
1600	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RuntimeBroker.lnk	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RuntimeBroker.lnk	RuntimeBroker.exe

Executes dropped EXE 3 IoCs

pid	Process
1936	Loader (1).exe
2928	RuntimeBroker.exe
2492	Umbral.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "C:\\Users\\Admin\\AppData\\Local\\RuntimeBroker"	RuntimeBroker.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ip-api.com
10	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader (1).exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2684	cmd.exe
1080	PING.EXE

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1952	wmic.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1080	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2036	schtasks.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
2492	Umbral.exe
2364	powershell.exe
2936	powershell.exe
1156	powershell.exe
2132	powershell.exe
440	powershell.exe
1696	powershell.exe
1692	powershell.exe
352	powershell.exe
1600	powershell.exe
2928	RuntimeBroker.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2928	RuntimeBroker.exe
Token: SeDebugPrivilege	2492	Umbral.exe
Token: SeIncreaseQuotaPrivilege	2572	wmic.exe
Token: SeSecurityPrivilege	2572	wmic.exe
Token: SeTakeOwnershipPrivilege	2572	wmic.exe
Token: SeLoadDriverPrivilege	2572	wmic.exe
Token: SeSystemProfilePrivilege	2572	wmic.exe
Token: SeSystemtimePrivilege	2572	wmic.exe
Token: SeProfSingleProcessPrivilege	2572	wmic.exe
Token: SeIncBasePriorityPrivilege	2572	wmic.exe
Token: SeCreatePagefilePrivilege	2572	wmic.exe
Token: SeBackupPrivilege	2572	wmic.exe
Token: SeRestorePrivilege	2572	wmic.exe
Token: SeShutdownPrivilege	2572	wmic.exe
Token: SeDebugPrivilege	2572	wmic.exe
Token: SeSystemEnvironmentPrivilege	2572	wmic.exe
Token: SeRemoteShutdownPrivilege	2572	wmic.exe
Token: SeUndockPrivilege	2572	wmic.exe
Token: SeManageVolumePrivilege	2572	wmic.exe
Token: 33	2572	wmic.exe
Token: 34	2572	wmic.exe
Token: 35	2572	wmic.exe
Token: SeIncreaseQuotaPrivilege	2572	wmic.exe
Token: SeSecurityPrivilege	2572	wmic.exe
Token: SeTakeOwnershipPrivilege	2572	wmic.exe
Token: SeLoadDriverPrivilege	2572	wmic.exe
Token: SeSystemProfilePrivilege	2572	wmic.exe
Token: SeSystemtimePrivilege	2572	wmic.exe
Token: SeProfSingleProcessPrivilege	2572	wmic.exe
Token: SeIncBasePriorityPrivilege	2572	wmic.exe
Token: SeCreatePagefilePrivilege	2572	wmic.exe
Token: SeBackupPrivilege	2572	wmic.exe
Token: SeRestorePrivilege	2572	wmic.exe
Token: SeShutdownPrivilege	2572	wmic.exe
Token: SeDebugPrivilege	2572	wmic.exe
Token: SeSystemEnvironmentPrivilege	2572	wmic.exe
Token: SeRemoteShutdownPrivilege	2572	wmic.exe
Token: SeUndockPrivilege	2572	wmic.exe
Token: SeManageVolumePrivilege	2572	wmic.exe
Token: 33	2572	wmic.exe
Token: 34	2572	wmic.exe
Token: 35	2572	wmic.exe
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	1156	powershell.exe
Token: SeDebugPrivilege	2132	powershell.exe
Token: SeDebugPrivilege	440	powershell.exe
Token: SeDebugPrivilege	1696	powershell.exe
Token: SeDebugPrivilege	1692	powershell.exe
Token: SeDebugPrivilege	352	powershell.exe
Token: SeIncreaseQuotaPrivilege	2020	wmic.exe
Token: SeSecurityPrivilege	2020	wmic.exe
Token: SeTakeOwnershipPrivilege	2020	wmic.exe
Token: SeLoadDriverPrivilege	2020	wmic.exe
Token: SeSystemProfilePrivilege	2020	wmic.exe
Token: SeSystemtimePrivilege	2020	wmic.exe
Token: SeProfSingleProcessPrivilege	2020	wmic.exe
Token: SeIncBasePriorityPrivilege	2020	wmic.exe
Token: SeCreatePagefilePrivilege	2020	wmic.exe
Token: SeBackupPrivilege	2020	wmic.exe
Token: SeRestorePrivilege	2020	wmic.exe
Token: SeShutdownPrivilege	2020	wmic.exe
Token: SeDebugPrivilege	2020	wmic.exe
Token: SeSystemEnvironmentPrivilege	2020	wmic.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2928	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 1936	2532	Rust AntiCheat.exe	30
PID 2532 wrote to memory of 1936	2532	Rust AntiCheat.exe	30
PID 2532 wrote to memory of 1936	2532	Rust AntiCheat.exe	30
PID 2532 wrote to memory of 1936	2532	Rust AntiCheat.exe	30
PID 2532 wrote to memory of 2928	2532	Rust AntiCheat.exe	31
PID 2532 wrote to memory of 2928	2532	Rust AntiCheat.exe	31
PID 2532 wrote to memory of 2928	2532	Rust AntiCheat.exe	31
PID 2532 wrote to memory of 2492	2532	Rust AntiCheat.exe	32
PID 2532 wrote to memory of 2492	2532	Rust AntiCheat.exe	32
PID 2532 wrote to memory of 2492	2532	Rust AntiCheat.exe	32
PID 2492 wrote to memory of 2572	2492	Umbral.exe	35
PID 2492 wrote to memory of 2572	2492	Umbral.exe	35
PID 2492 wrote to memory of 2572	2492	Umbral.exe	35
PID 2492 wrote to memory of 1272	2492	Umbral.exe	37
PID 2492 wrote to memory of 1272	2492	Umbral.exe	37
PID 2492 wrote to memory of 1272	2492	Umbral.exe	37
PID 2492 wrote to memory of 2364	2492	Umbral.exe	39
PID 2492 wrote to memory of 2364	2492	Umbral.exe	39
PID 2492 wrote to memory of 2364	2492	Umbral.exe	39
PID 2492 wrote to memory of 2936	2492	Umbral.exe	41
PID 2492 wrote to memory of 2936	2492	Umbral.exe	41
PID 2492 wrote to memory of 2936	2492	Umbral.exe	41
PID 2492 wrote to memory of 1156	2492	Umbral.exe	43
PID 2492 wrote to memory of 1156	2492	Umbral.exe	43
PID 2492 wrote to memory of 1156	2492	Umbral.exe	43
PID 2492 wrote to memory of 2132	2492	Umbral.exe	45
PID 2492 wrote to memory of 2132	2492	Umbral.exe	45
PID 2492 wrote to memory of 2132	2492	Umbral.exe	45
PID 2928 wrote to memory of 440	2928	RuntimeBroker.exe	48
PID 2928 wrote to memory of 440	2928	RuntimeBroker.exe	48
PID 2928 wrote to memory of 440	2928	RuntimeBroker.exe	48
PID 2928 wrote to memory of 1696	2928	RuntimeBroker.exe	50
PID 2928 wrote to memory of 1696	2928	RuntimeBroker.exe	50
PID 2928 wrote to memory of 1696	2928	RuntimeBroker.exe	50
PID 2928 wrote to memory of 1692	2928	RuntimeBroker.exe	52
PID 2928 wrote to memory of 1692	2928	RuntimeBroker.exe	52
PID 2928 wrote to memory of 1692	2928	RuntimeBroker.exe	52
PID 2928 wrote to memory of 352	2928	RuntimeBroker.exe	54
PID 2928 wrote to memory of 352	2928	RuntimeBroker.exe	54
PID 2928 wrote to memory of 352	2928	RuntimeBroker.exe	54
PID 2492 wrote to memory of 2020	2492	Umbral.exe	56
PID 2492 wrote to memory of 2020	2492	Umbral.exe	56
PID 2492 wrote to memory of 2020	2492	Umbral.exe	56
PID 2492 wrote to memory of 1056	2492	Umbral.exe	58
PID 2492 wrote to memory of 1056	2492	Umbral.exe	58
PID 2492 wrote to memory of 1056	2492	Umbral.exe	58
PID 2492 wrote to memory of 2456	2492	Umbral.exe	60
PID 2492 wrote to memory of 2456	2492	Umbral.exe	60
PID 2492 wrote to memory of 2456	2492	Umbral.exe	60
PID 2492 wrote to memory of 1600	2492	Umbral.exe	62
PID 2492 wrote to memory of 1600	2492	Umbral.exe	62
PID 2492 wrote to memory of 1600	2492	Umbral.exe	62
PID 2928 wrote to memory of 2036	2928	RuntimeBroker.exe	64
PID 2928 wrote to memory of 2036	2928	RuntimeBroker.exe	64
PID 2928 wrote to memory of 2036	2928	RuntimeBroker.exe	64
PID 2492 wrote to memory of 1952	2492	Umbral.exe	66
PID 2492 wrote to memory of 1952	2492	Umbral.exe	66
PID 2492 wrote to memory of 1952	2492	Umbral.exe	66
PID 2492 wrote to memory of 2684	2492	Umbral.exe	68
PID 2492 wrote to memory of 2684	2492	Umbral.exe	68
PID 2492 wrote to memory of 2684	2492	Umbral.exe	68
PID 2684 wrote to memory of 1080	2684	cmd.exe	70
PID 2684 wrote to memory of 1080	2684	cmd.exe	70
PID 2684 wrote to memory of 1080	2684	cmd.exe	70

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1272	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Rust AntiCheat.exe
"C:\Users\Admin\AppData\Local\Temp\Rust AntiCheat.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Users\Admin\AppData\Local\Loader (1).exe
  "C:\Users\Admin\AppData\Local\Loader (1).exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1936
- C:\Users\Admin\AppData\Local\RuntimeBroker.exe
  "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\RuntimeBroker.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:440
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RuntimeBroker.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1696
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\RuntimeBroker'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1692
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RuntimeBroker'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:352
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "RuntimeBroker" /tr "C:\Users\Admin\AppData\Local\RuntimeBroker"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2036
- - C:\Windows\system32\shutdown.exe
    shutdown.exe /f /s /t 0
    3⤵
    PID:1384
- C:\Users\Admin\AppData\Local\Umbral.exe
  "C:\Users\Admin\AppData\Local\Umbral.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2492
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2572
- - C:\Windows\system32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Umbral.exe"
    3⤵
    - Views/modifies file attributes
    PID:1272
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Umbral.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2364
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2936
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1156
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2132
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2020
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:1056
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:2456
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1600
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1952
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Umbral.exe" && pause
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:2684
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1080

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2948

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Loader (1).exe

Filesize
827KB

MD5
eefb801774c5ccb44153268a9357f5f1

SHA1
b1906b22e14edd142c52808ab3e5ba9346b85de5

SHA256
677aeb1981c58cba41a5d53ccbbf5b471e62dc49dc326570767da940560d840d

SHA512
1cf162fe6184d68dca514059d2de1123e80d0faac401765a54224aa5a987c9454bc92263fbec566835aa7b402f1f63ba59bb425ccc139e0a7391e66991f270b7

Download Submit
C:\Users\Admin\AppData\Local\RuntimeBroker.exe

Filesize
90KB

MD5
79fef04d806d7916fa1bf6d30358d4de

SHA1
2afb944edcf58c6594c734fbe0c8416b6bc1f447

SHA256
76f2d446e7fc3631f352180c201de9eb139d1acf3daf5dd63fe69502fa253bf1

SHA512
897021db19492ed9cf5ae3d68d840af1f68cf8836b1e5935485e42e569ecf8c95c85fe50b9e25ab13275209ed112906d06ef03a83502a0fa5904e60d3c3dad1e

Download Submit
C:\Users\Admin\AppData\Local\Umbral.exe

Filesize
231KB

MD5
2986f5be729cdf63ccb15a204a46d31b

SHA1
a7a733787f7aa226153d4ff693349cd88fc4a96f

SHA256
9242c3d80edfd477acaac2f7037d8fe77395b31c0c923cd65309df09ce2c8403

SHA512
edbb2cb4731d59e92ccf781d25569efa1a9ecd1df116860673898606d5e208e6c39fd8ab2066c902c542bdd61acc6c204eabad30a0d3f1ead82973005cc037f5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
430bee5963cf91f74787e390e070a8cd

SHA1
088872ea255866da94f65b73ace78ea49bdfdd90

SHA256
8d89246509d5823ec2f1202a110f00e98b5d6a5fc29a4e80c46a50f6d5df7024

SHA512
a5d0bc70ef4c7c8b0da919fbfcb7f1deaf7fc0a032ceeffe8ea4b9e52e88d455c9f3c90958cbb26a449d6d2eb6a2fe8926a46f4ad7cb5a824690ad7647b85ec0

Download Submit
memory/1936-23-0x00000000004A0000-0x00000000004AA000-memory.dmp

Filesize
40KB

Download
memory/1936-89-0x00000000004A0000-0x00000000004AA000-memory.dmp

Filesize
40KB

Download
memory/1936-22-0x00000000004A0000-0x00000000004AA000-memory.dmp

Filesize
40KB

Download
memory/1936-20-0x0000000001250000-0x0000000001326000-memory.dmp

Filesize
856KB

Download
memory/2364-30-0x0000000002960000-0x0000000002968000-memory.dmp

Filesize
32KB

Download
memory/2364-29-0x000000001B450000-0x000000001B732000-memory.dmp

Filesize
2.9MB

Download
memory/2492-19-0x0000000001030000-0x0000000001070000-memory.dmp

Filesize
256KB

Download
memory/2532-0-0x000007FEF5DC3000-0x000007FEF5DC4000-memory.dmp

Filesize
4KB

Download
memory/2532-1-0x0000000000DD0000-0x0000000000EF8000-memory.dmp

Filesize
1.2MB

Download
memory/2928-21-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp

Filesize
9.9MB

Download
memory/2928-16-0x0000000000D50000-0x0000000000D6C000-memory.dmp

Filesize
112KB

Download
memory/2928-74-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp

Filesize
9.9MB

Download
memory/2928-92-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp

Filesize
9.9MB

Download
memory/2936-37-0x00000000026D0000-0x00000000026D8000-memory.dmp

Filesize
32KB

Download
memory/2936-36-0x000000001B580000-0x000000001B862000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads