umbral | 3acef42e6894019c44addea96a3ef2048b7b0f902b805c2e8d093db549091297

Analysis

max time kernel
44s
max time network
46s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
07/09/2024, 15:34

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Rust AntiCheat.exe
Size

1.1MB
MD5

9b044bfee63da32d66539cd56741e2d7
SHA1

22b313baac54ea88cb581347d7226073033cb64c
SHA256

3acef42e6894019c44addea96a3ef2048b7b0f902b805c2e8d093db549091297
SHA512

f0cf4ef7516a7227a92ad9e098661f2683e07418cce2473851eaa6deb3c1db4859d9ce50f1615288e28c668b69fefb9ba1c2069dc2fe84c54a97616cf7ba7876
SSDEEP

24576:7cM0t9RyT52bxGzz9qshXGFh9jvTXZbX5y4h1ptssmnt:ArRyT529KXgh9btbXJbGsmt

Score

10^/10

umbral xworm credential_access discovery execution persistence rat spyware stealer trojan

Malware Config

Extracted

Family

umbral

https://ptb.discord.com/api/webhooks/1271826116721639445/0LTa3NkwRKKJuRNql7cAkLRG6HVFF6qerOeff_MVz-9g28SPb06nhaG45QDZdp1IGvu2

Extracted

Family

xworm

expected-schema.gl.at.ply.gg:2980

Attributes

Install_directory
%LocalAppData%
install_file
USB.exe

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral4/files/0x000200000002a9e6-33.dat	family_umbral
behavioral4/memory/2264-36-0x000002ABAD7B0000-0x000002ABAD7F0000-memory.dmp	family_umbral

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral4/files/0x000500000002a9a7-16.dat	family_xworm
behavioral4/memory/3672-37-0x0000000000D50000-0x0000000000D6C000-memory.dmp	family_xworm

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1840	powershell.exe
436	powershell.exe
3396	powershell.exe
3332	powershell.exe
4708	powershell.exe
4072	powershell.exe
3584	powershell.exe
4608	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RuntimeBroker.lnk	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RuntimeBroker.lnk	RuntimeBroker.exe

Executes dropped EXE 3 IoCs

pid	Process
2920	Loader (1).exe
3672	RuntimeBroker.exe
2264	Umbral.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "C:\\Users\\Admin\\AppData\\Local\\RuntimeBroker"	RuntimeBroker.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader (1).exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
428	PING.EXE
2248	cmd.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5024	wmic.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "142"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
428	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5064	schtasks.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2264	Umbral.exe
3332	powershell.exe
3332	powershell.exe
4072	powershell.exe
4072	powershell.exe
3584	powershell.exe
3584	powershell.exe
3020	powershell.exe
3020	powershell.exe
4708	powershell.exe
4708	powershell.exe
1840	powershell.exe
1840	powershell.exe
436	powershell.exe
436	powershell.exe
4608	powershell.exe
4608	powershell.exe
3396	powershell.exe
3396	powershell.exe
3672	RuntimeBroker.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3672	RuntimeBroker.exe
Token: SeDebugPrivilege	2264	Umbral.exe
Token: SeIncreaseQuotaPrivilege	2008	wmic.exe
Token: SeSecurityPrivilege	2008	wmic.exe
Token: SeTakeOwnershipPrivilege	2008	wmic.exe
Token: SeLoadDriverPrivilege	2008	wmic.exe
Token: SeSystemProfilePrivilege	2008	wmic.exe
Token: SeSystemtimePrivilege	2008	wmic.exe
Token: SeProfSingleProcessPrivilege	2008	wmic.exe
Token: SeIncBasePriorityPrivilege	2008	wmic.exe
Token: SeCreatePagefilePrivilege	2008	wmic.exe
Token: SeBackupPrivilege	2008	wmic.exe
Token: SeRestorePrivilege	2008	wmic.exe
Token: SeShutdownPrivilege	2008	wmic.exe
Token: SeDebugPrivilege	2008	wmic.exe
Token: SeSystemEnvironmentPrivilege	2008	wmic.exe
Token: SeRemoteShutdownPrivilege	2008	wmic.exe
Token: SeUndockPrivilege	2008	wmic.exe
Token: SeManageVolumePrivilege	2008	wmic.exe
Token: 33	2008	wmic.exe
Token: 34	2008	wmic.exe
Token: 35	2008	wmic.exe
Token: 36	2008	wmic.exe
Token: SeIncreaseQuotaPrivilege	2008	wmic.exe
Token: SeSecurityPrivilege	2008	wmic.exe
Token: SeTakeOwnershipPrivilege	2008	wmic.exe
Token: SeLoadDriverPrivilege	2008	wmic.exe
Token: SeSystemProfilePrivilege	2008	wmic.exe
Token: SeSystemtimePrivilege	2008	wmic.exe
Token: SeProfSingleProcessPrivilege	2008	wmic.exe
Token: SeIncBasePriorityPrivilege	2008	wmic.exe
Token: SeCreatePagefilePrivilege	2008	wmic.exe
Token: SeBackupPrivilege	2008	wmic.exe
Token: SeRestorePrivilege	2008	wmic.exe
Token: SeShutdownPrivilege	2008	wmic.exe
Token: SeDebugPrivilege	2008	wmic.exe
Token: SeSystemEnvironmentPrivilege	2008	wmic.exe
Token: SeRemoteShutdownPrivilege	2008	wmic.exe
Token: SeUndockPrivilege	2008	wmic.exe
Token: SeManageVolumePrivilege	2008	wmic.exe
Token: 33	2008	wmic.exe
Token: 34	2008	wmic.exe
Token: 35	2008	wmic.exe
Token: 36	2008	wmic.exe
Token: SeDebugPrivilege	3332	powershell.exe
Token: SeDebugPrivilege	4072	powershell.exe
Token: SeDebugPrivilege	3584	powershell.exe
Token: SeDebugPrivilege	3020	powershell.exe
Token: SeDebugPrivilege	4708	powershell.exe
Token: SeIncreaseQuotaPrivilege	2356	wmic.exe
Token: SeSecurityPrivilege	2356	wmic.exe
Token: SeTakeOwnershipPrivilege	2356	wmic.exe
Token: SeLoadDriverPrivilege	2356	wmic.exe
Token: SeSystemProfilePrivilege	2356	wmic.exe
Token: SeSystemtimePrivilege	2356	wmic.exe
Token: SeProfSingleProcessPrivilege	2356	wmic.exe
Token: SeIncBasePriorityPrivilege	2356	wmic.exe
Token: SeCreatePagefilePrivilege	2356	wmic.exe
Token: SeBackupPrivilege	2356	wmic.exe
Token: SeRestorePrivilege	2356	wmic.exe
Token: SeShutdownPrivilege	2356	wmic.exe
Token: SeDebugPrivilege	2356	wmic.exe
Token: SeSystemEnvironmentPrivilege	2356	wmic.exe
Token: SeRemoteShutdownPrivilege	2356	wmic.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3672	RuntimeBroker.exe
2644	LogonUI.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 4500 wrote to memory of 2920	4500	Rust AntiCheat.exe	81
PID 4500 wrote to memory of 2920	4500	Rust AntiCheat.exe	81
PID 4500 wrote to memory of 2920	4500	Rust AntiCheat.exe	81
PID 4500 wrote to memory of 3672	4500	Rust AntiCheat.exe	82
PID 4500 wrote to memory of 3672	4500	Rust AntiCheat.exe	82
PID 4500 wrote to memory of 2264	4500	Rust AntiCheat.exe	83
PID 4500 wrote to memory of 2264	4500	Rust AntiCheat.exe	83
PID 2264 wrote to memory of 2008	2264	Umbral.exe	84
PID 2264 wrote to memory of 2008	2264	Umbral.exe	84
PID 2264 wrote to memory of 2524	2264	Umbral.exe	87
PID 2264 wrote to memory of 2524	2264	Umbral.exe	87
PID 2264 wrote to memory of 3332	2264	Umbral.exe	89
PID 2264 wrote to memory of 3332	2264	Umbral.exe	89
PID 2264 wrote to memory of 4072	2264	Umbral.exe	91
PID 2264 wrote to memory of 4072	2264	Umbral.exe	91
PID 2264 wrote to memory of 3584	2264	Umbral.exe	94
PID 2264 wrote to memory of 3584	2264	Umbral.exe	94
PID 2264 wrote to memory of 3020	2264	Umbral.exe	96
PID 2264 wrote to memory of 3020	2264	Umbral.exe	96
PID 3672 wrote to memory of 4708	3672	RuntimeBroker.exe	98
PID 3672 wrote to memory of 4708	3672	RuntimeBroker.exe	98
PID 2264 wrote to memory of 2356	2264	Umbral.exe	100
PID 2264 wrote to memory of 2356	2264	Umbral.exe	100
PID 3672 wrote to memory of 1840	3672	RuntimeBroker.exe	102
PID 3672 wrote to memory of 1840	3672	RuntimeBroker.exe	102
PID 2264 wrote to memory of 1028	2264	Umbral.exe	104
PID 2264 wrote to memory of 1028	2264	Umbral.exe	104
PID 2264 wrote to memory of 4612	2264	Umbral.exe	106
PID 2264 wrote to memory of 4612	2264	Umbral.exe	106
PID 3672 wrote to memory of 436	3672	RuntimeBroker.exe	108
PID 3672 wrote to memory of 436	3672	RuntimeBroker.exe	108
PID 2264 wrote to memory of 4608	2264	Umbral.exe	110
PID 2264 wrote to memory of 4608	2264	Umbral.exe	110
PID 3672 wrote to memory of 3396	3672	RuntimeBroker.exe	112
PID 3672 wrote to memory of 3396	3672	RuntimeBroker.exe	112
PID 2264 wrote to memory of 5024	2264	Umbral.exe	114
PID 2264 wrote to memory of 5024	2264	Umbral.exe	114
PID 3672 wrote to memory of 5064	3672	RuntimeBroker.exe	116
PID 3672 wrote to memory of 5064	3672	RuntimeBroker.exe	116
PID 2264 wrote to memory of 2248	2264	Umbral.exe	118
PID 2264 wrote to memory of 2248	2264	Umbral.exe	118
PID 2248 wrote to memory of 428	2248	cmd.exe	120
PID 2248 wrote to memory of 428	2248	cmd.exe	120
PID 3672 wrote to memory of 484	3672	RuntimeBroker.exe	121
PID 3672 wrote to memory of 484	3672	RuntimeBroker.exe	121

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2524	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Rust AntiCheat.exe
"C:\Users\Admin\AppData\Local\Temp\Rust AntiCheat.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4500
- C:\Users\Admin\AppData\Local\Loader (1).exe
  "C:\Users\Admin\AppData\Local\Loader (1).exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2920
- C:\Users\Admin\AppData\Local\RuntimeBroker.exe
  "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3672
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\RuntimeBroker.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4708
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RuntimeBroker.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1840
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\RuntimeBroker'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:436
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RuntimeBroker'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3396
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "RuntimeBroker" /tr "C:\Users\Admin\AppData\Local\RuntimeBroker"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5064
- - C:\Windows\SYSTEM32\shutdown.exe
    shutdown.exe /f /s /t 0
    3⤵
    PID:484
- C:\Users\Admin\AppData\Local\Umbral.exe
  "C:\Users\Admin\AppData\Local\Umbral.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2008
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Umbral.exe"
    3⤵
    - Views/modifies file attributes
    PID:2524
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Umbral.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3332
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4072
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3584
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3020
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2356
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:1028
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:4612
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4608
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:5024
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Umbral.exe" && pause
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:2248
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:428

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a2d855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Loader (1).exe

Filesize
827KB

MD5
eefb801774c5ccb44153268a9357f5f1

SHA1
b1906b22e14edd142c52808ab3e5ba9346b85de5

SHA256
677aeb1981c58cba41a5d53ccbbf5b471e62dc49dc326570767da940560d840d

SHA512
1cf162fe6184d68dca514059d2de1123e80d0faac401765a54224aa5a987c9454bc92263fbec566835aa7b402f1f63ba59bb425ccc139e0a7391e66991f270b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0ac871344dc49ae49f13f0f88acb4868

SHA1
5a073862375c7e79255bb0eab32c635b57a77f98

SHA256
688f15b59a784f6f4c62554f00b5d0840d1489cef989c18126c70dfee0806d37

SHA512
ace5c50303bd27998607cf34ac4322bcf5edfbd19bbb24309acf4d037b6f3f7636c7c14b6ac0b924114e036252d3a1b998951c7068f41548728fa5d92f5f9006

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
991e8f3bdc04acca98024f7311752070

SHA1
76005ee90a2772414bc7231d6192a942dde9d499

SHA256
788799ff1be9e0abccbadc1d574ed7f36e7bc6833d942b5c177ed4e50c6dae44

SHA512
b7ecfcc910ecf00694e1b65ff4aa34caeb8f05db2aa10ca032885d1262efe74dee874abaa1399297144259f3ce2a7e48301c79477c51c5369c5911742c4fc326

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c2bc937bb6b899217f6922c3a5dda964

SHA1
70831071e72e3edc48c886e0b1652555fb546459

SHA256
d3c31cc22b41f39f68893a11523f30ad007944c41ab46717b04111bc000a1c1c

SHA512
ff1d23e33d10ec9517388ae6daf1715d958bddd8b1b4deaff7f5fd2e502ab8934d460479074ce6f264477d0a4357398b47b1a983bbafdf024011ab2c4425a678

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
781da0576417bf414dc558e5a315e2be

SHA1
215451c1e370be595f1c389f587efeaa93108b4c

SHA256
41a5aef8b0bbeea2766f40a7bba2c78322379f167c610f7055ccb69e7db030fe

SHA512
24e283aa30a2903ebe154dad49b26067a45e46fec57549ad080d3b9ec3f272044efaaed3822d067837f5521262192f466c47195ffe7f75f8c7c5dcf3159ea737

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
7f81c3ba861f1a722421cc95d105fecd

SHA1
1e6e9a67f190deb407c6fdbd224ce90b833490e0

SHA256
cebaa9795b2039a5784a0edcbf89cb298259a34c5aa7f89ba31344203ea37a81

SHA512
1d44780b537d2797aaa636d913e2fb5dc00484d3bf9cbf42a67c7cd7988ff756326e9725b832df85c0c2fb1bc7c25f1ffa66e9b3ae5127868f38a88546a7555d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1a9fa92a4f2e2ec9e244d43a6a4f8fb9

SHA1
9910190edfaccece1dfcc1d92e357772f5dae8f7

SHA256
0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

SHA512
5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
fa21dd50b4e64421076f843031c8ccf7

SHA1
2c56e94f130c0d8d77116e939ffee4e37cf982bd

SHA256
e4f21aca1e12aafa8de7af24b79a75526e902c7d4b3fea5bdb6e723976997be3

SHA512
b8de2bfeb7af06c587dd1f424d410cf83471f31a55a3ea4c4481ce07ffd9bf66ddc1f7775ecd6ac65ac33baaec90ba5a208a9aefc84f31125a50dfb919982687

Download Submit
C:\Users\Admin\AppData\Local\RuntimeBroker.exe

Filesize
90KB

MD5
79fef04d806d7916fa1bf6d30358d4de

SHA1
2afb944edcf58c6594c734fbe0c8416b6bc1f447

SHA256
76f2d446e7fc3631f352180c201de9eb139d1acf3daf5dd63fe69502fa253bf1

SHA512
897021db19492ed9cf5ae3d68d840af1f68cf8836b1e5935485e42e569ecf8c95c85fe50b9e25ab13275209ed112906d06ef03a83502a0fa5904e60d3c3dad1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nlzgnw45.yfz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Umbral.exe

Filesize
231KB

MD5
2986f5be729cdf63ccb15a204a46d31b

SHA1
a7a733787f7aa226153d4ff693349cd88fc4a96f

SHA256
9242c3d80edfd477acaac2f7037d8fe77395b31c0c923cd65309df09ce2c8403

SHA512
edbb2cb4731d59e92ccf781d25569efa1a9ecd1df116860673898606d5e208e6c39fd8ab2066c902c542bdd61acc6c204eabad30a0d3f1ead82973005cc037f5

Download Submit
memory/2264-104-0x000002ABAF710000-0x000002ABAF71A000-memory.dmp

Filesize
40KB

Download
memory/2264-36-0x000002ABAD7B0000-0x000002ABAD7F0000-memory.dmp

Filesize
256KB

Download
memory/2264-167-0x00007FFDC8A70000-0x00007FFDC9532000-memory.dmp

Filesize
10.8MB

Download
memory/2264-163-0x00007FFDC8A70000-0x00007FFDC9532000-memory.dmp

Filesize
10.8MB

Download
memory/2264-68-0x000002ABC7FE0000-0x000002ABC8056000-memory.dmp

Filesize
472KB

Download
memory/2264-69-0x000002ABC7F60000-0x000002ABC7FB0000-memory.dmp

Filesize
320KB

Download
memory/2264-70-0x000002ABAF6D0000-0x000002ABAF6EE000-memory.dmp

Filesize
120KB

Download
memory/2264-40-0x00007FFDC8A70000-0x00007FFDC9532000-memory.dmp

Filesize
10.8MB

Download
memory/2264-105-0x000002ABC7FB0000-0x000002ABC7FC2000-memory.dmp

Filesize
72KB

Download
memory/2920-39-0x0000000000800000-0x00000000008D6000-memory.dmp

Filesize
856KB

Download
memory/2920-43-0x00000000086F0000-0x00000000086FE000-memory.dmp

Filesize
56KB

Download
memory/2920-42-0x0000000008730000-0x0000000008768000-memory.dmp

Filesize
224KB

Download
memory/3332-49-0x000001D906460000-0x000001D906482000-memory.dmp

Filesize
136KB

Download
memory/3672-38-0x00007FFDC8A70000-0x00007FFDC9532000-memory.dmp

Filesize
10.8MB

Download
memory/3672-37-0x0000000000D50000-0x0000000000D6C000-memory.dmp

Filesize
112KB

Download
memory/3672-162-0x00007FFDC8A70000-0x00007FFDC9532000-memory.dmp

Filesize
10.8MB

Download
memory/3672-168-0x00007FFDC8A70000-0x00007FFDC9532000-memory.dmp

Filesize
10.8MB

Download
memory/4500-0-0x00007FFDC8A73000-0x00007FFDC8A75000-memory.dmp

Filesize
8KB

Download
memory/4500-1-0x0000000000EF0000-0x0000000001018000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads