umbral | 066692a03f240a40c237f5ec3270d27cac1fda40630dd29f40db006b79a542a8

Analysis

max time kernel
149s
max time network
142s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
19-09-2024 12:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RustAnticheat.exe
Size

1.1MB
MD5

6d63fe8c87e642d9e380a13803aa6858
SHA1

5652877b527da6cec16dfa7e9653d3657fedea8b
SHA256

066692a03f240a40c237f5ec3270d27cac1fda40630dd29f40db006b79a542a8
SHA512

32ad077db3f44cd184f60a715464a0540615fee76cbb4de20c6a2703b1ef2a74391adfad0e77a4c3b2340f9bafbc18238445f19e7fcebf2c11e76e66376d000d
SSDEEP

24576:Ucvup1OydVxYPtGU8ynaQpLUcgs5JTqzCZxGcQVyULZ6U6/:U/1OydfMrgsfX04KZ69/

Score

10^/10

umbral xworm discovery execution persistence rat stealer trojan

Malware Config

Extracted

Family

xworm

expected-schema.gl.at.ply.gg:2980

Attributes

Install_directory
%LocalAppData%
install_file
USB.exe

Extracted

Family

umbral

https://discord.com/api/webhooks/1286299751637192826/RNAV05TJwC7uQTEETo8ZiWSJKOrj5gYY87jlWomaK7jJ1jmuh7qm4pMjcc2ZUhDh6jxd

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000800000001ac2c-16.dat	family_umbral
behavioral2/memory/4616-19-0x0000028494A60000-0x0000028494AA0000-memory.dmp	family_umbral

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000900000001ab42-7.dat	family_xworm
behavioral2/memory/4640-12-0x00000000006E0000-0x00000000006FC000-memory.dmp	family_xworm

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4544	powershell.exe
5076	powershell.exe
2528	powershell.exe
3944	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RuntimeBroker.lnk	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RuntimeBroker.lnk	RuntimeBroker.exe

Executes dropped EXE 4 IoCs

pid	Process
4640	RuntimeBroker.exe
5000	RustAntich1eat.exe
4616	Umbral.exe
1100	RuntimeBroker

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "C:\\Users\\Admin\\AppData\\Local\\RuntimeBroker"	RuntimeBroker.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RustAntich1eat.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3212	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4188	schtasks.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
4544	powershell.exe
4544	powershell.exe
4544	powershell.exe
5076	powershell.exe
5076	powershell.exe
5076	powershell.exe
2528	powershell.exe
2528	powershell.exe
2528	powershell.exe
3944	powershell.exe
3944	powershell.exe
3944	powershell.exe
4640	RuntimeBroker.exe
4640	RuntimeBroker.exe
4640	RuntimeBroker.exe
4640	RuntimeBroker.exe
4640	RuntimeBroker.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4640	RuntimeBroker.exe
Token: SeDebugPrivilege	4616	Umbral.exe
Token: SeIncreaseQuotaPrivilege	424	wmic.exe
Token: SeSecurityPrivilege	424	wmic.exe
Token: SeTakeOwnershipPrivilege	424	wmic.exe
Token: SeLoadDriverPrivilege	424	wmic.exe
Token: SeSystemProfilePrivilege	424	wmic.exe
Token: SeSystemtimePrivilege	424	wmic.exe
Token: SeProfSingleProcessPrivilege	424	wmic.exe
Token: SeIncBasePriorityPrivilege	424	wmic.exe
Token: SeCreatePagefilePrivilege	424	wmic.exe
Token: SeBackupPrivilege	424	wmic.exe
Token: SeRestorePrivilege	424	wmic.exe
Token: SeShutdownPrivilege	424	wmic.exe
Token: SeDebugPrivilege	424	wmic.exe
Token: SeSystemEnvironmentPrivilege	424	wmic.exe
Token: SeRemoteShutdownPrivilege	424	wmic.exe
Token: SeUndockPrivilege	424	wmic.exe
Token: SeManageVolumePrivilege	424	wmic.exe
Token: 33	424	wmic.exe
Token: 34	424	wmic.exe
Token: 35	424	wmic.exe
Token: 36	424	wmic.exe
Token: SeIncreaseQuotaPrivilege	424	wmic.exe
Token: SeSecurityPrivilege	424	wmic.exe
Token: SeTakeOwnershipPrivilege	424	wmic.exe
Token: SeLoadDriverPrivilege	424	wmic.exe
Token: SeSystemProfilePrivilege	424	wmic.exe
Token: SeSystemtimePrivilege	424	wmic.exe
Token: SeProfSingleProcessPrivilege	424	wmic.exe
Token: SeIncBasePriorityPrivilege	424	wmic.exe
Token: SeCreatePagefilePrivilege	424	wmic.exe
Token: SeBackupPrivilege	424	wmic.exe
Token: SeRestorePrivilege	424	wmic.exe
Token: SeShutdownPrivilege	424	wmic.exe
Token: SeDebugPrivilege	424	wmic.exe
Token: SeSystemEnvironmentPrivilege	424	wmic.exe
Token: SeRemoteShutdownPrivilege	424	wmic.exe
Token: SeUndockPrivilege	424	wmic.exe
Token: SeManageVolumePrivilege	424	wmic.exe
Token: 33	424	wmic.exe
Token: 34	424	wmic.exe
Token: 35	424	wmic.exe
Token: 36	424	wmic.exe
Token: SeDebugPrivilege	4544	powershell.exe
Token: SeIncreaseQuotaPrivilege	4544	powershell.exe
Token: SeSecurityPrivilege	4544	powershell.exe
Token: SeTakeOwnershipPrivilege	4544	powershell.exe
Token: SeLoadDriverPrivilege	4544	powershell.exe
Token: SeSystemProfilePrivilege	4544	powershell.exe
Token: SeSystemtimePrivilege	4544	powershell.exe
Token: SeProfSingleProcessPrivilege	4544	powershell.exe
Token: SeIncBasePriorityPrivilege	4544	powershell.exe
Token: SeCreatePagefilePrivilege	4544	powershell.exe
Token: SeBackupPrivilege	4544	powershell.exe
Token: SeRestorePrivilege	4544	powershell.exe
Token: SeShutdownPrivilege	4544	powershell.exe
Token: SeDebugPrivilege	4544	powershell.exe
Token: SeSystemEnvironmentPrivilege	4544	powershell.exe
Token: SeRemoteShutdownPrivilege	4544	powershell.exe
Token: SeUndockPrivilege	4544	powershell.exe
Token: SeManageVolumePrivilege	4544	powershell.exe
Token: 33	4544	powershell.exe
Token: 34	4544	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4640	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 3152 wrote to memory of 4640	3152	RustAnticheat.exe	73
PID 3152 wrote to memory of 4640	3152	RustAnticheat.exe	73
PID 3152 wrote to memory of 5000	3152	RustAnticheat.exe	74
PID 3152 wrote to memory of 5000	3152	RustAnticheat.exe	74
PID 3152 wrote to memory of 5000	3152	RustAnticheat.exe	74
PID 3152 wrote to memory of 4616	3152	RustAnticheat.exe	75
PID 3152 wrote to memory of 4616	3152	RustAnticheat.exe	75
PID 4616 wrote to memory of 424	4616	Umbral.exe	76
PID 4616 wrote to memory of 424	4616	Umbral.exe	76
PID 4640 wrote to memory of 4544	4640	RuntimeBroker.exe	80
PID 4640 wrote to memory of 4544	4640	RuntimeBroker.exe	80
PID 4640 wrote to memory of 5076	4640	RuntimeBroker.exe	83
PID 4640 wrote to memory of 5076	4640	RuntimeBroker.exe	83
PID 4640 wrote to memory of 2528	4640	RuntimeBroker.exe	85
PID 4640 wrote to memory of 2528	4640	RuntimeBroker.exe	85
PID 4640 wrote to memory of 3944	4640	RuntimeBroker.exe	87
PID 4640 wrote to memory of 3944	4640	RuntimeBroker.exe	87
PID 4640 wrote to memory of 4188	4640	RuntimeBroker.exe	89
PID 4640 wrote to memory of 4188	4640	RuntimeBroker.exe	89
PID 4640 wrote to memory of 3672	4640	RuntimeBroker.exe	95
PID 4640 wrote to memory of 3672	4640	RuntimeBroker.exe	95
PID 4640 wrote to memory of 2216	4640	RuntimeBroker.exe	97
PID 4640 wrote to memory of 2216	4640	RuntimeBroker.exe	97
PID 2216 wrote to memory of 3212	2216	cmd.exe	99
PID 2216 wrote to memory of 3212	2216	cmd.exe	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\RustAnticheat.exe
"C:\Users\Admin\AppData\Local\Temp\RustAnticheat.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3152
- C:\Users\Admin\RuntimeBroker.exe
  "C:\Users\Admin\RuntimeBroker.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4640
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\RuntimeBroker.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4544
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RuntimeBroker.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:5076
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\RuntimeBroker'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2528
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RuntimeBroker'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3944
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "RuntimeBroker" /tr "C:\Users\Admin\AppData\Local\RuntimeBroker"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4188
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /delete /f /tn "RuntimeBroker"
    3⤵
    PID:3672
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8D5.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2216
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:3212
- C:\Users\Admin\RustAntich1eat.exe
  "C:\Users\Admin\RustAntich1eat.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5000
- C:\Users\Admin\Umbral.exe
  "C:\Users\Admin\Umbral.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4616
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:424

C:\Users\Admin\AppData\Local\RuntimeBroker
C:\Users\Admin\AppData\Local\RuntimeBroker
1⤵
- Executes dropped EXE
PID:1100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
56fa67efa74c34191150ad3843de0dda

SHA1
cfa2905dba6ff57d4cf56d505714a2de10c1e19a

SHA256
03be8e43f5f7c434365a47890b01245814d2ccc6a3963ca664283c27e60fbde5

SHA512
57e721f275fda8947f4ad91dcc131a5a6482e61efcd623a618f1bcde4b79f6b43558070b2cd477eb1841d0f5de19334613e79204be126c2940cd4e5a911df877

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5bbd7b03c651c64a0f6ec1226f767070

SHA1
4b4fc10565159a28e581dcda7d6448a53d16b779

SHA256
432a5cb23fd51faaa90b1e18598205f5f9ab2b73acd1e9f9c27903fefd4ea427

SHA512
3b22d78a92229c17f0bdde3f3a26bebea44f55e0c40d78228dcda45c38aa4c44655fff21e1ebe164affd48923fa169ece1193de76831c575a9a0db0998e00950

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e0c32dba5238f8207936eea8b7fe7f41

SHA1
5a1c7d890ecded1b5edd53fff89c420d8b1dc130

SHA256
14a6a3ccaa390014fd2c14cfdd780d7c151aacb79bc2a01d98a7978763a12c26

SHA512
57ed83ed4fc69a1455351fe0a7049404e8a2a823788a77d053fc058e28f4e8f563ec3351ca3a598b946664f60b5f655f18b75a99cde67fe3764953a744af3290

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_asab1ws5.sxn.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8D5.tmp.bat

Filesize
145B

MD5
6ed77dcee3954e23b20b7ddbfd605880

SHA1
f35e7074b3e526201fcbfe7f19f9e1fc9b297ff2

SHA256
20f28ecf7d0bd964f54c3feb9b969da664891d5b6eff634b87f270f6a5b1f2d2

SHA512
28cb3316a3816eebe190bdb821373827b224bdec88f35a9416d2d36b3e49f8498b47b3ef1f6ec7ac82d7541449d70f930f2daad53922be52983de442a09a218c

Download Submit
C:\Users\Admin\Desktop\LoaderLog.txt

Filesize
4KB

MD5
2f2c0709a6b0497bee61fff5c3583c2b

SHA1
897a3826290e073b18faef31fca95749e1e5946d

SHA256
b7ce2440e64ab08378b554a3333abebc7cdfadc74fa8ad0524e0e6eecbf22111

SHA512
1572440f437b3d2e2ee723532d6edb4cfc2b3e20255bb85d47564c4507eda66807437548b86a035fe51ef3ecbe5a41fbab3d80e1c59ea1e8954b2f1a5d45b083

Download Submit
C:\Users\Admin\RuntimeBroker.exe

Filesize
84KB

MD5
98ccb6806d126e3a211b963d3341efd7

SHA1
108dfe1979c04c588f87d6fc2bb57c3ac10f6742

SHA256
11f00d48ecd890e9b8658c652a6283ead05dea9bcd641d89d0bd7f0f618f3cd2

SHA512
373caadac1ad290d60ea41663482946889ae9e0fea96115e21ba38d19d2bf6123c47501190c3fb33ef51aa07f6dbddc4eab43b82cbc008c4f83684707e1d3510

Download Submit
C:\Users\Admin\RustAntich1eat.exe

Filesize
827KB

MD5
eefb801774c5ccb44153268a9357f5f1

SHA1
b1906b22e14edd142c52808ab3e5ba9346b85de5

SHA256
677aeb1981c58cba41a5d53ccbbf5b471e62dc49dc326570767da940560d840d

SHA512
1cf162fe6184d68dca514059d2de1123e80d0faac401765a54224aa5a987c9454bc92263fbec566835aa7b402f1f63ba59bb425ccc139e0a7391e66991f270b7

Download Submit
C:\Users\Admin\Umbral.exe

Filesize
230KB

MD5
4647720ef8607199527cb3b0bc793587

SHA1
0728b0cc0fc7e0a1a8ed14c0861f8757780e4163

SHA256
349bfc065bf0580379be8c6e0d0dca592deec1bfc104d8d28c70454436de6337

SHA512
906baf94232c9f76d193021345259d01e23d81b3d9a948067035979235fd45e739e89b8047148f61d2f210c40e561067a040100ccacebbf8921050f12a0281f8

Download Submit
memory/3152-1-0x0000000000740000-0x0000000000866000-memory.dmp

Filesize
1.1MB

Download
memory/3152-0-0x00007FFC012B3000-0x00007FFC012B4000-memory.dmp

Filesize
4KB

Download
memory/4544-45-0x000001A175A50000-0x000001A175A72000-memory.dmp

Filesize
136KB

Download
memory/4544-48-0x000001A175C00000-0x000001A175C76000-memory.dmp

Filesize
472KB

Download
memory/4616-19-0x0000028494A60000-0x0000028494AA0000-memory.dmp

Filesize
256KB

Download
memory/4640-300-0x00007FFC012B0000-0x00007FFC01C9C000-memory.dmp

Filesize
9.9MB

Download
memory/4640-21-0x00007FFC012B0000-0x00007FFC01C9C000-memory.dmp

Filesize
9.9MB

Download
memory/4640-12-0x00000000006E0000-0x00000000006FC000-memory.dmp

Filesize
112KB

Download
memory/4640-25-0x00007FFC012B0000-0x00007FFC01C9C000-memory.dmp

Filesize
9.9MB

Download
memory/4640-310-0x00007FFC012B0000-0x00007FFC01C9C000-memory.dmp

Filesize
9.9MB

Download
memory/4640-367-0x00007FFC012B0000-0x00007FFC01C9C000-memory.dmp

Filesize
9.9MB

Download
memory/5000-20-0x0000000000970000-0x0000000000A46000-memory.dmp

Filesize
856KB

Download
memory/5000-23-0x0000000008FA0000-0x0000000008FD8000-memory.dmp

Filesize
224KB

Download