umbral | 2b80a0860ed3b8e262f242f251839d513808829fc3e209b93d2048c272ccc205

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22-09-2024 10:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RuntimeBroker.exe
Size

346KB
MD5

6a983258dfa7b270cc0938e4c453f66a
SHA1

21cb0158a55a859552fbfe442b7e7ca04c3dd77f
SHA256

2b80a0860ed3b8e262f242f251839d513808829fc3e209b93d2048c272ccc205
SHA512

7273d35af4e4c590566c9d514a26a24aa71696a94aab0a0bfc30820d6a6e9918044cd0df11c20b9b983b3b30edcfecc76a6e9670bdbb8ab7a7ed48c9d405fef5
SSDEEP

6144:q/cLTw+cOiFUk6Pv6U9yy/J6cIiPx166FpQoO/KzFHT809ii6VfNtvAeB9:q0LdcOiFhXKU6/3zFA09iD1tIeB9

Score

10^/10

umbral xworm credential_access discovery execution persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

expected-schema.gl.at.ply.gg:2980

Attributes

Install_directory
%Userprofile%
install_file
USB.exe

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000800000002344e-17.dat	family_umbral
behavioral2/memory/860-29-0x00000298B6E70000-0x00000298B6EB0000-memory.dmp	family_umbral

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000c000000023448-7.dat	family_xworm
behavioral2/memory/664-30-0x00000000005C0000-0x00000000005DA000-memory.dmp	family_xworm

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3340	powershell.exe
864	powershell.exe
2280	powershell.exe
3664	powershell.exe
4792	powershell.exe
4400	powershell.exe
4072	powershell.exe
4896	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbrall.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RuntimeBroker.lnk	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RuntimeBroker.lnk	RuntimeBroker.exe

Executes dropped EXE 5 IoCs

pid	Process
664	RuntimeBroker.exe
860	Umbrall.exe
1524	SynsWave.exe
1504	RuntimeBroker
4496	RuntimeBroker

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "C:\\Users\\Admin\\RuntimeBroker"	RuntimeBroker.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
25	discord.com
26	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
9	ip-api.com
22	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3780	PING.EXE
832	cmd.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1204	wmic.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3780	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4052	schtasks.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
860	Umbrall.exe
3340	powershell.exe
3340	powershell.exe
4400	powershell.exe
4400	powershell.exe
4072	powershell.exe
4072	powershell.exe
3448	powershell.exe
3448	powershell.exe
864	powershell.exe
864	powershell.exe
2280	powershell.exe
2280	powershell.exe
3664	powershell.exe
4896	powershell.exe
3664	powershell.exe
4896	powershell.exe
4792	powershell.exe
4792	powershell.exe
664	RuntimeBroker.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	664	RuntimeBroker.exe
Token: SeDebugPrivilege	860	Umbrall.exe
Token: SeIncreaseQuotaPrivilege	3664	wmic.exe
Token: SeSecurityPrivilege	3664	wmic.exe
Token: SeTakeOwnershipPrivilege	3664	wmic.exe
Token: SeLoadDriverPrivilege	3664	wmic.exe
Token: SeSystemProfilePrivilege	3664	wmic.exe
Token: SeSystemtimePrivilege	3664	wmic.exe
Token: SeProfSingleProcessPrivilege	3664	wmic.exe
Token: SeIncBasePriorityPrivilege	3664	wmic.exe
Token: SeCreatePagefilePrivilege	3664	wmic.exe
Token: SeBackupPrivilege	3664	wmic.exe
Token: SeRestorePrivilege	3664	wmic.exe
Token: SeShutdownPrivilege	3664	wmic.exe
Token: SeDebugPrivilege	3664	wmic.exe
Token: SeSystemEnvironmentPrivilege	3664	wmic.exe
Token: SeRemoteShutdownPrivilege	3664	wmic.exe
Token: SeUndockPrivilege	3664	wmic.exe
Token: SeManageVolumePrivilege	3664	wmic.exe
Token: 33	3664	wmic.exe
Token: 34	3664	wmic.exe
Token: 35	3664	wmic.exe
Token: 36	3664	wmic.exe
Token: SeIncreaseQuotaPrivilege	3664	wmic.exe
Token: SeSecurityPrivilege	3664	wmic.exe
Token: SeTakeOwnershipPrivilege	3664	wmic.exe
Token: SeLoadDriverPrivilege	3664	wmic.exe
Token: SeSystemProfilePrivilege	3664	wmic.exe
Token: SeSystemtimePrivilege	3664	wmic.exe
Token: SeProfSingleProcessPrivilege	3664	wmic.exe
Token: SeIncBasePriorityPrivilege	3664	wmic.exe
Token: SeCreatePagefilePrivilege	3664	wmic.exe
Token: SeBackupPrivilege	3664	wmic.exe
Token: SeRestorePrivilege	3664	wmic.exe
Token: SeShutdownPrivilege	3664	wmic.exe
Token: SeDebugPrivilege	3664	wmic.exe
Token: SeSystemEnvironmentPrivilege	3664	wmic.exe
Token: SeRemoteShutdownPrivilege	3664	wmic.exe
Token: SeUndockPrivilege	3664	wmic.exe
Token: SeManageVolumePrivilege	3664	wmic.exe
Token: 33	3664	wmic.exe
Token: 34	3664	wmic.exe
Token: 35	3664	wmic.exe
Token: 36	3664	wmic.exe
Token: SeDebugPrivilege	3340	powershell.exe
Token: SeDebugPrivilege	4400	powershell.exe
Token: SeDebugPrivilege	4072	powershell.exe
Token: SeDebugPrivilege	3448	powershell.exe
Token: SeDebugPrivilege	864	powershell.exe
Token: SeIncreaseQuotaPrivilege	692	wmic.exe
Token: SeSecurityPrivilege	692	wmic.exe
Token: SeTakeOwnershipPrivilege	692	wmic.exe
Token: SeLoadDriverPrivilege	692	wmic.exe
Token: SeSystemProfilePrivilege	692	wmic.exe
Token: SeSystemtimePrivilege	692	wmic.exe
Token: SeProfSingleProcessPrivilege	692	wmic.exe
Token: SeIncBasePriorityPrivilege	692	wmic.exe
Token: SeCreatePagefilePrivilege	692	wmic.exe
Token: SeBackupPrivilege	692	wmic.exe
Token: SeRestorePrivilege	692	wmic.exe
Token: SeShutdownPrivilege	692	wmic.exe
Token: SeDebugPrivilege	692	wmic.exe
Token: SeSystemEnvironmentPrivilege	692	wmic.exe
Token: SeRemoteShutdownPrivilege	692	wmic.exe

Suspicious use of FindShellTrayWindow 41 IoCs

pid	Process
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe

Suspicious use of SendNotifyMessage 41 IoCs

pid	Process
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe
2072	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
664	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2596 wrote to memory of 664	2596	RuntimeBroker.exe	82
PID 2596 wrote to memory of 664	2596	RuntimeBroker.exe	82
PID 2596 wrote to memory of 860	2596	RuntimeBroker.exe	83
PID 2596 wrote to memory of 860	2596	RuntimeBroker.exe	83
PID 2596 wrote to memory of 1524	2596	RuntimeBroker.exe	84
PID 2596 wrote to memory of 1524	2596	RuntimeBroker.exe	84
PID 1524 wrote to memory of 2920	1524	SynsWave.exe	86
PID 1524 wrote to memory of 2920	1524	SynsWave.exe	86
PID 860 wrote to memory of 3664	860	Umbrall.exe	87
PID 860 wrote to memory of 3664	860	Umbrall.exe	87
PID 860 wrote to memory of 460	860	Umbrall.exe	90
PID 860 wrote to memory of 460	860	Umbrall.exe	90
PID 860 wrote to memory of 3340	860	Umbrall.exe	92
PID 860 wrote to memory of 3340	860	Umbrall.exe	92
PID 860 wrote to memory of 4400	860	Umbrall.exe	94
PID 860 wrote to memory of 4400	860	Umbrall.exe	94
PID 860 wrote to memory of 4072	860	Umbrall.exe	96
PID 860 wrote to memory of 4072	860	Umbrall.exe	96
PID 860 wrote to memory of 3448	860	Umbrall.exe	98
PID 860 wrote to memory of 3448	860	Umbrall.exe	98
PID 664 wrote to memory of 864	664	RuntimeBroker.exe	102
PID 664 wrote to memory of 864	664	RuntimeBroker.exe	102
PID 860 wrote to memory of 692	860	Umbrall.exe	104
PID 860 wrote to memory of 692	860	Umbrall.exe	104
PID 860 wrote to memory of 2996	860	Umbrall.exe	106
PID 860 wrote to memory of 2996	860	Umbrall.exe	106
PID 664 wrote to memory of 2280	664	RuntimeBroker.exe	108
PID 664 wrote to memory of 2280	664	RuntimeBroker.exe	108
PID 860 wrote to memory of 400	860	Umbrall.exe	111
PID 860 wrote to memory of 400	860	Umbrall.exe	111
PID 664 wrote to memory of 3664	664	RuntimeBroker.exe	113
PID 664 wrote to memory of 3664	664	RuntimeBroker.exe	113
PID 860 wrote to memory of 4896	860	Umbrall.exe	115
PID 860 wrote to memory of 4896	860	Umbrall.exe	115
PID 860 wrote to memory of 1204	860	Umbrall.exe	117
PID 860 wrote to memory of 1204	860	Umbrall.exe	117
PID 664 wrote to memory of 4792	664	RuntimeBroker.exe	119
PID 664 wrote to memory of 4792	664	RuntimeBroker.exe	119
PID 664 wrote to memory of 4052	664	RuntimeBroker.exe	122
PID 664 wrote to memory of 4052	664	RuntimeBroker.exe	122
PID 860 wrote to memory of 832	860	Umbrall.exe	124
PID 860 wrote to memory of 832	860	Umbrall.exe	124
PID 832 wrote to memory of 3780	832	cmd.exe	126
PID 832 wrote to memory of 3780	832	cmd.exe	126

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
460	attrib.exe

C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
"C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe
  "C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:664
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:864
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RuntimeBroker.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2280
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\RuntimeBroker'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3664
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RuntimeBroker'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4792
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "RuntimeBroker" /tr "C:\Users\Admin\RuntimeBroker"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4052
- C:\Users\Admin\AppData\Roaming\Umbrall.exe
  "C:\Users\Admin\AppData\Roaming\Umbrall.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:860
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3664
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Roaming\Umbrall.exe"
    3⤵
    - Views/modifies file attributes
    PID:460
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Umbrall.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3340
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4400
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4072
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3448
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:692
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:2996
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:400
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4896
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1204
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Roaming\Umbrall.exe" && pause
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:832
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3780
- C:\Users\Admin\AppData\Roaming\SynsWave.exe
  "C:\Users\Admin\AppData\Roaming\SynsWave.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:2920

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2072

C:\Users\Admin\RuntimeBroker
C:\Users\Admin\RuntimeBroker
1⤵
- Executes dropped EXE
PID:1504

C:\Users\Admin\RuntimeBroker
C:\Users\Admin\RuntimeBroker
1⤵
- Executes dropped EXE
PID:4496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ec79fae4e7c09310ebf4f2d85a33a638

SHA1
f2bdd995b12e65e7ed437d228f22223b59e76efb

SHA256
e9c4723a5fe34e081c3d2f548a1d472394cc7aa58056fcf44ca542061381243a

SHA512
af9dda12f6bb388d826fe03a4a8beed9bda23a978aa55a2af6a43271660ee896a7ee3bcf2c4d2f1e6180902791d8c23560f1c2ec097a501d8c6f4f6c49075625

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
470a31aac9cf705179e47a32ce51f121

SHA1
757fc377e0198cae813c99f4d63e29d2a82ec1ec

SHA256
cf69cc666c1919e86261080d13dedb0301387c99f3360b674e211bce4071c80c

SHA512
5e667ce8238d0c2b6453b3f34757083cda67834c121ac5726e13bcd7689add07d410b67f5227bb9f9e79f6540e8579ff82e95323243905f825c9d7cf8a05cc1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
f988f58475bde394904cb9cd32082bc5

SHA1
589c49af2897ddc063ee2af45434a9e8505eb7dd

SHA256
d932d98b90f7d7130e65155f74b2f943f59055ba3a8fdf2f20251c5a983b3889

SHA512
40d79d389a1abec13881e419f8027d869026d20dfbcb276d0e6e22f6732e4d705ecd16c52ce9929f6a0b97efa065b6b53486bc920e2c71ab243e5c64e7bd4bd5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
22310ad6749d8cc38284aa616efcd100

SHA1
440ef4a0a53bfa7c83fe84326a1dff4326dcb515

SHA256
55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf

SHA512
2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
966914e2e771de7a4a57a95b6ecfa8a9

SHA1
7a32282fd51dd032967ed4d9a40cc57e265aeff2

SHA256
98d3c70d7004fa807897317bd6cd3e977b9b6c72d4d2565aca0f9f8b1c315cba

SHA512
dc39c7124a9c7c8d4c7e8e16290c46360b8d9a8f4e43edaacbbeb09bdcf20159a53db54d2b322372001b6a3de52b2f88e9088b5fdbc7638816ae0d122bb015f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
88be3bc8a7f90e3953298c0fdbec4d72

SHA1
f4969784ad421cc80ef45608727aacd0f6bf2e4b

SHA256
533c8470b41084e40c5660569ebbdb7496520d449629a235e8053e84025f348a

SHA512
4fce64e2dacddbc03314048fef1ce356ee2647c14733da121c23c65507eeb8d721d6b690ad5463319b364dc4fa95904ad6ab096907f32918e3406ef438a6ef7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ikftno3k.bvw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RuntimeBroker.lnk

Filesize
788B

MD5
d3847874c650cc58ceb9b8766cbb2121

SHA1
d5ba0b603eeb2779ae6f3385a980746e4cefd551

SHA256
4fe73f962498369c14b2b3bed69c7ad4a0f318be360c9f184aa62188ca1f7403

SHA512
edc63a5b6f01f7cb4a5dc13527195a9f4d800f07cad867068e543175b1e79a3b294f78d9c0468eeedb877f55acee927726498ff4f24bda90750c5fc9b85b8780

Download Submit
C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe

Filesize
80KB

MD5
5b8832e9845170717385ed9fb6dd6589

SHA1
b51bbc5d54e0e7c84a3488ca16643e8c88e452fa

SHA256
21ed3d77c21d3f856d7a0852f316abb104c90004e912fa330562435921a26d1d

SHA512
841f88b766c9aae7d6ac3f8c6e563da16a1266bb795c38060d465451c15b0052b13e58e26ad95325253d9196d30717418cbe3c75ad19eaad21a9bdf9f5289fa6

Download Submit
C:\Users\Admin\AppData\Roaming\SynsWave.exe

Filesize
25KB

MD5
12e7359129744823438f3d6b97192955

SHA1
89872a5a18abefe25d10efa824281718cf85ae39

SHA256
348086f9bd5939a48efcc94702271c1caf92ea11f3b0385367daf9530b51cf3e

SHA512
b38516752817d3ac6541d300cc17176c5bf1c38d321fd19c006cb1f5cf9d5ab7a228184ed267636841225e718f71d9cd8aed5e53e36c7ee3548ed6958b9e8563

Download Submit
C:\Users\Admin\AppData\Roaming\Umbrall.exe

Filesize
230KB

MD5
0b1ca5b7db9b402d2a2d5f2ceffb6d03

SHA1
e29fc0c937e930ae463110e6954759bdad901063

SHA256
7e7441520b44960fdc5fc8ec1b43c27a460baf7d84874d91fc78f4f97fd85aab

SHA512
5106921b55ec7f907b79a5b5fcab8cd387f27005c1da9a64680e0c2bdb25b99a20bbe59132452176ad9dcee9d8c2d23a8326f786de6453ef47094723f3e9a8b3

Download Submit
memory/664-168-0x00007FFF6DB60000-0x00007FFF6E621000-memory.dmp

Filesize
10.8MB

Download
memory/664-34-0x00007FFF6DB60000-0x00007FFF6E621000-memory.dmp

Filesize
10.8MB

Download
memory/664-30-0x00000000005C0000-0x00000000005DA000-memory.dmp

Filesize
104KB

Download
memory/860-102-0x00000298D15E0000-0x00000298D15F2000-memory.dmp

Filesize
72KB

Download
memory/860-35-0x00007FFF6DB60000-0x00007FFF6E621000-memory.dmp

Filesize
10.8MB

Download
memory/860-101-0x00000298B8B10000-0x00000298B8B1A000-memory.dmp

Filesize
40KB

Download
memory/860-65-0x00000298D16B0000-0x00000298D16CE000-memory.dmp

Filesize
120KB

Download
memory/860-64-0x00000298D1590000-0x00000298D15E0000-memory.dmp

Filesize
320KB

Download
memory/860-63-0x00000298D1610000-0x00000298D1686000-memory.dmp

Filesize
472KB

Download
memory/860-29-0x00000298B6E70000-0x00000298B6EB0000-memory.dmp

Filesize
256KB

Download
memory/860-165-0x00007FFF6DB60000-0x00007FFF6E621000-memory.dmp

Filesize
10.8MB

Download
memory/2072-177-0x00000193636E0000-0x00000193636E1000-memory.dmp

Filesize
4KB

Download
memory/2072-169-0x00000193636E0000-0x00000193636E1000-memory.dmp

Filesize
4KB

Download
memory/2072-170-0x00000193636E0000-0x00000193636E1000-memory.dmp

Filesize
4KB

Download
memory/2072-171-0x00000193636E0000-0x00000193636E1000-memory.dmp

Filesize
4KB

Download
memory/2072-181-0x00000193636E0000-0x00000193636E1000-memory.dmp

Filesize
4KB

Download
memory/2072-180-0x00000193636E0000-0x00000193636E1000-memory.dmp

Filesize
4KB

Download
memory/2072-179-0x00000193636E0000-0x00000193636E1000-memory.dmp

Filesize
4KB

Download
memory/2072-178-0x00000193636E0000-0x00000193636E1000-memory.dmp

Filesize
4KB

Download
memory/2072-176-0x00000193636E0000-0x00000193636E1000-memory.dmp

Filesize
4KB

Download
memory/2072-175-0x00000193636E0000-0x00000193636E1000-memory.dmp

Filesize
4KB

Download
memory/2596-0-0x00007FFF6DB63000-0x00007FFF6DB65000-memory.dmp

Filesize
8KB

Download
memory/2596-1-0x0000000000460000-0x00000000004BC000-memory.dmp

Filesize
368KB

Download
memory/3340-46-0x000002449DB60000-0x000002449DB82000-memory.dmp

Filesize
136KB

Download