umbral | 544a9c11e53d104ee4987900bebeb849490735d2d3a076dd468bcdedd83b6fde

Analysis

max time kernel
93s
max time network
101s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
25-09-2024 06:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RustAnticheat.exe
Size

1.1MB
MD5

51d835de66bac2f502ae697a35baec90
SHA1

46ed68b3af1160c892090db77dbfd8916128afee
SHA256

544a9c11e53d104ee4987900bebeb849490735d2d3a076dd468bcdedd83b6fde
SHA512

1be17435d526b464aee3e453295feb831030a4ec9d87c1a4d47eee9b32a3728675fc29ff35143991209e75c5804d02612da31c51dbbad8a6054f03ad01660746
SSDEEP

24576:kEKrzjpnzLOtAi9SrsvNOOZT8XYYLvqKaZ2IJhaOtlj:dKr3hL4+yRT3KaIIj

Score

10^/10

umbral xworm discovery rat stealer trojan

Malware Config

Extracted

Family

xworm

web-amend.gl.at.ply.gg:59501

Attributes

Install_directory
%AppData%
install_file
RuntimeBroker.exe

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral5/files/0x000400000002aab1-28.dat	family_umbral
behavioral5/memory/2888-36-0x0000015073A20000-0x0000015073A60000-memory.dmp	family_umbral

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral5/files/0x000300000002aa62-16.dat	family_xworm
behavioral5/memory/3752-37-0x0000000000800000-0x0000000000818000-memory.dmp	family_xworm

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Executes dropped EXE 3 IoCs

pid	Process
4752	Loader (1).exe
3752	RustAnticheat1.exe
2888	Umbral1.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader (1).exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeDebugPrivilege	3752	RustAnticheat1.exe
Token: SeDebugPrivilege	2888	Umbral1.exe
Token: SeIncreaseQuotaPrivilege	5100	wmic.exe
Token: SeSecurityPrivilege	5100	wmic.exe
Token: SeTakeOwnershipPrivilege	5100	wmic.exe
Token: SeLoadDriverPrivilege	5100	wmic.exe
Token: SeSystemProfilePrivilege	5100	wmic.exe
Token: SeSystemtimePrivilege	5100	wmic.exe
Token: SeProfSingleProcessPrivilege	5100	wmic.exe
Token: SeIncBasePriorityPrivilege	5100	wmic.exe
Token: SeCreatePagefilePrivilege	5100	wmic.exe
Token: SeBackupPrivilege	5100	wmic.exe
Token: SeRestorePrivilege	5100	wmic.exe
Token: SeShutdownPrivilege	5100	wmic.exe
Token: SeDebugPrivilege	5100	wmic.exe
Token: SeSystemEnvironmentPrivilege	5100	wmic.exe
Token: SeRemoteShutdownPrivilege	5100	wmic.exe
Token: SeUndockPrivilege	5100	wmic.exe
Token: SeManageVolumePrivilege	5100	wmic.exe
Token: 33	5100	wmic.exe
Token: 34	5100	wmic.exe
Token: 35	5100	wmic.exe
Token: 36	5100	wmic.exe
Token: SeIncreaseQuotaPrivilege	5100	wmic.exe
Token: SeSecurityPrivilege	5100	wmic.exe
Token: SeTakeOwnershipPrivilege	5100	wmic.exe
Token: SeLoadDriverPrivilege	5100	wmic.exe
Token: SeSystemProfilePrivilege	5100	wmic.exe
Token: SeSystemtimePrivilege	5100	wmic.exe
Token: SeProfSingleProcessPrivilege	5100	wmic.exe
Token: SeIncBasePriorityPrivilege	5100	wmic.exe
Token: SeCreatePagefilePrivilege	5100	wmic.exe
Token: SeBackupPrivilege	5100	wmic.exe
Token: SeRestorePrivilege	5100	wmic.exe
Token: SeShutdownPrivilege	5100	wmic.exe
Token: SeDebugPrivilege	5100	wmic.exe
Token: SeSystemEnvironmentPrivilege	5100	wmic.exe
Token: SeRemoteShutdownPrivilege	5100	wmic.exe
Token: SeUndockPrivilege	5100	wmic.exe
Token: SeManageVolumePrivilege	5100	wmic.exe
Token: 33	5100	wmic.exe
Token: 34	5100	wmic.exe
Token: 35	5100	wmic.exe
Token: 36	5100	wmic.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 4752	2272	RustAnticheat.exe	79
PID 2272 wrote to memory of 4752	2272	RustAnticheat.exe	79
PID 2272 wrote to memory of 4752	2272	RustAnticheat.exe	79
PID 2272 wrote to memory of 3752	2272	RustAnticheat.exe	80
PID 2272 wrote to memory of 3752	2272	RustAnticheat.exe	80
PID 2272 wrote to memory of 2888	2272	RustAnticheat.exe	81
PID 2272 wrote to memory of 2888	2272	RustAnticheat.exe	81
PID 2888 wrote to memory of 5100	2888	Umbral1.exe	82
PID 2888 wrote to memory of 5100	2888	Umbral1.exe	82

C:\Users\Admin\AppData\Local\Temp\RustAnticheat.exe
"C:\Users\Admin\AppData\Local\Temp\RustAnticheat.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Users\Admin\AppData\Local\Loader (1).exe
  "C:\Users\Admin\AppData\Local\Loader (1).exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4752
- C:\Users\Admin\AppData\Local\RustAnticheat1.exe
  "C:\Users\Admin\AppData\Local\RustAnticheat1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3752
- C:\Users\Admin\AppData\Local\Umbral1.exe
  "C:\Users\Admin\AppData\Local\Umbral1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Loader (1).exe

Filesize
827KB

MD5
eefb801774c5ccb44153268a9357f5f1

SHA1
b1906b22e14edd142c52808ab3e5ba9346b85de5

SHA256
677aeb1981c58cba41a5d53ccbbf5b471e62dc49dc326570767da940560d840d

SHA512
1cf162fe6184d68dca514059d2de1123e80d0faac401765a54224aa5a987c9454bc92263fbec566835aa7b402f1f63ba59bb425ccc139e0a7391e66991f270b7

Download Submit
C:\Users\Admin\AppData\Local\RustAnticheat1.exe

Filesize
67KB

MD5
e2380436ed8f81ca925783cfd4ec2be2

SHA1
da7f9a44014fd130cf7bdb9e19d9605246e8cfca

SHA256
4c1be445457b188ef0aad364ee879505e4b925ddba5405801b0e27af659c806a

SHA512
44a57c5e5811d1d840f2cecc1fb5836ad43c7be80061d0b6e800431bf323fd87eef296ee364d87a2fd88502334b657c12bc001c1f2777ad71fca95bce84b6305

Download Submit
C:\Users\Admin\AppData\Local\Umbral1.exe

Filesize
231KB

MD5
844f85b3c38478161c8918e2d23a4835

SHA1
d2da62e3f0c50ddb3cc510af88368143790d59b9

SHA256
8f3ba7ae0aea1ad543fd98a1cb574bada9d363d476e12ae7a332ea83967883b5

SHA512
96d4ccdd853a7f878d0409f4f39f4f8fdd6bdf7d086ccd665e8f9141cf9ebc2916d079838e599c67c86cddfd02262c14cee434622821a8550c0dbd87535c95c7

Download Submit
memory/2272-0-0x00007FFE673B3000-0x00007FFE673B5000-memory.dmp

Filesize
8KB

Download
memory/2272-1-0x0000000000AB0000-0x0000000000BD2000-memory.dmp

Filesize
1.1MB

Download
memory/2888-36-0x0000015073A20000-0x0000015073A60000-memory.dmp

Filesize
256KB

Download
memory/3752-37-0x0000000000800000-0x0000000000818000-memory.dmp

Filesize
96KB

Download
memory/3752-38-0x00007FFE673B0000-0x00007FFE67E72000-memory.dmp

Filesize
10.8MB

Download
memory/3752-44-0x00007FFE673B0000-0x00007FFE67E72000-memory.dmp

Filesize
10.8MB

Download
memory/4752-39-0x0000000000950000-0x0000000000A26000-memory.dmp

Filesize
856KB

Download
memory/4752-42-0x00000000089C0000-0x00000000089F8000-memory.dmp

Filesize
224KB

Download
memory/4752-43-0x00000000085D0000-0x00000000085DE000-memory.dmp

Filesize
56KB

Download