umbral | 5bf57a09e808187117a444d16d5145fe8cd5064aaecb383d16a1b0336fe618c4

Analysis

max time kernel
118s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-09-2024 07:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RustAnticheat.exe
Size

1.1MB
MD5

f6f5e5a1dd30fb5fa22f220ecbe1b05a
SHA1

c04279611affa2129b36332b2f748b842cd0e7a7
SHA256

5bf57a09e808187117a444d16d5145fe8cd5064aaecb383d16a1b0336fe618c4
SHA512

730d5719d50148ae79a28d70f2cd102ba260560cdb141aad7d31066453f9ad6cfe8a36a46da9d162a122dec5a5d1685879a4f5b0adef48677daa7168717cb1ff
SSDEEP

24576:32oxfnX+1FmWYQw00hlKAv65/9KlH8XbF1A/t30TuG/m+V54/6AH1Ba:3L5nXumWYCTsCKlcXbU/tjGg/6AV

Score

10^/10

umbral xworm discovery execution persistence rat stealer trojan

Malware Config

Extracted

Family

xworm

web-amend.gl.at.ply.gg:59501

Attributes

Install_directory
%Userprofile%
install_file
USB.exe

Extracted

Family

umbral

https://discord.com/api/webhooks/1286696205040226395/PlyXt42kMHxkNNkTVcuKXMSs07VdzNAX4G3WkobLmgEeCwny8D96kvYTWDW1AjLuLxBu

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00070000000186b7-17.dat	family_umbral
behavioral1/memory/2740-19-0x0000000000280000-0x00000000002C0000-memory.dmp	family_umbral

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0029000000018671-11.dat	family_xworm
behavioral1/memory/2720-15-0x00000000011C0000-0x00000000011DC000-memory.dmp	family_xworm
behavioral1/memory/1580-58-0x0000000000080000-0x000000000009C000-memory.dmp	family_xworm

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2664	powershell.exe
1972	powershell.exe
2436	powershell.exe
2116	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RuntimeBroker.lnk	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RuntimeBroker.lnk	RuntimeBroker.exe

Executes dropped EXE 4 IoCs

pid	Process
2820	Loader (1).exe
2720	RuntimeBroker.exe
2740	Umbral1.exe
1580	RuntimeBroker

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "C:\\Users\\Admin\\RuntimeBroker"	RuntimeBroker.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader (1).exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2276	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2392	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2664	powershell.exe
1972	powershell.exe
2436	powershell.exe
2116	powershell.exe
2720	RuntimeBroker.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeDebugPrivilege	2720	RuntimeBroker.exe
Token: SeDebugPrivilege	2740	Umbral1.exe
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeIncreaseQuotaPrivilege	2428	wmic.exe
Token: SeSecurityPrivilege	2428	wmic.exe
Token: SeTakeOwnershipPrivilege	2428	wmic.exe
Token: SeLoadDriverPrivilege	2428	wmic.exe
Token: SeSystemProfilePrivilege	2428	wmic.exe
Token: SeSystemtimePrivilege	2428	wmic.exe
Token: SeProfSingleProcessPrivilege	2428	wmic.exe
Token: SeIncBasePriorityPrivilege	2428	wmic.exe
Token: SeCreatePagefilePrivilege	2428	wmic.exe
Token: SeBackupPrivilege	2428	wmic.exe
Token: SeRestorePrivilege	2428	wmic.exe
Token: SeShutdownPrivilege	2428	wmic.exe
Token: SeDebugPrivilege	2428	wmic.exe
Token: SeSystemEnvironmentPrivilege	2428	wmic.exe
Token: SeRemoteShutdownPrivilege	2428	wmic.exe
Token: SeUndockPrivilege	2428	wmic.exe
Token: SeManageVolumePrivilege	2428	wmic.exe
Token: 33	2428	wmic.exe
Token: 34	2428	wmic.exe
Token: 35	2428	wmic.exe
Token: SeIncreaseQuotaPrivilege	2428	wmic.exe
Token: SeSecurityPrivilege	2428	wmic.exe
Token: SeTakeOwnershipPrivilege	2428	wmic.exe
Token: SeLoadDriverPrivilege	2428	wmic.exe
Token: SeSystemProfilePrivilege	2428	wmic.exe
Token: SeSystemtimePrivilege	2428	wmic.exe
Token: SeProfSingleProcessPrivilege	2428	wmic.exe
Token: SeIncBasePriorityPrivilege	2428	wmic.exe
Token: SeCreatePagefilePrivilege	2428	wmic.exe
Token: SeBackupPrivilege	2428	wmic.exe
Token: SeRestorePrivilege	2428	wmic.exe
Token: SeShutdownPrivilege	2428	wmic.exe
Token: SeDebugPrivilege	2428	wmic.exe
Token: SeSystemEnvironmentPrivilege	2428	wmic.exe
Token: SeRemoteShutdownPrivilege	2428	wmic.exe
Token: SeUndockPrivilege	2428	wmic.exe
Token: SeManageVolumePrivilege	2428	wmic.exe
Token: 33	2428	wmic.exe
Token: 34	2428	wmic.exe
Token: 35	2428	wmic.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	2436	powershell.exe
Token: SeDebugPrivilege	2116	powershell.exe
Token: SeDebugPrivilege	2720	RuntimeBroker.exe
Token: SeDebugPrivilege	1580	RuntimeBroker

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2720	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 2820	2808	RustAnticheat.exe	30
PID 2808 wrote to memory of 2820	2808	RustAnticheat.exe	30
PID 2808 wrote to memory of 2820	2808	RustAnticheat.exe	30
PID 2808 wrote to memory of 2820	2808	RustAnticheat.exe	30
PID 2808 wrote to memory of 2720	2808	RustAnticheat.exe	31
PID 2808 wrote to memory of 2720	2808	RustAnticheat.exe	31
PID 2808 wrote to memory of 2720	2808	RustAnticheat.exe	31
PID 2808 wrote to memory of 2740	2808	RustAnticheat.exe	32
PID 2808 wrote to memory of 2740	2808	RustAnticheat.exe	32
PID 2808 wrote to memory of 2740	2808	RustAnticheat.exe	32
PID 2720 wrote to memory of 2664	2720	RuntimeBroker.exe	33
PID 2720 wrote to memory of 2664	2720	RuntimeBroker.exe	33
PID 2720 wrote to memory of 2664	2720	RuntimeBroker.exe	33
PID 2740 wrote to memory of 2428	2740	Umbral1.exe	36
PID 2740 wrote to memory of 2428	2740	Umbral1.exe	36
PID 2740 wrote to memory of 2428	2740	Umbral1.exe	36
PID 2720 wrote to memory of 1972	2720	RuntimeBroker.exe	39
PID 2720 wrote to memory of 1972	2720	RuntimeBroker.exe	39
PID 2720 wrote to memory of 1972	2720	RuntimeBroker.exe	39
PID 2720 wrote to memory of 2436	2720	RuntimeBroker.exe	41
PID 2720 wrote to memory of 2436	2720	RuntimeBroker.exe	41
PID 2720 wrote to memory of 2436	2720	RuntimeBroker.exe	41
PID 2720 wrote to memory of 2116	2720	RuntimeBroker.exe	43
PID 2720 wrote to memory of 2116	2720	RuntimeBroker.exe	43
PID 2720 wrote to memory of 2116	2720	RuntimeBroker.exe	43
PID 2720 wrote to memory of 2392	2720	RuntimeBroker.exe	45
PID 2720 wrote to memory of 2392	2720	RuntimeBroker.exe	45
PID 2720 wrote to memory of 2392	2720	RuntimeBroker.exe	45
PID 280 wrote to memory of 1580	280	taskeng.exe	48
PID 280 wrote to memory of 1580	280	taskeng.exe	48
PID 280 wrote to memory of 1580	280	taskeng.exe	48
PID 2720 wrote to memory of 2408	2720	RuntimeBroker.exe	49
PID 2720 wrote to memory of 2408	2720	RuntimeBroker.exe	49
PID 2720 wrote to memory of 2408	2720	RuntimeBroker.exe	49
PID 2720 wrote to memory of 1300	2720	RuntimeBroker.exe	51
PID 2720 wrote to memory of 1300	2720	RuntimeBroker.exe	51
PID 2720 wrote to memory of 1300	2720	RuntimeBroker.exe	51
PID 1300 wrote to memory of 2276	1300	cmd.exe	53
PID 1300 wrote to memory of 2276	1300	cmd.exe	53
PID 1300 wrote to memory of 2276	1300	cmd.exe	53

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\RustAnticheat.exe
"C:\Users\Admin\AppData\Local\Temp\RustAnticheat.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Users\Admin\Loader (1).exe
  "C:\Users\Admin\Loader (1).exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2820
- C:\Users\Admin\RuntimeBroker.exe
  "C:\Users\Admin\RuntimeBroker.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\RuntimeBroker.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2664
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RuntimeBroker.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1972
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\RuntimeBroker'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2436
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RuntimeBroker'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2116
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "RuntimeBroker" /tr "C:\Users\Admin\RuntimeBroker"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2392
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /delete /f /tn "RuntimeBroker"
    3⤵
    PID:2408
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpA841.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1300
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:2276
- C:\Users\Admin\Umbral1.exe
  "C:\Users\Admin\Umbral1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2428

C:\Windows\system32\taskeng.exe
taskeng.exe {BAA34114-4132-4B51-8AC7-174D542D8328} S-1-5-21-457978338-2990298471-2379561640-1000:WOUOSVRD\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:280
- C:\Users\Admin\RuntimeBroker
  C:\Users\Admin\RuntimeBroker
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpA841.tmp.bat

Filesize
146B

MD5
f243eb4bddf6d13fc7d1aee4e3b82620

SHA1
db2bc8115a372287e1b2c2add7458858811a3213

SHA256
d157219a3134c6797960b4bc977e74d36d7d28afc0c73e0027dbfb5cbe02ec1a

SHA512
e2bf7701026dbd077f8ac3c75f937127179c7d1cb9e6c3c48861fbd38dbb845f476aa87b2aacc6d984b8f54d059ab8fb47a53c276085856bea62d3c0bdab2653

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
69b019bc04360335b15904d36f860541

SHA1
b5123a483eccaa3bd44616c217726acb6f805275

SHA256
ff0de83121231a28ab683327119c7e84615ca790acd4c2d7ebf03dd5c9f597e3

SHA512
5332ff98ca7bcfecb485e6e5331d44c6647fb63de04ae6504942228d77c20cb8d395d8c564028c9a1d159da407f64ddc72697694da60b14e5e53ffddc17ef319

Download Submit
C:\Users\Admin\Loader (1).exe

Filesize
827KB

MD5
eefb801774c5ccb44153268a9357f5f1

SHA1
b1906b22e14edd142c52808ab3e5ba9346b85de5

SHA256
677aeb1981c58cba41a5d53ccbbf5b471e62dc49dc326570767da940560d840d

SHA512
1cf162fe6184d68dca514059d2de1123e80d0faac401765a54224aa5a987c9454bc92263fbec566835aa7b402f1f63ba59bb425ccc139e0a7391e66991f270b7

Download Submit
C:\Users\Admin\RuntimeBroker.exe

Filesize
83KB

MD5
ed27f16daba642c2bc917e75e3b8fbaa

SHA1
b9e31e9835d2ca4a0490665559aadaa4c9e48c64

SHA256
97fcd56746339d2e17bc5627c5827ad0e2e18e8a114c764a951299ea5f3a27fe

SHA512
e5cab1626ab9824eb91cd79650b34840c29f10eaeb37cfbe2e024b21edc43d056b6e2cbd1edc949407a09ef10f75f477e2567f68c98078cf70d78d16f598bc91

Download Submit
C:\Users\Admin\Umbral1.exe

Filesize
231KB

MD5
844f85b3c38478161c8918e2d23a4835

SHA1
d2da62e3f0c50ddb3cc510af88368143790d59b9

SHA256
8f3ba7ae0aea1ad543fd98a1cb574bada9d363d476e12ae7a332ea83967883b5

SHA512
96d4ccdd853a7f878d0409f4f39f4f8fdd6bdf7d086ccd665e8f9141cf9ebc2916d079838e599c67c86cddfd02262c14cee434622821a8550c0dbd87535c95c7

Download Submit
memory/1580-58-0x0000000000080000-0x000000000009C000-memory.dmp

Filesize
112KB

Download
memory/1972-35-0x000000001B1C0000-0x000000001B4A2000-memory.dmp

Filesize
2.9MB

Download
memory/1972-36-0x0000000002670000-0x0000000002678000-memory.dmp

Filesize
32KB

Download
memory/2436-44-0x0000000002390000-0x0000000002398000-memory.dmp

Filesize
32KB

Download
memory/2436-43-0x000000001B3D0000-0x000000001B6B2000-memory.dmp

Filesize
2.9MB

Download
memory/2664-28-0x000000001B310000-0x000000001B5F2000-memory.dmp

Filesize
2.9MB

Download
memory/2664-29-0x0000000002490000-0x0000000002498000-memory.dmp

Filesize
32KB

Download
memory/2720-15-0x00000000011C0000-0x00000000011DC000-memory.dmp

Filesize
112KB

Download
memory/2720-21-0x000007FEF5D00000-0x000007FEF66EC000-memory.dmp

Filesize
9.9MB

Download
memory/2720-50-0x000007FEF5D00000-0x000007FEF66EC000-memory.dmp

Filesize
9.9MB

Download
memory/2720-70-0x000007FEF5D00000-0x000007FEF66EC000-memory.dmp

Filesize
9.9MB

Download
memory/2740-19-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/2808-0-0x000007FEF5D03000-0x000007FEF5D04000-memory.dmp

Filesize
4KB

Download
memory/2808-1-0x0000000001070000-0x0000000001196000-memory.dmp

Filesize
1.1MB

Download
memory/2820-22-0x0000000000500000-0x000000000050A000-memory.dmp

Filesize
40KB

Download
memory/2820-54-0x0000000000500000-0x000000000050A000-memory.dmp

Filesize
40KB

Download
memory/2820-20-0x00000000001E0000-0x00000000002B6000-memory.dmp

Filesize
856KB

Download