umbral | 2442b06828c640b3219de3def5337deccd9df4333d583096e6744f03ecc26fed

Analysis

max time kernel
120s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29-09-2024 22:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2442b06828c640b3219de3def5337deccd9df4333d583096e6744f03ecc26fedN.exe
Size

7KB
MD5

a55a5ee391fa38f5f2b7a8c13da0d7e0
SHA1

09411fe1464fb2e6586736c3292cb06e60e482aa
SHA256

2442b06828c640b3219de3def5337deccd9df4333d583096e6744f03ecc26fed
SHA512

f82eba269c0e5fa276fd46e110ed7d76f15b53dcc410c4c7bb329393cd0a3b7d40bb41827cd1075778b0075f0fcb366b7e5b62a69e2c3bc3dc3c50ee2252b242
SSDEEP

96:uy13k1c0tjvPhLJLMTItVVlkNHRt+sCiEVUY/e2PK0/vzKzNt:J3k1c0tLPh9LNrv83+sSVUYH/vzs

Score

10^/10

umbral discovery stealer

Malware Config

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023453-31.dat	family_umbral
behavioral2/memory/4160-39-0x000001D2A3E10000-0x000001D2A3E50000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Downloads MZ/PE file

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	FontDriverrefBrokerDhcp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	FontDriverrefBrokerDhcp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	FontDriverrefBrokerDhcp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	2442b06828c640b3219de3def5337deccd9df4333d583096e6744f03ecc26fedN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	FontDriverrefBrokerDhcp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	FontDriverrefBrokerDhcp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	FontDriverrefBrokerDhcp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	FontDriverrefBrokerDhcp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	FontDriverrefBrokerDhcp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	FontDriverrefBrokerDhcp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	FontDriverrefBrokerDhcp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	FontDriverrefBrokerDhcp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	f0exigoa.x3u.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	DCRatBuild.exe

Executes dropped EXE 15 IoCs

pid	Process
4320	f0exigoa.x3u.exe
4612	DCRatBuild.exe
4160	Umbral.exe
2192	FontDriverrefBrokerDhcp.exe
3672	FontDriverrefBrokerDhcp.exe
2412	FontDriverrefBrokerDhcp.exe
3436	FontDriverrefBrokerDhcp.exe
3168	FontDriverrefBrokerDhcp.exe
4472	FontDriverrefBrokerDhcp.exe
3860	FontDriverrefBrokerDhcp.exe
1872	FontDriverrefBrokerDhcp.exe
2412	FontDriverrefBrokerDhcp.exe
4752	FontDriverrefBrokerDhcp.exe
4132	FontDriverrefBrokerDhcp.exe
1400	FontDriverrefBrokerDhcp.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
14	raw.githubusercontent.com
15	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
26	ip-api.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\Application\WmiPrvSE.exe	FontDriverrefBrokerDhcp.exe
File created	C:\Program Files\Google\Chrome\Application\24dbde2999530e	FontDriverrefBrokerDhcp.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\Panther\actionqueue\FontDriverrefBrokerDhcp.exe	FontDriverrefBrokerDhcp.exe
File created	C:\Windows\Panther\actionqueue\53a747bce7deb9	FontDriverrefBrokerDhcp.exe
File created	C:\Windows\Logs\dwm.exe	FontDriverrefBrokerDhcp.exe
File opened for modification	C:\Windows\Logs\dwm.exe	FontDriverrefBrokerDhcp.exe
File created	C:\Windows\Logs\6cb0b6c459d5d3	FontDriverrefBrokerDhcp.exe
File created	C:\Windows\System\Speech\conhost.exe	FontDriverrefBrokerDhcp.exe
File created	C:\Windows\rescache\_merged\1649057605\System.exe	FontDriverrefBrokerDhcp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2442b06828c640b3219de3def5337deccd9df4333d583096e6744f03ecc26fedN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DCRatBuild.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4744	PING.EXE
3852	PING.EXE
4604	PING.EXE
2136	PING.EXE
884	PING.EXE
4948	PING.EXE

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	FontDriverrefBrokerDhcp.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	FontDriverrefBrokerDhcp.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	FontDriverrefBrokerDhcp.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	FontDriverrefBrokerDhcp.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	FontDriverrefBrokerDhcp.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	FontDriverrefBrokerDhcp.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	FontDriverrefBrokerDhcp.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	DCRatBuild.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	FontDriverrefBrokerDhcp.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	FontDriverrefBrokerDhcp.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	FontDriverrefBrokerDhcp.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	FontDriverrefBrokerDhcp.exe

Runs ping.exe 1 TTPs 6 IoCs

Remote System Discovery

T1018

pid	Process
4744	PING.EXE
3852	PING.EXE
4604	PING.EXE
2136	PING.EXE
884	PING.EXE
4948	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2192	FontDriverrefBrokerDhcp.exe
2192	FontDriverrefBrokerDhcp.exe
2192	FontDriverrefBrokerDhcp.exe
2192	FontDriverrefBrokerDhcp.exe
2192	FontDriverrefBrokerDhcp.exe
2192	FontDriverrefBrokerDhcp.exe
2192	FontDriverrefBrokerDhcp.exe
2192	FontDriverrefBrokerDhcp.exe
2192	FontDriverrefBrokerDhcp.exe
2192	FontDriverrefBrokerDhcp.exe
2192	FontDriverrefBrokerDhcp.exe
2192	FontDriverrefBrokerDhcp.exe
2192	FontDriverrefBrokerDhcp.exe
2192	FontDriverrefBrokerDhcp.exe
2192	FontDriverrefBrokerDhcp.exe
2192	FontDriverrefBrokerDhcp.exe
2192	FontDriverrefBrokerDhcp.exe
2192	FontDriverrefBrokerDhcp.exe
2192	FontDriverrefBrokerDhcp.exe
2192	FontDriverrefBrokerDhcp.exe
2192	FontDriverrefBrokerDhcp.exe
2192	FontDriverrefBrokerDhcp.exe
2192	FontDriverrefBrokerDhcp.exe
2192	FontDriverrefBrokerDhcp.exe
2192	FontDriverrefBrokerDhcp.exe
2192	FontDriverrefBrokerDhcp.exe
2192	FontDriverrefBrokerDhcp.exe
2192	FontDriverrefBrokerDhcp.exe
2192	FontDriverrefBrokerDhcp.exe
2192	FontDriverrefBrokerDhcp.exe
2192	FontDriverrefBrokerDhcp.exe
2192	FontDriverrefBrokerDhcp.exe
2192	FontDriverrefBrokerDhcp.exe
2192	FontDriverrefBrokerDhcp.exe
2192	FontDriverrefBrokerDhcp.exe
2192	FontDriverrefBrokerDhcp.exe
2192	FontDriverrefBrokerDhcp.exe
2192	FontDriverrefBrokerDhcp.exe
2192	FontDriverrefBrokerDhcp.exe
2192	FontDriverrefBrokerDhcp.exe
2192	FontDriverrefBrokerDhcp.exe
2192	FontDriverrefBrokerDhcp.exe
2192	FontDriverrefBrokerDhcp.exe
2192	FontDriverrefBrokerDhcp.exe
2192	FontDriverrefBrokerDhcp.exe
2192	FontDriverrefBrokerDhcp.exe
2192	FontDriverrefBrokerDhcp.exe
2192	FontDriverrefBrokerDhcp.exe
2192	FontDriverrefBrokerDhcp.exe
2192	FontDriverrefBrokerDhcp.exe
2192	FontDriverrefBrokerDhcp.exe
2192	FontDriverrefBrokerDhcp.exe
2192	FontDriverrefBrokerDhcp.exe
2192	FontDriverrefBrokerDhcp.exe
2192	FontDriverrefBrokerDhcp.exe
2192	FontDriverrefBrokerDhcp.exe
2192	FontDriverrefBrokerDhcp.exe
2192	FontDriverrefBrokerDhcp.exe
2192	FontDriverrefBrokerDhcp.exe
2192	FontDriverrefBrokerDhcp.exe
2192	FontDriverrefBrokerDhcp.exe
2192	FontDriverrefBrokerDhcp.exe
2192	FontDriverrefBrokerDhcp.exe
2192	FontDriverrefBrokerDhcp.exe

Suspicious use of AdjustPrivilegeToken 56 IoCs

description	pid	Process
Token: SeDebugPrivilege	2320	2442b06828c640b3219de3def5337deccd9df4333d583096e6744f03ecc26fedN.exe
Token: SeDebugPrivilege	4160	Umbral.exe
Token: SeIncreaseQuotaPrivilege	2120	wmic.exe
Token: SeSecurityPrivilege	2120	wmic.exe
Token: SeTakeOwnershipPrivilege	2120	wmic.exe
Token: SeLoadDriverPrivilege	2120	wmic.exe
Token: SeSystemProfilePrivilege	2120	wmic.exe
Token: SeSystemtimePrivilege	2120	wmic.exe
Token: SeProfSingleProcessPrivilege	2120	wmic.exe
Token: SeIncBasePriorityPrivilege	2120	wmic.exe
Token: SeCreatePagefilePrivilege	2120	wmic.exe
Token: SeBackupPrivilege	2120	wmic.exe
Token: SeRestorePrivilege	2120	wmic.exe
Token: SeShutdownPrivilege	2120	wmic.exe
Token: SeDebugPrivilege	2120	wmic.exe
Token: SeSystemEnvironmentPrivilege	2120	wmic.exe
Token: SeRemoteShutdownPrivilege	2120	wmic.exe
Token: SeUndockPrivilege	2120	wmic.exe
Token: SeManageVolumePrivilege	2120	wmic.exe
Token: 33	2120	wmic.exe
Token: 34	2120	wmic.exe
Token: 35	2120	wmic.exe
Token: 36	2120	wmic.exe
Token: SeIncreaseQuotaPrivilege	2120	wmic.exe
Token: SeSecurityPrivilege	2120	wmic.exe
Token: SeTakeOwnershipPrivilege	2120	wmic.exe
Token: SeLoadDriverPrivilege	2120	wmic.exe
Token: SeSystemProfilePrivilege	2120	wmic.exe
Token: SeSystemtimePrivilege	2120	wmic.exe
Token: SeProfSingleProcessPrivilege	2120	wmic.exe
Token: SeIncBasePriorityPrivilege	2120	wmic.exe
Token: SeCreatePagefilePrivilege	2120	wmic.exe
Token: SeBackupPrivilege	2120	wmic.exe
Token: SeRestorePrivilege	2120	wmic.exe
Token: SeShutdownPrivilege	2120	wmic.exe
Token: SeDebugPrivilege	2120	wmic.exe
Token: SeSystemEnvironmentPrivilege	2120	wmic.exe
Token: SeRemoteShutdownPrivilege	2120	wmic.exe
Token: SeUndockPrivilege	2120	wmic.exe
Token: SeManageVolumePrivilege	2120	wmic.exe
Token: 33	2120	wmic.exe
Token: 34	2120	wmic.exe
Token: 35	2120	wmic.exe
Token: 36	2120	wmic.exe
Token: SeDebugPrivilege	2192	FontDriverrefBrokerDhcp.exe
Token: SeDebugPrivilege	3672	FontDriverrefBrokerDhcp.exe
Token: SeDebugPrivilege	2412	FontDriverrefBrokerDhcp.exe
Token: SeDebugPrivilege	3436	FontDriverrefBrokerDhcp.exe
Token: SeDebugPrivilege	3168	FontDriverrefBrokerDhcp.exe
Token: SeDebugPrivilege	4472	FontDriverrefBrokerDhcp.exe
Token: SeDebugPrivilege	3860	FontDriverrefBrokerDhcp.exe
Token: SeDebugPrivilege	1872	FontDriverrefBrokerDhcp.exe
Token: SeDebugPrivilege	2412	FontDriverrefBrokerDhcp.exe
Token: SeDebugPrivilege	4752	FontDriverrefBrokerDhcp.exe
Token: SeDebugPrivilege	4132	FontDriverrefBrokerDhcp.exe
Token: SeDebugPrivilege	1400	FontDriverrefBrokerDhcp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 4320	2320	2442b06828c640b3219de3def5337deccd9df4333d583096e6744f03ecc26fedN.exe	83
PID 2320 wrote to memory of 4320	2320	2442b06828c640b3219de3def5337deccd9df4333d583096e6744f03ecc26fedN.exe	83
PID 4320 wrote to memory of 4612	4320	f0exigoa.x3u.exe	84
PID 4320 wrote to memory of 4612	4320	f0exigoa.x3u.exe	84
PID 4320 wrote to memory of 4612	4320	f0exigoa.x3u.exe	84
PID 4320 wrote to memory of 4160	4320	f0exigoa.x3u.exe	85
PID 4320 wrote to memory of 4160	4320	f0exigoa.x3u.exe	85
PID 4612 wrote to memory of 5092	4612	DCRatBuild.exe	86
PID 4612 wrote to memory of 5092	4612	DCRatBuild.exe	86
PID 4612 wrote to memory of 5092	4612	DCRatBuild.exe	86
PID 4160 wrote to memory of 2120	4160	Umbral.exe	87
PID 4160 wrote to memory of 2120	4160	Umbral.exe	87
PID 5092 wrote to memory of 472	5092	WScript.exe	89
PID 5092 wrote to memory of 472	5092	WScript.exe	89
PID 5092 wrote to memory of 472	5092	WScript.exe	89
PID 472 wrote to memory of 2192	472	cmd.exe	92
PID 472 wrote to memory of 2192	472	cmd.exe	92
PID 2192 wrote to memory of 5052	2192	FontDriverrefBrokerDhcp.exe	95
PID 2192 wrote to memory of 5052	2192	FontDriverrefBrokerDhcp.exe	95
PID 5052 wrote to memory of 3236	5052	cmd.exe	97
PID 5052 wrote to memory of 3236	5052	cmd.exe	97
PID 5052 wrote to memory of 932	5052	cmd.exe	98
PID 5052 wrote to memory of 932	5052	cmd.exe	98
PID 5052 wrote to memory of 3672	5052	cmd.exe	101
PID 5052 wrote to memory of 3672	5052	cmd.exe	101
PID 3672 wrote to memory of 4380	3672	FontDriverrefBrokerDhcp.exe	104
PID 3672 wrote to memory of 4380	3672	FontDriverrefBrokerDhcp.exe	104
PID 4380 wrote to memory of 1652	4380	cmd.exe	106
PID 4380 wrote to memory of 1652	4380	cmd.exe	106
PID 4380 wrote to memory of 4948	4380	cmd.exe	107
PID 4380 wrote to memory of 4948	4380	cmd.exe	107
PID 4380 wrote to memory of 2412	4380	cmd.exe	108
PID 4380 wrote to memory of 2412	4380	cmd.exe	108
PID 2412 wrote to memory of 4592	2412	FontDriverrefBrokerDhcp.exe	109
PID 2412 wrote to memory of 4592	2412	FontDriverrefBrokerDhcp.exe	109
PID 4592 wrote to memory of 3440	4592	cmd.exe	111
PID 4592 wrote to memory of 3440	4592	cmd.exe	111
PID 4592 wrote to memory of 4744	4592	cmd.exe	112
PID 4592 wrote to memory of 4744	4592	cmd.exe	112
PID 4592 wrote to memory of 3436	4592	cmd.exe	115
PID 4592 wrote to memory of 3436	4592	cmd.exe	115
PID 3436 wrote to memory of 4400	3436	FontDriverrefBrokerDhcp.exe	116
PID 3436 wrote to memory of 4400	3436	FontDriverrefBrokerDhcp.exe	116
PID 4400 wrote to memory of 1296	4400	cmd.exe	118
PID 4400 wrote to memory of 1296	4400	cmd.exe	118
PID 4400 wrote to memory of 380	4400	cmd.exe	119
PID 4400 wrote to memory of 380	4400	cmd.exe	119
PID 4400 wrote to memory of 3168	4400	cmd.exe	120
PID 4400 wrote to memory of 3168	4400	cmd.exe	120
PID 3168 wrote to memory of 4276	3168	FontDriverrefBrokerDhcp.exe	121
PID 3168 wrote to memory of 4276	3168	FontDriverrefBrokerDhcp.exe	121
PID 4276 wrote to memory of 2280	4276	cmd.exe	123
PID 4276 wrote to memory of 2280	4276	cmd.exe	123
PID 4276 wrote to memory of 4228	4276	cmd.exe	124
PID 4276 wrote to memory of 4228	4276	cmd.exe	124
PID 4276 wrote to memory of 4472	4276	cmd.exe	125
PID 4276 wrote to memory of 4472	4276	cmd.exe	125
PID 4472 wrote to memory of 1048	4472	FontDriverrefBrokerDhcp.exe	126
PID 4472 wrote to memory of 1048	4472	FontDriverrefBrokerDhcp.exe	126
PID 1048 wrote to memory of 3236	1048	cmd.exe	128
PID 1048 wrote to memory of 3236	1048	cmd.exe	128
PID 1048 wrote to memory of 3852	1048	cmd.exe	129
PID 1048 wrote to memory of 3852	1048	cmd.exe	129
PID 1048 wrote to memory of 3860	1048	cmd.exe	130

C:\Users\Admin\AppData\Local\Temp\2442b06828c640b3219de3def5337deccd9df4333d583096e6744f03ecc26fedN.exe
"C:\Users\Admin\AppData\Local\Temp\2442b06828c640b3219de3def5337deccd9df4333d583096e6744f03ecc26fedN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Users\Admin\AppData\Local\Temp\f0exigoa.x3u.exe
  "C:\Users\Admin\AppData\Local\Temp\f0exigoa.x3u.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4320
- - C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
    "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4612
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ReviewSavesinto\zkQ5zxoDi1nsOWcXCcXlndD7jNXnHX260rV.vbe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5092
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ReviewSavesinto\vtURW7xQtrMURG9Xmx.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:472
      - C:\ReviewSavesinto\FontDriverrefBrokerDhcp.exe
        
        "C:\ReviewSavesinto/FontDriverrefBrokerDhcp.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\I63xaVOpqK.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:5052
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:3236
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:932
        
        C:\Windows\Panther\actionqueue\FontDriverrefBrokerDhcp.exe
        
        "C:\Windows\Panther\actionqueue\FontDriverrefBrokerDhcp.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3672
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\re37XjgnVO.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4380
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:1652
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4948
        
        C:\Windows\Panther\actionqueue\FontDriverrefBrokerDhcp.exe
        
        "C:\Windows\Panther\actionqueue\FontDriverrefBrokerDhcp.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JNimNKcfGk.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:3440
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4744
        
        C:\Windows\Panther\actionqueue\FontDriverrefBrokerDhcp.exe
        
        "C:\Windows\Panther\actionqueue\FontDriverrefBrokerDhcp.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3436
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7vUbsmDZqq.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:4400
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:1296
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:380
        
        C:\Windows\Panther\actionqueue\FontDriverrefBrokerDhcp.exe
        
        "C:\Windows\Panther\actionqueue\FontDriverrefBrokerDhcp.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3168
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UHHMDGRBfc.bat"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:4276
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2280
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:4228
        
        C:\Windows\Panther\actionqueue\FontDriverrefBrokerDhcp.exe
        
        "C:\Windows\Panther\actionqueue\FontDriverrefBrokerDhcp.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4472
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zjPPW8Mczj.bat"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:1048
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:3236
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3852
        
        C:\Windows\Panther\actionqueue\FontDriverrefBrokerDhcp.exe
        
        "C:\Windows\Panther\actionqueue\FontDriverrefBrokerDhcp.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3860
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yUaH2NNloo.bat"
        19⤵
        
        PID:3656
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:3280
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4604
        
        C:\Windows\Panther\actionqueue\FontDriverrefBrokerDhcp.exe
        
        "C:\Windows\Panther\actionqueue\FontDriverrefBrokerDhcp.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1872
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7ar6wdwHCe.bat"
        21⤵
        
        PID:644
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1176
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:5056
        
        C:\Windows\Panther\actionqueue\FontDriverrefBrokerDhcp.exe
        
        "C:\Windows\Panther\actionqueue\FontDriverrefBrokerDhcp.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2412
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EROGQHdFU4.bat"
        23⤵
        
        PID:1524
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:1792
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:3300
        
        C:\Windows\Panther\actionqueue\FontDriverrefBrokerDhcp.exe
        
        "C:\Windows\Panther\actionqueue\FontDriverrefBrokerDhcp.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4752
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c209FVriWl.bat"
        25⤵
        
        PID:3012
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:4976
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2136
        
        C:\Windows\Panther\actionqueue\FontDriverrefBrokerDhcp.exe
        
        "C:\Windows\Panther\actionqueue\FontDriverrefBrokerDhcp.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4132
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c209FVriWl.bat"
        27⤵
        
        PID:4808
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:3700
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:884
        
        C:\Windows\Panther\actionqueue\FontDriverrefBrokerDhcp.exe
        
        "C:\Windows\Panther\actionqueue\FontDriverrefBrokerDhcp.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1400
- - C:\Users\Admin\AppData\Local\Temp\Umbral.exe
    "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4160
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ReviewSavesinto\FontDriverrefBrokerDhcp.exe

Filesize
1.9MB

MD5
a940938589498cf9b27d6613e9163140

SHA1
bbfb217563461bd133e0b60d5ddd07f7bf17d80f

SHA256
f032df250131fe982bc1c0c2d112d9da63f723ba0d3011f42e60347bb3d5d6ff

SHA512
c5f1abdd32c37795f3c4f96274df4800fcc8098a496470ce2a1d49e6b4ec80b1fd1b5a7f0b320b07a545d74b35a6ab8efc0cd8a087a4afa079e60632999ea2e2

Download Submit
C:\ReviewSavesinto\vtURW7xQtrMURG9Xmx.bat

Filesize
104B

MD5
ca787fec913b6f5d908ea917f5d84f51

SHA1
2faf342c79ba20db21e1df8da71f5e0bebbf2900

SHA256
2605a4b221a76a2b0dc56030a1c2348c1862c9788e883cfb409ee506851cb9ec

SHA512
08b9f3701810eff5e79f517462cba970fe37f8e645ed46e2a89bef444e3cd374a59a00f6d1b50d25dc0f931ac3061478767d74c3954249adf6800a13762ea771

Download Submit
C:\ReviewSavesinto\zkQ5zxoDi1nsOWcXCcXlndD7jNXnHX260rV.vbe

Filesize
208B

MD5
b5c0a16cc443afbe8708b2a5504c3e28

SHA1
3e3ec9e6d90b286cab59ce75bcf12ac571130fc2

SHA256
47d7915f6a8ee0954372100bef978a7d1118fe62a36fe7bfe1cbae1caafbc0b5

SHA512
8bdc6bcd6c668f5f64a1b61bdf287b0115fb166e794163348bfe2ed9391a034c787a4ae46c9353b3de82572c1eac740176ea49dd91d4da7d1c05fcf6fdd04e81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\FontDriverrefBrokerDhcp.exe.log

Filesize
1KB

MD5
1eff74e45bb1f7104e691358cb209546

SHA1
253b13ffad516cc34704f5b882c6fa36953a953f

SHA256
7ad96be486e6058b19446b95bb734acdaf4addc557b2d059a66ee1acfe19b3fc

SHA512
44163ed001baf697ce66d3b386e13bf5cb94bc24ce6b1ae98665d766d5fcdf0ca28b41ecc26c5f11bbea117ac17099e87f204f9d5469bb102a769548edeead7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ar6wdwHCe.bat

Filesize
234B

MD5
ed8108b370b5a87d35abcf3f819282cb

SHA1
115e21a381346d8928eb4fbda8e1269bd29e85fc

SHA256
ac9db9dc3285eeb73130334d9cf670b3be579b2835705ecd6ed41c66db966c51

SHA512
5c512fd38f5ab4d6e6e5d325279becce35960ba6ef5958af84a55ead48688d21a0788589419dc1332069062f4f4b87f2310b81ce29505f9fb2a0eb95d71fd9a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7vUbsmDZqq.bat

Filesize
234B

MD5
7babd1c34451c715f15c0e497cdc7543

SHA1
d442f026e6a3f8509303e539c9fad7f1e11949ab

SHA256
f9dfcc9543b563200a7eeab85e7bc159de814e001f67c1219523f208d9f7e488

SHA512
875ef3dd61437e6876cd7e502a3615fc18b27172b8cf279cc30b183a07bcc7980cf2ec763ca2db8bf8e9050e5d4ca7d5115eb50d5f2b9917f5ef3cdbd59ced22

Download Submit
C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe

Filesize
2.2MB

MD5
763fbaa90ae4364754a4f677f110690c

SHA1
bb114c34a8182357b1d20728f39263e899edf299

SHA256
4f60e4579e63f6b24198e09927da2d53c6a06a854880f05a09d2a9c9bde7b833

SHA512
2f834a00b6e24fa7078816f73fe8370b6e29e7ec276b86e466bbddd8487126413131f54b4a01c1fe2f684bc00d59d630c56414038b9b6cc1f3c63204bb779e8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EROGQHdFU4.bat

Filesize
234B

MD5
315c68f3e5d71ca4426c3e1201633ada

SHA1
1696b3d673632e8e95b926f325ea35055e9fac66

SHA256
c6e5b2ff634581d9367bb1eb889b85a0e5b89ed494ac37f4dcacd824405f2771

SHA512
c4afb45478519c46f6b17d9031ddc99bad0f07bf655ac1f3ebd49cf6872ca7f03d2d539a8c6eb11a7e21e39de6485945bb9174555579dedf48f36564d19f0875

Download Submit
C:\Users\Admin\AppData\Local\Temp\I63xaVOpqK.bat

Filesize
234B

MD5
b6c11724dc436ff2ed93bbbb4ab7969d

SHA1
cbcc9a6a2b477f883e79d0b54177675a17610e05

SHA256
ee5a52644e251310eb6efeac1a0f1eef45b59557ed33f18313b0b7aab7e65ee9

SHA512
be648c4170941ff605e36efd7848cdc7c251b2d3200e021ef8e5826af9e43de24035163cfeec0062460c611a85e4888b47b55825a8fd41d09ce055170004f604

Download Submit
C:\Users\Admin\AppData\Local\Temp\JNimNKcfGk.bat

Filesize
186B

MD5
0fb2cd6ef574edd01378d67bdc34e0ed

SHA1
a800323958fb97bdda4221eaecf5b84fdf440048

SHA256
5e0d5567ecd71c87d8dc0b4b19b5c0e228782b67ca405cc764c724b07140302f

SHA512
0726f87d50a7e437cbe3b2d17a6c8e5e30c23729e9760f57817cc6e13523a94895e0baa5eccf9e174099a628f604a9f075e11a79bb018db76841e358cdf9a392

Download Submit
C:\Users\Admin\AppData\Local\Temp\UHHMDGRBfc.bat

Filesize
234B

MD5
a56f35186e52285281399793f88d6b23

SHA1
638c4695659c81a2a76ff03117e384fa6f6c4f34

SHA256
5409c1585b3bdda775781241bf10540ad0ce31f92f8007b6431d545f67be60f5

SHA512
3ae9c117564bb153c111f0f845d8f9a42900ff233a5251bceac212aa8a8d3f1e4ce20e9d9fb8c64ed021e7da4deb7c95c5411bc24e4e3ea4294b0056f9509ac2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Umbral.exe

Filesize
231KB

MD5
3260b462d8c90bf6f29f22b26aabbf8a

SHA1
70cc4e5122292586cc6e8a524c13275098354f73

SHA256
fad948c2b23cc953c6e9f07591f7850d58d9d7cc1c8cee6adf29b8a26d778619

SHA512
9ffec153238331e1299811d7982a789b78f5591039aebc160a7b32b8f31fcc29695e94634557bd009c9ceefaa416e850ed825a29f42c1ab7e9b9a86a47958195

Download Submit
C:\Users\Admin\AppData\Local\Temp\c209FVriWl.bat

Filesize
186B

MD5
ffa732e9ce93117bbc6c9173d957f759

SHA1
dabb2cfc2ed592c9edc777d969a5ad445e8f9fbf

SHA256
11a0e3fc84632c4d174a5832c63b5a14d5a9dd0e2f656a453e921d63b0a6e97a

SHA512
bf3828fc5b405b2cbf78ac0ad80030e917ae1172f7ae757826b95e5020a61bfdc2fc41cc87e24b4adfa45a6cea1041821db7be0cb5e7354667e0c6bf5afee1ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\f0exigoa.x3u.exe

Filesize
1.7MB

MD5
e0940a4e4990c134e827ae1b660c2994

SHA1
ff71d3a4fc8a374e42cdfaf93a0afcc0d5b15576

SHA256
ebd1d0abe831151821741d65288eb548af1e89a009a02a5a8019feff38e82957

SHA512
52a43d74fcd7001897927028be490d429276eff55277ac0b4ecc8b5a44c55c06d3fc22803b4dd7eefaa8ef88e8623380af65c2cf8b9e5116255ec48c5083cbf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\re37XjgnVO.bat

Filesize
186B

MD5
6b830c72b9a23222b00d651da48e11d1

SHA1
6c97949506505aa4dfb8aa978a6a7605b3a0ce27

SHA256
0b94ffca5e978324adc300da0f13a6e8f7fe40f1b0c06eac08bd811c14e92aa9

SHA512
c28646de35da094c3c873da90545ebed72a2d15e3c515e3de9ef1ad5ee1868d605b41a9d14900eaf1af518664ad6484d8e2f9d6120a540b2f0455445878fb4e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\yUaH2NNloo.bat

Filesize
186B

MD5
7e12788781ad3e49809afe11aec6ea6a

SHA1
0b3e7145310244713e473a5fae28b5461a16f5de

SHA256
bdf3cb654b666c9be5920b09da3ef8391a939af2602faf4b06e5069b04bad3ef

SHA512
570eec251b15f24b64605ea26cfe7b7830cbbb4e31698de2eec5001500282bb18ece82503bd7765fb59926a9f0dc723e3e4c89214bf0544454f6e2f5818d9242

Download Submit
C:\Users\Admin\AppData\Local\Temp\zjPPW8Mczj.bat

Filesize
186B

MD5
b64699f8b71e9d885c0bd05f01387d55

SHA1
19b2c47e9489542762e8976b43e68c6870714abc

SHA256
6682c1a0f4c233c58f652dca31e34d2de95323ba9a11be38be086a7dce8f8b0f

SHA512
1afa0a8c669768f49d044b863b412009c405a5988a885a2ba41efbc9991e0f44d5621a58bbd79c7b1070df3f4b011b0cc9e9d190675f15b68038a56d3c7bb0cb

Download Submit
memory/2192-65-0x000000001B350000-0x000000001B35C000-memory.dmp

Filesize
48KB

Download
memory/2192-59-0x000000001B3D0000-0x000000001B420000-memory.dmp

Filesize
320KB

Download
memory/2192-61-0x000000001B380000-0x000000001B398000-memory.dmp

Filesize
96KB

Download
memory/2192-63-0x000000001B340000-0x000000001B34E000-memory.dmp

Filesize
56KB

Download
memory/2192-58-0x000000001B360000-0x000000001B37C000-memory.dmp

Filesize
112KB

Download
memory/2192-54-0x0000000000660000-0x0000000000846000-memory.dmp

Filesize
1.9MB

Download
memory/2192-56-0x0000000001150000-0x000000000115E000-memory.dmp

Filesize
56KB

Download
memory/2320-1-0x0000000000E40000-0x0000000000E48000-memory.dmp

Filesize
32KB

Download
memory/2320-0-0x0000000074B0E000-0x0000000074B0F000-memory.dmp

Filesize
4KB

Download
memory/2320-2-0x0000000074B00000-0x00000000752B0000-memory.dmp

Filesize
7.7MB

Download
memory/2320-17-0x0000000074B00000-0x00000000752B0000-memory.dmp

Filesize
7.7MB

Download
memory/4160-39-0x000001D2A3E10000-0x000001D2A3E50000-memory.dmp

Filesize
256KB

Download
memory/4320-16-0x00000000009D0000-0x0000000000B96000-memory.dmp

Filesize
1.8MB

Download
memory/4320-14-0x00007FFD99AA3000-0x00007FFD99AA5000-memory.dmp

Filesize
8KB

Download
memory/4320-19-0x00007FFD99AA0000-0x00007FFD9A561000-memory.dmp

Filesize
10.8MB

Download
memory/4320-47-0x00007FFD99AA0000-0x00007FFD9A561000-memory.dmp

Filesize
10.8MB

Download