umbral | 1d7a3691eb81388e6e74174c07e91dbf2625e97a9fb4230f5abc2f5b60a9b3bf

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
08-10-2024 16:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RustAnticheat.exe
Size

1.1MB
MD5

b323c7d5108d8ebfc2f4dd43eaaef61f
SHA1

1b829cd04387683200ea435d93649603673aeaa9
SHA256

e4fb965deeb173b026d2014ff589944cc6e811b1363368329dc4c08b3ffad039
SHA512

efd6e4c80d5bc150ce33141eefd5608db601567e1cd5f9f4d03171df2ebc5b8d510c152b2e952168788366370417c0de11e42440bd3d0d37c8d0042b879603e5
SSDEEP

24576:+1F5e87F6Kijp49YwhM1Y2CA9vwKBu3NqMvzQYFoaNIfpAKEf:qF5eZKijp+G1Y7AxwKBeQMv00occu

Score

10^/10

umbral xworm discovery execution persistence rat stealer trojan

Malware Config

Extracted

Family

xworm

web-amend.gl.at.ply.gg:59501

Attributes

Install_directory
%Userprofile%
install_file
USB.exe

Extracted

Family

umbral

https://discord.com/api/webhooks/1291669307859664906/RUEPanQ47YYW363xEFskgjlXsec0mWWiNZ0HNCbO2N0KXACFaI1QIfW4FoUNLAcgE55h

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000016b85-16.dat	family_umbral
behavioral1/memory/3060-19-0x0000000000050000-0x0000000000090000-memory.dmp	family_umbral

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000016688-14.dat	family_xworm
behavioral1/memory/1916-17-0x0000000001190000-0x00000000011A8000-memory.dmp	family_xworm

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2860	powershell.exe
2680	powershell.exe
2008	powershell.exe
2620	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RuntimeBroker.lnk	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RuntimeBroker.lnk	RuntimeBroker.exe

Executes dropped EXE 3 IoCs

pid	Process
1964	Loader (1).exe
1916	RuntimeBroker.exe
3060	Umbral.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "C:\\Users\\Admin\\RuntimeBroker"	RuntimeBroker.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader (1).exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1132	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3012	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2620	powershell.exe
2860	powershell.exe
2680	powershell.exe
2008	powershell.exe
1916	RuntimeBroker.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeDebugPrivilege	1916	RuntimeBroker.exe
Token: SeDebugPrivilege	3060	Umbral.exe
Token: SeDebugPrivilege	2620	powershell.exe
Token: SeIncreaseQuotaPrivilege	916	wmic.exe
Token: SeSecurityPrivilege	916	wmic.exe
Token: SeTakeOwnershipPrivilege	916	wmic.exe
Token: SeLoadDriverPrivilege	916	wmic.exe
Token: SeSystemProfilePrivilege	916	wmic.exe
Token: SeSystemtimePrivilege	916	wmic.exe
Token: SeProfSingleProcessPrivilege	916	wmic.exe
Token: SeIncBasePriorityPrivilege	916	wmic.exe
Token: SeCreatePagefilePrivilege	916	wmic.exe
Token: SeBackupPrivilege	916	wmic.exe
Token: SeRestorePrivilege	916	wmic.exe
Token: SeShutdownPrivilege	916	wmic.exe
Token: SeDebugPrivilege	916	wmic.exe
Token: SeSystemEnvironmentPrivilege	916	wmic.exe
Token: SeRemoteShutdownPrivilege	916	wmic.exe
Token: SeUndockPrivilege	916	wmic.exe
Token: SeManageVolumePrivilege	916	wmic.exe
Token: 33	916	wmic.exe
Token: 34	916	wmic.exe
Token: 35	916	wmic.exe
Token: SeIncreaseQuotaPrivilege	916	wmic.exe
Token: SeSecurityPrivilege	916	wmic.exe
Token: SeTakeOwnershipPrivilege	916	wmic.exe
Token: SeLoadDriverPrivilege	916	wmic.exe
Token: SeSystemProfilePrivilege	916	wmic.exe
Token: SeSystemtimePrivilege	916	wmic.exe
Token: SeProfSingleProcessPrivilege	916	wmic.exe
Token: SeIncBasePriorityPrivilege	916	wmic.exe
Token: SeCreatePagefilePrivilege	916	wmic.exe
Token: SeBackupPrivilege	916	wmic.exe
Token: SeRestorePrivilege	916	wmic.exe
Token: SeShutdownPrivilege	916	wmic.exe
Token: SeDebugPrivilege	916	wmic.exe
Token: SeSystemEnvironmentPrivilege	916	wmic.exe
Token: SeRemoteShutdownPrivilege	916	wmic.exe
Token: SeUndockPrivilege	916	wmic.exe
Token: SeManageVolumePrivilege	916	wmic.exe
Token: 33	916	wmic.exe
Token: 34	916	wmic.exe
Token: 35	916	wmic.exe
Token: SeDebugPrivilege	2860	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	2008	powershell.exe
Token: SeDebugPrivilege	1916	RuntimeBroker.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1916	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 1964	2700	RustAnticheat.exe	30
PID 2700 wrote to memory of 1964	2700	RustAnticheat.exe	30
PID 2700 wrote to memory of 1964	2700	RustAnticheat.exe	30
PID 2700 wrote to memory of 1964	2700	RustAnticheat.exe	30
PID 2700 wrote to memory of 1916	2700	RustAnticheat.exe	31
PID 2700 wrote to memory of 1916	2700	RustAnticheat.exe	31
PID 2700 wrote to memory of 1916	2700	RustAnticheat.exe	31
PID 2700 wrote to memory of 3060	2700	RustAnticheat.exe	32
PID 2700 wrote to memory of 3060	2700	RustAnticheat.exe	32
PID 2700 wrote to memory of 3060	2700	RustAnticheat.exe	32
PID 1916 wrote to memory of 2620	1916	RuntimeBroker.exe	34
PID 1916 wrote to memory of 2620	1916	RuntimeBroker.exe	34
PID 1916 wrote to memory of 2620	1916	RuntimeBroker.exe	34
PID 3060 wrote to memory of 916	3060	Umbral.exe	36
PID 3060 wrote to memory of 916	3060	Umbral.exe	36
PID 3060 wrote to memory of 916	3060	Umbral.exe	36
PID 1916 wrote to memory of 2860	1916	RuntimeBroker.exe	39
PID 1916 wrote to memory of 2860	1916	RuntimeBroker.exe	39
PID 1916 wrote to memory of 2860	1916	RuntimeBroker.exe	39
PID 1916 wrote to memory of 2680	1916	RuntimeBroker.exe	41
PID 1916 wrote to memory of 2680	1916	RuntimeBroker.exe	41
PID 1916 wrote to memory of 2680	1916	RuntimeBroker.exe	41
PID 1916 wrote to memory of 2008	1916	RuntimeBroker.exe	43
PID 1916 wrote to memory of 2008	1916	RuntimeBroker.exe	43
PID 1916 wrote to memory of 2008	1916	RuntimeBroker.exe	43
PID 1916 wrote to memory of 3012	1916	RuntimeBroker.exe	45
PID 1916 wrote to memory of 3012	1916	RuntimeBroker.exe	45
PID 1916 wrote to memory of 3012	1916	RuntimeBroker.exe	45
PID 1916 wrote to memory of 1736	1916	RuntimeBroker.exe	48
PID 1916 wrote to memory of 1736	1916	RuntimeBroker.exe	48
PID 1916 wrote to memory of 1736	1916	RuntimeBroker.exe	48
PID 1916 wrote to memory of 828	1916	RuntimeBroker.exe	50
PID 1916 wrote to memory of 828	1916	RuntimeBroker.exe	50
PID 1916 wrote to memory of 828	1916	RuntimeBroker.exe	50
PID 828 wrote to memory of 1132	828	cmd.exe	52
PID 828 wrote to memory of 1132	828	cmd.exe	52
PID 828 wrote to memory of 1132	828	cmd.exe	52

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\RustAnticheat.exe
"C:\Users\Admin\AppData\Local\Temp\RustAnticheat.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Users\Admin\AppData\Roaming\Loader (1).exe
  "C:\Users\Admin\AppData\Roaming\Loader (1).exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1964
- C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe
  "C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2620
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RuntimeBroker.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2860
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\RuntimeBroker'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2680
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RuntimeBroker'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2008
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "RuntimeBroker" /tr "C:\Users\Admin\RuntimeBroker"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3012
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /delete /f /tn "RuntimeBroker"
    3⤵
    PID:1736
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1362.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:828
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:1132
- C:\Users\Admin\AppData\Roaming\Umbral.exe
  "C:\Users\Admin\AppData\Roaming\Umbral.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1362.tmp.bat

Filesize
162B

MD5
699f94ff8f78e8868e096d27083312d6

SHA1
23909ecc8e967e3ed8358cf4ded2a4cac1d73ee6

SHA256
06ee2efa8ef2956b5f5be1fa22dcd170b9f34b1a84714a41d43c75c1cf29b10d

SHA512
9a8d227fe07b3e1d3bb759625efc117722f04619a218e8bc6aa963ab0813405b055f685f7885b5a295454a426030f59fe2e63934de85cb3e667dc08e317421db

Download Submit
C:\Users\Admin\AppData\Roaming\Loader (1).exe

Filesize
827KB

MD5
eefb801774c5ccb44153268a9357f5f1

SHA1
b1906b22e14edd142c52808ab3e5ba9346b85de5

SHA256
677aeb1981c58cba41a5d53ccbbf5b471e62dc49dc326570767da940560d840d

SHA512
1cf162fe6184d68dca514059d2de1123e80d0faac401765a54224aa5a987c9454bc92263fbec566835aa7b402f1f63ba59bb425ccc139e0a7391e66991f270b7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7b736934f06f8abd17fed365da22958e

SHA1
6392882814ef7f963031644112ee0c692968cccf

SHA256
87491dc9e32304faa12909beb8991070d7afd9dd9ecdecd42a8860eab34c3851

SHA512
7eb7935a2b776636017d18765ef13b91a269cc2368a716011142c51e1e479f036e99cb99b57b3a246580e596f42c6e0dd65cc6d166c87b7c6df91588d8f7d9c0

Download Submit
C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe

Filesize
73KB

MD5
96af510fc9c01219079834a9c95ddb55

SHA1
14f0c50ad5421350c8ca7f6eaeefd6ab5da38a09

SHA256
3718589c2b1ee0e11197034c51383245fd5cee736a4187bc7d4bbc22daeee598

SHA512
0c560efa6d436435bf1aaaa1c0a1d77d68655591368d8010267ca4b5a24e51204e4bdefce1f7adb6e93b6ecc9401c335e63f886dfd12cec93c759727df8d2da2

Download Submit
C:\Users\Admin\AppData\Roaming\Umbral.exe

Filesize
232KB

MD5
f58d6804055161d2e9eddac2ef14ce3e

SHA1
1ad4327548a8362ceb37b8211291d4eac661f5ae

SHA256
c4131f8c0c24784d9fbecdadd623f112d76da2a8ff4bcd58f2acbb1325da47e5

SHA512
d872364d535fbf4e7f5573a46c96be633a8d23533091f77ae038d78da1b8af6755c61966a607294bf946dc7695973f70bfd43ed824849a7c5dac39d59a2a45c3

Download Submit
memory/1916-66-0x000007FEF5870000-0x000007FEF625C000-memory.dmp

Filesize
9.9MB

Download
memory/1916-17-0x0000000001190000-0x00000000011A8000-memory.dmp

Filesize
96KB

Download
memory/1916-54-0x0000000000890000-0x000000000089C000-memory.dmp

Filesize
48KB

Download
memory/1916-21-0x000007FEF5870000-0x000007FEF625C000-memory.dmp

Filesize
9.9MB

Download
memory/1916-52-0x000007FEF5870000-0x000007FEF625C000-memory.dmp

Filesize
9.9MB

Download
memory/1964-22-0x0000000000690000-0x000000000069A000-memory.dmp

Filesize
40KB

Download
memory/1964-23-0x0000000000690000-0x000000000069A000-memory.dmp

Filesize
40KB

Download
memory/1964-53-0x0000000000690000-0x000000000069A000-memory.dmp

Filesize
40KB

Download
memory/1964-20-0x0000000000230000-0x0000000000306000-memory.dmp

Filesize
856KB

Download
memory/2620-30-0x0000000001F00000-0x0000000001F08000-memory.dmp

Filesize
32KB

Download
memory/2620-29-0x000000001B720000-0x000000001BA02000-memory.dmp

Filesize
2.9MB

Download
memory/2700-0-0x000007FEF5873000-0x000007FEF5874000-memory.dmp

Filesize
4KB

Download
memory/2700-1-0x0000000000B00000-0x0000000000C24000-memory.dmp

Filesize
1.1MB

Download
memory/2860-36-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

Filesize
2.9MB

Download
memory/2860-37-0x0000000002220000-0x0000000002228000-memory.dmp

Filesize
32KB

Download
memory/3060-19-0x0000000000050000-0x0000000000090000-memory.dmp

Filesize
256KB

Download