umbral | 073997d20ef564e271ffb2b4d86773dbf7eddfb7e9f4811b0deb798b4505e2ce

Analysis

max time kernel
147s
max time network
126s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
14-11-2024 19:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

073997d20ef564e271ffb2b4d86773dbf7eddfb7e9f4811b0deb798b4505e2ce.exe
Size

800KB
MD5

7198fa10a50ea9aaf6ae5c2a05af2104
SHA1

c35a2a73313e3c5ad08136e3bc583bb9bc26964c
SHA256

073997d20ef564e271ffb2b4d86773dbf7eddfb7e9f4811b0deb798b4505e2ce
SHA512

56db894671d6b5e093ef2de88ba785f1d9159e2b206593886ad540d336c5dfa79cd5ea7b6b29fbdd39d3a2355bcc01d90f5fff64e97fcbda383e38df79353acf
SSDEEP

12288:naMgC/rJdxLDMVVV/1EIEm6l6O6+26AFxKxg0YZbs7Ql:naMgGfxLDmVwoV+26YcY+0

Score

10^/10

umbral xworm discovery execution persistence rat spyware stealer trojan

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1303474825066446879/NebQ1EAeNBTUfzGkn_W4tnvKCl9pOSQ87UqZdaxri0p165SfLuSuU_8R57ng1lqsCx6o

Extracted

Family

xworm

127.0.0.1:26848

23.ip.gl.ply.gg:26848

Attributes

Install_directory
%Userprofile%
install_file
Windows Security Host.exe

Signatures

Detect Umbral payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Injector.exe	family_umbral
behavioral1/memory/1428-10-0x0000000000190000-0x00000000001D0000-memory.dmp	family_umbral

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe	family_xworm
behavioral1/memory/2612-20-0x0000000000310000-0x000000000032A000-memory.dmp	family_xworm

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2924	powershell.exe
2520	powershell.exe
1780	powershell.exe
3060	powershell.exe
2184	powershell.exe
1776	powershell.exe
1828	powershell.exe
2588	powershell.exe

Drops file in Drivers directory 1 IoCs

Processes:

Injector.exe

description ioc process

File opened for modification C:\Windows\System32\drivers\etc\hosts Injector.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Injector.exe

Drops startup file 2 IoCs

Processes:

Windows Security Host.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Security Host.lnk	Windows Security Host.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Security Host.lnk	Windows Security Host.exe

Executes dropped EXE 4 IoCs

Processes:

Injector.exeWindows Security Host.exeBootstrapperV1.23.exe

pid process

1428 Injector.exe
2612 Windows Security Host.exe
2384 BootstrapperV1.23.exe
1184

pid	process
1428	Injector.exe
2612	Windows Security Host.exe
2384	BootstrapperV1.23.exe
1184

Loads dropped DLL 7 IoCs

Processes:

073997d20ef564e271ffb2b4d86773dbf7eddfb7e9f4811b0deb798b4505e2ce.exeWerFault.exe

pid	process
2380	073997d20ef564e271ffb2b4d86773dbf7eddfb7e9f4811b0deb798b4505e2ce.exe
2036
2596	WerFault.exe
2596	WerFault.exe
2596	WerFault.exe
2596	WerFault.exe
2596	WerFault.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Windows Security Host.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Security Host = "C:\\Users\\Admin\\Windows Security Host.exe"	Windows Security Host.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

17 discord.com
18 discord.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

PING.EXEcmd.exe

pid process

2844 PING.EXE
2704 cmd.exe
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

wmic.exe

pid process

2916 wmic.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exe

pid process

2868 ipconfig.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2844 PING.EXE

flow	ioc
17	discord.com
18	discord.com

flow	ioc
6	ip-api.com

pid	process
2844	PING.EXE
2704	cmd.exe

pid	process
2916	wmic.exe

pid	process
2868	ipconfig.exe

pid	process
2844	PING.EXE

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

powershell.exepowershell.exepowershell.exeInjector.exepowershell.exepowershell.exepowershell.exeWindows Security Host.exepowershell.exepowershell.exepowershell.exe

pid	process
2924	powershell.exe
2520	powershell.exe
1780	powershell.exe
1428	Injector.exe
3060	powershell.exe
2184	powershell.exe
1776	powershell.exe
2612	Windows Security Host.exe
1828	powershell.exe
1872	powershell.exe
2588	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Windows Security Host.exeInjector.exepowershell.exepowershell.exewmic.exepowershell.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2612	Windows Security Host.exe
Token: SeDebugPrivilege	1428	Injector.exe
Token: SeDebugPrivilege	2924	powershell.exe
Token: SeDebugPrivilege	2520	powershell.exe
Token: SeIncreaseQuotaPrivilege	2988	wmic.exe
Token: SeSecurityPrivilege	2988	wmic.exe
Token: SeTakeOwnershipPrivilege	2988	wmic.exe
Token: SeLoadDriverPrivilege	2988	wmic.exe
Token: SeSystemProfilePrivilege	2988	wmic.exe
Token: SeSystemtimePrivilege	2988	wmic.exe
Token: SeProfSingleProcessPrivilege	2988	wmic.exe
Token: SeIncBasePriorityPrivilege	2988	wmic.exe
Token: SeCreatePagefilePrivilege	2988	wmic.exe
Token: SeBackupPrivilege	2988	wmic.exe
Token: SeRestorePrivilege	2988	wmic.exe
Token: SeShutdownPrivilege	2988	wmic.exe
Token: SeDebugPrivilege	2988	wmic.exe
Token: SeSystemEnvironmentPrivilege	2988	wmic.exe
Token: SeRemoteShutdownPrivilege	2988	wmic.exe
Token: SeUndockPrivilege	2988	wmic.exe
Token: SeManageVolumePrivilege	2988	wmic.exe
Token: 33	2988	wmic.exe
Token: 34	2988	wmic.exe
Token: 35	2988	wmic.exe
Token: SeIncreaseQuotaPrivilege	2988	wmic.exe
Token: SeSecurityPrivilege	2988	wmic.exe
Token: SeTakeOwnershipPrivilege	2988	wmic.exe
Token: SeLoadDriverPrivilege	2988	wmic.exe
Token: SeSystemProfilePrivilege	2988	wmic.exe
Token: SeSystemtimePrivilege	2988	wmic.exe
Token: SeProfSingleProcessPrivilege	2988	wmic.exe
Token: SeIncBasePriorityPrivilege	2988	wmic.exe
Token: SeCreatePagefilePrivilege	2988	wmic.exe
Token: SeBackupPrivilege	2988	wmic.exe
Token: SeRestorePrivilege	2988	wmic.exe
Token: SeShutdownPrivilege	2988	wmic.exe
Token: SeDebugPrivilege	2988	wmic.exe
Token: SeSystemEnvironmentPrivilege	2988	wmic.exe
Token: SeRemoteShutdownPrivilege	2988	wmic.exe
Token: SeUndockPrivilege	2988	wmic.exe
Token: SeManageVolumePrivilege	2988	wmic.exe
Token: 33	2988	wmic.exe
Token: 34	2988	wmic.exe
Token: 35	2988	wmic.exe
Token: SeDebugPrivilege	1780	powershell.exe
Token: SeIncreaseQuotaPrivilege	3020	WMIC.exe
Token: SeSecurityPrivilege	3020	WMIC.exe
Token: SeTakeOwnershipPrivilege	3020	WMIC.exe
Token: SeLoadDriverPrivilege	3020	WMIC.exe
Token: SeSystemProfilePrivilege	3020	WMIC.exe
Token: SeSystemtimePrivilege	3020	WMIC.exe
Token: SeProfSingleProcessPrivilege	3020	WMIC.exe
Token: SeIncBasePriorityPrivilege	3020	WMIC.exe
Token: SeCreatePagefilePrivilege	3020	WMIC.exe
Token: SeBackupPrivilege	3020	WMIC.exe
Token: SeRestorePrivilege	3020	WMIC.exe
Token: SeShutdownPrivilege	3020	WMIC.exe
Token: SeDebugPrivilege	3020	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3020	WMIC.exe
Token: SeRemoteShutdownPrivilege	3020	WMIC.exe
Token: SeUndockPrivilege	3020	WMIC.exe
Token: SeManageVolumePrivilege	3020	WMIC.exe
Token: 33	3020	WMIC.exe
Token: 34	3020	WMIC.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Windows Security Host.exe

pid process

2612 Windows Security Host.exe

pid	process
2612	Windows Security Host.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

073997d20ef564e271ffb2b4d86773dbf7eddfb7e9f4811b0deb798b4505e2ce.exeBootstrapperV1.23.execmd.exeWindows Security Host.exeInjector.execmd.exe

description	pid	process	target process
PID 2380 wrote to memory of 1428	2380	073997d20ef564e271ffb2b4d86773dbf7eddfb7e9f4811b0deb798b4505e2ce.exe	Injector.exe
PID 2380 wrote to memory of 1428	2380	073997d20ef564e271ffb2b4d86773dbf7eddfb7e9f4811b0deb798b4505e2ce.exe	Injector.exe
PID 2380 wrote to memory of 1428	2380	073997d20ef564e271ffb2b4d86773dbf7eddfb7e9f4811b0deb798b4505e2ce.exe	Injector.exe
PID 2380 wrote to memory of 2612	2380	073997d20ef564e271ffb2b4d86773dbf7eddfb7e9f4811b0deb798b4505e2ce.exe	Windows Security Host.exe
PID 2380 wrote to memory of 2612	2380	073997d20ef564e271ffb2b4d86773dbf7eddfb7e9f4811b0deb798b4505e2ce.exe	Windows Security Host.exe
PID 2380 wrote to memory of 2612	2380	073997d20ef564e271ffb2b4d86773dbf7eddfb7e9f4811b0deb798b4505e2ce.exe	Windows Security Host.exe
PID 2380 wrote to memory of 2384	2380	073997d20ef564e271ffb2b4d86773dbf7eddfb7e9f4811b0deb798b4505e2ce.exe	BootstrapperV1.23.exe
PID 2380 wrote to memory of 2384	2380	073997d20ef564e271ffb2b4d86773dbf7eddfb7e9f4811b0deb798b4505e2ce.exe	BootstrapperV1.23.exe
PID 2380 wrote to memory of 2384	2380	073997d20ef564e271ffb2b4d86773dbf7eddfb7e9f4811b0deb798b4505e2ce.exe	BootstrapperV1.23.exe
PID 2384 wrote to memory of 2440	2384	BootstrapperV1.23.exe	cmd.exe
PID 2384 wrote to memory of 2440	2384	BootstrapperV1.23.exe	cmd.exe
PID 2384 wrote to memory of 2440	2384	BootstrapperV1.23.exe	cmd.exe
PID 2440 wrote to memory of 2868	2440	cmd.exe	ipconfig.exe
PID 2440 wrote to memory of 2868	2440	cmd.exe	ipconfig.exe
PID 2440 wrote to memory of 2868	2440	cmd.exe	ipconfig.exe
PID 2612 wrote to memory of 2924	2612	Windows Security Host.exe	powershell.exe
PID 2612 wrote to memory of 2924	2612	Windows Security Host.exe	powershell.exe
PID 2612 wrote to memory of 2924	2612	Windows Security Host.exe	powershell.exe
PID 2612 wrote to memory of 2520	2612	Windows Security Host.exe	powershell.exe
PID 2612 wrote to memory of 2520	2612	Windows Security Host.exe	powershell.exe
PID 2612 wrote to memory of 2520	2612	Windows Security Host.exe	powershell.exe
PID 1428 wrote to memory of 2988	1428	Injector.exe	wmic.exe
PID 1428 wrote to memory of 2988	1428	Injector.exe	wmic.exe
PID 1428 wrote to memory of 2988	1428	Injector.exe	wmic.exe
PID 2612 wrote to memory of 1780	2612	Windows Security Host.exe	powershell.exe
PID 2612 wrote to memory of 1780	2612	Windows Security Host.exe	powershell.exe
PID 2612 wrote to memory of 1780	2612	Windows Security Host.exe	powershell.exe
PID 1428 wrote to memory of 1608	1428	Injector.exe	attrib.exe
PID 1428 wrote to memory of 1608	1428	Injector.exe	attrib.exe
PID 1428 wrote to memory of 1608	1428	Injector.exe	attrib.exe
PID 2384 wrote to memory of 1680	2384	BootstrapperV1.23.exe	cmd.exe
PID 2384 wrote to memory of 1680	2384	BootstrapperV1.23.exe	cmd.exe
PID 2384 wrote to memory of 1680	2384	BootstrapperV1.23.exe	cmd.exe
PID 1680 wrote to memory of 3020	1680	cmd.exe	WMIC.exe
PID 1680 wrote to memory of 3020	1680	cmd.exe	WMIC.exe
PID 1680 wrote to memory of 3020	1680	cmd.exe	WMIC.exe
PID 1428 wrote to memory of 3060	1428	Injector.exe	powershell.exe
PID 1428 wrote to memory of 3060	1428	Injector.exe	powershell.exe
PID 1428 wrote to memory of 3060	1428	Injector.exe	powershell.exe
PID 2612 wrote to memory of 2184	2612	Windows Security Host.exe	powershell.exe
PID 2612 wrote to memory of 2184	2612	Windows Security Host.exe	powershell.exe
PID 2612 wrote to memory of 2184	2612	Windows Security Host.exe	powershell.exe
PID 1428 wrote to memory of 1776	1428	Injector.exe	powershell.exe
PID 1428 wrote to memory of 1776	1428	Injector.exe	powershell.exe
PID 1428 wrote to memory of 1776	1428	Injector.exe	powershell.exe
PID 1428 wrote to memory of 1828	1428	Injector.exe	powershell.exe
PID 1428 wrote to memory of 1828	1428	Injector.exe	powershell.exe
PID 1428 wrote to memory of 1828	1428	Injector.exe	powershell.exe
PID 1428 wrote to memory of 1872	1428	Injector.exe	powershell.exe
PID 1428 wrote to memory of 1872	1428	Injector.exe	powershell.exe
PID 1428 wrote to memory of 1872	1428	Injector.exe	powershell.exe
PID 1428 wrote to memory of 2456	1428	Injector.exe	wmic.exe
PID 1428 wrote to memory of 2456	1428	Injector.exe	wmic.exe
PID 1428 wrote to memory of 2456	1428	Injector.exe	wmic.exe
PID 1428 wrote to memory of 2164	1428	Injector.exe	wmic.exe
PID 1428 wrote to memory of 2164	1428	Injector.exe	wmic.exe
PID 1428 wrote to memory of 2164	1428	Injector.exe	wmic.exe
PID 1428 wrote to memory of 1540	1428	Injector.exe	wmic.exe
PID 1428 wrote to memory of 1540	1428	Injector.exe	wmic.exe
PID 1428 wrote to memory of 1540	1428	Injector.exe	wmic.exe
PID 1428 wrote to memory of 2588	1428	Injector.exe	powershell.exe
PID 1428 wrote to memory of 2588	1428	Injector.exe	powershell.exe
PID 1428 wrote to memory of 2588	1428	Injector.exe	powershell.exe
PID 2384 wrote to memory of 2596	2384	BootstrapperV1.23.exe	WerFault.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

1608 attrib.exe

pid	process
1608	attrib.exe

C:\Users\Admin\AppData\Local\Temp\073997d20ef564e271ffb2b4d86773dbf7eddfb7e9f4811b0deb798b4505e2ce.exe
"C:\Users\Admin\AppData\Local\Temp\073997d20ef564e271ffb2b4d86773dbf7eddfb7e9f4811b0deb798b4505e2ce.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Users\Admin\AppData\Local\Temp\Injector.exe
  "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1428
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2988
- - C:\Windows\system32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
    3⤵
    - Views/modifies file attributes
    PID:1608
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Injector.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3060
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1776
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1828
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1872
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    PID:2456
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:2164
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:1540
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2588
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:2916
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Injector.exe" && pause
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2704
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2844
- C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
  "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2924
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Security Host.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2520
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Windows Security Host.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1780
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Security Host.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2184
- C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
  "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2384
- - C:\Windows\system32\cmd.exe
    "cmd" /c ipconfig /all
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2440
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:2868
- - C:\Windows\system32\cmd.exe
    "cmd" /c wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1680
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3020
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2384 -s 1120
    3⤵
    - Loads dropped DLL
    PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe

Filesize
800KB

MD5
02c70d9d6696950c198db93b7f6a835e

SHA1
30231a467a49cc37768eea0f55f4bea1cbfb48e2

SHA256
8f2e28588f2303bd8d7a9b0c3ff6a9cb16fa93f8ddc9c5e0666a8c12d6880ee3

SHA512
431d9b9918553bff4f4a5bc2a5e7b7015f8ad0e2d390bb4d5264d08983372424156524ef5587b24b67d1226856fc630aaca08edc8113097e0094501b4f08efeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Injector.exe

Filesize
229KB

MD5
3882cfe50e35985982e9ef0c01b99c47

SHA1
6e09c71ae230b839163628c9179b3a3aac58c1a3

SHA256
da73db144e8035dd81ab4578b7f856131351ec33119c9ce0c46d852499621636

SHA512
a539767dc599b8a6103c413b4a42c83c7ce09d3171c45890f2630ad000166854c5ac220f78ab966ea90c55c1d6361ce70ea5ab3671fc2913445e8009126a534e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe

Filesize
79KB

MD5
c7ba63ce2ed6d0aab93ad839e0eddd68

SHA1
087ffd969b37a73b349a81af18bb51191eb42cbd

SHA256
84be55fb4b514ebdb999b5caf4e0837c521b5e7a4f85f636e4593daf09eedae9

SHA512
9f63cfdb94af23cebc85ffd491364c1a90ab90736fc8da0fe16ebf2fb18e9a6eb8fea4dfca87d8353565ba684b0c8f461371588aac72101b355886619bf672f6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b59dcb5516a4f86c775e7e2e8c76524d

SHA1
4692b0bccb02572dc6584d52786fc6a89b4fc939

SHA256
8786cb17a3a98b6ab1f5fec0b87caf6262c01d029870e2c31370b2ea22537155

SHA512
283920046c4686ecfa962c98820525cf74019f4c657ce6704f12d11c2ee1634aae170d75313b5c6d0c1e9ffe2a2b0c9af15ad492792da17c737b46988bfced01

Download Submit
memory/1428-10-0x0000000000190000-0x00000000001D0000-memory.dmp

Filesize
256KB

Download
memory/1428-23-0x000007FEF53F0000-0x000007FEF5DDC000-memory.dmp

Filesize
9.9MB

Download
memory/1428-100-0x000007FEF53F0000-0x000007FEF5DDC000-memory.dmp

Filesize
9.9MB

Download
memory/2380-0-0x000007FEF53F3000-0x000007FEF53F4000-memory.dmp

Filesize
4KB

Download
memory/2380-22-0x000007FEF53F0000-0x000007FEF5DDC000-memory.dmp

Filesize
9.9MB

Download
memory/2380-1-0x00000000012C0000-0x0000000001332000-memory.dmp

Filesize
456KB

Download
memory/2384-21-0x00000000010E0000-0x00000000011AE000-memory.dmp

Filesize
824KB

Download
memory/2520-36-0x000000001B750000-0x000000001BA32000-memory.dmp

Filesize
2.9MB

Download
memory/2520-37-0x00000000022A0000-0x00000000022A8000-memory.dmp

Filesize
32KB

Download
memory/2588-90-0x0000000002890000-0x0000000002898000-memory.dmp

Filesize
32KB

Download
memory/2612-20-0x0000000000310000-0x000000000032A000-memory.dmp

Filesize
104KB

Download
memory/2924-29-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download
memory/2924-30-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download