Overview

overview

10

Static

static

10

94a9aea0d5...e8.exe

windows7-x64

10

94a9aea0d5...e8.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    134s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-12-2024 19:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    94a9aea0d58aed1c57e0f3857ea7de65778a6faab1912e4decbe463bf7b85ae8.exe

  • Size

    1.9MB

  • MD5

    477ee009f176249987f15c8fd01902f0

  • SHA1

    c40e6e81adcca5bf643ea005e3e2bc062793985d

  • SHA256

    94a9aea0d58aed1c57e0f3857ea7de65778a6faab1912e4decbe463bf7b85ae8

  • SHA512

    aef7538f615ec5607f56f41f17ad045a4ac8bba6e7a27e185068208a7ea704c01b1b87aaae0b5cb42f2e61ee11dd344e01c2f8d2d089a026e14931935da6dfef

  • SSDEEP

    24576:IRDdNQlDWcG0ZbOOdezYwITkHiPIZp7WAvck0poRtf0BJngtcp90kcTFI8A+W4+u:IRDTQRzMKeEcHLZkA0ruJd/

Score
10/10
umbralxwormdiscoveryevasionexecutionratspywarestealertrojan

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1322985421172641892/q0_diVrV3tWC0qMrnQumssRXcZ18yaPSUtiPWfKvRg2S6sXoeNRQ-lKC87d8pURrSvkv

Extracted

Family

xworm

Version

5.0

C2

were-breeding.gl.at.ply.gg:1234

Mutex

ecqG44OAn0ybERsL

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Umbral payload 2 IoCs
  • Detect Xworm Payload 2 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Umbral family
    umbral
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops file in Drivers directory 1 IoCs
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 40 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\94a9aea0d58aed1c57e0f3857ea7de65778a6faab1912e4decbe463bf7b85ae8.exe
    "C:\Users\Admin\AppData\Local\Temp\94a9aea0d58aed1c57e0f3857ea7de65778a6faab1912e4decbe463bf7b85ae8.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3396
    • C:\Users\Admin\AppData\Local\Temp\KNA SERVICE.EXE
      "C:\Users\Admin\AppData\Local\Temp\KNA SERVICE.EXE"
      2⤵
      • Looks for VirtualBox Guest Additions in registry
      • Looks for VMWare Tools registry key
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Maps connected drives based on registry
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4520
    • C:\Users\Admin\AppData\Local\Temp\RUN ME.EXE
      "C:\Users\Admin\AppData\Local\Temp\RUN ME.EXE"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2412
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RUN ME.EXE'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2844
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RUN ME.EXE'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:4500
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Windows defender control'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:1660
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows defender control'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:1604
    • C:\Users\Admin\AppData\Local\Temp\SSS.EXE
      "C:\Users\Admin\AppData\Local\Temp\SSS.EXE"
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4580
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3520
      • C:\Windows\SYSTEM32\attrib.exe
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\SSS.EXE"
        3⤵
        • Views/modifies file attributes
        PID:60
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\SSS.EXE'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2464
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:628
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:760
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:828
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" os get Caption
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3052
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" computersystem get totalphysicalmemory
        3⤵
          PID:2876
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" csproduct get uuid
          3⤵
            PID:1172
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            PID:4472
          • C:\Windows\System32\Wbem\wmic.exe
            "wmic" path win32_VideoController get name
            3⤵
            • Detects videocard installed
            PID:3888
          • C:\Windows\SYSTEM32\cmd.exe
            "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\SSS.EXE" && pause
            3⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Suspicious use of WriteProcessMemory
            PID:4812
            • C:\Windows\system32\PING.EXE
              ping localhost
              4⤵
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:2164

      Network

      MITRE ATT&CK Enterprise v15

      Reconnaissance

      Resource Development

      Initial Access

      Execution

      Command and Scripting Interpreter

      1
      T1059

      PowerShell

      1
      T1059.001

      Persistence

      Privilege Escalation

      Defense Evasion

      Hide Artifacts

      1
      T1564

      Hidden Files and Directories

      1
      T1564.001

      Virtualization/Sandbox Evasion

      2
      T1497

      Credential Access

      Credentials from Password Stores

      1
      T1555

      Credentials from Web Browsers

      1
      T1555.003

      Unsecured Credentials

      1
      T1552

      Credentials In Files

      1
      T1552.001

      Discovery

      Peripheral Device Discovery

      1
      T1120

      Query Registry

      5
      T1012

      Remote System Discovery

      1
      T1018

      System Information Discovery

      5
      T1082

      System Location Discovery

      1
      T1614

      System Language Discovery

      1
      T1614.001

      System Network Configuration Discovery

      1
      T1016

      Internet Connection Discovery

      1
      T1016.001

      Virtualization/Sandbox Evasion

      2
      T1497

      Lateral Movement

      Collection

      Data from Local System

      1
      T1005

      Command and Control

      Web Service

      1
      T1102

      Exfiltration

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        d85ba6ff808d9e5444a4b369f5bc2730

        SHA1

        31aa9d96590fff6981b315e0b391b575e4c0804a

        SHA256

        84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

        SHA512

        8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        548dd08570d121a65e82abb7171cae1c

        SHA1

        1a1b5084b3a78f3acd0d811cc79dbcac121217ab

        SHA256

        cdf17b8532ebcebac3cfe23954a30aa32edd268d040da79c82687e4ccb044adc

        SHA512

        37b98b09178b51eec9599af90d027d2f1028202efc1633047e16e41f1a95610984af5620baac07db085ccfcb96942aafffad17aa1f44f63233e83869dc9f697b

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        44cc2ace0ab8f6d2b9451e69ca703395

        SHA1

        197e9c479a75b47a0be7f62d531c530bda7eeced

        SHA256

        511469e6c6fef21d43955983c65007dc53f4c90b76fd1729b7da04b9d25756ba

        SHA512

        60f5e6659e02e6fab9a1ab1bce47a19cf19eec1edf8a874d4712bc655e5a2c2e16bfff35ef701d75f1f137cf7063ba1c5685db6dc73355ee0fec16f7aba65f9c

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        c7e30bd006cbe7816a739ce7592525f2

        SHA1

        cbc320e9acc9a73bb512e85e3d1e9246e3258658

        SHA256

        99193e72a35fbdfe03b49259487de7811d7a9c6f0e1f69d9d23238ea66440d88

        SHA512

        874e24c4e5289d705862590c7724ef127ccd68959bee89e426cf8f62017db9eb6b7d423de7a029393e3cf5ffa02ff93b5c4b518629950174de17fc4d56c1cfba

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        9c740b7699e2363ac4ecdf496520ca35

        SHA1

        aa8691a8c56500d82c5fc8c35209bc6fe50ab1d9

        SHA256

        be96c91b62ba9ba7072ab89e66543328c9e4395150f9dbe8067332d94a3ecc61

        SHA512

        8885683f96353582eb871209e766e7eba1a72a2837ce27ea298b7b5b169621d1fa3fce25346b6bfd258b52642644234da9559d4e765a2023a5a5fc1f544cc7af

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        47605a4dda32c9dff09a9ca441417339

        SHA1

        4f68c895c35b0dc36257fc8251e70b968c560b62

        SHA256

        e6254c2bc9846a76a4567ab91b6eae76e937307ff9301b65d577ffe6e15fe40a

        SHA512

        b6823b6e794a2fe3e4c4ecfb3f0d61a54821de7feb4f9e3e7fd463e7fbb5e6848f59865b487dafebeac431e4f4db81ef56836d94cac67da39852c566ed34a885

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        77d622bb1a5b250869a3238b9bc1402b

        SHA1

        d47f4003c2554b9dfc4c16f22460b331886b191b

        SHA256

        f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

        SHA512

        d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        948B

        MD5

        f4bf3ca8753d6bb9725419fec1ec74b9

        SHA1

        71fce9d17d1d92873236a9a827c52eb9e4827f3d

        SHA256

        ca8697e4ada4c3d4aac2899b8aad4052ccd605fccee05ee0a831368bde2f7417

        SHA512

        a55a107ae8bcf833ea674413c765cd55096146c9634dff41884fcc851c12fe47753308099525c99ae44883facfb668c8b292dd915263f34ebd1190391cb28a54

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\KNA SERVICE.EXE
        Filesize

        1.5MB

        MD5

        d3fbde93141444735fb5ea06e1371213

        SHA1

        f25eed8c6bf09ba4b1ce60b6ee72d5e36bf9a4f2

        SHA256

        ed8b9422f74d4dc9ec9a55cabedc04c819a13eaeba5b7ddade5e3d5200337816

        SHA512

        553ee6d8ac6d2faa55b0bbb5b97d1ac7cad0dfb1ebf8e2e30f87c881478309a4e0ed0f98285b334ad244be2243ee2b067cb267ce5054ca119d34ae224df65e31

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RUN ME.EXE
        Filesize

        38KB

        MD5

        816ae2a8f7799541016e947b09286035

        SHA1

        c34cf31168b08a7ae66cafbbbd5570d7d72cab2b

        SHA256

        75a03d5602e8eab0d7013319781dd0b44133fffb50ad5783b5d8224a63265e6d

        SHA512

        7d76cb89386c998e922e38507a931daf4e62a335ff5f1bb9731efd0c1a279efa1ee51bb424f8089b1019dceb2121d379a3f1ef5ab00163a13df6f3efd571039e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\SSS.EXE
        Filesize

        229KB

        MD5

        482265beef9bef7b8def0d9e793a8470

        SHA1

        6de3fb6bef13732a226f3b4bcde1c4f8f0b79881

        SHA256

        1da02f46310578bf95267665f964c6c79617e6fd5f3926c53aad40529782750e

        SHA512

        6c6c5d528243895426e7d04ab4fb9af2ce54c7286f25a602e793a034692035c86f832548149d24eee5ce4e4d7f77347361e8ebfe972eb9a826245cff0b7dac8c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nenr33p2.bjb.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • memory/2412-182-0x0000000002880000-0x0000000002890000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2412-30-0x00007FFD55DD3000-0x00007FFD55DD5000-memory.dmp

        Filesize

        8KB

        Download

      • memory/2412-184-0x0000000002880000-0x0000000002890000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2412-34-0x0000000000810000-0x0000000000820000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2464-43-0x0000019E772C0000-0x0000019E772E2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/4520-183-0x0000000073C0E000-0x0000000073C0F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4520-40-0x0000000005890000-0x00000000058F6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4520-69-0x00000000072C0000-0x00000000072FC000-memory.dmp

        Filesize

        240KB

        Download

      • memory/4520-73-0x000000000AD70000-0x000000000AD78000-memory.dmp

        Filesize

        32KB

        Download

      • memory/4520-37-0x0000000073C0E000-0x0000000073C0F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4520-75-0x000000000B1A0000-0x000000000B1D8000-memory.dmp

        Filesize

        224KB

        Download

      • memory/4520-76-0x000000000B180000-0x000000000B18E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/4520-38-0x0000000000A20000-0x0000000000BB2000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/4520-39-0x0000000005570000-0x00000000056DA000-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/4520-42-0x0000000006770000-0x0000000006782000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4520-41-0x0000000005EB0000-0x0000000006454000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/4580-71-0x0000025D3E1D0000-0x0000025D3E246000-memory.dmp

        Filesize

        472KB

        Download

      • memory/4580-114-0x0000025D3E190000-0x0000025D3E1A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4580-113-0x0000025D3E020000-0x0000025D3E02A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/4580-74-0x0000025D3E170000-0x0000025D3E18E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/4580-178-0x00007FFD55DD0000-0x00007FFD56891000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4580-72-0x0000025D3E250000-0x0000025D3E2A0000-memory.dmp

        Filesize

        320KB

        Download

      • memory/4580-36-0x00007FFD55DD0000-0x00007FFD56891000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4580-35-0x0000025D23A60000-0x0000025D23AA0000-memory.dmp

        Filesize

        256KB

        Download