umbral | 9bd18d2dade015a169996c0c1e36b2d8a8ea7c696660d767aff916d98d3f1ddd

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
31-01-2025 15:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

umbral.exe
Size

1.6MB
MD5

00d1500f2bf8bca0155b96b09d5c7294
SHA1

dda7ceda5e7bc5ad5db25dcdb4c9f3713ca70e18
SHA256

9bd18d2dade015a169996c0c1e36b2d8a8ea7c696660d767aff916d98d3f1ddd
SHA512

1bf4b531bdfc03508ed000f0f0750b7275d8c5b965804cc8780623010ff8dbe9787f019380d3fc44a96a6ac9bc1b5cd0604f87307ea708a69e0ea1c29f762639
SSDEEP

49152:4AodtaG9kS2U84B+FLan9k5TRM9zl/VjoeftKuFor:o/B1lfthar

Score

10^/10

umbral discovery execution spyware stealer

Malware Config

Signatures

Detect Umbral payload 5 IoCs

resource	yara_rule
behavioral1/memory/600-16-0x0000000000400000-0x0000000000440000-memory.dmp	family_umbral
behavioral1/memory/600-17-0x0000000000400000-0x0000000000440000-memory.dmp	family_umbral
behavioral1/memory/600-15-0x0000000000400000-0x0000000000440000-memory.dmp	family_umbral
behavioral1/memory/2152-70-0x0000000000400000-0x0000000000440000-memory.dmp	family_umbral
behavioral1/memory/2152-69-0x0000000000400000-0x0000000000440000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2996	powershell.exe
2072	powershell.exe
1496	powershell.exe
2600	powershell.exe
3020	powershell.exe
2968	powershell.exe
968	powershell.exe
2800	powershell.exe
2716	powershell.exe
1788	powershell.exe

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	installutil.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	installutil.exe

Executes dropped EXE 1 IoCs

pid	Process
2152	installutil.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	ip-api.com
6	ip-api.com

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2900 set thread context of 600	2900	umbral.exe	36
PID 1544 set thread context of 2152	1544	umbral.exe	67

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	attrib.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 26 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	installutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	installutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1792	cmd.exe
276	PING.EXE
868	cmd.exe
2124	PING.EXE

Detects videocard installed 1 TTPs 2 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
868	wmic.exe
1356	wmic.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
2332	taskkill.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
276	PING.EXE
2124	PING.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2996	powershell.exe
2900	umbral.exe
2072	powershell.exe
3020	powershell.exe
2968	powershell.exe
2280	powershell.exe
1496	powershell.exe
968	powershell.exe
1544	umbral.exe
2600	powershell.exe
2800	powershell.exe
2716	powershell.exe
2244	powershell.exe
1788	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2900	umbral.exe
Token: SeDebugPrivilege	2996	powershell.exe
Token: SeDebugPrivilege	600	installutil.exe
Token: SeDebugPrivilege	2072	powershell.exe
Token: SeDebugPrivilege	3020	powershell.exe
Token: SeDebugPrivilege	2968	powershell.exe
Token: SeDebugPrivilege	2280	powershell.exe
Token: SeIncreaseQuotaPrivilege	2452	wmic.exe
Token: SeSecurityPrivilege	2452	wmic.exe
Token: SeTakeOwnershipPrivilege	2452	wmic.exe
Token: SeLoadDriverPrivilege	2452	wmic.exe
Token: SeSystemProfilePrivilege	2452	wmic.exe
Token: SeSystemtimePrivilege	2452	wmic.exe
Token: SeProfSingleProcessPrivilege	2452	wmic.exe
Token: SeIncBasePriorityPrivilege	2452	wmic.exe
Token: SeCreatePagefilePrivilege	2452	wmic.exe
Token: SeBackupPrivilege	2452	wmic.exe
Token: SeRestorePrivilege	2452	wmic.exe
Token: SeShutdownPrivilege	2452	wmic.exe
Token: SeDebugPrivilege	2452	wmic.exe
Token: SeSystemEnvironmentPrivilege	2452	wmic.exe
Token: SeRemoteShutdownPrivilege	2452	wmic.exe
Token: SeUndockPrivilege	2452	wmic.exe
Token: SeManageVolumePrivilege	2452	wmic.exe
Token: 33	2452	wmic.exe
Token: 34	2452	wmic.exe
Token: 35	2452	wmic.exe
Token: SeIncreaseQuotaPrivilege	2452	wmic.exe
Token: SeSecurityPrivilege	2452	wmic.exe
Token: SeTakeOwnershipPrivilege	2452	wmic.exe
Token: SeLoadDriverPrivilege	2452	wmic.exe
Token: SeSystemProfilePrivilege	2452	wmic.exe
Token: SeSystemtimePrivilege	2452	wmic.exe
Token: SeProfSingleProcessPrivilege	2452	wmic.exe
Token: SeIncBasePriorityPrivilege	2452	wmic.exe
Token: SeCreatePagefilePrivilege	2452	wmic.exe
Token: SeBackupPrivilege	2452	wmic.exe
Token: SeRestorePrivilege	2452	wmic.exe
Token: SeShutdownPrivilege	2452	wmic.exe
Token: SeDebugPrivilege	2452	wmic.exe
Token: SeSystemEnvironmentPrivilege	2452	wmic.exe
Token: SeRemoteShutdownPrivilege	2452	wmic.exe
Token: SeUndockPrivilege	2452	wmic.exe
Token: SeManageVolumePrivilege	2452	wmic.exe
Token: 33	2452	wmic.exe
Token: 34	2452	wmic.exe
Token: 35	2452	wmic.exe
Token: SeDebugPrivilege	1544	umbral.exe
Token: SeIncreaseQuotaPrivilege	2240	wmic.exe
Token: SeSecurityPrivilege	2240	wmic.exe
Token: SeTakeOwnershipPrivilege	2240	wmic.exe
Token: SeLoadDriverPrivilege	2240	wmic.exe
Token: SeSystemProfilePrivilege	2240	wmic.exe
Token: SeSystemtimePrivilege	2240	wmic.exe
Token: SeProfSingleProcessPrivilege	2240	wmic.exe
Token: SeIncBasePriorityPrivilege	2240	wmic.exe
Token: SeCreatePagefilePrivilege	2240	wmic.exe
Token: SeBackupPrivilege	2240	wmic.exe
Token: SeRestorePrivilege	2240	wmic.exe
Token: SeShutdownPrivilege	2240	wmic.exe
Token: SeDebugPrivilege	2240	wmic.exe
Token: SeSystemEnvironmentPrivilege	2240	wmic.exe
Token: SeRemoteShutdownPrivilege	2240	wmic.exe
Token: SeUndockPrivilege	2240	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2900 wrote to memory of 2996	2900	umbral.exe	31
PID 2900 wrote to memory of 2996	2900	umbral.exe	31
PID 2900 wrote to memory of 2996	2900	umbral.exe	31
PID 2900 wrote to memory of 2672	2900	umbral.exe	33
PID 2900 wrote to memory of 2672	2900	umbral.exe	33
PID 2900 wrote to memory of 2672	2900	umbral.exe	33
PID 2900 wrote to memory of 2692	2900	umbral.exe	34
PID 2900 wrote to memory of 2692	2900	umbral.exe	34
PID 2900 wrote to memory of 2692	2900	umbral.exe	34
PID 2900 wrote to memory of 2692	2900	umbral.exe	34
PID 2900 wrote to memory of 2692	2900	umbral.exe	34
PID 2900 wrote to memory of 2692	2900	umbral.exe	34
PID 2900 wrote to memory of 2692	2900	umbral.exe	34
PID 2900 wrote to memory of 2692	2900	umbral.exe	34
PID 2900 wrote to memory of 2692	2900	umbral.exe	34
PID 2900 wrote to memory of 600	2900	umbral.exe	36
PID 2900 wrote to memory of 600	2900	umbral.exe	36
PID 2900 wrote to memory of 600	2900	umbral.exe	36
PID 2900 wrote to memory of 600	2900	umbral.exe	36
PID 2900 wrote to memory of 600	2900	umbral.exe	36
PID 2900 wrote to memory of 600	2900	umbral.exe	36
PID 2900 wrote to memory of 600	2900	umbral.exe	36
PID 2900 wrote to memory of 600	2900	umbral.exe	36
PID 2900 wrote to memory of 600	2900	umbral.exe	36
PID 2900 wrote to memory of 600	2900	umbral.exe	36
PID 2900 wrote to memory of 600	2900	umbral.exe	36
PID 2900 wrote to memory of 600	2900	umbral.exe	36
PID 600 wrote to memory of 2068	600	installutil.exe	37
PID 600 wrote to memory of 2068	600	installutil.exe	37
PID 600 wrote to memory of 2068	600	installutil.exe	37
PID 600 wrote to memory of 2068	600	installutil.exe	37
PID 600 wrote to memory of 2072	600	installutil.exe	39
PID 600 wrote to memory of 2072	600	installutil.exe	39
PID 600 wrote to memory of 2072	600	installutil.exe	39
PID 600 wrote to memory of 2072	600	installutil.exe	39
PID 600 wrote to memory of 3020	600	installutil.exe	41
PID 600 wrote to memory of 3020	600	installutil.exe	41
PID 600 wrote to memory of 3020	600	installutil.exe	41
PID 600 wrote to memory of 3020	600	installutil.exe	41
PID 600 wrote to memory of 2968	600	installutil.exe	43
PID 600 wrote to memory of 2968	600	installutil.exe	43
PID 600 wrote to memory of 2968	600	installutil.exe	43
PID 600 wrote to memory of 2968	600	installutil.exe	43
PID 600 wrote to memory of 2280	600	installutil.exe	45
PID 600 wrote to memory of 2280	600	installutil.exe	45
PID 600 wrote to memory of 2280	600	installutil.exe	45
PID 600 wrote to memory of 2280	600	installutil.exe	45
PID 600 wrote to memory of 2452	600	installutil.exe	47
PID 600 wrote to memory of 2452	600	installutil.exe	47
PID 600 wrote to memory of 2452	600	installutil.exe	47
PID 600 wrote to memory of 2452	600	installutil.exe	47
PID 600 wrote to memory of 2240	600	installutil.exe	52
PID 600 wrote to memory of 2240	600	installutil.exe	52
PID 600 wrote to memory of 2240	600	installutil.exe	52
PID 600 wrote to memory of 2240	600	installutil.exe	52
PID 1544 wrote to memory of 1496	1544	umbral.exe	54
PID 1544 wrote to memory of 1496	1544	umbral.exe	54
PID 1544 wrote to memory of 1496	1544	umbral.exe	54
PID 600 wrote to memory of 3048	600	installutil.exe	56
PID 600 wrote to memory of 3048	600	installutil.exe	56
PID 600 wrote to memory of 3048	600	installutil.exe	56
PID 600 wrote to memory of 3048	600	installutil.exe	56
PID 600 wrote to memory of 968	600	installutil.exe	58
PID 600 wrote to memory of 968	600	installutil.exe	58

Views/modifies file attributes 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2068	attrib.exe
3024	attrib.exe

C:\Users\Admin\AppData\Local\Temp\umbral.exe
"C:\Users\Admin\AppData\Local\Temp\umbral.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2900
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2996
- C:\windows\system32\cmstp.exe
  "C:\windows\system32\cmstp.exe" /au C:\windows\temp\2127832911.inf
  2⤵
  PID:2672
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
  2⤵
  PID:2692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
  2⤵
  - Drops file in Drivers directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:600
- - C:\Windows\SysWOW64\attrib.exe
    "attrib.exe" +h +s "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2068
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2072
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3020
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2968
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2280
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2452
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2240
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3048
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:968
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - System Location Discovery: System Language Discovery
    - Detects videocard installed
    PID:868
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe" && pause
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:1792
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:276

C:\Users\Admin\AppData\Local\Temp\umbral.exe
C:\Users\Admin\AppData\Local\Temp\umbral.exe
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1496
- C:\windows\system32\cmstp.exe
  "C:\windows\system32\cmstp.exe" /au C:\windows\temp\79206884.inf
  2⤵
  PID:936
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
  2⤵
  PID:112
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2152
- - C:\Windows\SysWOW64\attrib.exe
    "attrib.exe" +h +s "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:3024
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2600
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2800
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2716
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2244
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2500
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2584
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1360
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1788
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - System Location Discovery: System Language Discovery
    - Detects videocard installed
    PID:1356
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe" && pause
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:868
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2124

C:\Windows\system32\taskkill.exe
taskkill /IM cmstp.exe /F
1⤵
- Kills process with taskkill
PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ed2a346bce05490502f52b2230205229

SHA1
c044d60c1f6923c3489ef6d233180d1f2b228c58

SHA256
84d2779fd0d8a6507b526883663a0a1d634bf9dfdee7d4697defec18a79dc256

SHA512
dde567eb2646febd93f7c6c8a7e2c4ac43a5e6049e78652900c7ec2b9ba1986a47b1f8b76db7cbdbfa0bdb6cc7ecec49be6660a1cda4f7d5565b8b59cae71af0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\61LVDTHVNYIDDZRFFANA.temp

Filesize
7KB

MD5
a333a67d0254d5d14b906304a203101b

SHA1
4ce8ba26a656bd09b4bbe2d94cc86dbd20c88dff

SHA256
08390387c26764d57691cf748c3f8ba02e524e31ba20f1a8ebb83cb46dda709b

SHA512
860a3d5165add7c4bc79af33a927a26e592a678522961285c8a442c41b8b2fc1525ae3486f86ed7330178ef968370e31aa2b80554e441fcce05b6b4e41fe8963

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
6882321a1c3df9a3a48d9170e235fe57

SHA1
264a35319c48c68cd3bcd2623d8c90089f6cda0d

SHA256
6afb62d05b90cb79a8b7d83826c5ff5d7d8ab102293c4b0b96691c4725bd6c3a

SHA512
55cf9dee5eaa829af3ae1e41dc078f6ff626bdba450b4d92ca01eb323b3f03c859c86a711ac73e73f2628c50f608226c5698a3f293c7a15dd8c31b144d8d73e8

Download Submit
C:\Users\Admin\umbral.exe

Filesize
1.6MB

MD5
00d1500f2bf8bca0155b96b09d5c7294

SHA1
dda7ceda5e7bc5ad5db25dcdb4c9f3713ca70e18

SHA256
9bd18d2dade015a169996c0c1e36b2d8a8ea7c696660d767aff916d98d3f1ddd

SHA512
1bf4b531bdfc03508ed000f0f0750b7275d8c5b965804cc8780623010ff8dbe9787f019380d3fc44a96a6ac9bc1b5cd0604f87307ea708a69e0ea1c29f762639

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Filesize
40KB

MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
577f27e6d74bd8c5b7b0371f2b1e991c

SHA1
b334ccfe13792f82b698960cceaee2e690b85528

SHA256
0ade9ef91b5283eceb17614dd47eb450a5a2a371c410232552ad80af4fbfd5f9

SHA512
944b09b6b9d7c760b0c5add40efd9a25197c22e302c3c7e6d3f4837825ae9ee73e8438fc2c93e268da791f32deb70874799b8398ebae962a9fc51c980c7a5f5c

Download Submit
C:\windows\temp\2127832911.inf

Filesize
515B

MD5
80d2c07ef768a5a9beea96e8e486eb80

SHA1
3684c9e2c22850743ed549ddb5d607e24d3754fe

SHA256
b3bd9ad9314ed67fce90609697dad32926efa86b266d9c0a7afcb048584fb6a9

SHA512
9ca8114aaa2f0e64c4ab1ad8931ee77d0bd8036db7a94a3c26b98a373516734eff1d257004461685a1a1286793d5870e9a224186ce05dd0fde4f5b45cdd9d0ad

Download Submit
memory/600-15-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/600-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/600-17-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1496-54-0x0000000001EC0000-0x0000000001EC8000-memory.dmp

Filesize
32KB

Download
memory/1496-53-0x000000001B730000-0x000000001BA12000-memory.dmp

Filesize
2.9MB

Download
memory/2152-70-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2152-69-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2996-14-0x000007FEF5190000-0x000007FEF5B2D000-memory.dmp

Filesize
9.6MB

Download
memory/2996-10-0x000007FEF5190000-0x000007FEF5B2D000-memory.dmp

Filesize
9.6MB

Download
memory/2996-9-0x000007FEF5190000-0x000007FEF5B2D000-memory.dmp

Filesize
9.6MB

Download
memory/2996-4-0x000007FEF544E000-0x000007FEF544F000-memory.dmp

Filesize
4KB

Download
memory/2996-8-0x000007FEF5190000-0x000007FEF5B2D000-memory.dmp

Filesize
9.6MB

Download
memory/2996-6-0x0000000002310000-0x0000000002318000-memory.dmp

Filesize
32KB

Download
memory/2996-7-0x000007FEF5190000-0x000007FEF5B2D000-memory.dmp

Filesize
9.6MB

Download
memory/2996-5-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download