umbral | bd4e54b8671c85242bf92ee9b90e237db0fecfa97a4298cfeeaaf4d1b40e6c11

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-02-2025 06:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7727b8188b78a605f766578aab1cb995.exe
Size

19.0MB
MD5

7727b8188b78a605f766578aab1cb995
SHA1

4c7c56fdfdd300b421c121394ce5a1cb556f9592
SHA256

bd4e54b8671c85242bf92ee9b90e237db0fecfa97a4298cfeeaaf4d1b40e6c11
SHA512

4eef5259f1e33329a2b804165204d1b6c7cbba3851ae542ddcfe79fe005ad31440a983b32d3fb36ed04b1c89bae7a4e42d523002059d5d228d5a62e7593717a1
SSDEEP

393216:9v0t4S8QtZbO8Z9Q9dIcBkvbxrM4mQqHtSMo+9/pWFGRw0qr2W673KH9+8J:9c2S3ZbO8Z9AeeQqHt1o+9/pWQx36d+q

Score

10^/10

umbral defense_evasion discovery evasion execution pyinstaller stealer trojan upx

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1339207974182191194/Cbspp1D1YgKvkqPsxxLAOiahYoeW0ceIteSYlYtjG202TSZnR-Kj6vR7I8pJsgFtUunb

Signatures

Contains code to disable Windows Defender 4 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/files/0x0008000000015d75-10.dat	disable_win_def
behavioral1/files/0x0008000000015d7f-9.dat	disable_win_def
behavioral1/memory/2708-38-0x0000000000400000-0x000000000040A000-memory.dmp	disable_win_def
behavioral1/memory/2720-50-0x0000000000400000-0x0000000001701000-memory.dmp	disable_win_def

Detect Umbral payload 3 IoCs

resource	yara_rule
behavioral1/memory/1628-131-0x00000000009A0000-0x0000000000D46000-memory.dmp	family_umbral
behavioral1/memory/1628-130-0x00000000009A0000-0x0000000000D46000-memory.dmp	family_umbral
behavioral1/memory/1628-215-0x00000000009A0000-0x0000000000D46000-memory.dmp	family_umbral

Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 2 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	WScript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	WScript.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 8 IoCs

defense_evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	WScript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	WScript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	WScript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	WScript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	WScript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	WScript.exe

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Executes dropped EXE 6 IoCs

pid	Process
2708	AV7.6.exe
324	service.exe
344	OldUpdate.exe
1628	Update.exe
2192	OldUpdate.exe
1192	Process not Found

Loads dropped DLL 7 IoCs

pid	Process
2720	7727b8188b78a605f766578aab1cb995.exe
2720	7727b8188b78a605f766578aab1cb995.exe
2720	7727b8188b78a605f766578aab1cb995.exe
2720	7727b8188b78a605f766578aab1cb995.exe
2720	7727b8188b78a605f766578aab1cb995.exe
344	OldUpdate.exe
2192	OldUpdate.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 22 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1800	powershell.exe
2700	powershell.exe
3000	powershell.exe
660	powershell.exe
904	powershell.exe
2984	powershell.exe
992	powershell.exe
1940	powershell.exe
1656	powershell.exe
1496	powershell.exe
1296	powershell.exe
1716	powershell.exe
2848	powershell.exe
472	powershell.exe
1952	powershell.exe
2032	powershell.exe
1472	powershell.exe
1528	powershell.exe
2056	powershell.exe
1944	powershell.exe
1600	powershell.exe
792	powershell.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ip-api.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32.exe	7727b8188b78a605f766578aab1cb995.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
324	service.exe
1628	Update.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000500000001a325-99.dat	upx
behavioral1/memory/2192-101-0x000007FEF5280000-0x000007FEF5868000-memory.dmp	upx
behavioral1/memory/2192-216-0x000007FEF5280000-0x000007FEF5868000-memory.dmp	upx

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0007000000015e47-31.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 33 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7727b8188b78a605f766578aab1cb995.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AV7.6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
324	service.exe
904	powershell.exe
2056	powershell.exe
792	powershell.exe
2984	powershell.exe
1940	powershell.exe
660	powershell.exe
1528	powershell.exe
992	powershell.exe
1296	powershell.exe
2032	powershell.exe
3000	powershell.exe
2848	powershell.exe
1600	powershell.exe
2700	powershell.exe
1952	powershell.exe
1800	powershell.exe
1944	powershell.exe
1472	powershell.exe
1656	powershell.exe
1496	powershell.exe
1716	powershell.exe
472	powershell.exe

Suspicious use of AdjustPrivilegeToken 63 IoCs

description	pid	Process
Token: SeDebugPrivilege	904	powershell.exe
Token: SeDebugPrivilege	2056	powershell.exe
Token: SeDebugPrivilege	792	powershell.exe
Token: SeDebugPrivilege	2984	powershell.exe
Token: SeDebugPrivilege	1940	powershell.exe
Token: SeDebugPrivilege	660	powershell.exe
Token: SeDebugPrivilege	1528	powershell.exe
Token: SeDebugPrivilege	992	powershell.exe
Token: SeDebugPrivilege	1296	powershell.exe
Token: SeDebugPrivilege	2032	powershell.exe
Token: SeDebugPrivilege	3000	powershell.exe
Token: SeDebugPrivilege	2848	powershell.exe
Token: SeDebugPrivilege	1600	powershell.exe
Token: SeDebugPrivilege	2700	powershell.exe
Token: SeDebugPrivilege	1952	powershell.exe
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeDebugPrivilege	1496	powershell.exe
Token: SeDebugPrivilege	1656	powershell.exe
Token: SeDebugPrivilege	1472	powershell.exe
Token: SeDebugPrivilege	1944	powershell.exe
Token: SeDebugPrivilege	1716	powershell.exe
Token: SeDebugPrivilege	472	powershell.exe
Token: SeDebugPrivilege	1628	Update.exe
Token: SeIncreaseQuotaPrivilege	2356	wmic.exe
Token: SeSecurityPrivilege	2356	wmic.exe
Token: SeTakeOwnershipPrivilege	2356	wmic.exe
Token: SeLoadDriverPrivilege	2356	wmic.exe
Token: SeSystemProfilePrivilege	2356	wmic.exe
Token: SeSystemtimePrivilege	2356	wmic.exe
Token: SeProfSingleProcessPrivilege	2356	wmic.exe
Token: SeIncBasePriorityPrivilege	2356	wmic.exe
Token: SeCreatePagefilePrivilege	2356	wmic.exe
Token: SeBackupPrivilege	2356	wmic.exe
Token: SeRestorePrivilege	2356	wmic.exe
Token: SeShutdownPrivilege	2356	wmic.exe
Token: SeDebugPrivilege	2356	wmic.exe
Token: SeSystemEnvironmentPrivilege	2356	wmic.exe
Token: SeRemoteShutdownPrivilege	2356	wmic.exe
Token: SeUndockPrivilege	2356	wmic.exe
Token: SeManageVolumePrivilege	2356	wmic.exe
Token: 33	2356	wmic.exe
Token: 34	2356	wmic.exe
Token: 35	2356	wmic.exe
Token: SeIncreaseQuotaPrivilege	2356	wmic.exe
Token: SeSecurityPrivilege	2356	wmic.exe
Token: SeTakeOwnershipPrivilege	2356	wmic.exe
Token: SeLoadDriverPrivilege	2356	wmic.exe
Token: SeSystemProfilePrivilege	2356	wmic.exe
Token: SeSystemtimePrivilege	2356	wmic.exe
Token: SeProfSingleProcessPrivilege	2356	wmic.exe
Token: SeIncBasePriorityPrivilege	2356	wmic.exe
Token: SeCreatePagefilePrivilege	2356	wmic.exe
Token: SeBackupPrivilege	2356	wmic.exe
Token: SeRestorePrivilege	2356	wmic.exe
Token: SeShutdownPrivilege	2356	wmic.exe
Token: SeDebugPrivilege	2356	wmic.exe
Token: SeSystemEnvironmentPrivilege	2356	wmic.exe
Token: SeRemoteShutdownPrivilege	2356	wmic.exe
Token: SeUndockPrivilege	2356	wmic.exe
Token: SeManageVolumePrivilege	2356	wmic.exe
Token: 33	2356	wmic.exe
Token: 34	2356	wmic.exe
Token: 35	2356	wmic.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
324	service.exe
1628	Update.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2720 wrote to memory of 2688	2720	7727b8188b78a605f766578aab1cb995.exe	30
PID 2720 wrote to memory of 2688	2720	7727b8188b78a605f766578aab1cb995.exe	30
PID 2720 wrote to memory of 2688	2720	7727b8188b78a605f766578aab1cb995.exe	30
PID 2720 wrote to memory of 2688	2720	7727b8188b78a605f766578aab1cb995.exe	30
PID 2720 wrote to memory of 2840	2720	7727b8188b78a605f766578aab1cb995.exe	31
PID 2720 wrote to memory of 2840	2720	7727b8188b78a605f766578aab1cb995.exe	31
PID 2720 wrote to memory of 2840	2720	7727b8188b78a605f766578aab1cb995.exe	31
PID 2720 wrote to memory of 2840	2720	7727b8188b78a605f766578aab1cb995.exe	31
PID 2720 wrote to memory of 2708	2720	7727b8188b78a605f766578aab1cb995.exe	32
PID 2720 wrote to memory of 2708	2720	7727b8188b78a605f766578aab1cb995.exe	32
PID 2720 wrote to memory of 2708	2720	7727b8188b78a605f766578aab1cb995.exe	32
PID 2720 wrote to memory of 2708	2720	7727b8188b78a605f766578aab1cb995.exe	32
PID 2840 wrote to memory of 2644	2840	WScript.exe	33
PID 2840 wrote to memory of 2644	2840	WScript.exe	33
PID 2840 wrote to memory of 2644	2840	WScript.exe	33
PID 2840 wrote to memory of 2644	2840	WScript.exe	33
PID 2720 wrote to memory of 324	2720	7727b8188b78a605f766578aab1cb995.exe	34
PID 2720 wrote to memory of 324	2720	7727b8188b78a605f766578aab1cb995.exe	34
PID 2720 wrote to memory of 324	2720	7727b8188b78a605f766578aab1cb995.exe	34
PID 2720 wrote to memory of 324	2720	7727b8188b78a605f766578aab1cb995.exe	34
PID 2708 wrote to memory of 528	2708	AV7.6.exe	35
PID 2708 wrote to memory of 528	2708	AV7.6.exe	35
PID 2708 wrote to memory of 528	2708	AV7.6.exe	35
PID 2708 wrote to memory of 528	2708	AV7.6.exe	35
PID 2720 wrote to memory of 344	2720	7727b8188b78a605f766578aab1cb995.exe	36
PID 2720 wrote to memory of 344	2720	7727b8188b78a605f766578aab1cb995.exe	36
PID 2720 wrote to memory of 344	2720	7727b8188b78a605f766578aab1cb995.exe	36
PID 2720 wrote to memory of 344	2720	7727b8188b78a605f766578aab1cb995.exe	36
PID 2708 wrote to memory of 1096	2708	AV7.6.exe	37
PID 2708 wrote to memory of 1096	2708	AV7.6.exe	37
PID 2708 wrote to memory of 1096	2708	AV7.6.exe	37
PID 2708 wrote to memory of 1096	2708	AV7.6.exe	37
PID 2720 wrote to memory of 1628	2720	7727b8188b78a605f766578aab1cb995.exe	38
PID 2720 wrote to memory of 1628	2720	7727b8188b78a605f766578aab1cb995.exe	38
PID 2720 wrote to memory of 1628	2720	7727b8188b78a605f766578aab1cb995.exe	38
PID 2720 wrote to memory of 1628	2720	7727b8188b78a605f766578aab1cb995.exe	38
PID 2720 wrote to memory of 1628	2720	7727b8188b78a605f766578aab1cb995.exe	38
PID 2720 wrote to memory of 1628	2720	7727b8188b78a605f766578aab1cb995.exe	38
PID 2720 wrote to memory of 1628	2720	7727b8188b78a605f766578aab1cb995.exe	38
PID 1096 wrote to memory of 2544	1096	WScript.exe	39
PID 1096 wrote to memory of 2544	1096	WScript.exe	39
PID 1096 wrote to memory of 2544	1096	WScript.exe	39
PID 1096 wrote to memory of 2544	1096	WScript.exe	39
PID 2644 wrote to memory of 2848	2644	WScript.exe	40
PID 2644 wrote to memory of 2848	2644	WScript.exe	40
PID 2644 wrote to memory of 2848	2644	WScript.exe	40
PID 2644 wrote to memory of 2848	2644	WScript.exe	40
PID 344 wrote to memory of 2192	344	OldUpdate.exe	41
PID 344 wrote to memory of 2192	344	OldUpdate.exe	41
PID 344 wrote to memory of 2192	344	OldUpdate.exe	41
PID 2644 wrote to memory of 1940	2644	WScript.exe	42
PID 2644 wrote to memory of 1940	2644	WScript.exe	42
PID 2644 wrote to memory of 1940	2644	WScript.exe	42
PID 2644 wrote to memory of 1940	2644	WScript.exe	42
PID 2644 wrote to memory of 1800	2644	WScript.exe	45
PID 2644 wrote to memory of 1800	2644	WScript.exe	45
PID 2644 wrote to memory of 1800	2644	WScript.exe	45
PID 2644 wrote to memory of 1800	2644	WScript.exe	45
PID 2644 wrote to memory of 2032	2644	WScript.exe	46
PID 2644 wrote to memory of 2032	2644	WScript.exe	46
PID 2644 wrote to memory of 2032	2644	WScript.exe	46
PID 2644 wrote to memory of 2032	2644	WScript.exe	46
PID 2644 wrote to memory of 1952	2644	WScript.exe	49
PID 2644 wrote to memory of 1952	2644	WScript.exe	49

C:\Users\Admin\AppData\Local\Temp\7727b8188b78a605f766578aab1cb995.exe
"C:\Users\Admin\AppData\Local\Temp\7727b8188b78a605f766578aab1cb995.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\V2.5.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2688
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\V5.1.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\SysWOW64\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\V5.1.vbs" /elevate
    3⤵
    - Modifies Windows Defender DisableAntiSpyware settings
    - Modifies Windows Defender Real-time Protection settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2848
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBehaviorMonitoring $true
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1940
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1800
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2032
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1952
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1656
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:660
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1472
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:904
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1944
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2056
- C:\Users\Admin\AppData\Local\Temp\AV7.6.exe
  "C:\Users\Admin\AppData\Local\Temp\AV7.6.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\V2.5.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:528
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\V5.1.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1096
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\SysWOW64\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\V5.1.vbs" /elevate
      4⤵
      Modifies Windows Defender DisableAntiSpyware settings
      Modifies Windows Defender Real-time Protection settings
      System Location Discovery: System Language Discovery
      PID:2544
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1528
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBehaviorMonitoring $true
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:992
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3000
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:792
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1496
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2984
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1296
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1716
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1600
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:472
- C:\Users\Admin\AppData\Local\Temp\service.exe
  "C:\Users\Admin\AppData\Local\Temp\service.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:324
- C:\Users\Admin\AppData\Local\Temp\OldUpdate.exe
  "C:\Users\Admin\AppData\Local\Temp\OldUpdate.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:344
- - C:\Users\Admin\AppData\Local\Temp\OldUpdate.exe
    "C:\Users\Admin\AppData\Local\Temp\OldUpdate.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2192
- C:\Users\Admin\AppData\Local\Temp\Update.exe
  "C:\Users\Admin\AppData\Local\Temp\Update.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1628
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\V2.5.vbs

Filesize
313B

MD5
b0bf0a477bcca312021177572311e666

SHA1
ea77332d7779938ae8e92ad35d6dea4f4be37a92

SHA256
af42a17d428c8e9d6f4a6d3393ec268f4d12bbfd01a897d87275482a45c847e9

SHA512
09366608f2670d2eb0e8ddcacd081a7b2d7b680c4cdd02494d08821dbdf17595b30e88f6ce0888591592e7caa422414a895846a268fd63e8243074972c9f52d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\V5.1.vbs

Filesize
1KB

MD5
3183ab3e54079f5094f0438ad5d460f6

SHA1
850eacdf078b851378fee9b83a895a247f3ff1ed

SHA256
16da599511714cce9fd5888b1cc06bdb44857fc9147f9a2b5eed422d9ae40415

SHA512
31e996ae9eaf26a7292a6c3c0d7a4284228dec13d082a82f0b5f8825cd265a249e266b5a99c755f41dfd370ce8a179ad29780311c1f49f89dc80f5e4a99ce31e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3442\python311.dll

Filesize
1.6MB

MD5
db09c9bbec6134db1766d369c339a0a1

SHA1
c156d9f2d0e80b4cf41794cd9b8b1e8a352e0a0b

SHA256
b1aac1e461174bbae952434e4dac092590d72b9832a04457c94bd9bb7ee8ad79

SHA512
653a7fff6a2b6bffb9ea2c0b72ddb83c9c53d555e798eea47101b0d932358180a01af2b9dab9c27723057439c1eaffb8d84b9b41f6f9cd1c3c934f1794104d45

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
0f9ebbe7dc2bb65fa6444672926fbd01

SHA1
2825d15441254d04b3c3312a3d186172c6ac69a4

SHA256
2a577e1c9414b383b29ff5716c8063324957bd9b60334d1d7725adf357977eb6

SHA512
6065a6f3339b92c2ab83a75ae3423d9190c51c9725ca233b26f31a5c5c6c1cd0bc87c0e0cf50b22cb390980e1f2d74ada7bf1c5cf08c839c0ea66711f41cda4c

Download Submit
\Users\Admin\AppData\Local\Temp\AV7.6.exe

Filesize
11KB

MD5
b8dc7fed765d83b88e907e78564d2508

SHA1
5f422b6a7cfdbd8eef0531056037b693e181dbe7

SHA256
a963b8059802e7a957627ef91d2c2fdee2671ad7d1627a34c0b39cf8e51c802f

SHA512
dd3bcb1738433be42e9eaff273e90e5e049fbc20540a3a20d117db8acf0e8e20e9e4c8bb243c4e3655fab179c0c1f30190c82370e02b1866db86edc5511c38bb

Download Submit
\Users\Admin\AppData\Local\Temp\OldUpdate.exe

Filesize
11.0MB

MD5
1402c059929ed46f4e1285dc6aeed9bd

SHA1
e0bd2d6a8a43423eec705817604f28b57ce07e71

SHA256
1bb087fc008f5f349f8ee9ef7a9b26afafd9d20e1e3668a72f81b676184f6235

SHA512
c4c3d26bfa06584014d6ac68365fe32e2f29353cd25a455e335a745b75be2577d394ba1d4a6b683057a8ac677932ed3264b2d3be7632e9270f1119455b21d3e9

Download Submit
\Users\Admin\AppData\Local\Temp\Update.exe

Filesize
1.1MB

MD5
bec76763245338a16c702be508f39e9a

SHA1
df300e6e42f8187243078bf3505a2e325923cb80

SHA256
49e9ff578bafe596be1a6757ddd9c59ff8b13f6ace03227f7a836520f6f50960

SHA512
3bd6dd997762a5c15156286ccf145044240b83846a2311d9db24f97f0dc623513166408e78eef6317231c6d0517362fb31e3bff8d1566ac96109466cfc9e7e8e

Download Submit
\Users\Admin\AppData\Local\Temp\service.exe

Filesize
2.6MB

MD5
a20ecd40423b7957b533974afe24f8ec

SHA1
10f90f6cd40eafa01aa1fc372db16f891ee8241d

SHA256
bc6b3b4d57c44a321d0b5950dcdfab45c3785b78d5863bceccb4dc850709ed96

SHA512
7bf012d5fdb287e74051558f8242d1edbb6f5e772c64856ff2b3657e91d187d05d83eca5e8889a4c791f7d2f58e95f1cfc829da233871dc3f2fbf668149daecc

Download Submit
memory/324-30-0x00000000013C0000-0x00000000017A9000-memory.dmp

Filesize
3.9MB

Download
memory/324-212-0x00000000013C0000-0x00000000017A9000-memory.dmp

Filesize
3.9MB

Download
memory/1628-130-0x00000000009A0000-0x0000000000D46000-memory.dmp

Filesize
3.6MB

Download
memory/1628-52-0x00000000009A0000-0x0000000000D46000-memory.dmp

Filesize
3.6MB

Download
memory/1628-131-0x00000000009A0000-0x0000000000D46000-memory.dmp

Filesize
3.6MB

Download
memory/1628-215-0x00000000009A0000-0x0000000000D46000-memory.dmp

Filesize
3.6MB

Download
memory/2192-101-0x000007FEF5280000-0x000007FEF5868000-memory.dmp

Filesize
5.9MB

Download
memory/2192-216-0x000007FEF5280000-0x000007FEF5868000-memory.dmp

Filesize
5.9MB

Download
memory/2708-38-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2720-44-0x0000000004C60000-0x0000000005006000-memory.dmp

Filesize
3.6MB

Download
memory/2720-50-0x0000000000400000-0x0000000001701000-memory.dmp

Filesize
19.0MB

Download
memory/2720-23-0x0000000004F80000-0x0000000005369000-memory.dmp

Filesize
3.9MB

Download