Overview

overview

10

Static

static

3

NeuraX-Spo...MP.exe

windows7-x64

10

NeuraX-Spo...MP.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    125s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-02-2025 07:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NeuraX-SpooferTEMP.exe

  • Size

    368KB

  • MD5

    35c6f16313a956763c7402b49499b1f9

  • SHA1

    8f12a11413044b39cdd626be408aaae50254e4a5

  • SHA256

    d76a5a1ae2f2537b56c7e0499ab5f0c8ea28d7efbbc9793a5174aabbedc74f4e

  • SHA512

    fa16a5e069f5c0133674c5d3a515162a43c68cb619cf646b499fbd20b66dbc50a1dcd38003eeaa9335a95d432a8aa5bca1d0d6814011007d46b80e9556331cac

  • SSDEEP

    6144:/3KWL1LMxGp99JRlnzN6gqoZ7zms0oXgd6TKU6EKKXclsBGlDstmvcHcI0us:/PLMxGpPJvzNZZ7iqgoTR2+ED0m0Hc6

Score
10/10
umbralxwormratstealertrojan

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1339055156502986883/hV7TgqQ9AafNGFGpp7dC-W403JrFQJgWGzHFHp2kf7TXQCcWELY6esk8kBXS_EYrIukR

Extracted

Family

xworm

C2

127.0.0.1:3913

purpose-perth.gl.at.ply.gg:3913

127.0.0.1:14182

figure-cement.gl.at.ply.gg:14182
Attributes
  • Install_directory

    %Userprofile%

  • install_file

    USB.exe

Signatures

  • Detect Umbral payload 2 IoCs
  • Detect Xworm Payload 4 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Umbral family
    umbral
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NeuraX-SpooferTEMP.exe
    "C:\Users\Admin\AppData\Local\Temp\NeuraX-SpooferTEMP.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1572
    • C:\Users\Admin\AppData\Roaming\skibidi.exe
      "C:\Users\Admin\AppData\Roaming\skibidi.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2100
    • C:\Users\Admin\AppData\Roaming\Loader.exe
      "C:\Users\Admin\AppData\Roaming\Loader.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1264
    • C:\Users\Admin\AppData\Roaming\NeuraX - CLeaner.exe
      "C:\Users\Admin\AppData\Roaming\NeuraX - CLeaner.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3496
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1652

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Loader.exe
    Filesize

    60KB

    MD5

    8d81cb248bc3cabb8f870d305c9da628

    SHA1

    2faf8b5e88d237198cf3a0d83dce6eeb72df5905

    SHA256

    864adf43fb7566bc89eddae126babe13e9556d9da44ef4ef6e81484559289ac9

    SHA512

    c93a22d82719c6da6123fc81caa1b714e828ec14c85931da3890fe548094103f80793c5c1de67af0b93f2d078ee410a10a5b3896ba512b385759ab9dae26a28d

    Download Submit

  • C:\Users\Admin\AppData\Roaming\NeuraX - CLeaner.exe
    Filesize

    231KB

    MD5

    c4f0439175ac80f05ffec5da48d45ed4

    SHA1

    45350dbb06357d1230dba9184f1899d9d737866c

    SHA256

    a5c3af3b30e50f1202cafd220074543bc956de20186abe3f750163223da4528a

    SHA512

    ebb6c0c650e051761dad6d969f2da3e433998d5d01d28823fed5652aeb85aaacfbcc6b849d7d4bc01967d9552b9f862b50ced554ab932c12b5b7a683fdc0bfbd

    Download Submit

  • C:\Users\Admin\AppData\Roaming\skibidi.exe
    Filesize

    57KB

    MD5

    94d345c8c8058719dfcc325caf73ce94

    SHA1

    c8ed543bdd54e52f3b6624f5820dd5d2e05e1367

    SHA256

    e0882f68128a2b2e2aa7b8473d31e47691f8bce2c76dd293dae24bbf8c8a1918

    SHA512

    deb8b44169b1217f0598ae32b9bc101e04074226630da81239581d51682cd19172e0a9d56fb4a27434fd343b32bcf8fe926a299bad686e2ebdbde2646b88d1dd

    Download Submit

  • memory/1264-38-0x00000000007C0000-0x00000000007D6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1264-40-0x00007FF90ECC0000-0x00007FF90F781000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1264-45-0x00007FF90ECC0000-0x00007FF90F781000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1572-0-0x00007FF90ECC3000-0x00007FF90ECC5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1572-1-0x0000000000540000-0x00000000005A2000-memory.dmp

    Filesize

    392KB

    Download

  • memory/2100-34-0x0000000000FB0000-0x0000000000FC4000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2100-39-0x00007FF90ECC0000-0x00007FF90F781000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2100-46-0x00007FF90ECC0000-0x00007FF90F781000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3496-37-0x0000018B00AD0000-0x0000018B00B10000-memory.dmp

    Filesize

    256KB

    Download