Overview

overview

10

Static

static

3

obxod266dev.exe

windows7-x64

10

obxod266dev.exe

windows7-x64

10

obxod266dev.exe

windows10-2004-x64

10

obxod266dev.exe

windows10-ltsc 2021-x64

10

obxod266dev.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20250217-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20250217-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    23-02-2025 10:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    obxod266dev.exe

  • Size

    329KB

  • MD5

    31fc82eeaed45f2389b57ffb9d8f6ea2

  • SHA1

    fd46d4e307b09a372a3bfc0d88b87eeccaf77912

  • SHA256

    dc7f8c7c39bb043da2c19a03504c499e0af367fefee810a8190c1119992e2248

  • SHA512

    418bca3b27a8354e559de8e1333ebc8ff42a5d4f07b42a0ec95775c9a52feb1d61a00006ceefef3be8e30dc07c0fb3123440413a2b16d8d9cc6e468cb9d5c962

  • SSDEEP

    6144:3aDaK7MooumCpZSApAWl2IenY7YDlw+JmS1r8+CMCX:3LK7sk2IKYkp/mYPCX

Score
10/10
umbralxwormexecutionpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

xworm

C2

25.ip.gl.ply.gg:59054

Attributes
  • Install_directory

    %AppData%

  • install_file

    svchost.exe

Signatures

  • Detect Umbral payload 2 IoCs
  • Detect Xworm Payload 2 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Umbral family
    umbral
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    defense_evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\obxod266dev.exe
    "C:\Users\Admin\AppData\Local\Temp\obxod266dev.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4936
    • C:\Users\Admin\AppData\Roaming\obxod 266dev.exe
      "C:\Users\Admin\AppData\Roaming\obxod 266dev.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3036
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\obxod 266dev.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4088
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'obxod 266dev.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:1376
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:3152
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:548
    • C:\Users\Admin\AppData\Roaming\Umbral.exe
      "C:\Users\Admin\AppData\Roaming\Umbral.exe"
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2872
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3572
      • C:\Windows\SYSTEM32\attrib.exe
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Roaming\Umbral.exe"
        3⤵
        • Views/modifies file attributes
        PID:1804
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Umbral.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:3496
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:4472
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:4960
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:5052

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    3KB

    MD5

    0b8cf01605eeab6a2d2ad054db8a9b0a

    SHA1

    a59ede31be83b7096b8fe5cb9f91e9aa88017fc0

    SHA256

    bd0cd35ebfb6a65dc4363d958c7b48afcf1a290bbab8416f443d66099f2d7bf3

    SHA512

    e86324c7e6e3be16999bee30804981439107446c8c4acf5d5a004d835c5ccb6a17c55d1aaab889d7121c19cc83cc0190504d221cc2881444243dc680e0a0239e

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    de2f0f1eb81111b53da009af10ef181c

    SHA1

    98b97f769b3b187c648c8a4e4ec32b7db59f1c13

    SHA256

    ec0299bdbe85e533d346f228af446908c2e388e8e6b130904ff1444e23d2f1f9

    SHA512

    ae2d866fdc311990bcda78504788b62634edc349f681a345490795414f7bd58c16fa95149057a903ccae4779ae5e85e19d1f337d8bd1828778fbc491060c1c80

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    ef2a151278c33bdef0e800500b54934e

    SHA1

    ecb81ab045d4bc8eca0f0837ccfa7e73e44b073d

    SHA256

    a1ddcf3f93dedcb2fa4b7e9685f04585ead0b7f77555c7cf38c15f18db4c6815

    SHA512

    9d13a04fcca79237a20e3897d823913d7db08e15ab20c31d374c9831be3bb46a2760007b98a5d62bf1437e815dfecc700006da80c0cacb5966fbc4a53e0200a0

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    948B

    MD5

    6021e5afcdd1c0ac77fbf7622d2750a4

    SHA1

    bbba3056be8e4feb4b46f528d77e859858837a1c

    SHA256

    fb82fe34b7486f6c07952ac2a68cd58eb401faa7000dc79e77d88ca2839e9854

    SHA512

    1eef4e38651a4310c86d7112de4bf56bd6a4041f9c32b21e3530885453459446211cc58446f577b35844b98b82e64121203d98934d5e77d9282ad93a6a56d0b0

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    8e1fdd1b66d2fee9f6a052524d4ddca5

    SHA1

    0a9d0994559d1be2eecd8b0d6960540ca627bdb6

    SHA256

    4cc7c1b79d1b48582d4dc27ca8c31457b9bf2441deb7914399bb9e6863f18b13

    SHA512

    5a5494b878b08e8515811ab7a3d68780dac7423f5562477d98249a8bedf7ec98567b7cd5d4c6967d6bc63f2d6d9b7da9a65e0eb29d4b955026b469b5b598d1f3

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    fe8f2aae2206d5e208e76df5d4469399

    SHA1

    0b46c41301a288ac29d6bbd5cc5b30f30dc1c66f

    SHA256

    df123c595279f7baa2202aeddbb77b8955d476e7839df70367900e157889da01

    SHA512

    6b5d5001b82ae7d798416d38dcd7c76d1d21efe169a02747db2e0f11917a4fe08d44e93f662b884b81b99f5c0531e276dfeb8372a88ab597ba704b40a7b7ee1e

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    b17d1009b9dabe51495587f4dfc57b2f

    SHA1

    3a888956505980d86a569f07f8a18024e4bc5393

    SHA256

    a90ef3ffdb69fe35c2d36640f92a354530b45c09fcb1b4cd6f98b58ce5d146f3

    SHA512

    b26301bf29fcc78028b14dc68d014490702b2d028d285435e05968d12864468894c7aa8e5c1c239ea23b6c862db69c4fbc9316bfafe3a552b7251f5e1419ea61

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    d362da7956a09236d8817722d1d10a27

    SHA1

    2a308465404274ff271711b4bfce2796f9cbb152

    SHA256

    9a34237d21f71887b283b28ef2a0a302842eecff7d2c3b6e420c286ae2af5602

    SHA512

    2e8ee4b8288f35d18a1fbd64500e6b0c4eea817a198a6411a5c637292f8dca19c66867b9bcf18f8649c369e9b7f2bc4229900be787a974f1ea553da5fe2833d2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fo4hp2ov.lss.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Umbral.exe
    Filesize

    232KB

    MD5

    e486d8aafa368a43a56987dd4d80aa75

    SHA1

    8851fe89928a47a58b50348d9a4458f24e2725f9

    SHA256

    596ac7d2aa525ceb7b82aec1e6376d34f36649f028de442fb0a0021e380db136

    SHA512

    abe413e1277c0ac103778822dcd3f6b03f315fad83731af10284a68fca8ecfa2d2c6b9d9c3e0ec55803a2b31d03ae9c863c430eba23954ccc5f82b2a6d21e573

    Download Submit

  • C:\Users\Admin\AppData\Roaming\obxod 266dev.exe
    Filesize

    80KB

    MD5

    3598f860aacfe53b00c305715a6c7b2f

    SHA1

    70640b2e8a71017cdf5fb8e91fe0b065f89a064b

    SHA256

    b4b8385381c3bb23d821f179a73ff19083d15f7cc6e1c9cc2235da3c382db241

    SHA512

    0b2bfa9e701ba126acb6bf9b9b5df26e8558a59708659ec2981173267d277f44e6b6575f1ceb945a86705796ea8f50c5cd1617ee45fdaabdc68af9b2022e654c

    Download Submit

  • memory/2872-34-0x00007FFD4F8D0000-0x00007FFD50392000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2872-32-0x0000022709320000-0x0000022709360000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2872-147-0x00007FFD4F8D0000-0x00007FFD50392000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2872-142-0x0000022723910000-0x0000022723922000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2872-141-0x0000022709810000-0x000002270981A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2872-116-0x0000022723B70000-0x0000022723B8E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2872-115-0x0000022723A70000-0x0000022723AC0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/2872-89-0x00007FFD4F8D0000-0x00007FFD50392000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2872-114-0x0000022723AF0000-0x0000022723B66000-memory.dmp

    Filesize

    472KB

    Download

  • memory/3036-87-0x00007FFD4F8D0000-0x00007FFD50392000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3036-33-0x00007FFD4F8D0000-0x00007FFD50392000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3036-90-0x00007FFD4F8D0000-0x00007FFD50392000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3036-88-0x00007FFD4F8D0000-0x00007FFD50392000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3036-31-0x00000000001B0000-0x00000000001CA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3152-71-0x000001F1EBB40000-0x000001F1EBD5D000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/4088-47-0x0000023F72380000-0x0000023F7259D000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/4088-44-0x0000023F726A0000-0x0000023F726C2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4936-1-0x0000000000FF0000-0x0000000001048000-memory.dmp

    Filesize

    352KB

    Download

  • memory/4936-0-0x00007FFD4F8D3000-0x00007FFD4F8D5000-memory.dmp

    Filesize

    8KB

    Download