General
- Target: lol.exe
- Size: 20.3MB
- Sample: 240523-2dm44abc83
- MD5: 1da87056da8166d6ed5e04d81aa5522c
- SHA1: f3f81e8e0b116627682ae03ed6f004b2ac46f464
- SHA256: 7bfea7f092cf7638322f351474791f12b66ec22c66f0872f3488256839bc4c45
- SHA512: cd9e5b62cc6918cc496dec0ab610a2d00c88d7e8285521730faecf881892070886c91ef9e0930f579e26d1cae20d09e0b233b365cdeabab4c29957c28e0e1b0f
- SSDEEP: 393216:PzuEpuRT4xFrlZfl23p33X55EWheYkv8LlCTe2x:v4RerlLa3nTEwrkACTec
Malware Config
Extracted: quasar
- reconnect_delay: 3000
Extracted: quasar
- 1.4.1
- romka
- jozzu420-51305.portmap.host:51305
- 0445c342-b551-411c-9b80-cd437437f491
- encryption_key: E1BF1D99459F04CAF668F054744BC2C514B0A3D6
- install_name: Romilyaa.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: Windows 10 Boot
- subdirectory: SubDir
Targets
- Target: lol.exe
- Detect Umbral payload
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Quasar payload
- Disables RegEdit via registry modification
- .NET Reactor protector: Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Modifies file permissions
- Adds Run key to start application
- Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.
- Modifies WinLogon
- AutoIT Executable: AutoIT scripts compiled to PE executables.
- Drops file in System32 directory
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (2)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (2)
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Scheduled Task/Job (1)
Defense Evasion
- Modify Registry (10)
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (3)
  - Disable or Modify Tools (3)
- File and Directory Permissions Modification (1)