General

  • Target

    lol.exe

  • Size

    9.2MB

  • Sample

    240523-rvzjcaed2z

  • MD5

    d34b17e6ea6ac4905395e642fccb4b41

  • SHA1

    28077dd98405dc4d81ab23a5d4b8d3bd1641c1f7

  • SHA256

    76f7d049dcc9d1ce18c0a6e9ecdb1330a4cc3c01338a4048a8d0801a0d54cf52

  • SHA512

    db566fa061db5592329fe2719c4083c8c8d17f032f7f6a36c899c3c9aa02a4766edc4711547b0ad6bc8e6cb4d61d10a3961850fe9a8993bf5f4f2da617ee3909

  • SSDEEP

    196608:tbVYKe7PTQhn5EQ9hNQAYzA5k6cTWDn7JKObS09BBI3:pzuQ5EWheYkv8LlB23

Malware Config

Targets

    • Detect Umbral payload

    • Modifies WinLogon for persistence

    • UAC bypass

    • Umbral

      Umbral stealer is an open-source modular stealer written in C#.

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • .NET Reactor protector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Executes dropped EXE

    • Checks whether UAC is enabled

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

MITRE ATT&CK Matrix (ATT&CK v13)

Each entry is listed as Technique (ATT&CK ID): count.

Persistence

  • Boot or Logon Autostart Execution (T1547): 1
  • Winlogon Helper DLL (T1547.004): 1

Privilege Escalation

  • Boot or Logon Autostart Execution (T1547): 1
  • Winlogon Helper DLL (T1547.004): 1
  • Abuse Elevation Control Mechanism (T1548): 1
  • Bypass User Account Control (T1548.002): 1

Defense Evasion

  • Modify Registry (T1112): 3
  • Abuse Elevation Control Mechanism (T1548): 1
  • Bypass User Account Control (T1548.002): 1
  • Impair Defenses (T1562): 1
  • Disable or Modify Tools (T1562.001): 1

Discovery

  • Query Registry (T1012): 2
  • System Information Discovery (T1082): 4

Tasks