General

Target: lol.exe
Size: 9.2MB
Sample: 240523-rvzjcaed2z
MD5: d34b17e6ea6ac4905395e642fccb4b41
SHA1: 28077dd98405dc4d81ab23a5d4b8d3bd1641c1f7
SHA256: 76f7d049dcc9d1ce18c0a6e9ecdb1330a4cc3c01338a4048a8d0801a0d54cf52
SHA512: db566fa061db5592329fe2719c4083c8c8d17f032f7f6a36c899c3c9aa02a4766edc4711547b0ad6bc8e6cb4d61d10a3961850fe9a8993bf5f4f2da617ee3909
SSDEEP: 196608:tbVYKe7PTQhn5EQ9hNQAYzA5k6cTWDn7JKObS09BBI3:pzuQ5EWheYkv8LlB23
Malware Config
(no extracted configuration is listed in this report)

Targets

Target: lol.exe (9.2MB; MD5, SHA1, SHA256, SHA512 and SSDEEP identical to the General section above)

Signatures
- Detect Umbral payload
- Modifies WinLogon for persistence
  The report does not show which value was written. In general this technique (ATT&CK T1547.004) rewrites Userinit, Shell or a Notify subkey under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, so those are the values to compare against a known-good host when triaging.
- .NET Reactor protector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence. The GeoID is typically read from HKCU\Control Panel\International\Geo\Nation; a sample that exits early on certain values will look benign in a sandbox whose locale it excludes.
- Executes dropped EXE
- AutoIT Executable
  AutoIT scripts compiled to PE executables. Together with the .NET Reactor and "Executes dropped EXE" hits, this is consistent with an AutoIt-compiled wrapper that drops and runs a protected .NET payload, although the report itself does not state the chain.
MITRE ATT&CK Enterprise v15

Privilege Escalation
- Abuse Elevation Control Mechanism (T1548): 1
  - Bypass User Account Control (T1548.002): 1
- Boot or Logon Autostart Execution (T1547): 1
  - Winlogon Helper DLL (T1547.004): 1

The numbers are signature hit counts from the report. The T1547.004 mapping corresponds to the "Modifies WinLogon for persistence" signature; no visible signature explains the UAC bypass mapping, so treat that entry as unconfirmed until the full signature list is reviewed.