General
- Target: Client1.exe
- Size: 747KB
- Sample: 240527-pryfrscc3t
- MD5: c8d8bf0cef0eb986664a7653b30062b6
- SHA1: da1957c3bcd76a71d8182fd42a677e5aeaf76cde
- SHA256: e3b98f944dd0cf41f0955cbc2b8858d249a39f69568ea82286d14e20d8e9c910
- SHA512: 34278aee895a03cd76b56278c5b362aa013d83f8be355fd5fdac442e19eaf5a60477f317cdeac157ba69785661866ff41d6051c1cb40ecb473c2814c5d0c672a
- SSDEEP: 12288:+cWW/gSKBvPVle8c6bn3VG0jMRxPjT90n/4mhBE:+CNEVXePjT90ww
Static task
- static1
Malware Config
- Extracted family: umbral
- Discord webhook (exfiltration/C2 channel): https://discord.com/api/webhooks/1243097311723393148/0kJSMmx_-19_4524KFq8Hz7UKUelS_Uh7rQ6mExsss1TqjKf8JjJJVNCnPnFTM52o-iH
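How a webhook like the one above is typically recovered from the binary, as an added example that is not tria.ge's or Umbral's own code: Umbral is a .NET stealer, so its string literals sit in the file as UTF-16LE and a plain ASCII strings pass misses them. The extractor below scans both encodings and both UTF-16 byte alignments. The SAMPLE buffer is constructed, and its webhook ID and token are placeholders, not the values from this report.

```python
"""Added example (not tria.ge's or Umbral's own code): recover a Discord webhook URL
from a binary. .NET string literals are UTF-16LE, so we scan ASCII and UTF-16LE.
SAMPLE below is constructed; its webhook ID/token are placeholders."""
import re

# Discord webhook: numeric snowflake ID, then a 60-80 char base64url-style token.
WEBHOOK_RE = re.compile(
    rb"https://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/(\d{17,20})/([A-Za-z0-9_-]{60,80})"
)


def _utf16le_view(data: bytes, start: int) -> bytes:
    """Project UTF-16LE text onto ASCII so one regex serves both encodings.
    Only (printable ASCII, 0x00) pairs survive; anything else becomes a newline,
    which also stops the regex from bridging two unrelated strings."""
    out = bytearray()
    for i in range(start, len(data) - 1, 2):
        lo, hi = data[i], data[i + 1]
        out.append(lo if hi == 0 and 0x20 <= lo < 0x7F else 0x0A)
    return bytes(out)


def extract_webhooks(data: bytes) -> list[dict]:
    """Return unique webhook hits with the encoding they were found in."""
    views = [
        ("ascii", data),
        ("utf-16le", _utf16le_view(data, 0)),   # even alignment
        ("utf-16le", _utf16le_view(data, 1)),   # odd alignment (strings need not be 2-byte aligned)
    ]
    hits: dict[str, dict] = {}
    for encoding, buf in views:
        for m in WEBHOOK_RE.finditer(buf):
            url = m.group(0).decode("ascii")
            hits.setdefault(url, {"url": url, "webhook_id": m.group(1).decode("ascii"), "encoding": encoding})
    return list(hits.values())


# Constructed stand-in for a binary: an odd-length prefix (to exercise the alignment
# handling), a malformed ASCII decoy that must not match, then the UTF-16LE literal.
PLACEHOLDER_URL = "https://discord.com/api/webhooks/123456789012345678/" + "EXAMPLETOKEN" + "0" * 56
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 9
    + b"decoy https://discord.com/api/webhooks/abc/def\x00"
    + PLACEHOLDER_URL.encode("utf-16le")
    + b"\x00\x00trailing"
)

if __name__ == "__main__":
    for hit in extract_webhooks(SAMPLE):
        print(f"{hit['encoding']:8} id={hit['webhook_id']} {hit['url']}")
```

The webhook ID (the snowflake) is the part worth recording separately: it identifies the webhook for abuse reports even after the token is rotated, and a match found only in the UTF-16LE view is the usual outcome for .NET stealers of this kind.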
Targets
- Target: Client1.exe
- Size: 747KB
- MD5: c8d8bf0cef0eb986664a7653b30062b6
- SHA1: da1957c3bcd76a71d8182fd42a677e5aeaf76cde
- SHA256: e3b98f944dd0cf41f0955cbc2b8858d249a39f69568ea82286d14e20d8e9c910
- SHA512: 34278aee895a03cd76b56278c5b362aa013d83f8be355fd5fdac442e19eaf5a60477f317cdeac157ba69785661866ff41d6051c1cb40ecb473c2814c5d0c672a
- SSDEEP: 12288:+cWW/gSKBvPVle8c6bn3VG0jMRxPjT90n/4mhBE:+CNEVXePjT90ww
Signatures
- Detect Umbral payload
- Modifies WinLogon for persistence
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Disables Task Manager via registry modification
- Disables cmd.exe use via registry modification
- Drops file in Drivers directory
- Modifies AppInit DLL entries
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
  The Discord webhook in the extracted config is the channel in question.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
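The signatures above as host-side detection logic, as an added example that is not tria.ge's code and not taken from the sample: each rule replays one listed behaviour over Sysmon-style process, registry, file and network events and tags the hit with its ATT&CK technique. The events are constructed. The registry paths are the standard locations for these settings; the IP-lookup hostnames and the Control Panel\International\Geo\Nation key are assumptions about where the "external IP" and "location" checks usually surface, since the report does not say which service or key this sample used.

```python
"""Added example (not tria.ge's or the sample's code): replay the report's behaviours as
rules over Sysmon-style events. EVENTS are constructed; the IP-lookup hosts and the
Geo\\Nation key are assumptions about where these checks usually surface."""
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Event:
    kind: str                                  # "process", "registry", "file" or "network"
    fields: dict = field(default_factory=dict)


def _reg(ev: Event, key_re: str, value_re: Optional[str] = None, data_re: Optional[str] = None):
    """Match a registry event on key suffix, value name and (optionally) exact data."""
    if ev.kind != "registry":
        return False
    f = ev.fields
    return (re.search(key_re, f.get("key", ""), re.I)
            and (value_re is None or re.fullmatch(value_re, f.get("value", ""), re.I))
            and (data_re is None or re.fullmatch(data_re, str(f.get("data", "")), re.I)))


def _proc(ev: Event, image_re: str, cmd_re: str):
    return (ev.kind == "process"
            and re.search(image_re, ev.fields.get("image", ""), re.I)
            and re.search(cmd_re, ev.fields.get("cmdline", ""), re.I))


def _net(ev: Event, url_re: str):
    return ev.kind == "network" and re.search(url_re, ev.fields.get("url", ""), re.I)


# (report signature, ATT&CK technique, predicate)
RULES = [
    ("Run PowerShell to add Windows Defender exclusions", "T1562.001",
     lambda ev: _proc(ev, r"\\(powershell|pwsh)\.exe$", r"Add-MpPreference\b.*-Exclusion(Path|Extension|Process)")),
    ("Modifies WinLogon for persistence", "T1547.004",
     lambda ev: _reg(ev, r"\\Windows NT\\CurrentVersion\\Winlogon$", r"Shell|Userinit")),
    ("Adds Run key to start application", "T1547.001",
     lambda ev: _reg(ev, r"\\CurrentVersion\\Run(Once)?$")),
    ("Disables Task Manager via registry modification", "T1112",
     lambda ev: _reg(ev, r"\\CurrentVersion\\Policies\\System$", r"DisableTaskMgr", r"1")),
    ("Disables cmd.exe use via registry modification", "T1112",
     lambda ev: _reg(ev, r"\\Policies\\Microsoft\\Windows\\System$", r"DisableCMD", r"[12]")),
    ("Modifies AppInit DLL entries", "T1546.010",
     lambda ev: _reg(ev, r"\\Windows NT\\CurrentVersion\\Windows$", r"AppInit_DLLs")),
    ("Checks computer location settings (likely geofence)", "T1614",      # key location is an assumption
     lambda ev: _reg(ev, r"\\Control Panel\\International\\Geo$", r"Nation")),
    ("Writes to the Master Boot Record (MBR)", "T1542.003",
     lambda ev: ev.kind == "file" and re.fullmatch(r"\\\\\.\\PhysicalDrive\d+", ev.fields.get("path", ""), re.I)),
    ("Legitimate hosting service abused for C2 (Discord webhook)", "T1102",
     lambda ev: _net(ev, r"discord(app)?\.com/api/webhooks/")),
    ("Looks up external IP address via web service", "T1016",              # host list is an assumption
     lambda ev: _net(ev, r"^https?://(api\.ipify\.org|ip-api\.com|ipinfo\.io)\b")),
]


def scan(events: list) -> list:
    """Return (signature, technique, event index) for every rule/event pair that matches."""
    return [(name, tid, i) for i, ev in enumerate(events) for name, tid, pred in RULES if pred(ev)]


EVENTS = [  # constructed telemetry; one event per listed behaviour, then two benign ones
    Event("process", {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                      "cmdline": 'powershell -Command "Add-MpPreference -ExclusionPath C:\\ProgramData -ExclusionProcess payload.exe"'}),
    Event("registry", {"key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "value": "Userinit",
                       "data": r"C:\Windows\system32\userinit.exe,C:\ProgramData\payload.exe"}),
    Event("registry", {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "Updater",
                       "data": r"C:\ProgramData\payload.exe"}),
    Event("registry", {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System", "value": "DisableTaskMgr", "data": 1}),
    Event("registry", {"key": r"HKCU\Software\Policies\Microsoft\Windows\System", "value": "DisableCMD", "data": 2}),
    Event("registry", {"key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows", "value": "AppInit_DLLs", "data": r"C:\ProgramData\hook.dll"}),
    Event("registry", {"key": r"HKCU\Control Panel\International\Geo", "value": "Nation", "op": "query"}),
    Event("file", {"path": r"\\.\PhysicalDrive0", "op": "write"}),
    Event("network", {"url": "https://discord.com/api/webhooks/000000000000000000/EXAMPLETOKEN"}),
    Event("network", {"url": "https://api.ipify.org/?format=json"}),
    Event("registry", {"key": r"HKCU\Software\Microsoft\Office\16.0\Common", "value": "LastUser", "data": "x"}),  # benign
    Event("process", {"image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe readme.txt"}),        # benign
]

if __name__ == "__main__":
    for name, tid, i in scan(EVENTS):
        print(f"event {i:2}: {tid:10} {name}")
```

Two of the rules deserve a caveat when deployed for real: Defender exclusion changes also come from legitimate administration, so the PowerShell rule should be scoped by parent process or user, and a raw write to \\.\PhysicalDrive0 is rare enough on workstations that the MBR rule can stand alone.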
-
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution [T1547] (3)
  - Registry Run Keys / Startup Folder [T1547.001] (2)
  - Winlogon Helper DLL [T1547.004] (1)
- Pre-OS Boot [T1542] (1)
  - Bootkit [T1542.003] (1)
- Scheduled Task/Job [T1053] (1)
Privilege Escalation
- Boot or Logon Autostart Execution [T1547] (3)
  - Registry Run Keys / Startup Folder [T1547.001] (2)
  - Winlogon Helper DLL [T1547.004] (1)
- Scheduled Task/Job [T1053] (1)
Defense Evasion
- Hide Artifacts [T1564] (1)
  - Hidden Files and Directories [T1564.001] (1)
- Modify Registry [T1112] (3)
- Pre-OS Boot [T1542] (1)
  - Bootkit [T1542.003] (1)