General
- Target: inj.vmp.exe
- Size: 22.7MB
- Sample: 240530-ppqyxahh65
- MD5: dee1c4a8e532d17e7df879ec1a6c976b
- SHA1: 6a037eb25dc446471df9799fabf60e605e609736
- SHA256: 769b8a2310c87fdd9be0e00525d0f347b7e0d7fd8e5ecf17f1aa119889b1e654
- SHA512: 326b6ca9ef7487acf89e4d6a3f29984a371dd20e2e5e0fb3269a4a7ecb79984a3d133617d5025aa759441b1fd54f1953a356ccffa847f17774e3b5ec64b308a3
- SSDEEP: 393216:ML1qcoAyijQ73qEjyqB+oriLjzLYlH5g68q4gsVEmoOZCStRQO2Wv:UqksXyqB3AjPYli6ZRWQO2C
Behavioral task: behavioral1
- Sample: inj.vmp.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: inj.vmp.exe
- Resource: win10v2004-20240426-en
Malware Config
Extracted: xworm
- 5.0
- 127.0.0.1:64360
- 19.ip.gl.ply.gg:64360
- fQ7cS52Kya0qPDrO
- Install_directory: %Public%
- install_file: drivers win gui32-64.exe
- telegram: https://api.telegram.org/bot7428011234:AAGLbtvNd_gYGzKdTJ5RNt6COu1jCeNidCs/sendMessage?chat_id=6043308554
Extracted: umbral
- https://discord.com/api/webhooks/1245665414894063698/9HY7oZoZyztJUOo37jUN0IUaDDWwrbOgYQ06gp0QdpH2eHf05kVC8yRyvqaZKUVdWnAm
Targets
- Target: inj.vmp.exe
Signatures
- DcRat
  DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
- Detect Umbral payload
- Detect Xworm payload
- Modifies WinLogon for persistence
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Drops file in Drivers directory
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
Defense Evasion
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Modify Registry (2)