General

Target: mc.holyworld.ru.txt
Size: 441B
Sample: 240612-vx9nwawhrn
MD5: 6b5f9725b7fd7348c9c1a70ce5291ecc
SHA1: a36ae0a9f29f72e68fe21947841169fb02e6b973
SHA256: 87bbdc08df5add73d75325002704ab64c57d7e50ebff97b2fc4155b619eb2704
SHA512: d60cd62d5e71fe626fdad52dbb5f71865946a55ad44fa49126257565b52fdd8b20d0be42bb02fda7112e78a1f61b28b77109bf00b46e431cb41d88ad3c63afd3
Static task: static1
Behavioral task: behavioral1
  Sample: mc.holyworld.ru.txt
  Resource: win10v2004-20240611-en
Malware Config

Extracted family: umbral
C2 / exfiltration channel (Discord webhook):
https://discord.com/api/webhooks/1250361429333250119/Ue0qgEfIsngTl30ZNCtwzPjGafoMAt1Nkvz6HdtQyp6-br8N7e5NViVMa77MrDft7Ulq

The path of a Discord webhook URL is <webhook id>/<token>; the token alone is enough to post to the channel, so treat it as a credential to report for takedown, and treat any outbound POST to this path as exfiltration rather than ordinary Discord traffic.
Targets

Target: mc.holyworld.ru.txt
Size: 441B
Score: 10/10

Signatures
- Detect Umbral payload
- Modifies WinLogon for persistence (the Winlogon key under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion; the report does not list which value was written)
- Command and Scripting Interpreter: PowerShell. Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Downloads MZ/PE file
- Drops file in Drivers directory
- Modifies AppInit DLL entries (AppInit_DLLs under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows; the report does not list the value written)
- Checks computer location settings. Looks up the country code configured in the registry, most likely as a geofence check.
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service. Uses a legitimate IP lookup service to find the infected system's external IP.
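The signatures above name behaviours but not the telemetry that would reveal them on a real host. The following is an added example, written for this page and not code from the sandbox or from the Umbral stealer: it parses the webhook URL from the extracted config into its id and token, then runs a small classifier over constructed Sysmon-style event records (process create, file create, registry value set) and reports which of the listed signatures each record would trip. Every path, file name and command line in the event records is hypothetical, constructed to illustrate the behaviours the report lists; none is telemetry from this sample.

```python
"""Host-triage helpers for the behaviours this report lists for Umbral.

Added example, not code from the sandbox or from the stealer. The event records
are constructed to resemble Sysmon Event ID 1 (process create), 11 (file create)
and 13 (registry value set); they are not telemetry from this sample.
"""
import re

# Webhook URL exactly as extracted in the report's Malware Config section.
CONFIG_WEBHOOK = ("https://discord.com/api/webhooks/1250361429333250119/"
                  "Ue0qgEfIsngTl30ZNCtwzPjGafoMAt1Nkvz6HdtQyp6-br8N7e5NViVMa77MrDft7Ulq")

# Discord webhook URLs are /api/webhooks/<webhook id>/<token>.
WEBHOOK_RE = re.compile(
    r"https://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/(\d+)/([\w-]+)")

# Defender exclusions added from PowerShell (Add-/Set-MpPreference -Exclusion*).
DEFENDER_EXCLUSION_RE = re.compile(
    r"\b(?:add|set)-mppreference\b.*?-exclusion(?:path|process|extension)", re.I)

# Registry locations behind the "Winlogon" and "AppInit DLL" signatures (lower-cased).
WINLOGON_KEY = r"hklm\software\microsoft\windows nt\currentversion\winlogon"
WINLOGON_DEFAULTS = {                      # stock values; anything else is suspicious
    "shell": "explorer.exe",
    "userinit": r"c:\windows\system32\userinit.exe,",
}
APPINIT_KEY = r"hklm\software\microsoft\windows nt\currentversion\windows"
APPINIT_VALUES = {"appinit_dlls", "loadappinit_dlls"}
DRIVERS_DIR = "c:\\windows\\system32\\drivers\\"

# Constructed events (hypothetical paths/names), in Sysmon field naming.
EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\Public\update.exe",
     "CommandLine": r"powershell -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\Users\Public' -ExclusionProcess 'update.exe' -ExclusionExtension '.exe'"},
    {"id": 13, "Image": r"C:\Users\Public\update.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "Details": r"C:\Windows\system32\userinit.exe,C:\Users\Public\update.exe"},
    {"id": 13, "Image": r"C:\Users\Public\update.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs",
     "Details": r"C:\Users\Public\hook.dll"},
    {"id": 11, "Image": r"C:\Users\Public\update.exe",
     "TargetFilename": r"C:\Windows\System32\drivers\helper.sys"},
    # Two benign records that must not match anything.
    {"id": 1, "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe", "CommandLine": "explorer.exe"},
    {"id": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Documents\notes.txt"},
]


def parse_webhook(text):
    """Return (webhook_id, token) for the first Discord webhook URL in text, else None."""
    m = WEBHOOK_RE.search(text)
    return (m.group(1), m.group(2)) if m else None


def _split_target(target_object):
    """Split a registry TargetObject into (key, value name), both lower-cased."""
    key, _, value = target_object.rpartition("\\")
    return key.lower(), value.lower()


def classify(event):
    """Return the set of signature tags one event matches (empty for benign records)."""
    tags = set()
    eid = event["id"]
    if eid == 1 and DEFENDER_EXCLUSION_RE.search(event.get("CommandLine", "")):
        tags.add("defender_exclusion")          # "Run Powershell to modify Windows Defender settings"
    elif eid == 13:
        key, value = _split_target(event["TargetObject"])
        data = event.get("Details", "").strip().lower()
        # Only flag Shell/Userinit when set to something other than the stock value.
        if key == WINLOGON_KEY and value in WINLOGON_DEFAULTS and data != WINLOGON_DEFAULTS[value]:
            tags.add("winlogon_persistence")    # "Modifies WinLogon for persistence"
        if key == APPINIT_KEY and value in APPINIT_VALUES and data:
            tags.add("appinit_dll")             # "Modifies AppInit DLL entries"
    elif eid == 11 and event.get("TargetFilename", "").lower().startswith(DRIVERS_DIR):
        tags.add("drivers_drop")                # "Drops file in Drivers directory"
    return tags


def triage(events):
    """Group event indices by matched tag; a tag is present only if some event hit it."""
    hits = {}
    for i, ev in enumerate(events):
        for tag in classify(ev):
            hits.setdefault(tag, []).append(i)
    return hits


if __name__ == "__main__":
    wid, token = parse_webhook(CONFIG_WEBHOOK)
    print(f"webhook id {wid}, token {token[:6]}... (redacted)")
    for tag, idx in sorted(triage(EVENTS).items()):
        print(f"{tag}: events {idx}")
```

Two caveats when turning this into production detection: installers and administrators also run Add-MpPreference, so correlate the PowerShell match with its parent process and the exclusion target rather than alerting on the cmdlet alone; and DNS or TLS traffic to discord.com is far too common to be an indicator by itself, which is why the block keys on the exact webhook path from the config instead of the host name.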
MITRE ATT&CK Enterprise v15 (number of matching signatures per technique)

Tactic               | Technique                          | Signatures
---------------------|------------------------------------|-----------
Persistence          | Boot or Logon Autostart Execution  | 2
Persistence          | Registry Run Keys / Startup Folder | 1
Persistence          | Winlogon Helper DLL                | 1
Persistence          | Scheduled Task/Job                 | 1
Privilege Escalation | Boot or Logon Autostart Execution  | 2
Privilege Escalation | Registry Run Keys / Startup Folder | 1
Privilege Escalation | Winlogon Helper DLL                | 1
Privilege Escalation | Scheduled Task/Job                 | 1
Defense Evasion      | Hide Artifacts                     | 1
Defense Evasion      | Hidden Files and Directories       | 1
Defense Evasion      | Modify Registry                    | 2