General
-
Target
74e445436b010306f116973c93656630N.exe
-
Size
170KB
-
Sample
240906-gmgcpazcjr
-
MD5
74e445436b010306f116973c93656630
-
SHA1
b1176522355a5863f5c7d7d3ca9db3889bbc485b
-
SHA256
dceb4a5e6cd2b0d37758cff6b217c69472d6bc6844617817fe22fbf86b7b7135
-
SHA512
8a331a232b877e329110bb264efe79baaa1189316ac1cabefd12f82f249cf7c8415aec6e1df300e132ba8b6bcc9265e6b1b39847e3baea1d0f1e7e698ad2e367
-
SSDEEP
3072:hVK2s3mxhbEmdMfQw/eJPGN0wxdFk7G1xB3O/Ga/32hK505EyWEBuedcH5e0K:hVE3m7bh+/eJPGVx0MxB3O/Ga/cQ05vh
Static task
static1
Behavioral task
behavioral1
Sample
74e445436b010306f116973c93656630N.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
74e445436b010306f116973c93656630N.exe
Resource
win10v2004-20240802-en
Malware Config
Extracted
umbral
https://discord.com/api/webhooks/1273828074898718851/qR9eE6omxJxFL_jVry1J18IsVQ6bHhsk5rGr5VLxyO-92VJHyGPK43BBNMWtaUG56gE2
Targets
-
-
Target
74e445436b010306f116973c93656630N.exe
-
Size
170KB
-
MD5
74e445436b010306f116973c93656630
-
SHA1
b1176522355a5863f5c7d7d3ca9db3889bbc485b
-
SHA256
dceb4a5e6cd2b0d37758cff6b217c69472d6bc6844617817fe22fbf86b7b7135
-
SHA512
8a331a232b877e329110bb264efe79baaa1189316ac1cabefd12f82f249cf7c8415aec6e1df300e132ba8b6bcc9265e6b1b39847e3baea1d0f1e7e698ad2e367
-
SSDEEP
3072:hVK2s3mxhbEmdMfQw/eJPGN0wxdFk7G1xB3O/Ga/32hK505EyWEBuedcH5e0K:hVE3m7bh+/eJPGVx0MxB3O/Ga/cQ05vh
-
Detect Umbral payload
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops file in Drivers directory
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1