umbral | 6b3fb6fce70e0a6cbe4dec6627f76ff70414048360f03c7d72099fbd059591ed | Triage

Submit
Reports

Overview

overview

Static

static

Emerald X.zip

windows7-x64

1

Emerald X.zip

windows10-2004-x64

7

Resubmissions

21-09-2024 20:11

240921-yyasqa1cnc 10

21-09-2024 11:23

240921-nhfc6azbpe 10

Sharing

General

Target

Emerald X.zip
Size

2.9MB
Sample

240921-nhfc6azbpe
MD5

6d5e6bb315019834ad58da276fb2b4ee
SHA1

c3dfebcf3caf961c745a070c58a78dd5c30bd368
SHA256

6b3fb6fce70e0a6cbe4dec6627f76ff70414048360f03c7d72099fbd059591ed
SHA512

6619981ecb97ec806c3a0c57cab618f17f214a0e96c26ff7f31f26362ba7facf0667e874269d51ee38e2705c0eaed4cbb0eacf8ea92aae150271f635f2ccf213
SSDEEP

49152:Gf+JRr8UFdx5nmGAlo1S6OxurnJtB1Xgaon+3BzWVoZ0AEk:G2bdx5nmc7OcnJhXge3BzWiZ0Ab

Score

10^/10

umbral discovery persistence privilege_escalation

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

Emerald X.zip

Resource

win7-20240903-en

windows7-x64

0 signatures

150 seconds

Behavioral task

behavioral2

Sample

Emerald X.zip

Resource

win10v2004-20240802-en

discovery persistence privilege_escalation

windows10-2004-x64

20 signatures

150 seconds

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1282641542556811284/XhP2lBGmy2WSxK1y0l23RHuQqEin2SHIJODdzqGhEFoaXh5jRVDNcIXTEi8GEfBNxtlo

Targets

- Target
  
  Emerald X.zip
- Size
  
  2.9MB
- MD5
  
  6d5e6bb315019834ad58da276fb2b4ee
- SHA1
  
  c3dfebcf3caf961c745a070c58a78dd5c30bd368
- SHA256
  
  6b3fb6fce70e0a6cbe4dec6627f76ff70414048360f03c7d72099fbd059591ed
- SHA512
  
  6619981ecb97ec806c3a0c57cab618f17f214a0e96c26ff7f31f26362ba7facf0667e874269d51ee38e2705c0eaed4cbb0eacf8ea92aae150271f635f2ccf213
- SSDEEP
  
  49152:Gf+JRr8UFdx5nmGAlo1S6OxurnJtB1Xgaon+3BzWVoZ0AEk:G2bdx5nmc7OcnJhXge3BzWiZ0Ab
Score

7^/10

discovery persistence privilege_escalation
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
  persistence
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks system information in the registry
  System information is often read in order to detect sandboxing environments.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Event Triggered Execution

Change Default File Association

Component Object Model Hijacking

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Event Triggered Execution

Change Default File Association

Component Object Model Hijacking

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

discoverypersistenceprivilege_escalation

© 2018-2024

Terms | Privacy