General
-
Target
073997d20ef564e271ffb2b4d86773dbf7eddfb7e9f4811b0deb798b4505e2ce
-
Size
800KB
-
Sample
241117-b6eejsybrc
-
MD5
7198fa10a50ea9aaf6ae5c2a05af2104
-
SHA1
c35a2a73313e3c5ad08136e3bc583bb9bc26964c
-
SHA256
073997d20ef564e271ffb2b4d86773dbf7eddfb7e9f4811b0deb798b4505e2ce
-
SHA512
56db894671d6b5e093ef2de88ba785f1d9159e2b206593886ad540d336c5dfa79cd5ea7b6b29fbdd39d3a2355bcc01d90f5fff64e97fcbda383e38df79353acf
-
SSDEEP
12288:naMgC/rJdxLDMVVV/1EIEm6l6O6+26AFxKxg0YZbs7Ql:naMgGfxLDmVwoV+26YcY+0
Static task
static1
Behavioral task
behavioral1
Sample
073997d20ef564e271ffb2b4d86773dbf7eddfb7e9f4811b0deb798b4505e2ce.exe
Resource
win7-20240903-en
Malware Config
Extracted
umbral
https://discord.com/api/webhooks/1303474825066446879/NebQ1EAeNBTUfzGkn_W4tnvKCl9pOSQ87UqZdaxri0p165SfLuSuU_8R57ng1lqsCx6o
Extracted
xworm
127.0.0.1:26848
23.ip.gl.ply.gg:26848
-
Install_directory
%Userprofile%
-
install_file
Windows Security Host.exe
Targets
-
-
Target
073997d20ef564e271ffb2b4d86773dbf7eddfb7e9f4811b0deb798b4505e2ce
-
Size
800KB
-
MD5
7198fa10a50ea9aaf6ae5c2a05af2104
-
SHA1
c35a2a73313e3c5ad08136e3bc583bb9bc26964c
-
SHA256
073997d20ef564e271ffb2b4d86773dbf7eddfb7e9f4811b0deb798b4505e2ce
-
SHA512
56db894671d6b5e093ef2de88ba785f1d9159e2b206593886ad540d336c5dfa79cd5ea7b6b29fbdd39d3a2355bcc01d90f5fff64e97fcbda383e38df79353acf
-
SSDEEP
12288:naMgC/rJdxLDMVVV/1EIEm6l6O6+26AFxKxg0YZbs7Ql:naMgGfxLDmVwoV+26YcY+0
-
Detect Umbral payload
-
Detect Xworm Payload
-
Umbral family
-
Xworm family
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops file in Drivers directory
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Blocklisted process makes network request
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1