Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    Photon External.exe

  • Size

    448KB

  • Sample

    250210-vplxvayqdv

  • MD5

    114977c4b8e58661eca598e3e864ccea

  • SHA1

    f4cd68a7a9f39252b3d9337f6d4bb1f2b2ba66fb

  • SHA256

    de0b828a0c5a7de9ee5cb878bf53c26294106ba05d1cc1d09e34463c6bb37e45

  • SHA512

    7e5730e53a6c3b9f444659f81ab582216f54ee36b2d6be59893cd93711ad2dbe125d00ca4107238324321e661a3783cf2b6de6c4f9469fad7677e7a2965bf988

  • SSDEEP

    12288:7oZtL+EP8q6BoHdmOhWU9va6vAZQtPgkFDIknaHeELrvajxzp:FI8hBoHdmOhWU9va6vACNF5niecmxz

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1338552904809840722/hsyZwj-uzjCk5GrydtVTJEX9YMA707rvYu9a190S3lPA7pLKiUroXIJhqyfI11yKIMUu

Targets

    • Target

      Photon External.exe

    • Size

      448KB

    • MD5

      114977c4b8e58661eca598e3e864ccea

    • SHA1

      f4cd68a7a9f39252b3d9337f6d4bb1f2b2ba66fb

    • SHA256

      de0b828a0c5a7de9ee5cb878bf53c26294106ba05d1cc1d09e34463c6bb37e45

    • SHA512

      7e5730e53a6c3b9f444659f81ab582216f54ee36b2d6be59893cd93711ad2dbe125d00ca4107238324321e661a3783cf2b6de6c4f9469fad7677e7a2965bf988

    • SSDEEP

      12288:7oZtL+EP8q6BoHdmOhWU9va6vAZQtPgkFDIknaHeELrvajxzp:FI8hBoHdmOhWU9va6vACNF5niecmxz

    • Detect Umbral payload

    • Umbral

      Umbral stealer is an opensource moduler stealer written in C#.

    • Umbral family

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Downloads MZ/PE file

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules which act as plugins for Internet Explorer.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks