General
- Target: BALDI.exe
- Size: 5.6MB
- Sample: 240625-gx397sthkd
- MD5: 8235f398b63cb2b0926edf528a56ad35
- SHA1: 668ff71112d6bf289b70659d063d524481c19b0f
- SHA256: 0091be76fcfaadfb4d45f22ce3cb5189fd919ee89cfb901c9eed7f6a6aa61c6a
- SHA512: 51cf7794ea120ebaad6d53b2722f35e57b1d28b5365e53a74d945f45d180d6a5bfe3b27f963485c53079103947e552c88631485ba49a160a4b09c9afd4a66674
- SSDEEP: 98304:3rd/2Kf8MIhWIcn1111DIgzO9QeMfXTjig8nuluLlKUORY+6Mrv:3rR2KfBIc1j1J8sfXvpQlHfE
Static task
- static1

Behavioral task
- behavioral1
  Sample: BALDI.exe
  Resource: win7-20240221-en

Behavioral task
- behavioral2
  Sample: BALDI.exe
  Resource: win10v2004-20240226-en
Malware Config

Targets
- Target: BALDI.exe (5.6MB; MD5, SHA1, SHA256, SHA512 and SSDEEP hashes as listed under General above)
- Detect Umbral payload
- Modifies WinLogon for persistence
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
- Disables Task Manager via registry modification
- Possible privilege escalation attempt
- Modifies file permissions
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Sets desktop wallpaper using registry
MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
- Boot or Logon Autostart Execution (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Accessibility Features (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Winlogon Helper DLL (1)
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Event Triggered Execution (1)
  - Accessibility Features (1)

Defense Evasion
- Modify Registry (3)
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- File and Directory Permissions Modification (1)