umbral | 0091be76fcfaadfb4d45f22ce3cb5189fd919ee89cfb901c9eed7f6a6aa61c6a | Triage

Submit
Reports

Overview

overview

Static

static

3

BALDI.exe

windows7-x64

1

BALDI.exe

windows10-2004-x64

Sharing

General

Target

BALDI.exe
Size

5.6MB
Sample

240625-gx397sthkd
MD5

8235f398b63cb2b0926edf528a56ad35
SHA1

668ff71112d6bf289b70659d063d524481c19b0f
SHA256

0091be76fcfaadfb4d45f22ce3cb5189fd919ee89cfb901c9eed7f6a6aa61c6a
SHA512

51cf7794ea120ebaad6d53b2722f35e57b1d28b5365e53a74d945f45d180d6a5bfe3b27f963485c53079103947e552c88631485ba49a160a4b09c9afd4a66674
SSDEEP

98304:3rd/2Kf8MIhWIcn1111DIgzO9QeMfXTjig8nuluLlKUORY+6Mrv:3rR2KfBIc1j1J8sfXvpQlHfE

Score

10^/10

umbral discovery evasion execution exploit persistence privilege_escalation ransomware stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

BALDI.exe

Resource

win7-20240221-en

windows7-x64

5 signatures

1800 seconds

Behavioral task

behavioral2

Sample

BALDI.exe

Resource

win10v2004-20240226-en

umbral discovery evasion execution exploit persistence privilege_escalation ransomware stealer trojan

windows10-2004-x64

26 signatures

1800 seconds

Malware Config

Targets

- Target
  
  BALDI.exe
- Size
  
  5.6MB
- MD5
  
  8235f398b63cb2b0926edf528a56ad35
- SHA1
  
  668ff71112d6bf289b70659d063d524481c19b0f
- SHA256
  
  0091be76fcfaadfb4d45f22ce3cb5189fd919ee89cfb901c9eed7f6a6aa61c6a
- SHA512
  
  51cf7794ea120ebaad6d53b2722f35e57b1d28b5365e53a74d945f45d180d6a5bfe3b27f963485c53079103947e552c88631485ba49a160a4b09c9afd4a66674
- SSDEEP
  
  98304:3rd/2Kf8MIhWIcn1111DIgzO9QeMfXTjig8nuluLlKUORY+6Mrv:3rR2KfBIc1j1J8sfXvpQlHfE
Score

10^/10

umbral discovery evasion execution exploit persistence privilege_escalation ransomware stealer trojan
- Detect Umbral payload
- Modifies WinLogon for persistence
  persistence
- UAC bypass
  evasion trojan
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Disables Task Manager via registry modification
  evasion
- Possible privilege escalation attempt
  exploit
- Modifies file permissions
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Sets desktop wallpaper using registry
  ransomware
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Winlogon Helper DLL

Event Triggered Execution

Accessibility Features

Privilege Escalation

Boot or Logon Autostart Execution

Winlogon Helper DLL

Abuse Elevation Control Mechanism

Bypass User Account Control

Event Triggered Execution

Accessibility Features

Defense Evasion

Modify Registry

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify Tools

File and Directory Permissions Modification

Credential Access

Discovery

Query Registry

Peripheral Device Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Defacement

Resource Development

Reconnaissance

Tasks

static1

behavioral1

behavioral2

umbraldiscoveryevasionexecutionexploitpersistenceprivilege_escalationransomwarestealertrojan

© 2018-2024

Terms | Privacy