Analysis
- max time kernel: 1795s
- max time network: 1172s
- platform: windows11-21h2_x64
- resource: win11-20240412-en
- resource tags: arch:x64, arch:x86, image:win11-20240412-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 19-04-2024 20:32
Behavioral tasks
- behavioral1: C11Bootstrapper/Properties/C11Setup.exe (resource: win11-20240412-en)
- behavioral2: C11Bootstrapper/Properties/GuiLoader.exe (resource: win11-20240412-en)
- behavioral3: C11Bootstrapper/Properties/IndependenciesInstallation.bat (resource: win11-20240412-en)
- behavioral4: C11Bootstrapper/Properties/PageEditor.exe (resource: win11-20240412-en)
- behavioral5: C11Bootstrapper/Properties/msgbox.vbs (resource: win11-20240412-en)
General
- Target: C11Bootstrapper/Properties/IndependenciesInstallation.bat
- Size: 489B
- MD5: d8da01fb6f6288b044868f85228cbb10
- SHA1: 9d08c813ce59ab863c6ec3c68c336eed265c5e8a
- SHA256: 74416d022dde876ff622038a6359907da239bbd26ceb7024f5d39dd52f16c9de
- SHA512: c92b83ba5513694e05cf908a747609dd6fd3c70944d04a9b8a62939f4372561e4feb567d158b0316853c50a0c241a1c8c075875746a1e538912ea91ff84c308e
Malware Config
Extracted
- Family: asyncrat
- Version: Venom RAT + HVNC + Stealer + Grabber v6.0.3
- Default
- C2: 127.0.0.1:4449, 127.0.0.1:6555, 127.0.0.1:0, 127.0.0.1:4040
- chhphkahmfnasuyziqc
- delay: 1
- install: false
- install_folder: %Temp%
Signatures

Detect Umbral payload (1 IoC)
  resource | yara_rule
  behavioral3/memory/4708-0-0x0000015805FC0000-0x0000015806004000-memory.dmp | family_umbral

Drops file in Drivers directory (1 IoC)
  description | ioc | Process
  File opened for modification | C:\Windows\System32\drivers\etc\hosts | GuiLoader.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow | ioc
  6 | discord.com
  25 | discord.com

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  6 | ip-api.com

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Delays execution with timeout.exe (4 IoCs)
  pid | Process
  1080 | timeout.exe
  3608 | timeout.exe
  1400 | timeout.exe
  3924 | timeout.exe

Detects videocard installed (1 TTP, 1 IoC)
Uses WMIC.exe to determine videocard installed.
  pid | Process
  3536 | wmic.exe

Modifies registry class (1 IoC)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\Local Settings | cmd.exe

Runs ping.exe (1 TTP, 1 IoC)
  pid | Process
  3440 | PING.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process (distinct entries; the report lists each pid once per event)
  3556 | C11Setup.exe (53 of the 64 entries)
  4708 | GuiLoader.exe (1 entry)
  1284 | powershell.exe (2 entries)
  4700 | powershell.exe (2 entries)
  2952 | powershell.exe (2 entries)
  988 | powershell.exe (2 entries)
  3308 | powershell.exe (2 entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2324 | PageEditor.exe
  Token: SeDebugPrivilege | 3556 | C11Setup.exe
  Token: SeDebugPrivilege | 4708 | GuiLoader.exe
  2328 wmic.exe, the following 21 tokens, each recorded twice (42 entries): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  2324 PageEditor.exe, the following 19 tokens (19 entries, list cut off at the 64-IoC limit): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34
Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  3556 | C11Setup.exe

Suspicious use of WriteProcessMemory (42 IoCs)
  description | pid | Process | procid_target (each write is recorded twice in the report)
  PID 3980 wrote to memory of 1080 | 3980 | cmd.exe | 82
  PID 3980 wrote to memory of 3608 | 3980 | cmd.exe | 83
  PID 3980 wrote to memory of 1400 | 3980 | cmd.exe | 86
  PID 3980 wrote to memory of 2056 | 3980 | cmd.exe | 89
  PID 3980 wrote to memory of 3924 | 3980 | cmd.exe | 90
  PID 3980 wrote to memory of 3556 | 3980 | cmd.exe | 91
  PID 3980 wrote to memory of 4708 | 3980 | cmd.exe | 92
  PID 3980 wrote to memory of 2324 | 3980 | cmd.exe | 93
  PID 4708 wrote to memory of 2328 | 4708 | GuiLoader.exe | 94
  PID 4708 wrote to memory of 2716 | 4708 | GuiLoader.exe | 100
  PID 4708 wrote to memory of 1284 | 4708 | GuiLoader.exe | 102
  PID 4708 wrote to memory of 4700 | 4708 | GuiLoader.exe | 104
  PID 4708 wrote to memory of 2952 | 4708 | GuiLoader.exe | 106
  PID 4708 wrote to memory of 988 | 4708 | GuiLoader.exe | 108
  PID 4708 wrote to memory of 3208 | 4708 | GuiLoader.exe | 110
  PID 4708 wrote to memory of 2916 | 4708 | GuiLoader.exe | 112
  PID 4708 wrote to memory of 2740 | 4708 | GuiLoader.exe | 114
  PID 4708 wrote to memory of 3308 | 4708 | GuiLoader.exe | 116
  PID 4708 wrote to memory of 3536 | 4708 | GuiLoader.exe | 118
  PID 4708 wrote to memory of 4452 | 4708 | GuiLoader.exe | 120
  PID 4452 wrote to memory of 3440 | 4452 | cmd.exe | 122

Views/modifies file attributes (1 TTP, 1 IoC)
  pid | Process
  2716 | attrib.exe
Processes

[1] C:\Windows\system32\cmd.exe (PID 3980)
    cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\IndependenciesInstallation.bat"
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\system32\timeout.exe (PID 1080)
      cmdline: timeout /t 5
      - Delays execution with timeout.exe

  [2] C:\Windows\system32\timeout.exe (PID 3608)
      cmdline: timeout /t 1
      - Delays execution with timeout.exe

  [2] C:\Windows\system32\timeout.exe (PID 1400)
      cmdline: timeout /t 3
      - Delays execution with timeout.exe

  [2] C:\Windows\System32\WScript.exe (PID 2056)
      cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\msgbox.vbs"

  [2] C:\Windows\system32\timeout.exe (PID 3924)
      cmdline: timeout /t 4
      - Delays execution with timeout.exe

  [2] C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\C11Setup.exe (PID 3556)
      cmdline: C11Setup.exe
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx

  [2] C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\GuiLoader.exe (PID 4708)
      cmdline: GuiLoader.exe
      - Drops file in Drivers directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\System32\Wbem\wmic.exe (PID 2328)
        cmdline: "wmic.exe" csproduct get uuid
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\SYSTEM32\attrib.exe (PID 2716)
        cmdline: "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\GuiLoader.exe"
        - Views/modifies file attributes

    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1284)
        cmdline: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\GuiLoader.exe'
        - Suspicious behavior: EnumeratesProcesses

    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4700)
        cmdline: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        - Suspicious behavior: EnumeratesProcesses

    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2952)
        cmdline: "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        - Suspicious behavior: EnumeratesProcesses

    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 988)
        cmdline: "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        - Suspicious behavior: EnumeratesProcesses

    [3] C:\Windows\System32\Wbem\wmic.exe (PID 3208)
        cmdline: "wmic.exe" os get Caption

    [3] C:\Windows\System32\Wbem\wmic.exe (PID 2916)
        cmdline: "wmic.exe" computersystem get totalphysicalmemory

    [3] C:\Windows\System32\Wbem\wmic.exe (PID 2740)
        cmdline: "wmic.exe" csproduct get uuid

    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3308)
        cmdline: "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        - Suspicious behavior: EnumeratesProcesses

    [3] C:\Windows\System32\Wbem\wmic.exe (PID 3536)
        cmdline: "wmic" path win32_VideoController get name
        - Detects videocard installed

    [3] C:\Windows\SYSTEM32\cmd.exe (PID 4452)
        cmdline: "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\GuiLoader.exe" && pause
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\system32\PING.EXE (PID 3440)
          cmdline: ping localhost
          - Runs ping.exe

  [2] C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\PageEditor.exe (PID 2324)
      cmdline: PageEditor.exe
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 2KB
  MD5: 627073ee3ca9676911bee35548eff2b8
  SHA1: 4c4b68c65e2cab9864b51167d710aa29ebdcff2e
  SHA256: 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
  SHA512: 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

- Filesize: 1KB
  MD5: 9db2bc0a0bdfa296036c380393d879e6
  SHA1: 671288bb74f568effac2199c9213cf7e23a31ef9
  SHA256: cce5cc392ad9a82edd35129076da6bb2c3ebe85e158efef8ee7740e9e722c678
  SHA512: a1331966d5669c465ccbfbb588d8e09d295aba56be1e0bc895966da28916bdfb2e3333e24f48a54c68f3c3af0f78ec70cea1e07ec2e2647e154d7dfc4d412fc7

- Filesize: 944B
  MD5: 2e8eb51096d6f6781456fef7df731d97
  SHA1: ec2aaf851a618fb43c3d040a13a71997c25bda43
  SHA256: 96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864
  SHA512: 0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

- Filesize: 948B
  MD5: 45741c307af2576c6437c5fdb24ef9ce
  SHA1: a6ba7a7705db14ac29a18a98dd7deb4cc759c3bf
  SHA256: 7887859f7179e194ff9b78f8d8fa3830790110a01597f21ff48c84cd935e49d2
  SHA512: 39fdc5931563cbf826e8b643b5f0dcdf45bb6f95a8eeb460499257ca41b3dbee4c692eaacc3fd33bddf4b6ff0c828981ed7e9cd080007bbb9f0b28e7d0d66941

- Filesize: 1KB
  MD5: 7332074ae2b01262736b6fbd9e100dac
  SHA1: 22f992165065107cc9417fa4117240d84414a13c
  SHA256: baea84fda6c1f13090b8cbd91c920848946f10ce155ef31a1df4cd453ee7e4aa
  SHA512: 4ae6f0e012c31ac1fc2ff4a8877ce2b4667c45b6e651de798318a39a2b6fd39a6f72dffa8b0b89b7a045a27d724d195656faa25a9fec79b22f37ddebb5d22da2

- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

- Filesize: 8B
  MD5: cf759e4c5f14fe3eec41b87ed756cea8
  SHA1: c27c796bb3c2fac929359563676f4ba1ffada1f5
  SHA256: c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
  SHA512: c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b