Analysis
- max time kernel: 308s
- max time network: 204s
- platform: windows11-21h2_x64
- resource: win11-20240412-en
- resource tags: arch:x64, arch:x86, image:win11-20240412-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 19-04-2024 20:37
Behavioral tasks
- behavioral1: sample C11Bootstrapper/Properties/C11Setup.exe, resource win11-20240412-en
- behavioral2: sample C11Bootstrapper/Properties/GuiLoader.exe, resource win11-20240412-en
- behavioral3: sample C11Bootstrapper/Properties/IndependenciesInstallation.bat, resource win11-20240412-en
- behavioral4: sample C11Bootstrapper/Properties/PageEditor.exe, resource win11-20240412-en
- behavioral5: sample C11Bootstrapper/Properties/msgbox.vbs, resource win11-20240412-en
General
- Target: C11Bootstrapper/Properties/IndependenciesInstallation.bat
- Size: 489B
- MD5: d8da01fb6f6288b044868f85228cbb10
- SHA1: 9d08c813ce59ab863c6ec3c68c336eed265c5e8a
- SHA256: 74416d022dde876ff622038a6359907da239bbd26ceb7024f5d39dd52f16c9de
- SHA512: c92b83ba5513694e05cf908a747609dd6fd3c70944d04a9b8a62939f4372561e4feb567d158b0316853c50a0c241a1c8c075875746a1e538912ea91ff84c308e
Malware Config
Extracted
- family: asyncrat
- Venom RAT + HVNC + Stealer + Grabber v6.0.3
- Default
- 127.0.0.1:4040
- 127.0.0.1:4449
- vydiplhdlyjvmj
- delay: 1
- install: true
- install_file: PageEditor.exe
- install_folder: %Temp%
Signatures
- Detect Umbral payload (1 IoC)
  resource: behavioral3/memory/4420-0-0x0000017C872B0000-0x0000017C872F4000-memory.dmp, yara_rule: family_umbral
- Drops file in Drivers directory (1 IoC)
  File opened for modification: C:\Windows\System32\drivers\etc\hosts (GuiLoader.exe)
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow 3: discord.com; flow 7: discord.com
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 1: ip-api.com
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Delays execution with timeout.exe (4 IoCs)
  PIDs: 1288 timeout.exe, 3464 timeout.exe, 3164 timeout.exe, 2796 timeout.exe
- Detects videocard installed (1 TTP, 1 IoC)
  Uses WMIC.exe to determine videocard installed.
  PID: 3620 wmic.exe
- Modifies registry class (1 IoC)
  Key created: \REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000_Classes\Local Settings (cmd.exe)
- Runs ping.exe (1 TTP, 1 IoC)
  PID: 2084 PING.EXE
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid Process 2568 C11Setup.exe 2568 C11Setup.exe 4420 GuiLoader.exe 2856 powershell.exe 2856 powershell.exe 1028 powershell.exe 1028 powershell.exe 5044 powershell.exe 5044 powershell.exe 4544 powershell.exe 4544 powershell.exe 1996 powershell.exe 1996 powershell.exe 2568 C11Setup.exe 2568 C11Setup.exe 2568 C11Setup.exe 2568 C11Setup.exe 2568 C11Setup.exe 2568 C11Setup.exe 2568 C11Setup.exe 2568 C11Setup.exe 2568 C11Setup.exe 2568 C11Setup.exe 2568 C11Setup.exe 2568 C11Setup.exe 2568 C11Setup.exe 2568 C11Setup.exe 2568 C11Setup.exe 2568 C11Setup.exe 2568 C11Setup.exe 2568 C11Setup.exe 2568 C11Setup.exe 2568 C11Setup.exe 2568 C11Setup.exe 2568 C11Setup.exe 2568 C11Setup.exe 2568 C11Setup.exe 2568 C11Setup.exe 2568 C11Setup.exe 2568 C11Setup.exe 2568 C11Setup.exe 2568 C11Setup.exe 2568 C11Setup.exe 2568 C11Setup.exe 2568 C11Setup.exe 2568 C11Setup.exe 2568 C11Setup.exe 2568 C11Setup.exe 2568 C11Setup.exe 2568 C11Setup.exe 2568 C11Setup.exe 2568 C11Setup.exe 2568 C11Setup.exe 2568 C11Setup.exe 2568 C11Setup.exe 2568 C11Setup.exe 2568 C11Setup.exe 2568 C11Setup.exe 2568 C11Setup.exe 2568 C11Setup.exe 2568 C11Setup.exe 2568 C11Setup.exe 2568 C11Setup.exe 2568 C11Setup.exe -
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
description pid Process Token: SeDebugPrivilege 2072 PageEditor.exe Token: SeDebugPrivilege 2568 C11Setup.exe Token: SeDebugPrivilege 4420 GuiLoader.exe Token: SeIncreaseQuotaPrivilege 5056 wmic.exe Token: SeSecurityPrivilege 5056 wmic.exe Token: SeTakeOwnershipPrivilege 5056 wmic.exe Token: SeLoadDriverPrivilege 5056 wmic.exe Token: SeSystemProfilePrivilege 5056 wmic.exe Token: SeSystemtimePrivilege 5056 wmic.exe Token: SeProfSingleProcessPrivilege 5056 wmic.exe Token: SeIncBasePriorityPrivilege 5056 wmic.exe Token: SeCreatePagefilePrivilege 5056 wmic.exe Token: SeBackupPrivilege 5056 wmic.exe Token: SeRestorePrivilege 5056 wmic.exe Token: SeShutdownPrivilege 5056 wmic.exe Token: SeDebugPrivilege 5056 wmic.exe Token: SeSystemEnvironmentPrivilege 5056 wmic.exe Token: SeRemoteShutdownPrivilege 5056 wmic.exe Token: SeUndockPrivilege 5056 wmic.exe Token: SeManageVolumePrivilege 5056 wmic.exe Token: 33 5056 wmic.exe Token: 34 5056 wmic.exe Token: 35 5056 wmic.exe Token: 36 5056 wmic.exe Token: SeIncreaseQuotaPrivilege 5056 wmic.exe Token: SeSecurityPrivilege 5056 wmic.exe Token: SeTakeOwnershipPrivilege 5056 wmic.exe Token: SeLoadDriverPrivilege 5056 wmic.exe Token: SeSystemProfilePrivilege 5056 wmic.exe Token: SeSystemtimePrivilege 5056 wmic.exe Token: SeProfSingleProcessPrivilege 5056 wmic.exe Token: SeIncBasePriorityPrivilege 5056 wmic.exe Token: SeCreatePagefilePrivilege 5056 wmic.exe Token: SeBackupPrivilege 5056 wmic.exe Token: SeRestorePrivilege 5056 wmic.exe Token: SeShutdownPrivilege 5056 wmic.exe Token: SeDebugPrivilege 5056 wmic.exe Token: SeSystemEnvironmentPrivilege 5056 wmic.exe Token: SeRemoteShutdownPrivilege 5056 wmic.exe Token: SeUndockPrivilege 5056 wmic.exe Token: SeManageVolumePrivilege 5056 wmic.exe Token: 33 5056 wmic.exe Token: 34 5056 wmic.exe Token: 35 5056 wmic.exe Token: 36 5056 wmic.exe Token: SeIncreaseQuotaPrivilege 2072 PageEditor.exe Token: SeSecurityPrivilege 2072 PageEditor.exe Token: SeTakeOwnershipPrivilege 2072 PageEditor.exe 
Token: SeLoadDriverPrivilege 2072 PageEditor.exe Token: SeSystemProfilePrivilege 2072 PageEditor.exe Token: SeSystemtimePrivilege 2072 PageEditor.exe Token: SeProfSingleProcessPrivilege 2072 PageEditor.exe Token: SeIncBasePriorityPrivilege 2072 PageEditor.exe Token: SeCreatePagefilePrivilege 2072 PageEditor.exe Token: SeBackupPrivilege 2072 PageEditor.exe Token: SeRestorePrivilege 2072 PageEditor.exe Token: SeShutdownPrivilege 2072 PageEditor.exe Token: SeDebugPrivilege 2072 PageEditor.exe Token: SeSystemEnvironmentPrivilege 2072 PageEditor.exe Token: SeRemoteShutdownPrivilege 2072 PageEditor.exe Token: SeUndockPrivilege 2072 PageEditor.exe Token: SeManageVolumePrivilege 2072 PageEditor.exe Token: 33 2072 PageEditor.exe Token: 34 2072 PageEditor.exe -
- Suspicious use of SetWindowsHookEx (1 IoC)
  PID: 2568 C11Setup.exe
- Suspicious use of WriteProcessMemory (42 IoCs)
description pid Process procid_target PID 3000 wrote to memory of 1288 3000 cmd.exe 80 PID 3000 wrote to memory of 1288 3000 cmd.exe 80 PID 3000 wrote to memory of 3464 3000 cmd.exe 82 PID 3000 wrote to memory of 3464 3000 cmd.exe 82 PID 3000 wrote to memory of 3164 3000 cmd.exe 83 PID 3000 wrote to memory of 3164 3000 cmd.exe 83 PID 3000 wrote to memory of 1588 3000 cmd.exe 84 PID 3000 wrote to memory of 1588 3000 cmd.exe 84 PID 3000 wrote to memory of 2796 3000 cmd.exe 85 PID 3000 wrote to memory of 2796 3000 cmd.exe 85 PID 3000 wrote to memory of 2568 3000 cmd.exe 86 PID 3000 wrote to memory of 2568 3000 cmd.exe 86 PID 3000 wrote to memory of 4420 3000 cmd.exe 87 PID 3000 wrote to memory of 4420 3000 cmd.exe 87 PID 3000 wrote to memory of 2072 3000 cmd.exe 88 PID 3000 wrote to memory of 2072 3000 cmd.exe 88 PID 4420 wrote to memory of 5056 4420 GuiLoader.exe 89 PID 4420 wrote to memory of 5056 4420 GuiLoader.exe 89 PID 4420 wrote to memory of 3640 4420 GuiLoader.exe 95 PID 4420 wrote to memory of 3640 4420 GuiLoader.exe 95 PID 4420 wrote to memory of 2856 4420 GuiLoader.exe 97 PID 4420 wrote to memory of 2856 4420 GuiLoader.exe 97 PID 4420 wrote to memory of 1028 4420 GuiLoader.exe 99 PID 4420 wrote to memory of 1028 4420 GuiLoader.exe 99 PID 4420 wrote to memory of 5044 4420 GuiLoader.exe 101 PID 4420 wrote to memory of 5044 4420 GuiLoader.exe 101 PID 4420 wrote to memory of 4544 4420 GuiLoader.exe 103 PID 4420 wrote to memory of 4544 4420 GuiLoader.exe 103 PID 4420 wrote to memory of 5064 4420 GuiLoader.exe 105 PID 4420 wrote to memory of 5064 4420 GuiLoader.exe 105 PID 4420 wrote to memory of 1640 4420 GuiLoader.exe 107 PID 4420 wrote to memory of 1640 4420 GuiLoader.exe 107 PID 4420 wrote to memory of 4508 4420 GuiLoader.exe 109 PID 4420 wrote to memory of 4508 4420 GuiLoader.exe 109 PID 4420 wrote to memory of 1996 4420 GuiLoader.exe 111 PID 4420 wrote to memory of 1996 4420 GuiLoader.exe 111 PID 4420 wrote to memory of 3620 4420 GuiLoader.exe 113 PID 4420 
wrote to memory of 3620 4420 GuiLoader.exe 113 PID 4420 wrote to memory of 2132 4420 GuiLoader.exe 115 PID 4420 wrote to memory of 2132 4420 GuiLoader.exe 115 PID 2132 wrote to memory of 2084 2132 cmd.exe 117 PID 2132 wrote to memory of 2084 2132 cmd.exe 117 -
- Views/modifies file attributes (1 TTP, 1 IoC)
  PID: 3640 attrib.exe
Processes (indentation shows parent/child depth)
- C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\IndependenciesInstallation.bat"
  PID: 3000 (Modifies registry class; Suspicious use of WriteProcessMemory)
  - C:\Windows\system32\timeout.exe
    command line: timeout /t 5
    PID: 1288 (Delays execution with timeout.exe)
  - C:\Windows\system32\timeout.exe
    command line: timeout /t 1
    PID: 3464 (Delays execution with timeout.exe)
  - C:\Windows\system32\timeout.exe
    command line: timeout /t 3
    PID: 3164 (Delays execution with timeout.exe)
  - C:\Windows\System32\WScript.exe
    command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\msgbox.vbs"
    PID: 1588
  - C:\Windows\system32\timeout.exe
    command line: timeout /t 4
    PID: 2796 (Delays execution with timeout.exe)
  - C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\C11Setup.exe
    command line: C11Setup.exe
    PID: 2568 (Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx)
  - C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\GuiLoader.exe
    command line: GuiLoader.exe
    PID: 4420 (Drops file in Drivers directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory)
    - C:\Windows\System32\Wbem\wmic.exe
      command line: "wmic.exe" csproduct get uuid
      PID: 5056 (Suspicious use of AdjustPrivilegeToken)
    - C:\Windows\SYSTEM32\attrib.exe
      command line: "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\GuiLoader.exe"
      PID: 3640 (Views/modifies file attributes)
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\GuiLoader.exe'
      PID: 2856 (Suspicious behavior: EnumeratesProcesses)
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      PID: 1028 (Suspicious behavior: EnumeratesProcesses)
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      PID: 5044 (Suspicious behavior: EnumeratesProcesses)
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      PID: 4544 (Suspicious behavior: EnumeratesProcesses)
    - C:\Windows\System32\Wbem\wmic.exe
      command line: "wmic.exe" os get Caption
      PID: 5064
    - C:\Windows\System32\Wbem\wmic.exe
      command line: "wmic.exe" computersystem get totalphysicalmemory
      PID: 1640
    - C:\Windows\System32\Wbem\wmic.exe
      command line: "wmic.exe" csproduct get uuid
      PID: 4508
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      PID: 1996 (Suspicious behavior: EnumeratesProcesses)
    - C:\Windows\System32\Wbem\wmic.exe
      command line: "wmic" path win32_VideoController get name
      PID: 3620 (Detects videocard installed)
    - C:\Windows\SYSTEM32\cmd.exe
      command line: "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\GuiLoader.exe" && pause
      PID: 2132 (Suspicious use of WriteProcessMemory)
      - C:\Windows\system32\PING.EXE
        command line: ping localhost
        PID: 2084 (Runs ping.exe)
  - C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\PageEditor.exe
    command line: PageEditor.exe
    PID: 2072 (Suspicious use of AdjustPrivilegeToken)
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2KB
  MD5: 627073ee3ca9676911bee35548eff2b8
  SHA1: 4c4b68c65e2cab9864b51167d710aa29ebdcff2e
  SHA256: 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
  SHA512: 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb
- Filesize: 1KB
  MD5: 38ecc5b95c11e5a77558753102979c51
  SHA1: c0759b08ef377df9979d8835d8a7e464cd8eaf6b
  SHA256: 2eb69abe0af5a2fb5bb313533cef641e25016876b874353f7d737c7ad672c79e
  SHA512: 9bf4ce3bc097bdd0242bd105c936a9c9403d5ac83ec99e6a310591a7b8d26309485f3e0cdc4cba67c322f834c325a2b63a008adb078f3a3307094c4b68a48686
- Filesize: 944B
  MD5: 2e8eb51096d6f6781456fef7df731d97
  SHA1: ec2aaf851a618fb43c3d040a13a71997c25bda43
  SHA256: 96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864
  SHA512: 0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2
- Filesize: 948B
  MD5: 45741c307af2576c6437c5fdb24ef9ce
  SHA1: a6ba7a7705db14ac29a18a98dd7deb4cc759c3bf
  SHA256: 7887859f7179e194ff9b78f8d8fa3830790110a01597f21ff48c84cd935e49d2
  SHA512: 39fdc5931563cbf826e8b643b5f0dcdf45bb6f95a8eeb460499257ca41b3dbee4c692eaacc3fd33bddf4b6ff0c828981ed7e9cd080007bbb9f0b28e7d0d66941
- Filesize: 1KB
  MD5: 7332074ae2b01262736b6fbd9e100dac
  SHA1: 22f992165065107cc9417fa4117240d84414a13c
  SHA256: baea84fda6c1f13090b8cbd91c920848946f10ce155ef31a1df4cd453ee7e4aa
  SHA512: 4ae6f0e012c31ac1fc2ff4a8877ce2b4667c45b6e651de798318a39a2b6fd39a6f72dffa8b0b89b7a045a27d724d195656faa25a9fec79b22f37ddebb5d22da2
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 8B
  MD5: cf759e4c5f14fe3eec41b87ed756cea8
  SHA1: c27c796bb3c2fac929359563676f4ba1ffada1f5
  SHA256: c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
  SHA512: c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b