Overview
overview
10Static
static
10C11Bootstr...up.exe
windows7-x64
10C11Bootstr...up.exe
windows10-2004-x64
10C11Bootstr...er.exe
windows7-x64
10C11Bootstr...er.exe
windows10-2004-x64
10C11Bootstr...on.bat
windows7-x64
10C11Bootstr...on.bat
windows10-2004-x64
10C11Bootstr...or.exe
windows7-x64
10C11Bootstr...or.exe
windows10-2004-x64
10C11Bootstr...ox.vbs
windows7-x64
1C11Bootstr...ox.vbs
windows10-2004-x64
1C11Bootstr...rt.bat
windows7-x64
1C11Bootstr...rt.bat
windows10-2004-x64
10Analysis
-
max time kernel
119s -
max time network
127s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
19-04-2024 20:56
Behavioral task
behavioral1
Sample
C11Bootstrapper/Properties/C11Setup.exe
Resource
win7-20240215-en
windows7-x64
Behavioral task
behavioral2
Sample
C11Bootstrapper/Properties/C11Setup.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
C11Bootstrapper/Properties/GuiLoader.exe
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral4
Sample
C11Bootstrapper/Properties/GuiLoader.exe
Resource
win10v2004-20240412-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
C11Bootstrapper/Properties/IndependenciesInstallation.bat
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral6
Sample
C11Bootstrapper/Properties/IndependenciesInstallation.bat
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
C11Bootstrapper/Properties/PageEditor.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral8
Sample
C11Bootstrapper/Properties/PageEditor.exe
Resource
win10v2004-20240412-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
C11Bootstrapper/Properties/msgbox.vbs
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral10
Sample
C11Bootstrapper/Properties/msgbox.vbs
Resource
win10v2004-20240412-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
C11Bootstrapper/Start.bat
Resource
win7-20231129-en
windows7-x64
General
-
Target
C11Bootstrapper/Properties/GuiLoader.exe
-
Size
246KB
-
MD5
1bb249792e56063762f5adb2d94fc8c9
-
SHA1
9a1fa4886ed023f864c06345b639a121f6359cd1
-
SHA256
f61483bd59316dff21d5bc3fc8f32811dd8ddca826a84255ab5ea2cdfef3d7ae
-
SHA512
d8a2af35713bf4ce979440375c460b9f7b3f2849abc9cdf0d2fdb5e891a5bab36ed101da94f6b57d3dc775c3a0fdeffbaeab8981965ec72fe56adfa5dab501ba
-
SSDEEP
6144:RloZM+rIkd8g+EtXHkv/iD4kgOZGCg/7I7R0STTKvYb8e1mZzi:joZtL+EP8kgOZGCg/7I7R0STTKIX
Malware Config
Signatures
-
Detect Umbral payload 2 IoCs
resource yara_rule behavioral3/memory/2240-0-0x0000000001090000-0x00000000010D4000-memory.dmp family_umbral behavioral3/memory/2240-2-0x0000000000DF0000-0x0000000000E70000-memory.dmp family_umbral -
Suspicious use of AdjustPrivilegeToken 41 IoCs
description pid Process Token: SeDebugPrivilege 2240 GuiLoader.exe Token: SeIncreaseQuotaPrivilege 2724 wmic.exe Token: SeSecurityPrivilege 2724 wmic.exe Token: SeTakeOwnershipPrivilege 2724 wmic.exe Token: SeLoadDriverPrivilege 2724 wmic.exe Token: SeSystemProfilePrivilege 2724 wmic.exe Token: SeSystemtimePrivilege 2724 wmic.exe Token: SeProfSingleProcessPrivilege 2724 wmic.exe Token: SeIncBasePriorityPrivilege 2724 wmic.exe Token: SeCreatePagefilePrivilege 2724 wmic.exe Token: SeBackupPrivilege 2724 wmic.exe Token: SeRestorePrivilege 2724 wmic.exe Token: SeShutdownPrivilege 2724 wmic.exe Token: SeDebugPrivilege 2724 wmic.exe Token: SeSystemEnvironmentPrivilege 2724 wmic.exe Token: SeRemoteShutdownPrivilege 2724 wmic.exe Token: SeUndockPrivilege 2724 wmic.exe Token: SeManageVolumePrivilege 2724 wmic.exe Token: 33 2724 wmic.exe Token: 34 2724 wmic.exe Token: 35 2724 wmic.exe Token: SeIncreaseQuotaPrivilege 2724 wmic.exe Token: SeSecurityPrivilege 2724 wmic.exe Token: SeTakeOwnershipPrivilege 2724 wmic.exe Token: SeLoadDriverPrivilege 2724 wmic.exe Token: SeSystemProfilePrivilege 2724 wmic.exe Token: SeSystemtimePrivilege 2724 wmic.exe Token: SeProfSingleProcessPrivilege 2724 wmic.exe Token: SeIncBasePriorityPrivilege 2724 wmic.exe Token: SeCreatePagefilePrivilege 2724 wmic.exe Token: SeBackupPrivilege 2724 wmic.exe Token: SeRestorePrivilege 2724 wmic.exe Token: SeShutdownPrivilege 2724 wmic.exe Token: SeDebugPrivilege 2724 wmic.exe Token: SeSystemEnvironmentPrivilege 2724 wmic.exe Token: SeRemoteShutdownPrivilege 2724 wmic.exe Token: SeUndockPrivilege 2724 wmic.exe Token: SeManageVolumePrivilege 2724 wmic.exe Token: 33 2724 wmic.exe Token: 34 2724 wmic.exe Token: 35 2724 wmic.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2240 wrote to memory of 2724 2240 GuiLoader.exe 28 PID 2240 wrote to memory of 2724 2240 GuiLoader.exe 28 PID 2240 wrote to memory of 2724 2240 GuiLoader.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\GuiLoader.exe"C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\GuiLoader.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2724
-