Analysis
- max time kernel: 1800s
- max time network: 1170s
- platform: windows11-21h2_x64
- resource: win11-20240412-en
- resource tags: arch:x64, arch:x86, image:win11-20240412-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 19-04-2024 21:10
Behavioral tasks
- behavioral1: sample C11Bootstrapper/Properties/GuiLoader.exe (resource win11-20240412-en)
- behavioral2: sample C11Bootstrapper/Properties/IndependenciesInstallation.bat (resource win11-20240412-en)
- behavioral3: sample C11Bootstrapper/Properties/PageEditor.exe (resource win11-20240412-en)
General
- Target: C11Bootstrapper/Properties/PageEditor.exe
- Size: 31KB
- MD5: 562ecb03ac667bc785b4a9ecc3930e00
- SHA1: 7aabba8964d3682dfc29342b57dcf5ec5a4175f9
- SHA256: a8ae08cf54ebef47f9c19167ea989cfc6fa4536124d53bd79cd8a19063c98c0b
- SHA512: 566f622b4a623c49cf9945e2f0b42dd07678084b7fb78d1f81b8e5190c7f68298ff0e6bd2cac5a0c745c3614ecf7370161370910c228eea410ebacc2afe57cf5
- SSDEEP: 768:/zCBqdzNB0zx/6Lgnm3eXdvCTQmIDUu0tifej:K6KzpUQVkPj
Malware Config
Signatures
- Modifies Windows Firewall (2 TTPs, 1 IoC)
  pid 2188, process netsh.exe
- Drops startup file (2 IoCs)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9d2e440703ae716f1154fa98bacb513a.exe (process C11Setup.exe)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9d2e440703ae716f1154fa98bacb513a.exe (process C11Setup.exe)
- Executes dropped EXE (1 IoC)
  pid 2132, process C11Setup.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000\Software\Microsoft\Windows\CurrentVersion\Run\9d2e440703ae716f1154fa98bacb513a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\C11Setup.exe\" .." (process C11Setup.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\9d2e440703ae716f1154fa98bacb513a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\C11Setup.exe\" .." (process C11Setup.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 552, process PageEditor.exe (the same entry is repeated for all 64 IoCs)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 2132, process C11Setup.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token: SeDebugPrivilege, pid 552, process PageEditor.exe
  Token: SeDebugPrivilege, pid 2132, process C11Setup.exe
  Token: 33, pid 2132, process C11Setup.exe
  Token: SeIncBasePriorityPrivilege, pid 2132, process C11Setup.exe
  (the remaining entries alternate between Token: 33 and Token: SeIncBasePriorityPrivilege for pid 2132, C11Setup.exe)
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 552 (PageEditor.exe) wrote to memory of 2132, procid_target 84 (3 entries)
  PID 2132 (C11Setup.exe) wrote to memory of 2188, procid_target 85 (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\PageEditor.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\PageEditor.exe"
  PID: 552
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\C11Setup.exe (level 2, child of PID 552)
    Command line: "C:\Users\Admin\AppData\Local\Temp\C11Setup.exe"
    PID: 2132
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (level 3, child of PID 2132)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\C11Setup.exe" "C11Setup.exe" ENABLE
      PID: 2188
      - Modifies Windows Firewall
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)