Analysis

max time kernel: 1800s
max time network: 1560s
platform: windows11-21h2_x64
resource: win11-20240412-en
resource tags: arch:x64, arch:x86, image:win11-20240412-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 19-04-2024 21:10
Behavioral tasks

behavioral1: C11Bootstrapper/Properties/GuiLoader.exe (resource win11-20240412-en)
behavioral2: C11Bootstrapper/Properties/IndependenciesInstallation.bat (resource win11-20240412-en)
behavioral3: C11Bootstrapper/Properties/PageEditor.exe (resource win11-20240412-en)
General

Target: C11Bootstrapper/Start.bat
Size: 1KB
MD5: 4e3179e79f11708b60c3af67718cc0ae
SHA1: e22536c444427ce73dcc50091c28477c44e23210
SHA256: 6953af9e22a172b023757199cc77c0ea2353bfe7ab1843516a161081f0c1d76d
SHA512: aaf2402399fe8887fe516a3be50054129298970dc322652dc02578a523be74135e02b6856f0b7b774df3c827b131d54828143583038bc5350c40e89dcd1409e1
Malware Config

Extracted family: asyncrat
Version string: Venom RAT + HVNC + Stealer + Grabber v6.0.3
Default
C2: 127.0.0.1:4449
chhphkahmfnasuyziqc
delay: 1
install: false
install_folder: %Temp%

Note: the extracted C2 is the loopback address, so the RAT component of this build cannot reach an operator from an infected host. The outbound flows the report records (discord.com, ip-api.com) are consistent with the Umbral stealer matched in memory under Signatures, not with this AsyncRAT configuration. "Default" and "chhphkahmfnasuyziqc" are reproduced as extracted; the report gives no field names for them.
Signatures

Detect Umbral payload (1 IoC)
  yara_rule family_umbral matched behavioral4/memory/3080-0-0x000001F826620000-0x000001F826664000-memory.dmp (a memory region of PID 3080, GuiLoader.exe)

Drops file in Drivers directory (1 IoC)
  File opened for modification: C:\Windows\System32\drivers\etc\hosts, by GuiLoader.exe

Modifies Windows Firewall (2 TTPs, 1 IoC)
  PID 1508 netsh.exe

Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9d2e440703ae716f1154fa98bacb513a.exe, by C11Setup.exe
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9d2e440703ae716f1154fa98bacb513a.exe, by C11Setup.exe

Executes dropped EXE (1 IoC)
  PID 1980 C11Setup.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Software\Microsoft\Windows\CurrentVersion\Run\9d2e440703ae716f1154fa98bacb513a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\C11Setup.exe\" ..", by C11Setup.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\9d2e440703ae716f1154fa98bacb513a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\C11Setup.exe\" ..", by C11Setup.exe
  The value name is the same as the Startup-folder file name above, so one IoC string covers both persistence locations. The HKLM write landing under WOW6432Node means the writer is a 32-bit process (registry redirection), which also explains why its netsh.exe child is started from SysWOW64 in the process tree.

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow 4: discord.com
  flow 12: discord.com

Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 1: ip-api.com

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Delays execution with timeout.exe (4 IoCs)
  PIDs 3336, 2228, 5084, 4616 (timeout.exe)

Detects videocard installed (1 TTP, 1 IoC)
  Uses WMIC.exe to determine videocard installed.
  PID 2272 wmic.exe

Modifies registry class (1 IoC)
  Key created: \REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\Local Settings, by cmd.exe

Runs ping.exe (1 TTP, 1 IoC)
  PID 4996 PING.EXE

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  All 64 entries: PID 2100 PageEditor.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 1980 C11Setup.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs; the report cuts the list off at 64)
  SeDebugPrivilege: 764 C11Setup.exe; 3080 GuiLoader.exe; 2100 PageEditor.exe; 540, 1044, 4040, 2552 powershell.exe; 1980 C11Setup.exe
  1980 C11Setup.exe also: 33, SeIncBasePriorityPrivilege
  3852 wmic.exe (the same 21-entry set, logged twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  3164 wmic.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege (truncated by the 64-entry cap)
  The bare numbers 33 to 36 are privilege LUIDs the report did not resolve to names. wmic.exe enables its whole privilege set when it starts, so the wmic entries are routine noise rather than evidence of the sample requesting privileges.

Suspicious use of WriteProcessMemory (51 IoCs)
  Each record reads "PID <parent> wrote to memory of <child>" followed by the parent PID, the parent image and the report's own sequential process index for the child (procid_target; the values 82 to 120 are not OS PIDs). The same pair is logged once per WriteProcessMemory call. Collapsed, with repeat count and procid_target:
  1656 cmd.exe -> 3056 (x2, 82)
  3056 cmd.exe -> 3336 (x2, 84), 2228 (x2, 85), 5084 (x2, 86), 3584 (x2, 87), 4616 (x2, 88), 764 (x2, 89), 3080 (x2, 90), 2100 (x3, 91)
  3080 GuiLoader.exe -> 3852 (x2, 92), 4344 (x2, 95), 540 (x2, 97), 1044 (x2, 99), 4040 (x2, 101), 2552 (x2, 103), 3164 (x2, 108), 3392 (x2, 110), 492 (x2, 112), 1536 (x2, 114), 2272 (x2, 116), 712 (x2, 118)
  2100 PageEditor.exe -> 1980 (x3, 105)
  1980 C11Setup.exe -> 1508 (x3, 106)
  712 cmd.exe -> 4996 (x2, 120)

Views/modifies file attributes (1 TTP, 1 IoC)
  PID 4344 attrib.exe
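The WriteProcessMemory records above are the raw material for a process tree, but the sandbox logs one line per call and appends its own process index rather than the child's PID. The following parser is an added example and is not part of the report; RECORDS is a verbatim subset of the report's 51 records (including two repeated pairs), KNOWN_IMAGES names the leaf PIDs from the report's process list, and the tree it prints should line up with the Processes section below. Treating the trailing number as an internal index rather than a PID is an assumption drawn from its values (82 to 120), not something the report states.

```python
"""Rebuild the parent -> child process tree from the 'Suspicious use of
WriteProcessMemory' records of the report.

Added example; not part of the sandbox report.  RECORDS is a verbatim subset
of the report's 51 records.  In each record the trailing number is taken to
be the report's internal process index (procid_target), not an OS PID, and
the same parent/child pair is logged once per WriteProcessMemory call, so the
parser keys on (parent_pid, child_pid) and drops repeats.
"""
import re
from collections import defaultdict

RECORD_RE = re.compile(
    r"PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) "
    r"(?P=parent) (?P<image>\S+) (?P<procid>\d+)"
)

# Subset of the report's records, copied as they appear (two pairs repeat).
RECORDS = (
    "PID 1656 wrote to memory of 3056 1656 cmd.exe 82 "
    "PID 1656 wrote to memory of 3056 1656 cmd.exe 82 "
    "PID 3056 wrote to memory of 764 3056 cmd.exe 89 "
    "PID 3056 wrote to memory of 3080 3056 cmd.exe 90 "
    "PID 3056 wrote to memory of 2100 3056 cmd.exe 91 "
    "PID 3056 wrote to memory of 2100 3056 cmd.exe 91 "
    "PID 3080 wrote to memory of 3852 3080 GuiLoader.exe 92 "
    "PID 3080 wrote to memory of 540 3080 GuiLoader.exe 97 "
    "PID 3080 wrote to memory of 712 3080 GuiLoader.exe 118 "
    "PID 2100 wrote to memory of 1980 2100 PageEditor.exe 105 "
    "PID 1980 wrote to memory of 1508 1980 C11Setup.exe 106 "
    "PID 712 wrote to memory of 4996 712 cmd.exe 120"
)

# Leaf PIDs never write to another process, so their image name is not in
# RECORDS; these come from the report's process list.
KNOWN_IMAGES = {764: "C11Setup.exe", 3852: "wmic.exe", 540: "powershell.exe",
                1508: "netsh.exe", 4996: "PING.EXE"}


def parse_records(text):
    """Return {parent_pid: [(child_pid, parent_image), ...]} without duplicate edges."""
    tree = defaultdict(list)
    seen = set()
    for m in RECORD_RE.finditer(text):
        parent, child = int(m["parent"]), int(m["child"])
        if (parent, child) in seen:
            continue  # repeated WriteProcessMemory call on the same child
        seen.add((parent, child))
        tree[parent].append((child, m["image"]))
    return dict(tree)


def image_map(tree, known=None):
    """PID -> image name: writers are named by their records, leaves by `known`."""
    images = dict(known or {})
    for parent, children in tree.items():
        images[parent] = children[0][1]
    return images


def find_roots(tree):
    """PIDs that write to others but are never written to: the chain's origin(s)."""
    children = {c for kids in tree.values() for c, _ in kids}
    return [p for p in tree if p not in children]


def render(tree, root, images, depth=0):
    """Indented text tree, one line per process, children in logged order."""
    lines = [f"{'  ' * depth}{root} {images.get(root, '?')}"]
    for child, _ in tree.get(root, []):
        lines.extend(render(tree, child, images, depth + 1))
    return lines


if __name__ == "__main__":
    tree = parse_records(RECORDS)
    images = image_map(tree, KNOWN_IMAGES)
    for root in find_roots(tree):
        print("\n".join(render(tree, root, images)))
```

With the full 51 records the same code yields the complete tree; the only root is the first cmd.exe (PID 1656), and every process that is later flagged for Defender tampering or persistence descends from PID 3056, the `cmd.exe /K IndependenciesInstallation.bat` shell.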
Processes (indentation shows depth in the process tree; the report's PID follows each image)

C:\Windows\system32\cmd.exe  [PID 1656]
  command: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Start.bat"
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\cmd.exe  [PID 3056]
    command: C:\Windows\system32\cmd.exe /K IndependenciesInstallation.bat
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\timeout.exe  [PID 3336]
      command: timeout /t 5
      - Delays execution with timeout.exe
    C:\Windows\system32\timeout.exe  [PID 2228]
      command: timeout /t 1
      - Delays execution with timeout.exe
    C:\Windows\system32\timeout.exe  [PID 5084]
      command: timeout /t 3
      - Delays execution with timeout.exe
    C:\Windows\System32\WScript.exe  [PID 3584]
      command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\msgbox.vbs"
    C:\Windows\system32\timeout.exe  [PID 4616]
      command: timeout /t 4
      - Delays execution with timeout.exe
    C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\C11Setup.exe  [PID 764]
      command: C11Setup.exe
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
    C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\GuiLoader.exe  [PID 3080]
      command: GuiLoader.exe
      - Drops file in Drivers directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\System32\Wbem\wmic.exe  [PID 3852]
        command: "wmic.exe" csproduct get uuid
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SYSTEM32\attrib.exe  [PID 4344]
        command: "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\GuiLoader.exe"
        - Views/modifies file attributes
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  [PID 540]
        command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\GuiLoader.exe'
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  [PID 1044]
        command: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        - Suspicious use of AdjustPrivilegeToken
        Note: the binary invoked is Windows PowerShell 5.1 (WindowsPowerShell\v1.0), where "&&" is not a valid statement separator. The whole command string fails at parse time, so neither Set-MpPreference call runs. The exclusion added by PID 540 is the only Defender change in this chain that can take effect; do not assume real-time protection was turned off on the basis of this line alone.
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  [PID 4040]
        command: "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  [PID 2552]
        command: "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        - Suspicious use of AdjustPrivilegeToken
        Note: "HKLN:" is reproduced as the sample ran it; it is not a PowerShell registry drive, so this read errors out and only the HKCU: read above can return the Roblox session cookie.
      C:\Windows\System32\Wbem\wmic.exe  [PID 3164]
        command: "wmic.exe" os get Caption
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\System32\Wbem\wmic.exe  [PID 3392]
        command: "wmic.exe" computersystem get totalphysicalmemory
      C:\Windows\System32\Wbem\wmic.exe  [PID 492]
        command: "wmic.exe" csproduct get uuid
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  [PID 1536]
        command: "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      C:\Windows\System32\Wbem\wmic.exe  [PID 2272]
        command: "wmic" path win32_VideoController get name
        - Detects videocard installed
      C:\Windows\SYSTEM32\cmd.exe  [PID 712]
        command: "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\GuiLoader.exe" && pause
        - Suspicious use of WriteProcessMemory
        (ping-then-del self-deletion of GuiLoader.exe; the file was hidden by attrib +h +s earlier, hence del /A h)
        C:\Windows\system32\PING.EXE  [PID 4996]
          command: ping localhost
          - Runs ping.exe
    C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\PageEditor.exe  [PID 2100]
      command: PageEditor.exe
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\C11Setup.exe  [PID 1980]
        command: "C:\Users\Admin\AppData\Local\Temp\C11Setup.exe"
        (a copy at a different path from the Properties\C11Setup.exe run as PID 764; the report flags this one as a dropped EXE)
        - Drops startup file
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\netsh.exe  [PID 1508]
          command: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\C11Setup.exe" "C11Setup.exe" ENABLE
          - Modifies Windows Firewall
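The command lines in the tree above are exactly the kind of process-creation telemetry (Sysmon event 1, EDR process events) a SOC would match rules against. The block below is an added example, not part of the report: EVENTS holds (pid, image, command line) triples copied from the process list, while the rule names, severities and regular expressions are this example's own assumptions, written to catch what the report flags: Defender tampering through Set-MpPreference and Add-MpPreference, the netsh firewall allowance, ping-then-del self-deletion, attrib +h +s, the .ROBLOSECURITY registry read and WMIC hardware fingerprinting. Rules fire on the command as launched, not on whether it succeeded, which is the right choice for detection even though the Set-MpPreference line fails to parse in Windows PowerShell 5.1. Run-key and Startup-folder writes come from registry and file telemetry, so no command-line rule covers them.

```python
"""Command-line detection pass over the process tree of the report.

Added example, not part of the sandbox report.  EVENTS is copied from the
report's process list; RULES (names, severities, regexes) are assumptions of
this example, not signatures from the sandbox.
"""
import re
from collections import Counter

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
PROPS = TEMP + r"\C11Bootstrapper\Properties"

# (pid, image, command line) as recorded in the report's process list.
EVENTS = [
    (1656, "cmd.exe", f'C:\\Windows\\system32\\cmd.exe /c "{TEMP}\\C11Bootstrapper\\Start.bat"'),
    (3336, "timeout.exe", "timeout /t 5"),
    (3852, "wmic.exe", '"wmic.exe" csproduct get uuid'),
    (4344, "attrib.exe", f'"attrib.exe" +h +s "{PROPS}\\GuiLoader.exe"'),
    (540, "powershell.exe",
     f"\"powershell.exe\" Add-MpPreference -ExclusionPath '{PROPS}\\GuiLoader.exe'"),
    (1044, "powershell.exe",
     '"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true '
     '-DisableIOAVProtection $true -DisableRealtimeMonitoring $true '
     '-DisableScriptScanning $true -EnableControlledFolderAccess Disabled '
     '-EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled '
     '-SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2'),
    (4040, "powershell.exe",
     '"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\\Roblox\\RobloxStudioBrowser\\roblox.com -Name .ROBLOSECURITY'),
    (2272, "wmic.exe", '"wmic" path win32_VideoController get name'),
    (712, "cmd.exe", f'"cmd.exe" /c ping localhost && del /F /A h "{PROPS}\\GuiLoader.exe" && pause'),
    (1508, "netsh.exe", f'netsh firewall add allowedprogram "{TEMP}\\C11Setup.exe" "C11Setup.exe" ENABLE'),
]

# (rule name, severity, pattern); matched case-insensitively against the command line.
RULES = [
    ("defender_disabled", "high",
     r"set-mppreference.*(-disable\w+\s+\$true|-mapsreporting\s+disabled|-submitsamplesconsent\s+neversend)"),
    ("defender_exclusion_added", "high",
     r"add-mppreference\s+-exclusion(path|process|extension)"),
    ("firewall_allow_rule", "medium",
     r"netsh\s+(firewall\s+add\s+allowedprogram|advfirewall\s+firewall\s+add\s+rule.*action=allow)"),
    ("self_delete_ping_del", "medium", r"\bping\b.*&&\s*del\b"),
    ("hidden_system_attribute", "low", r"\battrib\b.*\+[hs]\b"),
    ("roblox_cookie_read", "high", r"\.roblosecurity\b"),
    ("hardware_fingerprint", "low",
     r"\bwmic\b.*(csproduct\s+get\s+uuid|win32_videocontroller|totalphysicalmemory|os\s+get\s+caption)"),
]
COMPILED = [(name, sev, re.compile(pat, re.IGNORECASE)) for name, sev, pat in RULES]


def scan(events):
    """Return one finding dict per (event, matching rule) pair."""
    findings = []
    for pid, image, cmdline in events:
        for name, sev, rx in COMPILED:
            if rx.search(cmdline):
                findings.append({"pid": pid, "image": image, "rule": name, "severity": sev})
    return findings


def summarize(findings):
    """Count findings per severity."""
    return Counter(f["severity"] for f in findings)


if __name__ == "__main__":
    hits = scan(EVENTS)
    for h in sorted(hits, key=lambda f: f["pid"]):
        print(f"{h['severity']:6} pid={h['pid']:<5} {h['image']:<15} {h['rule']}")
    print(dict(summarize(hits)))
```

On the report's command lines this flags eight events: three high (the Defender disable attempt, the Defender exclusion, the Roblox cookie read), two medium (firewall allowance, self-deletion) and three low (attrib, two WMIC fingerprinting calls), while the Start.bat launcher and the timeout delays stay silent. In production the low-severity hardware_fingerprint rule is best used as context for the higher ones rather than as an alert on its own, since WMIC inventory queries are common in legitimate tooling.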
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
  Create or Modify System Process: Windows Service (1)
Privilege Escalation
  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
  Create or Modify System Process: Windows Service (1)
Downloads (dropped files; the report extract gives hashes and sizes only, no file names)

Filesize: 2KB
MD5: 627073ee3ca9676911bee35548eff2b8
SHA1: 4c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA256: 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA512: 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Filesize: 1KB
MD5: 53a9a623b43fc4a86029d5513c06204e
SHA1: cdd289c28325f087821786ad678f2c6979aae9d0
SHA256: 423344c2f239f8e4ea04fa18441233fb06dd7a20e4d6627ff108bb8ba224e2e4
SHA512: 5047f950a9da39df99972c5a153ad97709a65b5d8073f25039c81bd3ad8ea772ca0fbc15433f502f80413dee7473057ab6a77e47e0bb699f4fb122c90a2feacf

Filesize: 944B
MD5: 1a9fa92a4f2e2ec9e244d43a6a4f8fb9
SHA1: 9910190edfaccece1dfcc1d92e357772f5dae8f7
SHA256: 0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888
SHA512: 5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Filesize: 948B
MD5: 45741c307af2576c6437c5fdb24ef9ce
SHA1: a6ba7a7705db14ac29a18a98dd7deb4cc759c3bf
SHA256: 7887859f7179e194ff9b78f8d8fa3830790110a01597f21ff48c84cd935e49d2
SHA512: 39fdc5931563cbf826e8b643b5f0dcdf45bb6f95a8eeb460499257ca41b3dbee4c692eaacc3fd33bddf4b6ff0c828981ed7e9cd080007bbb9f0b28e7d0d66941

Filesize: 1KB
MD5: cd5b2555a0e703bc746e242654a09c2f
SHA1: 4021bfba22c0fce16709bfa6140d11272b7bd8b4
SHA256: 73679042b477828c6c8400590ca1434f5f6b7379aede1442f80bb9ede3bc7811
SHA512: 404a94bbc1cbcf98dba90160ab65a8acc5a1660d801bf7425ab1fe641599bda1b6494d4d6b65c6584e4ca6c1dea4b1acfde88e4a6d216194dca3b6ae6ca605f1

Filesize: 31KB
MD5: 562ecb03ac667bc785b4a9ecc3930e00
SHA1: 7aabba8964d3682dfc29342b57dcf5ec5a4175f9
SHA256: a8ae08cf54ebef47f9c19167ea989cfc6fa4536124d53bd79cd8a19063c98c0b
SHA512: 566f622b4a623c49cf9945e2f0b42dd07678084b7fb78d1f81b8e5190c7f68298ff0e6bd2cac5a0c745c3614ecf7370161370910c228eea410ebacc2afe57cf5

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82