Analysis

max time kernel: 1793s
max time network: 1803s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-06-2024 16:03
Behavioral task

behavioral1
Sample: C37boot/C37Bootstrapper.exe
Resource: win10v2004-20240226-en (windows10-2004-x64)
4 signatures, 1800 seconds
General

Target: C37boot/C37Bootstrapper.exe
Size: 405KB
MD5: c8294556e29920bfcc619529da141096
SHA1: 7dad1b482c1d3baeade911400027e615e2ea52ff
SHA256: 26deb9a0264cccfdef387610235e9e9032144c8e73561c3d0007c248a6c84dc3
SHA512: 1ac29a6ecdf761d85d3b1b64910f7edd865238d1d6b159532efb8260fa9af35c7db06892359ba9efe7bd571ec2bd259a0621721666fd5b085e92f68848f63af6
SSDEEP: 6144:nloZM+rIkd8g+EtXHkv/iD4w85EFzQEb3CzFQMpFlb8e1mBiEqkRH:loZtL+EP8w85EFzQEb3CzFQMpfvEJ
Malware Config
Signatures

Detect Umbral payload (1 IoC)
Processes:
  resource: behavioral1/memory/4964-1-0x00000122FD960000-0x00000122FD9CC000-memory.dmp
  yara_rule: family_umbral

Suspicious use of AdjustPrivilegeToken (44 IoCs)
Processes: C37Bootstrapper.exe, wmic.exe, svchost.exe
  description                          pid   process
  Token: SeDebugPrivilege              4964  C37Bootstrapper.exe
  Token: SeIncreaseQuotaPrivilege      1264  wmic.exe
  Token: SeSecurityPrivilege           1264  wmic.exe
  Token: SeTakeOwnershipPrivilege      1264  wmic.exe
  Token: SeLoadDriverPrivilege         1264  wmic.exe
  Token: SeSystemProfilePrivilege      1264  wmic.exe
  Token: SeSystemtimePrivilege         1264  wmic.exe
  Token: SeProfSingleProcessPrivilege  1264  wmic.exe
  Token: SeIncBasePriorityPrivilege    1264  wmic.exe
  Token: SeCreatePagefilePrivilege     1264  wmic.exe
  Token: SeBackupPrivilege             1264  wmic.exe
  Token: SeRestorePrivilege            1264  wmic.exe
  Token: SeShutdownPrivilege           1264  wmic.exe
  Token: SeDebugPrivilege              1264  wmic.exe
  Token: SeSystemEnvironmentPrivilege  1264  wmic.exe
  Token: SeRemoteShutdownPrivilege     1264  wmic.exe
  Token: SeUndockPrivilege             1264  wmic.exe
  Token: SeManageVolumePrivilege       1264  wmic.exe
  Token: 33                            1264  wmic.exe
  Token: 34                            1264  wmic.exe
  Token: 35                            1264  wmic.exe
  Token: 36                            1264  wmic.exe
  Token: SeIncreaseQuotaPrivilege      1264  wmic.exe
  Token: SeSecurityPrivilege           1264  wmic.exe
  Token: SeTakeOwnershipPrivilege      1264  wmic.exe
  Token: SeLoadDriverPrivilege         1264  wmic.exe
  Token: SeSystemProfilePrivilege      1264  wmic.exe
  Token: SeSystemtimePrivilege         1264  wmic.exe
  Token: SeProfSingleProcessPrivilege  1264  wmic.exe
  Token: SeIncBasePriorityPrivilege    1264  wmic.exe
  Token: SeCreatePagefilePrivilege     1264  wmic.exe
  Token: SeBackupPrivilege             1264  wmic.exe
  Token: SeRestorePrivilege            1264  wmic.exe
  Token: SeShutdownPrivilege           1264  wmic.exe
  Token: SeDebugPrivilege              1264  wmic.exe
  Token: SeSystemEnvironmentPrivilege  1264  wmic.exe
  Token: SeRemoteShutdownPrivilege     1264  wmic.exe
  Token: SeUndockPrivilege             1264  wmic.exe
  Token: SeManageVolumePrivilege       1264  wmic.exe
  Token: 33                            1264  wmic.exe
  Token: 34                            1264  wmic.exe
  Token: 35                            1264  wmic.exe
  Token: 36                            1264  wmic.exe
  Token: SeManageVolumePrivilege       1292  svchost.exe

Suspicious use of WriteProcessMemory (2 IoCs)
Processes: C37Bootstrapper.exe
  description                          pid   process              target process
  PID 4964 wrote to memory of 1264     4964  C37Bootstrapper.exe  wmic.exe
  PID 4964 wrote to memory of 1264     4964  C37Bootstrapper.exe  wmic.exe
Processes

C:\Users\Admin\AppData\Local\Temp\C37boot\C37Bootstrapper.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\C37boot\C37Bootstrapper.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\System32\Wbem\wmic.exe
      command line: "wmic.exe" csproduct get uuid
      - Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4140 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3608 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8

C:\Windows\system32\rundll32.exe
  command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe

C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe -k UnistackSvcGroup
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
memory/1292-5-0x00000184C6090000-0x00000184C60A0000-memory.dmp (Filesize: 64KB)
memory/1292-21-0x00000184C6190000-0x00000184C61A0000-memory.dmp (Filesize: 64KB)
memory/1292-37-0x00000184CE500000-0x00000184CE501000-memory.dmp (Filesize: 4KB)
memory/1292-39-0x00000184CE530000-0x00000184CE531000-memory.dmp (Filesize: 4KB)
memory/1292-40-0x00000184CE530000-0x00000184CE531000-memory.dmp (Filesize: 4KB)
memory/1292-41-0x00000184CE640000-0x00000184CE641000-memory.dmp (Filesize: 4KB)
memory/4964-0-0x00007FF8A2363000-0x00007FF8A2365000-memory.dmp (Filesize: 8KB)
memory/4964-1-0x00000122FD960000-0x00000122FD9CC000-memory.dmp (Filesize: 432KB)
memory/4964-2-0x00007FF8A2360000-0x00007FF8A2E21000-memory.dmp (Filesize: 10.8MB)
memory/4964-4-0x00007FF8A2360000-0x00007FF8A2E21000-memory.dmp (Filesize: 10.8MB)