Analysis
max time kernel: 456s
max time network: 1176s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-06-2024 16:14
Behavioral task: behavioral1
Sample: C37boot/C37Bootstrapper.exe
Resource: win10v2004-20240426-en
General
Target: C37boot/C37Bootstrapper.exe
Size: 405KB
MD5: c8294556e29920bfcc619529da141096
SHA1: 7dad1b482c1d3baeade911400027e615e2ea52ff
SHA256: 26deb9a0264cccfdef387610235e9e9032144c8e73561c3d0007c248a6c84dc3
SHA512: 1ac29a6ecdf761d85d3b1b64910f7edd865238d1d6b159532efb8260fa9af35c7db06892359ba9efe7bd571ec2bd259a0621721666fd5b085e92f68848f63af6
SSDEEP: 6144:nloZM+rIkd8g+EtXHkv/iD4w85EFzQEb3CzFQMpFlb8e1mBiEqkRH:loZtL+EP8w85EFzQEb3CzFQMpfvEJ
Malware Config
Signatures
Detect Umbral payload 1 IoCs
resource: behavioral1/memory/1660-0-0x000001558D210000-0x000001558D27C000-memory.dmp
yara_rule: family_umbral
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths or processes.
pid: 4856  Process: powershell.exe
Drops file in Drivers directory 1 IoCs
description: File opened for modification  ioc: C:\Windows\System32\drivers\etc\hosts  Process: C37Bootstrapper.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow 23  ioc: discord.com
flow 24  ioc: discord.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow 5  ioc: ip-api.com
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine the videocard installed.
pid: 2632  Process: wmic.exe
Runs ping.exe 1 TTPs 1 IoCs
pid: 2024  Process: PING.EXE
Suspicious behavior: EnumeratesProcesses 11 IoCs
pid | Process
1660 | C37Bootstrapper.exe
4856 | powershell.exe (listed twice)
2368 | powershell.exe (listed twice)
4352 | powershell.exe (listed twice)
2192 | powershell.exe (listed twice)
3416 | powershell.exe (listed twice)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Tokens grouped by process (description: Token, then pid and Process):
pid 1660 C37Bootstrapper.exe: SeDebugPrivilege
pid 3696 wmic.exe (the same sequence is listed twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
pid 4856 powershell.exe: SeDebugPrivilege
pid 2368 powershell.exe: SeDebugPrivilege
pid 4352 powershell.exe: SeDebugPrivilege
pid 2192 powershell.exe: SeDebugPrivilege
pid 4268 wmic.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege
Suspicious use of WriteProcessMemory 26 IoCs
description | pid | Process | procid_target (each entry appears twice in the report, 26 in total)
PID 1660 wrote to memory of 3696 | 1660 | C37Bootstrapper.exe | 83
PID 1660 wrote to memory of 2608 | 1660 | C37Bootstrapper.exe | 88
PID 1660 wrote to memory of 4856 | 1660 | C37Bootstrapper.exe | 90
PID 1660 wrote to memory of 2368 | 1660 | C37Bootstrapper.exe | 92
PID 1660 wrote to memory of 4352 | 1660 | C37Bootstrapper.exe | 94
PID 1660 wrote to memory of 2192 | 1660 | C37Bootstrapper.exe | 96
PID 1660 wrote to memory of 4268 | 1660 | C37Bootstrapper.exe | 100
PID 1660 wrote to memory of 1068 | 1660 | C37Bootstrapper.exe | 102
PID 1660 wrote to memory of 4048 | 1660 | C37Bootstrapper.exe | 104
PID 1660 wrote to memory of 3416 | 1660 | C37Bootstrapper.exe | 106
PID 1660 wrote to memory of 2632 | 1660 | C37Bootstrapper.exe | 108
PID 1660 wrote to memory of 3516 | 1660 | C37Bootstrapper.exe | 111
PID 3516 wrote to memory of 2024 | 3516 | cmd.exe | 113
Views/modifies file attributes 1 TTPs 1 IoCs
pid: 2608  Process: attrib.exe
Processes
-
Process tree (indentation shows parent/child depth; the quoted text is the recorded command line):

C:\Users\Admin\AppData\Local\Temp\C37boot\C37Bootstrapper.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\C37boot\C37Bootstrapper.exe"
    - Drops file in Drivers directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1660

    C:\Windows\System32\Wbem\wmic.exe
        command line: "wmic.exe" csproduct get uuid
        - Suspicious use of AdjustPrivilegeToken
        PID: 3696

    C:\Windows\SYSTEM32\attrib.exe
        command line: "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\C37boot\C37Bootstrapper.exe"
        - Views/modifies file attributes
        PID: 2608

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command line: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\C37boot\C37Bootstrapper.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 4856

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command line: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 2368

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command line: "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 4352

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command line: "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 2192

    C:\Windows\System32\Wbem\wmic.exe
        command line: "wmic.exe" os get Caption
        - Suspicious use of AdjustPrivilegeToken
        PID: 4268

    C:\Windows\System32\Wbem\wmic.exe
        command line: "wmic.exe" computersystem get totalphysicalmemory
        PID: 1068

    C:\Windows\System32\Wbem\wmic.exe
        command line: "wmic.exe" csproduct get uuid
        PID: 4048

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command line: "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        - Suspicious behavior: EnumeratesProcesses
        PID: 3416

    C:\Windows\System32\Wbem\wmic.exe
        command line: "wmic" path win32_VideoController get name
        - Detects videocard installed
        PID: 2632

    C:\Windows\SYSTEM32\cmd.exe
        command line: "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\C37boot\C37Bootstrapper.exe" && pause
        - Suspicious use of WriteProcessMemory
        PID: 3516

        C:\Windows\system32\PING.EXE
            command line: ping localhost
            - Runs ping.exe
            PID: 2024
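The process tree above is the whole chain in command lines: a Defender exclusion plus Set-MpPreference switching protections off, a .ROBLOSECURITY session-cookie read from the registry, WMIC host fingerprinting, attrib +h +s on the dropper and a ping && del self-delete. As an added example (not part of this report and not code from the sample), the Python below turns those observations into process-creation rules and runs them over events constructed from the report's process tree. The event field names (Image, ParentImage, CommandLine, TargetFilename) mirror Sysmon event IDs 1 and 11 and are an assumption about the telemetry source; the hosts-file event is constructed from the "Drops file in Drivers directory" signature rather than from a real log.

```python
"""Command-line rules for the behaviours in this report's process tree.

Added example, not code from the sandbox report or from the sample.
Event fields mirror Sysmon EventID 1 (process create) and 11 (file
create); that mapping is an assumption about the telemetry source.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str                    # "process" or "file"
    image: str                   # full path of the acting process
    parent_image: str = ""       # full path of the parent (process events)
    command_line: str = ""
    target_filename: str = ""    # file events only


# Set-MpPreference turning a protection off, or silencing cloud reporting.
MP_DISABLE = re.compile(
    r"Set-MpPreference\b.*?(-Disable\w+\s+\$true|-MAPSReporting\s+Disabled"
    r"|-SubmitSamplesConsent\s+(NeverSend|2)\b)", re.I)
# Add-MpPreference adding any kind of Defender exclusion.
MP_EXCLUDE = re.compile(r"Add-MpPreference\b.*?-Exclusion(Path|Process|Extension)\b", re.I)
# The four WMIC queries the report shows being used for host fingerprinting.
WMIC_RECON = re.compile(
    r"\b(csproduct\s+get\s+uuid|os\s+get\s+caption"
    r"|computersystem\s+get\s+totalphysicalmemory|win32_videocontroller\s+get\s+name)\b", re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(ev: Event) -> list:
    """Return the rule names that fire for one event."""
    hits = []
    if ev.kind == "file":
        if ev.target_filename.lower().endswith("\\drivers\\etc\\hosts"):
            hits.append("hosts_file_modification")
        return hits
    img, cmd = basename(ev.image), ev.command_line
    if img == "powershell.exe":
        if MP_EXCLUDE.search(cmd):
            hits.append("defender_exclusion_added")
        if MP_DISABLE.search(cmd):
            hits.append("defender_protection_disabled")
        if ".ROBLOSECURITY" in cmd:
            hits.append("roblox_session_cookie_access")
    elif img == "wmic.exe" and WMIC_RECON.search(cmd):
        hits.append("wmic_host_fingerprinting")
    # A child whose command line names its own parent's binary: the parent is
    # hiding itself (attrib +h +s) or arranging its own deletion (ping && del).
    if ev.parent_image and ev.parent_image.lower() in cmd.lower():
        if img == "attrib.exe" and re.search(r"\+h\b.*\+s\b|\+s\b.*\+h\b", cmd, re.I):
            hits.append("self_hide_attrib")
        if img == "cmd.exe" and "ping" in cmd.lower() and re.search(r"\bdel\b.*?/F\b", cmd, re.I):
            hits.append("self_delete_ping_del")
    return hits


def scan(events) -> dict:
    """Map each rule that fired to the PIDs it fired on, in event order."""
    findings = {}
    for pid, ev in events:
        for rule in detect(ev):
            findings.setdefault(rule, []).append(pid)
    return findings


# Events constructed from the report's process tree (PIDs and command lines as
# listed there). The hosts-file event stands in for the drivers-directory
# signature, which the report attributes to PID 1660.
BOOT = r"C:\Users\Admin\AppData\Local\Temp\C37boot\C37Bootstrapper.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WMIC = r"C:\Windows\System32\Wbem\wmic.exe"
SAMPLE_EVENTS = [
    (1660, Event("file", BOOT, target_filename=r"C:\Windows\System32\drivers\etc\hosts")),
    (3696, Event("process", WMIC, BOOT, '"wmic.exe" csproduct get uuid')),
    (2608, Event("process", r"C:\Windows\SYSTEM32\attrib.exe", BOOT, f'"attrib.exe" +h +s "{BOOT}"')),
    (4856, Event("process", PS, BOOT, f'"powershell.exe" Add-MpPreference -ExclusionPath \'{BOOT}\'')),
    (2368, Event("process", PS, BOOT, '"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true '
                 '-DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true '
                 '-EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force '
                 '-MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2')),
    (4352, Event("process", PS, BOOT, '"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\\Roblox\\RobloxStudioBrowser\\roblox.com -Name .ROBLOSECURITY')),
    (2192, Event("process", PS, BOOT, '"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\\Roblox\\RobloxStudioBrowser\\roblox.com -Name .ROBLOSECURITY')),
    (4268, Event("process", WMIC, BOOT, '"wmic.exe" os get Caption')),
    (1068, Event("process", WMIC, BOOT, '"wmic.exe" computersystem get totalphysicalmemory')),
    (4048, Event("process", WMIC, BOOT, '"wmic.exe" csproduct get uuid')),
    (2632, Event("process", WMIC, BOOT, '"wmic" path win32_VideoController get name')),
    (3516, Event("process", r"C:\Windows\SYSTEM32\cmd.exe", BOOT, f'"cmd.exe" /c ping localhost && del /F /A h "{BOOT}" && pause')),
]

if __name__ == "__main__":
    for rule, pids in scan(SAMPLE_EVENTS).items():
        print(f"{rule:32s} pids={pids}")
```

The self-hide and self-delete rules key on the parent's own image path appearing in the child's command line, which is what separates this chain from an administrator running attrib or del by hand; the Defender rules only match Add-MpPreference and Set-MpPreference, so a read-only Get-MpPreference audit does not trip them.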
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2KB
MD5: a43e653ffb5ab07940f4bdd9cc8fade4
SHA1: af43d04e3427f111b22dc891c5c7ee8a10ac4123
SHA256: c4c53abb13e99475aebfbe9fec7a8fead81c14c80d9dcc2b81375304f3a683fe
SHA512: 62a97e95e1f19a8d4302847110dae44f469877eed6aa8ea22345c6eb25ee220e7d310fa0b7ec5df42356815421c0af7c46a0f1fee8933cc446641800eda6cd1b

Filesize: 944B
MD5: e017179ec69926b671b38e74dc57c815
SHA1: 133a0d59b796baaa15dd0df7a17565458ff159ee
SHA256: 53f5a2a4fa0f6f0acfaaa4ec479d7efd0625014ffc8660fe642c2a4f822188ee
SHA512: ac305c8798b7fe36c9433f8941308cc017b1a565b04beebbf7925716a1a1dfe1d3854ea4a97891dc31da4fdf5c013dddf67eb587ed588931b2ff44bb1969709b

Filesize: 948B
MD5: 0b8cb2e6dd5794b6a56a4bdbbd430fd7
SHA1: 2b08e348c3489c6a35761af073018e3784c12074
SHA256: bcce0d44e33747e4c39df9afbd0a4e98a47ded0188375e4dfdd94cafbb366e1f
SHA512: 15ce3b588aa80899f69b0313c7e188d886bddbd09783ca732ac33f9ae8e4e017a72b6f98919f581383a4582732575e5faedb0dea87e01cf2b657424945fdf4d2

Filesize: 1KB
MD5: 276798eeb29a49dc6e199768bc9c2e71
SHA1: 5fdc8ccb897ac2df7476fbb07517aca5b7a6205b
SHA256: cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc
SHA512: 0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Filesize: 1KB
MD5: e3162109ea3d725ddc747eaa0ef699cb
SHA1: d9ba745670bb86fd131e30f221080821b637093d
SHA256: 7171ee5d24fc23e988883b912d3dac7b79e7b9fa68005d18c4bf39c4af67a592
SHA512: 968cb5b347c8680738088a4e66a3b9a16d27bfe400866e7905fd00176ed21d7c7dcb0131d209869753a401eaa6c5d9eebea4c1ba9575172b67d446872c063e7d

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82