General
-
Target
C37Bootstrapper.exe
-
Size
407KB
-
Sample
240605-wdz6rsdc9w
-
MD5
2a25b9d935c4fe0a9f85251ecabfd923
-
SHA1
bebbdce90e0ba9eb1cf388f0db17dbb97775e9e2
-
SHA256
b5015182ecaa7561f27090fb7b2aab0decbbffc94606225b12676dc720266498
-
SHA512
08f31d8e8867fcdadb209d28ad3f654b694fe5ec19a289871d758ab75d7759f08c4b8f01c789be22c2e83dafa8ec9e861479003e1e091038074471c701bf9dbf
-
SSDEEP
6144:oloZMLrIkd8g+EtXHkv/iD4I7lXrRiK1AwBzOurZpjb8e1mVi4qkRH:2oZ0L+EP8I7lXrRiK1AwBzOurzr4J
Behavioral task
behavioral1
Sample
C37Bootstrapper.exe
Resource
win10v2004-20240508-en
Malware Config
Extracted
umbral
https://discord.com/api/webhooks/1240608431912648746/0xO8j0CKqDNLBbrrGwB4Di4ZwKK6d-HUusc2YnRBbbd4ysQkmEvxp1Nbx9O5yHNNZk95
Targets
-
-
Target
C37Bootstrapper.exe
-
Size
407KB
-
MD5
2a25b9d935c4fe0a9f85251ecabfd923
-
SHA1
bebbdce90e0ba9eb1cf388f0db17dbb97775e9e2
-
SHA256
b5015182ecaa7561f27090fb7b2aab0decbbffc94606225b12676dc720266498
-
SHA512
08f31d8e8867fcdadb209d28ad3f654b694fe5ec19a289871d758ab75d7759f08c4b8f01c789be22c2e83dafa8ec9e861479003e1e091038074471c701bf9dbf
-
SSDEEP
6144:oloZMLrIkd8g+EtXHkv/iD4I7lXrRiK1AwBzOurZpjb8e1mVi4qkRH:2oZ0L+EP8I7lXrRiK1AwBzOurzr4J
-
Detect Umbral payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Registers COM server for autorun
-
Adds Run key to start application
-
Blocklisted process makes network request
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-