Analysis

  • max time kernel
    458s
  • max time network
    1178s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240426-en
  • resource tags

    arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    05-06-2024 17:49

General

  • Target

    C37Bootstrapper.exe

  • Size

    407KB

  • MD5

    2a25b9d935c4fe0a9f85251ecabfd923

  • SHA1

    bebbdce90e0ba9eb1cf388f0db17dbb97775e9e2

  • SHA256

    b5015182ecaa7561f27090fb7b2aab0decbbffc94606225b12676dc720266498

  • SHA512

    08f31d8e8867fcdadb209d28ad3f654b694fe5ec19a289871d758ab75d7759f08c4b8f01c789be22c2e83dafa8ec9e861479003e1e091038074471c701bf9dbf

  • SSDEEP

    6144:oloZMLrIkd8g+EtXHkv/iD4I7lXrRiK1AwBzOurZpjb8e1mVi4qkRH:2oZ0L+EP8I7lXrRiK1AwBzOurzr4J

Malware Config

Signatures

  • Detect Umbral payload 1 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Drops file in Drivers directory 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\C37Bootstrapper.exe
    "C:\Users\Admin\AppData\Local\Temp\C37Bootstrapper.exe"
    1⤵
    • Drops file in Drivers directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2920
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:752
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\C37Bootstrapper.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4856
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5020
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3760
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:848
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3452
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      2⤵
        PID:1076
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        2⤵
          PID:4180
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4468
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic" path win32_VideoController get name
          2⤵
          • Detects videocard installed
          PID:3256

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

        Filesize

        2KB

        MD5

        627073ee3ca9676911bee35548eff2b8

        SHA1

        4c4b68c65e2cab9864b51167d710aa29ebdcff2e

        SHA256

        85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

        SHA512

        3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        944B

        MD5

        165028802699ec2b8fdaa6920bf4dace

        SHA1

        234d23f5658f9a2ac2f00b5f1311b32e35ea963b

        SHA256

        60c3c9ddbe9a45657e895357e0abdf426655ac2ca3256f378e3ca83cf4a26033

        SHA512

        66f19b8cc7e6752ec18a3a64fce1335ecd19f1bd6f27bd7c60324953753a665217f4bfb20bfe649cf3f02a10b8e61b8b77139e20ecf8f58d79faf143ea301bc8

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        948B

        MD5

        ed6f17e13c0654979a4c7673c20ca8ec

        SHA1

        0295ab73ec0b415f93206f44e8fef38b1d05059a

        SHA256

        66a90f7beaaa14c629fbd53754873b19ed99db9469566c43d0ca810ca48662f1

        SHA512

        1eb7e9be650cf837d74546f24d62263df4b89c985bd208ed52870afd7726f08c9e7412bb5a2dfae2cae01aeec156a2c28d4dc1398b84a5c7fc4035cb84c697d8

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        1KB

        MD5

        7332074ae2b01262736b6fbd9e100dac

        SHA1

        22f992165065107cc9417fa4117240d84414a13c

        SHA256

        baea84fda6c1f13090b8cbd91c920848946f10ce155ef31a1df4cd453ee7e4aa

        SHA512

        4ae6f0e012c31ac1fc2ff4a8877ce2b4667c45b6e651de798318a39a2b6fd39a6f72dffa8b0b89b7a045a27d724d195656faa25a9fec79b22f37ddebb5d22da2

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        1KB

        MD5

        0f42400f857d31971f37d17d20531b73

        SHA1

        059d39da2ff623b88ac80000a9ca28e88dfdd99f

        SHA256

        81f919f78467a290982f500765b3a0aaf78c59f853bc57b91a1214170121bb65

        SHA512

        cb3cdaefe5b93d3adf67c72ac0143505cad3039bda3a608278a19c825cc73bf56011846db2f942f020ac0aeb795929210c71cbb3b57cabce8df85d6f4673610d

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_op4d4kjy.fnk.ps1

        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      • memory/2920-67-0x000001E51B3E0000-0x000001E51B3EA000-memory.dmp

        Filesize

        40KB

      • memory/2920-33-0x000001E51B3C0000-0x000001E51B3DE000-memory.dmp

        Filesize

        120KB

      • memory/2920-85-0x00007FF887AD0000-0x00007FF888592000-memory.dmp

        Filesize

        10.8MB

      • memory/2920-68-0x000001E51B750000-0x000001E51B762000-memory.dmp

        Filesize

        72KB

      • memory/2920-2-0x00007FF887AD0000-0x00007FF888592000-memory.dmp

        Filesize

        10.8MB

      • memory/2920-31-0x000001E51B6D0000-0x000001E51B746000-memory.dmp

        Filesize

        472KB

      • memory/2920-32-0x000001E51B650000-0x000001E51B6A0000-memory.dmp

        Filesize

        320KB

      • memory/2920-0-0x000001E500E90000-0x000001E500EFC000-memory.dmp

        Filesize

        432KB

      • memory/2920-1-0x00007FF887AD3000-0x00007FF887AD5000-memory.dmp

        Filesize

        8KB

      • memory/4856-14-0x00007FF887AD0000-0x00007FF888592000-memory.dmp

        Filesize

        10.8MB

      • memory/4856-12-0x0000027E405B0000-0x0000027E405D2000-memory.dmp

        Filesize

        136KB

      • memory/4856-3-0x00007FF887AD0000-0x00007FF888592000-memory.dmp

        Filesize

        10.8MB

      • memory/4856-13-0x00007FF887AD0000-0x00007FF888592000-memory.dmp

        Filesize

        10.8MB

      • memory/4856-17-0x00007FF887AD0000-0x00007FF888592000-memory.dmp

        Filesize

        10.8MB