Analysis

max time kernel: 458s
max time network: 1178s
platform: windows11-21h2_x64
resource: win11-20240426-en
resource tags: arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 05-06-2024 17:49
Behavioral task: behavioral1
Sample: C37Bootstrapper.exe
Resource: win10v2004-20240508-en
General

Target: C37Bootstrapper.exe
Size: 407KB
MD5: 2a25b9d935c4fe0a9f85251ecabfd923
SHA1: bebbdce90e0ba9eb1cf388f0db17dbb97775e9e2
SHA256: b5015182ecaa7561f27090fb7b2aab0decbbffc94606225b12676dc720266498
SHA512: 08f31d8e8867fcdadb209d28ad3f654b694fe5ec19a289871d758ab75d7759f08c4b8f01c789be22c2e83dafa8ec9e861479003e1e091038074471c701bf9dbf
SSDEEP: 6144:oloZMLrIkd8g+EtXHkv/iD4I7lXrRiK1AwBzOurZpjb8e1mVi4qkRH:2oZ0L+EP8I7lXrRiK1AwBzOurzr4J
Malware Config

Signatures

Detect Umbral payload (1 IoC)
  resource: behavioral2/memory/2920-0-0x000001E500E90000-0x000001E500EFC000-memory.dmp
  yara_rule: family_umbral

Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid / Process: 4856 powershell.exe

Drops file in Drivers directory (1 IoC)
  description: File opened for modification
  ioc: C:\Windows\System32\drivers\etc\hosts
  Process: C37Bootstrapper.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow / ioc: 3 discord.com; 6 discord.com

Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow / ioc: 1 ip-api.com

Detects videocard installed (1 TTP, 1 IoC)
  Uses WMIC.exe to determine videocard installed.
  pid / Process: 3256 wmic.exe

Suspicious behavior: EnumeratesProcesses (11 IoCs)
  pid / Process: 2920 C37Bootstrapper.exe; 4856 powershell.exe (recorded twice); 5020 powershell.exe (recorded twice); 3760 powershell.exe (recorded twice); 848 powershell.exe (recorded twice); 4468 powershell.exe (recorded twice)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token / pid / Process, grouped by process in the order recorded:
  2920 C37Bootstrapper.exe: SeDebugPrivilege
  752 wmic.exe (the following sequence was recorded twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  4856 powershell.exe: SeDebugPrivilege
  5020 powershell.exe: SeDebugPrivilege
  3760 powershell.exe: SeDebugPrivilege
  848 powershell.exe: SeDebugPrivilege
  3452 wmic.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege
Suspicious use of WriteProcessMemory (20 IoCs)
  description / pid / Process / procid_target (each write was recorded twice):
  PID 2920 wrote to memory of 752   2920 C37Bootstrapper.exe   78
  PID 2920 wrote to memory of 4856  2920 C37Bootstrapper.exe   81
  PID 2920 wrote to memory of 5020  2920 C37Bootstrapper.exe   83
  PID 2920 wrote to memory of 3760  2920 C37Bootstrapper.exe   85
  PID 2920 wrote to memory of 848   2920 C37Bootstrapper.exe   87
  PID 2920 wrote to memory of 3452  2920 C37Bootstrapper.exe   89
  PID 2920 wrote to memory of 1076  2920 C37Bootstrapper.exe   91
  PID 2920 wrote to memory of 4180  2920 C37Bootstrapper.exe   93
  PID 2920 wrote to memory of 4468  2920 C37Bootstrapper.exe   95
  PID 2920 wrote to memory of 3256  2920 C37Bootstrapper.exe   97
Processes

C:\Users\Admin\AppData\Local\Temp\C37Bootstrapper.exe  (level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\C37Bootstrapper.exe"
  - Drops file in Drivers directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2920

  C:\Windows\System32\Wbem\wmic.exe  (level 2, child of PID 2920)
    command line: "wmic.exe" csproduct get uuid
    - Suspicious use of AdjustPrivilegeToken
    PID: 752

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (level 2, child of PID 2920)
    command line: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\C37Bootstrapper.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 4856

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (level 2, child of PID 2920)
    command line: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 5020

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (level 2, child of PID 2920)
    command line: "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 3760

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (level 2, child of PID 2920)
    command line: "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 848

  C:\Windows\System32\Wbem\wmic.exe  (level 2, child of PID 2920)
    command line: "wmic.exe" os get Caption
    - Suspicious use of AdjustPrivilegeToken
    PID: 3452

  C:\Windows\System32\Wbem\wmic.exe  (level 2, child of PID 2920)
    command line: "wmic.exe" computersystem get totalphysicalmemory
    PID: 1076

  C:\Windows\System32\Wbem\wmic.exe  (level 2, child of PID 2920)
    command line: "wmic.exe" csproduct get uuid
    PID: 4180

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (level 2, child of PID 2920)
    command line: "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    - Suspicious behavior: EnumeratesProcesses
    PID: 4468

  C:\Windows\System32\Wbem\wmic.exe  (level 2, child of PID 2920)
    command line: "wmic" path win32_VideoController get name
    - Detects videocard installed
    PID: 3256
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2KB
MD5: 627073ee3ca9676911bee35548eff2b8
SHA1: 4c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA256: 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA512: 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Filesize: 944B
MD5: 165028802699ec2b8fdaa6920bf4dace
SHA1: 234d23f5658f9a2ac2f00b5f1311b32e35ea963b
SHA256: 60c3c9ddbe9a45657e895357e0abdf426655ac2ca3256f378e3ca83cf4a26033
SHA512: 66f19b8cc7e6752ec18a3a64fce1335ecd19f1bd6f27bd7c60324953753a665217f4bfb20bfe649cf3f02a10b8e61b8b77139e20ecf8f58d79faf143ea301bc8

Filesize: 948B
MD5: ed6f17e13c0654979a4c7673c20ca8ec
SHA1: 0295ab73ec0b415f93206f44e8fef38b1d05059a
SHA256: 66a90f7beaaa14c629fbd53754873b19ed99db9469566c43d0ca810ca48662f1
SHA512: 1eb7e9be650cf837d74546f24d62263df4b89c985bd208ed52870afd7726f08c9e7412bb5a2dfae2cae01aeec156a2c28d4dc1398b84a5c7fc4035cb84c697d8

Filesize: 1KB
MD5: 7332074ae2b01262736b6fbd9e100dac
SHA1: 22f992165065107cc9417fa4117240d84414a13c
SHA256: baea84fda6c1f13090b8cbd91c920848946f10ce155ef31a1df4cd453ee7e4aa
SHA512: 4ae6f0e012c31ac1fc2ff4a8877ce2b4667c45b6e651de798318a39a2b6fd39a6f72dffa8b0b89b7a045a27d724d195656faa25a9fec79b22f37ddebb5d22da2

Filesize: 1KB
MD5: 0f42400f857d31971f37d17d20531b73
SHA1: 059d39da2ff623b88ac80000a9ca28e88dfdd99f
SHA256: 81f919f78467a290982f500765b3a0aaf78c59f853bc57b91a1214170121bb65
SHA512: cb3cdaefe5b93d3adf67c72ac0143505cad3039bda3a608278a19c825cc73bf56011846db2f942f020ac0aeb795929210c71cbb3b57cabce8df85d6f4673610d

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82