Analysis
max time kernel: 122s
max time network: 123s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 05-06-2024 17:57
Behavioral task: behavioral1
Sample: C37Bootstrapper.exe
Resource: win7-20240508-en
General
Target: C37Bootstrapper.exe
Size: 407KB
MD5: 2a25b9d935c4fe0a9f85251ecabfd923
SHA1: bebbdce90e0ba9eb1cf388f0db17dbb97775e9e2
SHA256: b5015182ecaa7561f27090fb7b2aab0decbbffc94606225b12676dc720266498
SHA512: 08f31d8e8867fcdadb209d28ad3f654b694fe5ec19a289871d758ab75d7759f08c4b8f01c789be22c2e83dafa8ec9e861479003e1e091038074471c701bf9dbf
SSDEEP: 6144:oloZMLrIkd8g+EtXHkv/iD4I7lXrRiK1AwBzOurZpjb8e1mVi4qkRH:2oZ0L+EP8I7lXrRiK1AwBzOurzr4J
Signatures

Detect Umbral payload (1 IoC)
  resource: behavioral1/memory/2964-1-0x00000000008D0000-0x000000000093C000-memory.dmp
  yara_rule: family_umbral

Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  pid / process: 2808 powershell.exe

Drops file in Drivers directory (1 IoC)
  File opened for modification: C:\Windows\System32\drivers\etc\hosts (process: C37Bootstrapper.exe)

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow 7: discord.com
  flow 8: discord.com

Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 4: ip-api.com

Detects videocard installed (1 TTP, 1 IoC)
  Uses WMIC.exe to determine the installed video card.
  pid / process: 308 wmic.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid / process: 2964 C37Bootstrapper.exe, 2808 powershell.exe, 2812 powershell.exe, 2564 powershell.exe, 2772 powershell.exe, 1036 powershell.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  pid 2964 C37Bootstrapper.exe: SeDebugPrivilege
  pid 2128 wmic.exe (the following sequence of 20 tokens is recorded twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  pid 2808 powershell.exe: SeDebugPrivilege
  pid 2812 powershell.exe: SeDebugPrivilege
  pid 2564 powershell.exe: SeDebugPrivilege
  pid 2772 powershell.exe: SeDebugPrivilege
  pid 3004 wmic.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34

Suspicious use of WriteProcessMemory (30 IoCs)
  Each of the following entries is recorded three times (pid / process / target pid / procid_target):
  PID 2964 C37Bootstrapper.exe wrote to memory of 2128 (procid_target 28)
  PID 2964 C37Bootstrapper.exe wrote to memory of 2808 (procid_target 31)
  PID 2964 C37Bootstrapper.exe wrote to memory of 2812 (procid_target 33)
  PID 2964 C37Bootstrapper.exe wrote to memory of 2564 (procid_target 35)
  PID 2964 C37Bootstrapper.exe wrote to memory of 2772 (procid_target 37)
  PID 2964 C37Bootstrapper.exe wrote to memory of 3004 (procid_target 39)
  PID 2964 C37Bootstrapper.exe wrote to memory of 1828 (procid_target 41)
  PID 2964 C37Bootstrapper.exe wrote to memory of 1032 (procid_target 43)
  PID 2964 C37Bootstrapper.exe wrote to memory of 1036 (procid_target 45)
  PID 2964 C37Bootstrapper.exe wrote to memory of 308 (procid_target 47)
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\C37Bootstrapper.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\C37Bootstrapper.exe"
  - Drops file in Drivers directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2964

  Level 2: C:\Windows\System32\Wbem\wmic.exe
    Command line: "wmic.exe" csproduct get uuid
    - Suspicious use of AdjustPrivilegeToken
    PID: 2128

  Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\C37Bootstrapper.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2808

  Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2812

  Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2564

  Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2772

  Level 2: C:\Windows\System32\Wbem\wmic.exe
    Command line: "wmic.exe" os get Caption
    - Suspicious use of AdjustPrivilegeToken
    PID: 3004

  Level 2: C:\Windows\System32\Wbem\wmic.exe
    Command line: "wmic.exe" computersystem get totalphysicalmemory
    PID: 1828

  Level 2: C:\Windows\System32\Wbem\wmic.exe
    Command line: "wmic.exe" csproduct get uuid
    PID: 1032

  Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    - Suspicious behavior: EnumeratesProcesses
    PID: 1036

  Level 2: C:\Windows\System32\Wbem\wmic.exe
    Command line: "wmic" path win32_VideoController get name
    - Detects videocard installed
    PID: 308
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 75cb4f228666216860330eb87dfbcb93
  SHA1: 4dd851dfae30c7fdceb3e8b31f0f7b2a9f7fc460
  SHA256: bd30845d111b8cc4113e62ed6b60dc667386ef0e63955e56f151bd79315321a3
  SHA512: b1c071f45f29139aabfdae8fa2903e520388e9001a618949dc0bf2ff76be2533072be3adafd58344ed1e332941cf0757debabe8185c494f79a3dd7dfe78b7f7b