Overview
overview
8Static
static
7MatSploit.rar
windows7-x64
3MatSploit.rar
windows10-2004-x64
3BootsTrapperU.exe
windows7-x64
3BootsTrapperU.exe
windows10-2004-x64
8DiscordRPC.dll
windows7-x64
1DiscordRPC.dll
windows10-2004-x64
1ICSharpCod...it.dll
windows7-x64
1ICSharpCod...it.dll
windows10-2004-x64
1ICSharpCod...it.xml
windows7-x64
1ICSharpCod...it.xml
windows10-2004-x64
1MatSploit.exe
windows7-x64
6MatSploit.exe
windows10-2004-x64
8bin/Bootst...on.txt
windows7-x64
1bin/Bootst...on.txt
windows10-2004-x64
1bin/MatSploit.dll
windows7-x64
8bin/MatSploit.dll
windows10-2004-x64
8bin/UIVersion.txt
windows7-x64
1bin/UIVersion.txt
windows10-2004-x64
1bin/Zeus.exe
windows7-x64
1bin/Zeus.exe
windows10-2004-x64
1bin/lua.xml
windows7-x64
1bin/lua.xml
windows10-2004-x64
1bin/rbxfps...er.exe
windows7-x64
1bin/rbxfps...er.exe
windows10-2004-x64
3bin/version.txt
windows7-x64
1bin/version.txt
windows10-2004-x64
1bin/worksp...29.txt
windows7-x64
1bin/worksp...29.txt
windows10-2004-x64
1librarys/d...pc.dll
windows7-x64
3librarys/d...pc.dll
windows10-2004-x64
3scripts/LT2.js
windows7-x64
1scripts/LT2.js
windows10-2004-x64
1Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
23-03-2023 16:41
Behavioral task
behavioral1
Sample
MatSploit.rar
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
MatSploit.rar
Resource
win10v2004-20230221-en
Behavioral task
behavioral3
Sample
BootsTrapperU.exe
Resource
win7-20230220-en
Behavioral task
behavioral4
Sample
BootsTrapperU.exe
Resource
win10v2004-20230220-en
Behavioral task
behavioral5
Sample
DiscordRPC.dll
Resource
win7-20230220-en
Behavioral task
behavioral6
Sample
DiscordRPC.dll
Resource
win10v2004-20230220-en
Behavioral task
behavioral7
Sample
ICSharpCode.AvalonEdit.dll
Resource
win7-20230220-en
Behavioral task
behavioral8
Sample
ICSharpCode.AvalonEdit.dll
Resource
win10v2004-20230221-en
Behavioral task
behavioral9
Sample
ICSharpCode.AvalonEdit.xml
Resource
win7-20230220-en
Behavioral task
behavioral10
Sample
ICSharpCode.AvalonEdit.xml
Resource
win10v2004-20230220-en
Behavioral task
behavioral11
Sample
MatSploit.exe
Resource
win7-20230220-en
Behavioral task
behavioral12
Sample
MatSploit.exe
Resource
win10v2004-20230220-en
Behavioral task
behavioral13
Sample
bin/BootstrapperVersion.txt
Resource
win7-20230220-en
Behavioral task
behavioral14
Sample
bin/BootstrapperVersion.txt
Resource
win10v2004-20230221-en
Behavioral task
behavioral15
Sample
bin/MatSploit.dll
Resource
win7-20230220-en
Behavioral task
behavioral16
Sample
bin/MatSploit.dll
Resource
win10v2004-20230220-en
Behavioral task
behavioral17
Sample
bin/UIVersion.txt
Resource
win7-20230220-en
Behavioral task
behavioral18
Sample
bin/UIVersion.txt
Resource
win10v2004-20230220-en
Behavioral task
behavioral19
Sample
bin/Zeus.exe
Resource
win7-20230220-en
Behavioral task
behavioral20
Sample
bin/Zeus.exe
Resource
win10v2004-20230220-en
Behavioral task
behavioral21
Sample
bin/lua.xml
Resource
win7-20230220-en
Behavioral task
behavioral22
Sample
bin/lua.xml
Resource
win10v2004-20230220-en
Behavioral task
behavioral23
Sample
bin/rbxfpsunlocker.exe
Resource
win7-20230220-en
Behavioral task
behavioral24
Sample
bin/rbxfpsunlocker.exe
Resource
win10v2004-20230221-en
Behavioral task
behavioral25
Sample
bin/version.txt
Resource
win7-20230220-en
Behavioral task
behavioral26
Sample
bin/version.txt
Resource
win10v2004-20230220-en
Behavioral task
behavioral27
Sample
bin/workspace/286090429.txt
Resource
win7-20230220-en
Behavioral task
behavioral28
Sample
bin/workspace/286090429.txt
Resource
win10v2004-20230220-en
Behavioral task
behavioral29
Sample
librarys/discordrpc.dll
Resource
win7-20230220-en
Behavioral task
behavioral30
Sample
librarys/discordrpc.dll
Resource
win10v2004-20230220-en
Behavioral task
behavioral31
Sample
scripts/LT2.js
Resource
win7-20230220-en
Behavioral task
behavioral32
Sample
scripts/LT2.js
Resource
win10v2004-20230220-en
General
-
Target
BootsTrapperU.exe
-
Size
165KB
-
MD5
8b57e3af9a6b863fbe0746db752eba75
-
SHA1
bca3c16f360dc795cb31882c04c9ff0ec4d20511
-
SHA256
ee6e94dcb0f4bb34d487919faee67b4c178daee696d5bc84b229a24c8cad1c6f
-
SHA512
1799155f917d2a47691745c71b9e5dcb5b21e05fd5a7ae3105a6375bf2a5b5fdf944fc773177f670ea051bf0098a5c9685e14dba67c676fb0a5cdb51f46e4add
-
SSDEEP
3072:wxhMfvkWEpAJvlOT/NAWCNsxi8fdMznFHTfgCkPbQN982cUJWVgVK5o6V9207o0+:wxCfvkWEe9hWc8fdMFHrsPbbo742wb3B
Malware Config
Signatures
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
BootsTrapperU.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation BootsTrapperU.exe -
Executes dropped EXE 1 IoCs
Processes:
MatSploit.exepid process 384 MatSploit.exe -
Loads dropped DLL 2 IoCs
Processes:
MatSploit.exepid process 384 MatSploit.exe 384 MatSploit.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
BootsTrapperU.exepid process 2056 BootsTrapperU.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
BootsTrapperU.exedescription pid process Token: SeDebugPrivilege 2056 BootsTrapperU.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
BootsTrapperU.exedescription pid process target process PID 2056 wrote to memory of 384 2056 BootsTrapperU.exe MatSploit.exe PID 2056 wrote to memory of 384 2056 BootsTrapperU.exe MatSploit.exe PID 2056 wrote to memory of 384 2056 BootsTrapperU.exe MatSploit.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\BootsTrapperU.exe"C:\Users\Admin\AppData\Local\Temp\BootsTrapperU.exe"1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Users\Admin\AppData\Local\Temp\MatSploit.exe"C:\Users\Admin\AppData\Local\Temp\MatSploit.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:384
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
604KB
MD585525afb01eafb7cd53e171344de4653
SHA165e4609b6e1d9d0de5568049687edd84fda6d2d3
SHA256b5180b33e6bb8f215d69d91a6fab46e2e633b222095bcfcafba2530beb181eab
SHA5123b30b7b4b32ab72ac0903e2053613bf0cd33c8f54879ca012dee12b319aa598e84329e59fc0edb19ad2b4ba6b6d25c12c88cbb78f655e3e6d6396ce909b10799
-
Filesize
604KB
MD585525afb01eafb7cd53e171344de4653
SHA165e4609b6e1d9d0de5568049687edd84fda6d2d3
SHA256b5180b33e6bb8f215d69d91a6fab46e2e633b222095bcfcafba2530beb181eab
SHA5123b30b7b4b32ab72ac0903e2053613bf0cd33c8f54879ca012dee12b319aa598e84329e59fc0edb19ad2b4ba6b6d25c12c88cbb78f655e3e6d6396ce909b10799
-
Filesize
2.5MB
MD5dcb25045813cf70b014e3b94f61fb1dd
SHA105677911206e6dcde403a6232f1dcb9f77abf959
SHA256366b2611923ce8255940aafc03c3c156f35b6d0dabe4c5b728233ac0d6c51822
SHA51223e14f7b2f45c8dddc64cd6d301b144748ac3599139c0ad518d2f75d648c746d80e02334cdc7b014f3efe09844a4d3809e7f3177e623a89033d8de948c12b2ce
-
Filesize
2.5MB
MD5dcb25045813cf70b014e3b94f61fb1dd
SHA105677911206e6dcde403a6232f1dcb9f77abf959
SHA256366b2611923ce8255940aafc03c3c156f35b6d0dabe4c5b728233ac0d6c51822
SHA51223e14f7b2f45c8dddc64cd6d301b144748ac3599139c0ad518d2f75d648c746d80e02334cdc7b014f3efe09844a4d3809e7f3177e623a89033d8de948c12b2ce