Overview

overview

8

Static

static

3

System99-B...er.exe

windows7-x64

8

System99-B...er.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    151s
  • max time network
    191s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31/12/2023, 12:46

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    System99-Bootstrapper.exe

  • Size

    855KB

  • MD5

    dc6d365686fdefc10972b32f226f79df

  • SHA1

    dc44f556541b307035b3962ddfc5335e1d21f6cb

  • SHA256

    bc1820b92e6e103feaebc3c31d049f30a73bea472f75fee441823035128227a7

  • SHA512

    d1d9aea41949c0ff1f4290f7c55c7dff4c42cbd19d6f0583ee32cb09b481abf94669391e0185515f27deaa46ebe7c1cbacfca2bebf3f1b0133254f92c40271b9

  • SSDEEP

    12288:xTL/hRu+71W3Bad9PlePNfdPcC/buH5qRQvTAaIUfLrjpeMQOTh:pL/hRu+71WkdRlqpdr/6FMUfLrjsgh

Score
8/10

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • cURL User-Agent 1 IoCs

    Uses User-Agent string associated with cURL utility.

Processes

  • C:\Users\Admin\AppData\Local\Temp\System99-Bootstrapper.exe
    "C:\Users\Admin\AppData\Local\Temp\System99-Bootstrapper.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:2976
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /create /tn "Win64ub" /tr Win64ub.exe /sc onstart /ru system /F
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4564
      • C:\Windows\system32\schtasks.exe
        schtasks /create /tn "Win64ub" /tr Win64ub.exe /sc onstart /ru system /F
        3⤵
        • Creates scheduled task(s)
        PID:3280
    • C:\Windows\System32\Win64u.exe
      "C:\Windows\System32\Win64u.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2364

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Windows\System32\Win64u.exe
          Filesize

          278KB

          MD5

          44d13d4b7b2f6a26e7812e099072dbfa

          SHA1

          c9a21cdf0d7d392d579c61ee33cb9e68abe90591

          SHA256

          160831ba186338229a94f19f9ca96e9a4b42dcdb5c37d4777172d1a4b8b8b5a4

          SHA512

          684c145344aa8aaed204d2712100ddbc9b40abebaa4796e1c45b8b5fdc7f2ddae71b1d762316b4814685effe258aa2033404d5a7e1e886eaec1db83bf0486527

          Download Submit

        • memory/2364-6-0x0000006BDBAE0000-0x0000006BDBBE0000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/2364-9-0x0000006BDBAE0000-0x0000006BDBBE0000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/2364-10-0x0000006BDBAE0000-0x0000006BDBBE0000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/2364-11-0x0000006BDBAE0000-0x0000006BDBBE0000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/2364-12-0x0000006BDBAE0000-0x0000006BDBBE0000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/2364-13-0x0000006BDBAE0000-0x0000006BDBBE0000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/2364-14-0x0000006BDBAE0000-0x0000006BDBBE0000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/2364-15-0x0000006BDBAE0000-0x0000006BDBBE0000-memory.dmp

          Filesize

          1024KB

          Download