365d072ac4ef47f8774f4d2094108035e2291a0073702db25fa7797a30861fc9

Analysis

max time kernel
98s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
18/02/2024, 15:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rustup-init.exe
Size

8.2MB
MD5

b41bba88051691d3038e7c7cad44cd48
SHA1

ffd0dba9a1901022e0c73001a024186076a60fa4
SHA256

365d072ac4ef47f8774f4d2094108035e2291a0073702db25fa7797a30861fc9
SHA512

a8c62860e89af6127254aa9901e5cf970bb29a31430e5030a07a37805a88c8eee18f6c28bda5f872cc06743b3000c78778429da2e844075df71a5424b8b66cbc
SSDEEP

98304:QKuggmFI9hZTJE49bt/9l9w7R1l4B21tg2+QHVh:JhIzo4Rl9w7Ll20/p

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	vs_setup.exe

Executes dropped EXE 2 IoCs

pid	Process
5112	vs_setup.exe
1936	vs_setup_bootstrapper.exe

Loads dropped DLL 21 IoCs

pid	Process
1936	vs_setup_bootstrapper.exe
1936	vs_setup_bootstrapper.exe
1936	vs_setup_bootstrapper.exe
1936	vs_setup_bootstrapper.exe
1936	vs_setup_bootstrapper.exe
1936	vs_setup_bootstrapper.exe
1936	vs_setup_bootstrapper.exe
1936	vs_setup_bootstrapper.exe
1936	vs_setup_bootstrapper.exe
1936	vs_setup_bootstrapper.exe
1936	vs_setup_bootstrapper.exe
1936	vs_setup_bootstrapper.exe
1936	vs_setup_bootstrapper.exe
1936	vs_setup_bootstrapper.exe
1936	vs_setup_bootstrapper.exe
1936	vs_setup_bootstrapper.exe
1936	vs_setup_bootstrapper.exe
1936	vs_setup_bootstrapper.exe
1936	vs_setup_bootstrapper.exe
1936	vs_setup_bootstrapper.exe
1936	vs_setup_bootstrapper.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	vs_setup_bootstrapper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	vs_setup_bootstrapper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	vs_setup_bootstrapper.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1936	vs_setup_bootstrapper.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1540 wrote to memory of 5112	1540	rustup-init.exe	93
PID 1540 wrote to memory of 5112	1540	rustup-init.exe	93
PID 1540 wrote to memory of 5112	1540	rustup-init.exe	93
PID 5112 wrote to memory of 1936	5112	vs_setup.exe	94
PID 5112 wrote to memory of 1936	5112	vs_setup.exe	94
PID 5112 wrote to memory of 1936	5112	vs_setup.exe	94
PID 1936 wrote to memory of 2176	1936	vs_setup_bootstrapper.exe	95
PID 1936 wrote to memory of 2176	1936	vs_setup_bootstrapper.exe	95
PID 1936 wrote to memory of 2176	1936	vs_setup_bootstrapper.exe	95

C:\Users\Admin\AppData\Local\Temp\rustup-init.exe
"C:\Users\Admin\AppData\Local\Temp\rustup-init.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1540
- C:\Users\Admin\AppData\Local\Temp\rustup-visualstudioBTIr44\vs_setup.exe
  "C:\Users\Admin\AppData\Local\Temp\rustup-visualstudioBTIr44\vs_setup.exe" --wait --focusedUi --addProductLang En-us --add Microsoft.VisualStudio.Component.VC.Tools.x86.x64 --add Microsoft.VisualStudio.Component.Windows11SDK.22000
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5112
- - C:\Users\Admin\AppData\Local\Temp\a33dcf84d4b31bfc1d9e1162\vs_bootstrapper_d15\vs_setup_bootstrapper.exe
    "C:\Users\Admin\AppData\Local\Temp\a33dcf84d4b31bfc1d9e1162\vs_bootstrapper_d15\vs_setup_bootstrapper.exe" --wait --focusedUi --addProductLang En-us --add Microsoft.VisualStudio.Component.VC.Tools.x86.x64 --add Microsoft.VisualStudio.Component.Windows11SDK.22000 --env "_SFX_CAB_EXE_PACKAGE:C:\Users\Admin\AppData\Local\Temp\rustup-visualstudioBTIr44\vs_setup.exe _SFX_CAB_EXE_ORIGINALWORKINGDIR:C:\Users\Admin\AppData\Local\Temp"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1936
  - - C:\Windows\SysWOW64\getmac.exe
      "getmac"
      4⤵
      PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\VisualStudio\Packages\_bootstrapper\vs_setup_bootstrapper_202402181550448336.json

Filesize
162B

MD5
ad891c3b02a02419dc60db8c273a8315

SHA1
141a08ca0e25d56bdb35fc71e1c767667079114a

SHA256
186c4b16ee009564819730b358dbdbb0792fc27e602698c5f0a16e20104647c7

SHA512
64cdaf1d6d1b4072e24f3926f91103abf946ff044cda34a9070586c2d2927bcdfc53381c955e447a38965ee426373259759025f97b715158afc429080956196f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240218155048_1b48d53a7426404e85fd048dbdfd32b4.trn

Filesize
6KB

MD5
d2907dfc89c6ac7789e006e29a5eb402

SHA1
da906cd2004cebb42b3babac44dc0376dbabdc86

SHA256
b73124f1d459565e9fac0da9b10cf8c0e41f66ce424ea1a363f67c8af22afa02

SHA512
989cb03334346be8ed9364c242787c693960d1dfa31d7725de3bb2c04b9e9f1eb92e83e8a7cba0e2af254953586843521a63f501b5e979d083bd1f38c486fa05

Download Submit
C:\Users\Admin\AppData\Local\Temp\a33dcf84d4b31bfc1d9e1162\vs_bootstrapper_d15\Microsoft.C2RSignatureReader.Interop.dll

Filesize
18KB

MD5
92ccf238784d169df263b44021f61b65

SHA1
31aba26187c7ae53e70229f1a335da3a49af295f

SHA256
db54cbc9fd1ead3a52ca3f364b018f43d4ccae8b1f3e4ec0deaf69ecf73cc780

SHA512
dd409627cd2c1d42917c468377b3d0ea648a45cba5626de19d0ef19bb56386323f66b3e64e3429d39efa422fc4d647c6de967a38a6eae28dc4fd0dc856a053ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\a33dcf84d4b31bfc1d9e1162\vs_bootstrapper_d15\Microsoft.C2RSignatureReader.Native.dll

Filesize
115KB

MD5
dfc4e94a886a73d01e76ffa17c535194

SHA1
13fe0c46a467293012b34e27638dd0d595bca7db

SHA256
84c3a9b34ed1c9c78ab7aa3df30f3a67d11b4e088f8d40850dde162504fd6865

SHA512
1db848ec76d7b33d2652f5ff1e87c90a481fc3317cedd79cda44ee36faaeba37212cd9acce74e3f5440624a9c5fd5fd5554b81605c1df28940f9c4dbf2279e58

Download Submit
C:\Users\Admin\AppData\Local\Temp\a33dcf84d4b31bfc1d9e1162\vs_bootstrapper_d15\Microsoft.VisualStudio.RemoteControl.dll

Filesize
46KB

MD5
355c1a112bc0f859b374a4b1c811c1e7

SHA1
b9a58bb26f334d517ab777b6226fef86a67eb4dd

SHA256
cc52e19735d6152702672feb5911c8ba77f60fdc73df5ed0d601b37415f3a7ed

SHA512
f1e858f97dabeb8e9648d1eb753d6fcd9e2bab378259c02b3e031652e87c29fbabfc48d209983f7074dfc256afd42fa1d8184805534037771a71db517fe16c8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a33dcf84d4b31bfc1d9e1162\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.Common.dll

Filesize
580KB

MD5
8c571eeafd729745640f0ef8e2fa4b31

SHA1
3948cc1de14aed74ffe2cf551bd6f159981dbe43

SHA256
0b7ff8d48e7c49150f9732a719bf87b7d4cdfcf7b4b5fbb54f6bb8a8cf2afef4

SHA512
0cb27ae4554e6ebd4e298809a63e962a7f599d35910d12bf36c91671a2c8fd9e1242e53c9f5c9929c46dd0b74b48b0ca6c8e986058b22dd491f4419a360cc87c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a33dcf84d4b31bfc1d9e1162\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.Download.dll

Filesize
305KB

MD5
1c1350764f98b8b2edcc7491a036ea22

SHA1
72d9d13eb92a256f6b0301a21526a554f3b8818c

SHA256
c8d845afdbc568115ceb6ebfb1e33e01831128c8cc23f6d6c12b7b6957503ee7

SHA512
6df8237506b532a6dbf00232457c6d02e0e0c2033db4839ed3ae73b9ef808a3c31eeeeeb37ab4822f5f6c687b95f6c83c800393466be6adc30e8e5c35d568b12

Download Submit
C:\Users\Admin\AppData\Local\Temp\a33dcf84d4b31bfc1d9e1162\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.dll

Filesize
1.4MB

MD5
9a07a7869d09a809d932a2fa682c4e6c

SHA1
234390e8b0e13763533a5c88440757872c3d7862

SHA256
a300343632491e350ee83f920910fbe3d5cb5fb15a54b9a17dd52429a75a54ef

SHA512
824ffe20e5717867b1721c059cb86308aa29f023ff1d4c645aafe94c6bb4bb0c27d9cd77248d0ff5e35f29c198c7f8fc9888ff8985cce62e79f9fe2ca07c3c90

Download Submit
C:\Users\Admin\AppData\Local\Temp\a33dcf84d4b31bfc1d9e1162\vs_bootstrapper_d15\Microsoft.VisualStudio.Telemetry.dll

Filesize
995KB

MD5
bbcc8244db84ad2031ac010633abf798

SHA1
de0cb65ee877663da272b4162a55a64ab8669f74

SHA256
8fe17ff9da7932dc01a39ed27559d5cdfa9b97ba14cbaa9f719087a241c8b82d

SHA512
d5682ea1aa9d50e9a491f8dc25c82907cde24ead2842ea392242e8cdedf49f68f3035042442738e147b5aa29d6328ced68007732298f62466c78fd10b276b06f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a33dcf84d4b31bfc1d9e1162\vs_bootstrapper_d15\Microsoft.VisualStudio.Utilities.Internal.dll

Filesize
62KB

MD5
2dc1dc66b267a3470add7fab88b78069

SHA1
dbe80047475b503791038ed7e47389c062c15c72

SHA256
b044863f98af8d28f4f2f5e2dccb945c57439e1575afb37110e1eec306a6c89c

SHA512
44ef73aab50dcc13ccd94c0353c366818afb27ce73772d722755b04add0c4f294c7814c84da6069d9aa6136f2a48683c25062dcddd1664e8d32fed1b38ceca21

Download Submit
C:\Users\Admin\AppData\Local\Temp\a33dcf84d4b31bfc1d9e1162\vs_bootstrapper_d15\Newtonsoft.Json.dll

Filesize
695KB

MD5
195ffb7167db3219b217c4fd439eedd6

SHA1
1e76e6099570ede620b76ed47cf8d03a936d49f8

SHA256
e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d

SHA512
56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\a33dcf84d4b31bfc1d9e1162\vs_bootstrapper_d15\System.Memory.dll

Filesize
138KB

MD5
f09441a1ee47fb3e6571a3a448e05baf

SHA1
3c5c5df5f8f8db3f0a35c5ed8d357313a54e3cde

SHA256
bf3fb84664f4097f1a8a9bc71a51dcf8cf1a905d4080a4d290da1730866e856f

SHA512
0199ae0633bccfeaefbb5aed20832a4379c7ad73461d41a9da3d6dc044093cc319670e67c4efbf830308cbd9a48fb40d4a6c7e472dcc42eb745c6ba813e8e7c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\a33dcf84d4b31bfc1d9e1162\vs_bootstrapper_d15\System.Runtime.CompilerServices.Unsafe.dll

Filesize
17KB

MD5
c610e828b54001574d86dd2ed730e392

SHA1
180a7baafbc820a838bbaca434032d9d33cceebe

SHA256
37768488e8ef45729bc7d9a2677633c6450042975bb96516e186da6cb9cd0dcf

SHA512
441610d2b9f841d25494d7c82222d07e1d443b0da07f0cf735c25ec82f6cce99a3f3236872aec38cc4df779e615d22469666066ccefed7fe75982eefada46396

Download Submit
C:\Users\Admin\AppData\Local\Temp\a33dcf84d4b31bfc1d9e1162\vs_bootstrapper_d15\detection.json

Filesize
8KB

MD5
782f4beae90d11351db508f38271eb26

SHA1
f1e92aea9e2cd005c2fb6d4face0258d4f1d8b6c

SHA256
c828a2e5b4045ce36ecf5b49d33d6404c9d6f865df9b3c9623787c2332df07d9

SHA512
0a02beeca5c4e64044692b665507378e6f8b38e519a17c3ceccca1e87f85e1e2e7b3598e598fc84c962d3a5c723b28b52ee0351faaec82a846f0313f3c21e0e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\a33dcf84d4b31bfc1d9e1162\vs_bootstrapper_d15\vs_setup_bootstrapper.config

Filesize
620B

MD5
c1405e503bb42b881d653c097dabc3ba

SHA1
1eedf7cc808de87de41ada684486d20255cdab86

SHA256
1fa98d6ea12d3a2af833b32f847dec6b22d40c25928468a64b388d86e5a735bf

SHA512
a8a973ebf2484e91a8175527b55111bc006c3d6ccdaab131a8d2ceea891f3c3dc16ad037461aef6204a414a76325f398bd49da3cc0fd764b078f2ba5422a3115

Download Submit
C:\Users\Admin\AppData\Local\Temp\a33dcf84d4b31bfc1d9e1162\vs_bootstrapper_d15\vs_setup_bootstrapper.exe

Filesize
402KB

MD5
8ef840044ddde4e93305da13ffee519b

SHA1
dd578cc1a9c157a59f69a698d2f5fb6aba09cf4a

SHA256
9b5b36b07dec9667fe92f7318488d5ebdd4a7eec5f879c2ea291aa36b6a5ff8e

SHA512
1eab312d344e4992e5d99b01f931555705fb142791f4d2b5e4bbca88b116263d2b58f21ea1d6c3edd28bf933063999ad2db252e53225f57ed6d3b7e91d86c0e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a33dcf84d4b31bfc1d9e1162\vs_bootstrapper_d15\vs_setup_bootstrapper.exe.config

Filesize
2KB

MD5
d705d5ccc158f125dfbf4b1f06ea8966

SHA1
76486d41cb0a0316ee354cbfb59f697a43ab1489

SHA256
1e0f19e5f792fc97e1ab40d6a8259f19843c8a22c1ccc008effc3a771cae9b66

SHA512
c3b2ac8d186990c3c7d6755a641cf3bf0256e8ea3789942374c56fdd97de6a7fae516ee944880bc3ed31b0e569192d570db899847b9a8fadfe46d4ed150b480f

Download Submit
C:\Users\Admin\AppData\Local\Temp\rustup-visualstudioBTIr44\vs_setup.exe

Filesize
3.8MB

MD5
9b406d62ea834814235f98c44792ca66

SHA1
3f8dd69eea642d64f9f37a3a31030540634aef01

SHA256
e6824ab935793b933305d82beebb78897f7abd936fb3fbcf0a9c0a8a9d2313b9

SHA512
cf726ced0570fa79bbdc6996e9ccd3d1d87b3609b8124394687f0252b69e880fbd503ac6145215c40934ac00556a4fe22873484bf17e5fe8435d2eafd74e3bec

Download Submit
memory/1936-136-0x0000000004F60000-0x0000000004F68000-memory.dmp

Filesize
32KB

Download
memory/1936-173-0x00000000075D0000-0x0000000007B74000-memory.dmp

Filesize
5.6MB

Download
memory/1936-145-0x0000000005620000-0x00000000056D2000-memory.dmp

Filesize
712KB

Download
memory/1936-153-0x0000000005590000-0x00000000055B6000-memory.dmp

Filesize
152KB

Download
memory/1936-141-0x0000000005450000-0x0000000005460000-memory.dmp

Filesize
64KB

Download
memory/1936-157-0x0000000005440000-0x0000000005448000-memory.dmp

Filesize
32KB

Download
memory/1936-140-0x00000000050A0000-0x00000000050F0000-memory.dmp

Filesize
320KB

Download
memory/1936-161-0x0000000005930000-0x0000000005940000-memory.dmp

Filesize
64KB

Download
memory/1936-132-0x00000000051A0000-0x000000000529C000-memory.dmp

Filesize
1008KB

Download
memory/1936-128-0x0000000005000000-0x0000000005094000-memory.dmp

Filesize
592KB

Download
memory/1936-124-0x0000000004CF0000-0x0000000004E52000-memory.dmp

Filesize
1.4MB

Download
memory/1936-169-0x0000000005B10000-0x0000000005B32000-memory.dmp

Filesize
136KB

Download
memory/1936-170-0x0000000005C60000-0x0000000005FB4000-memory.dmp

Filesize
3.3MB

Download
memory/1936-171-0x0000000006B10000-0x0000000006B76000-memory.dmp

Filesize
408KB

Download
memory/1936-172-0x0000000006F80000-0x0000000007012000-memory.dmp

Filesize
584KB

Download
memory/1936-149-0x0000000005420000-0x0000000005432000-memory.dmp

Filesize
72KB

Download
memory/1936-174-0x0000000007B80000-0x0000000007C3A000-memory.dmp

Filesize
744KB

Download
memory/1936-120-0x0000000072B80000-0x0000000073330000-memory.dmp

Filesize
7.7MB

Download
memory/1936-178-0x0000000005450000-0x0000000005460000-memory.dmp

Filesize
64KB

Download
memory/1936-179-0x0000000009C90000-0x0000000009C98000-memory.dmp

Filesize
32KB

Download
memory/1936-181-0x0000000009CC0000-0x0000000009CC8000-memory.dmp

Filesize
32KB

Download
memory/1936-180-0x0000000005450000-0x0000000005460000-memory.dmp

Filesize
64KB

Download
memory/1936-182-0x0000000005450000-0x0000000005460000-memory.dmp

Filesize
64KB

Download
memory/1936-185-0x000000000A4B0000-0x000000000A4E8000-memory.dmp

Filesize
224KB

Download
memory/1936-184-0x0000000005450000-0x0000000005460000-memory.dmp

Filesize
64KB

Download
memory/1936-183-0x0000000005450000-0x0000000005460000-memory.dmp

Filesize
64KB

Download
memory/1936-187-0x000000000A480000-0x000000000A48E000-memory.dmp

Filesize
56KB

Download
memory/1936-186-0x000000000A530000-0x000000000A630000-memory.dmp

Filesize
1024KB

Download
memory/1936-188-0x0000000005450000-0x0000000005460000-memory.dmp

Filesize
64KB

Download
memory/1936-119-0x00000000000B0000-0x0000000000118000-memory.dmp

Filesize
416KB

Download
memory/1936-198-0x0000000072B80000-0x0000000073330000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads