596682f6048e71dc66a3134f814ecdb4d0d722bfbbdbb384283034f4d83b5990

Analysis

max time kernel
146s
max time network
126s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
02/06/2024, 19:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

596682f6048e71dc66a3134f814ecdb4d0d722bfbbdbb384283034f4d83b5990.exe
Size

3.8MB
MD5

95d720f33e58dc43ab85dd5cd63ea999
SHA1

0b5a4ddbec1f752562058ef003d52de121b6b41a
SHA256

596682f6048e71dc66a3134f814ecdb4d0d722bfbbdbb384283034f4d83b5990
SHA512

7873c47447a5a80e2e4149630fffbb924aaf9c044de02731497c7c510c944990b2b2cf8ef47ee49b248aebc3aa31dee15a0f0a99fd48da9d15a40d207ff53196
SSDEEP

98304:kEbiZXJXEr5iDe6yj2tqz+EIBIuY8KZQoQkRKwEpZDa10L:oXawyi4x6pHodIwELag

Score

4^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2636	vs_setup_bootstrapper.exe

Loads dropped DLL 26 IoCs

pid	Process
2460	596682f6048e71dc66a3134f814ecdb4d0d722bfbbdbb384283034f4d83b5990.exe
2636	vs_setup_bootstrapper.exe
2636	vs_setup_bootstrapper.exe
2636	vs_setup_bootstrapper.exe
2636	vs_setup_bootstrapper.exe
2636	vs_setup_bootstrapper.exe
2636	vs_setup_bootstrapper.exe
2636	vs_setup_bootstrapper.exe
2636	vs_setup_bootstrapper.exe
2636	vs_setup_bootstrapper.exe
2636	vs_setup_bootstrapper.exe
2636	vs_setup_bootstrapper.exe
2636	vs_setup_bootstrapper.exe
2636	vs_setup_bootstrapper.exe
2636	vs_setup_bootstrapper.exe
2636	vs_setup_bootstrapper.exe
2636	vs_setup_bootstrapper.exe
2636	vs_setup_bootstrapper.exe
2636	vs_setup_bootstrapper.exe
2636	vs_setup_bootstrapper.exe
2636	vs_setup_bootstrapper.exe
2636	vs_setup_bootstrapper.exe
2636	vs_setup_bootstrapper.exe
2636	vs_setup_bootstrapper.exe
2636	vs_setup_bootstrapper.exe
2636	vs_setup_bootstrapper.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	vs_setup_bootstrapper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	vs_setup_bootstrapper.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	vs_setup_bootstrapper.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2636	vs_setup_bootstrapper.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2460 wrote to memory of 2636	2460	596682f6048e71dc66a3134f814ecdb4d0d722bfbbdbb384283034f4d83b5990.exe	28
PID 2460 wrote to memory of 2636	2460	596682f6048e71dc66a3134f814ecdb4d0d722bfbbdbb384283034f4d83b5990.exe	28
PID 2460 wrote to memory of 2636	2460	596682f6048e71dc66a3134f814ecdb4d0d722bfbbdbb384283034f4d83b5990.exe	28
PID 2460 wrote to memory of 2636	2460	596682f6048e71dc66a3134f814ecdb4d0d722bfbbdbb384283034f4d83b5990.exe	28
PID 2460 wrote to memory of 2636	2460	596682f6048e71dc66a3134f814ecdb4d0d722bfbbdbb384283034f4d83b5990.exe	28
PID 2460 wrote to memory of 2636	2460	596682f6048e71dc66a3134f814ecdb4d0d722bfbbdbb384283034f4d83b5990.exe	28
PID 2460 wrote to memory of 2636	2460	596682f6048e71dc66a3134f814ecdb4d0d722bfbbdbb384283034f4d83b5990.exe	28
PID 2636 wrote to memory of 2276	2636	vs_setup_bootstrapper.exe	29
PID 2636 wrote to memory of 2276	2636	vs_setup_bootstrapper.exe	29
PID 2636 wrote to memory of 2276	2636	vs_setup_bootstrapper.exe	29
PID 2636 wrote to memory of 2276	2636	vs_setup_bootstrapper.exe	29

C:\Users\Admin\AppData\Local\Temp\596682f6048e71dc66a3134f814ecdb4d0d722bfbbdbb384283034f4d83b5990.exe
"C:\Users\Admin\AppData\Local\Temp\596682f6048e71dc66a3134f814ecdb4d0d722bfbbdbb384283034f4d83b5990.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Users\Admin\AppData\Local\Temp\766eb8a9f30a810f8ddca8560e3c5e\vs_bootstrapper_d15\vs_setup_bootstrapper.exe
  "C:\Users\Admin\AppData\Local\Temp\766eb8a9f30a810f8ddca8560e3c5e\vs_bootstrapper_d15\vs_setup_bootstrapper.exe" --env "_SFX_CAB_EXE_PACKAGE:C:\Users\Admin\AppData\Local\Temp\596682f6048e71dc66a3134f814ecdb4d0d722bfbbdbb384283034f4d83b5990.exe _SFX_CAB_EXE_ORIGINALWORKINGDIR:C:\Users\Admin\AppData\Local\Temp"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\Windows\SysWOW64\getmac.exe
    "getmac"
    3⤵
    PID:2276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\VisualStudio\Packages\_bootstrapper\vs_setup_bootstrapper_202406021926097434.json

Filesize
165B

MD5
dae30b60e540cd3509d2f3abb6d4bec6

SHA1
6ad6db8516b6cbd77b5f709e04ff964991c9ae8a

SHA256
a6e6d2fe55f6b542960b26e095c71277a05852854b2e785a6bffb55aaa59a50a

SHA512
19595061aa05f7cb8898b0b84d8967e77ffd37e8edbe2eb82bf9de12c2f5a4abf2d6616f557db95955f0f2856674193d9822e01b18fdb17a27074b78eeb0db63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\VSApplicationInsights\vstelAIF-312cbd79-9dbb-4c48-a7da-3cc2a931cb70\20240602192643_dfba1b84d0b74da1a99bbe1d175ab210.trn

Filesize
6KB

MD5
29f740ca4a0666c808bd59107d33d3f9

SHA1
c3d952696f9731bab1fd3e7912a919665eace175

SHA256
7179497b3a87c8cbdcd74cb3d95e09ed26de419669dbb0ff49e1fc94881eac82

SHA512
23b7f9af4398e53056da0ff50763b3e30a585f28a22d4abef7305a36731c643eb8b49e4d1a8524fcdf36b85e94540cb594104da2c3f06acffe036f84d23cc351

Download Submit
C:\Users\Admin\AppData\Local\Temp\766eb8a9f30a810f8ddca8560e3c5e\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.Common.dll

Filesize
579KB

MD5
08645c50cb281af1371e8f0ded10ab67

SHA1
ae06060913c4be03af0e1736650d64e8cda7ad55

SHA256
7bfa4386a603b98af49099d67f5c5d1e7a50b15107f9780e7f7f50f39234bed9

SHA512
bfb8a02db556bd1e7808fcaed00bcb938758eefd21f04bd47c6c5a04293b781189ec88a31210efd6972be364334fd5e25ba6a83c972c5ec4cf0b8726cb4a77f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\766eb8a9f30a810f8ddca8560e3c5e\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.Download.dll

Filesize
306KB

MD5
8a9cbbe63d730d60ef5159bed516bc78

SHA1
130c25908dd4201db8e6a2f2319eafc86114b7c3

SHA256
4e94690f548ef43a279a1f55807713eb970fa7a0fc9e64602779595778766064

SHA512
102ed30752a61712b024c5460e895e161ba22f4583f1148f6c0704edaebf703eeb7b65bd393ffd056df837d5b57220b7b87bc635884b5aa1d6516afb36370c46

Download Submit
C:\Users\Admin\AppData\Local\Temp\766eb8a9f30a810f8ddca8560e3c5e\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.dll

Filesize
1.4MB

MD5
da8106a5723b5d66cd6b1713ece8b91b

SHA1
73bfd5942bdacc4c87b003c6c5555fea4ba6251f

SHA256
7c481dc4e4c2ed5df782a794f571808aec82a71c4fdb1054939a42c4b9f368aa

SHA512
eec20eb53e88e6a96ecaa8496256235176ce586563d8c29d1c3537b5e34213209bd225235ae253b60a7266aaac56e655af229ba6b89b87ad24f4ce4349f0cbb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\766eb8a9f30a810f8ddca8560e3c5e\vs_bootstrapper_d15\detection.json

Filesize
8KB

MD5
782f4beae90d11351db508f38271eb26

SHA1
f1e92aea9e2cd005c2fb6d4face0258d4f1d8b6c

SHA256
c828a2e5b4045ce36ecf5b49d33d6404c9d6f865df9b3c9623787c2332df07d9

SHA512
0a02beeca5c4e64044692b665507378e6f8b38e519a17c3ceccca1e87f85e1e2e7b3598e598fc84c962d3a5c723b28b52ee0351faaec82a846f0313f3c21e0e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\766eb8a9f30a810f8ddca8560e3c5e\vs_bootstrapper_d15\vs_setup_bootstrapper.config

Filesize
622B

MD5
a15d28f236710c6f051eaa6f9965d139

SHA1
3d134e1e4395bea6f5baf92757f49a7f83ae6e5e

SHA256
b593987c933ee765a347e5db460af67b94953de48b1c5075c6e24f8c970b8a61

SHA512
e07d0b56f9b6d1b531d6e28c343c47f0cacfd180ab57076210bcbe285e173c1738d436a9a3b294669d6410be544cb050b69aa4b08f3f0bb7c834b40cb0d42f4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\766eb8a9f30a810f8ddca8560e3c5e\vs_bootstrapper_d15\vs_setup_bootstrapper.exe.config

Filesize
2KB

MD5
c301859aef3bf4c0914914e5807f6a5b

SHA1
908827ce12d093d2aa3d1e8baa8caf8bfe204fbd

SHA256
781ec48ae412ba18c2cea1b67f5bc4a33245fd5f96dbb0e58b218c98ee03785d

SHA512
0b9eeb0288b01ddfde11404b15378694145978bdd664b68befe5f776f65f950d35f54b7f29662a64ff91feb4dc0e9bd537864e46a1f3f252e8113ddf95f32f0b

Download Submit
\Users\Admin\AppData\Local\Temp\766eb8a9f30a810f8ddca8560e3c5e\vs_bootstrapper_d15\Microsoft.C2RSignatureReader.Interop.dll

Filesize
18KB

MD5
c5e7c4a539ea834661fe20f994330f7e

SHA1
e2ff1096f557212dde051887bfd4a450b23e9277

SHA256
bc53c6fb22f4bce970c87122579caf785f75cbc91d49f49e54229ba32ac7d447

SHA512
7f3f32146637e7393f3f906ece45780c1082ac661fc8f6d88f469e0ca951e9a6bcbac4be8959359559e097ebeec8eb048407cb3276f0a7007c50298ee1294a07

Download Submit
\Users\Admin\AppData\Local\Temp\766eb8a9f30a810f8ddca8560e3c5e\vs_bootstrapper_d15\Microsoft.C2RSignatureReader.Native.dll

Filesize
115KB

MD5
aabfd8a438ae79b4f236ec3b45544dd2

SHA1
32b026ab6dd4ce60c16fa48690f32632f7f4ac17

SHA256
95cb344b58ed754e25f60c44f32303de9e65da603db06a9321d137580b3657ca

SHA512
6eb438b1fa9bc62c1356d8f21b0706799d94024cf0c013fb435caaba82e0c6bbe3570edc91c71d36e906be0a28e1da854a47a377fa487aefcd5662eea85a1993

Download Submit
\Users\Admin\AppData\Local\Temp\766eb8a9f30a810f8ddca8560e3c5e\vs_bootstrapper_d15\Microsoft.VisualStudio.RemoteControl.dll

Filesize
46KB

MD5
355c1a112bc0f859b374a4b1c811c1e7

SHA1
b9a58bb26f334d517ab777b6226fef86a67eb4dd

SHA256
cc52e19735d6152702672feb5911c8ba77f60fdc73df5ed0d601b37415f3a7ed

SHA512
f1e858f97dabeb8e9648d1eb753d6fcd9e2bab378259c02b3e031652e87c29fbabfc48d209983f7074dfc256afd42fa1d8184805534037771a71db517fe16c8b

Download Submit
\Users\Admin\AppData\Local\Temp\766eb8a9f30a810f8ddca8560e3c5e\vs_bootstrapper_d15\Microsoft.VisualStudio.Telemetry.dll

Filesize
995KB

MD5
bbcc8244db84ad2031ac010633abf798

SHA1
de0cb65ee877663da272b4162a55a64ab8669f74

SHA256
8fe17ff9da7932dc01a39ed27559d5cdfa9b97ba14cbaa9f719087a241c8b82d

SHA512
d5682ea1aa9d50e9a491f8dc25c82907cde24ead2842ea392242e8cdedf49f68f3035042442738e147b5aa29d6328ced68007732298f62466c78fd10b276b06f

Download Submit
\Users\Admin\AppData\Local\Temp\766eb8a9f30a810f8ddca8560e3c5e\vs_bootstrapper_d15\Microsoft.VisualStudio.Utilities.Internal.dll

Filesize
62KB

MD5
2dc1dc66b267a3470add7fab88b78069

SHA1
dbe80047475b503791038ed7e47389c062c15c72

SHA256
b044863f98af8d28f4f2f5e2dccb945c57439e1575afb37110e1eec306a6c89c

SHA512
44ef73aab50dcc13ccd94c0353c366818afb27ce73772d722755b04add0c4f294c7814c84da6069d9aa6136f2a48683c25062dcddd1664e8d32fed1b38ceca21

Download Submit
\Users\Admin\AppData\Local\Temp\766eb8a9f30a810f8ddca8560e3c5e\vs_bootstrapper_d15\Newtonsoft.Json.dll

Filesize
695KB

MD5
195ffb7167db3219b217c4fd439eedd6

SHA1
1e76e6099570ede620b76ed47cf8d03a936d49f8

SHA256
e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d

SHA512
56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

Download Submit
\Users\Admin\AppData\Local\Temp\766eb8a9f30a810f8ddca8560e3c5e\vs_bootstrapper_d15\System.Memory.dll

Filesize
138KB

MD5
f09441a1ee47fb3e6571a3a448e05baf

SHA1
3c5c5df5f8f8db3f0a35c5ed8d357313a54e3cde

SHA256
bf3fb84664f4097f1a8a9bc71a51dcf8cf1a905d4080a4d290da1730866e856f

SHA512
0199ae0633bccfeaefbb5aed20832a4379c7ad73461d41a9da3d6dc044093cc319670e67c4efbf830308cbd9a48fb40d4a6c7e472dcc42eb745c6ba813e8e7c6

Download Submit
\Users\Admin\AppData\Local\Temp\766eb8a9f30a810f8ddca8560e3c5e\vs_bootstrapper_d15\System.Runtime.CompilerServices.Unsafe.dll

Filesize
17KB

MD5
c610e828b54001574d86dd2ed730e392

SHA1
180a7baafbc820a838bbaca434032d9d33cceebe

SHA256
37768488e8ef45729bc7d9a2677633c6450042975bb96516e186da6cb9cd0dcf

SHA512
441610d2b9f841d25494d7c82222d07e1d443b0da07f0cf735c25ec82f6cce99a3f3236872aec38cc4df779e615d22469666066ccefed7fe75982eefada46396

Download Submit
\Users\Admin\AppData\Local\Temp\766eb8a9f30a810f8ddca8560e3c5e\vs_bootstrapper_d15\vs_setup_bootstrapper.exe

Filesize
404KB

MD5
4108506d8cdc3a03bb7e4496025ee902

SHA1
a02d206f205a1a45b5223a73bfe84e25b359d251

SHA256
f9bf0a30395e521d65fb1e39a6a76e19c061a8d3806653fc7f5b28b9fb327903

SHA512
b4a7aa0c65e3a3279d0845a02e896a85d5f5074a79ee3ab52a8aa422fab759d4fab177961c03f280ca7499e10678d29e951946283b26d2ca107d5be76c76e8e8

Download Submit
memory/2636-123-0x0000000004DD0000-0x0000000004ECC000-memory.dmp

Filesize
1008KB

Download
memory/2636-149-0x0000000000A00000-0x0000000000A08000-memory.dmp

Filesize
32KB

Download
memory/2636-141-0x00000000009E0000-0x00000000009F2000-memory.dmp

Filesize
72KB

Download
memory/2636-135-0x00000000054A0000-0x0000000005552000-memory.dmp

Filesize
712KB

Download
memory/2636-155-0x0000000004270000-0x0000000004280000-memory.dmp

Filesize
64KB

Download
memory/2636-145-0x0000000000A50000-0x0000000000A76000-memory.dmp

Filesize
152KB

Download
memory/2636-131-0x0000000001F80000-0x0000000001FD0000-memory.dmp

Filesize
320KB

Download
memory/2636-127-0x00000000007C0000-0x00000000007C8000-memory.dmp

Filesize
32KB

Download
memory/2636-119-0x0000000004160000-0x00000000041F4000-memory.dmp

Filesize
592KB

Download
memory/2636-164-0x0000000004CB0000-0x0000000004CBA000-memory.dmp

Filesize
40KB

Download
memory/2636-163-0x0000000004CB0000-0x0000000004CBA000-memory.dmp

Filesize
40KB

Download
memory/2636-115-0x00000000049B0000-0x0000000004B16000-memory.dmp

Filesize
1.4MB

Download
memory/2636-166-0x0000000004CB0000-0x0000000004CBA000-memory.dmp

Filesize
40KB

Download
memory/2636-111-0x0000000000850000-0x00000000008B8000-memory.dmp

Filesize
416KB

Download