Resubmissions

10-06-2024 19:27

240610-x569tsxhmk 9

10-06-2024 19:21

240610-x2qgxaxdnc 9

Analysis

  • max time kernel
    135s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    10-06-2024 19:21

General

  • Target
    E4Bootstrapper.exe
  • Size
    36KB
  • MD5
    dc618bb4a38e6e9347788e4aa58878b0
  • SHA1
    4ca204ca692bef38b5ba96bd74493be18bf68acd
  • SHA256
    9d7cf052119784f65aca998c6e0c87f662e9423e51e1a3475e83d24f3b3b47e3
  • SHA512
    57c15811aa70a2e3d4111aa45e02be778559a55703eea841e4a969cea48d4d8d05df8dd45009194b5103409b3db5848b4a9ff8235ad7c9ba52bfb5aac8e863b6
  • SSDEEP
    768:SpD7f29SqkmxqvmKtZjgtFJkkprUU2N9t096MYRrpYyah+:UD7ULo+KtZ0tj3prUdN3eK

Score
8/10

Malware Config

Signatures

  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes (hidden/system) so the file is not shown in Explorer and similar directory listings.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\E4Bootstrapper.exe
    "C:\Users\Admin\AppData\Local\Temp\E4Bootstrapper.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2232
    • C:\Users\Admin\AppData\Local\Temp\E4.exe
      "C:\Users\Admin\AppData\Local\Temp\E4.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2252
      • C:\Windows\System32\attrib.exe
        "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\$77MicrosoftData"
        3⤵
        • Sets file to hidden
        • Views/modifies file attributes
        PID:2772
      • C:\Windows\System32\attrib.exe
        "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\$77MicrosoftData\$77$77svchost.exe.exe"
        3⤵
        • Sets file to hidden
        • Views/modifies file attributes
        PID:2812
      • C:\Windows\system32\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp66DE.tmp.bat""
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1924
        • C:\Windows\system32\timeout.exe
          timeout 3
          4⤵
          • Delays execution with timeout.exe
          PID:1416
        • C:\Users\Admin\AppData\Roaming\$77MicrosoftData\$77$77svchost.exe.exe
          "C:\Users\Admin\AppData\Roaming\$77MicrosoftData\$77$77svchost.exe.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:940
          • C:\Windows\system32\schtasks.exe
            "schtasks.exe" /query /TN $77$77svchost.exe.exe
            5⤵
              PID:1968
            • C:\Windows\system32\schtasks.exe
              "schtasks.exe" /Create /SC ONCE /TN "$77$77svchost.exe.exe" /TR "C:\Users\Admin\AppData\Roaming\$77MicrosoftData\$77$77svchost.exe.exe \"\$77$77svchost.exe.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
              5⤵
              • Creates scheduled task(s)
              PID:2200
            • C:\Windows\system32\schtasks.exe
              "schtasks.exe" /query /TN $77$77svchost.exe.exe
              5⤵
                PID:2704
              • C:\Windows\System32\schtasks.exe
                "C:\Windows\System32\schtasks.exe" /create /sc daily /tn "$77svchost.exe_Task-DAILY-21PM" /TR "%MyFile%" /ST 21:00
                5⤵
                • Creates scheduled task(s)
                PID:1604
        • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
          "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
          2⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2868
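
The process tree above is the evidence behind the "Sets file to hidden", "Creates scheduled task(s)", "Delays execution with timeout.exe" and "Executes dropped EXE" signatures: attrib.exe marks the Roaming drop folder and the double-extension payload as system+hidden, a temporary batch file sleeps for three seconds and relaunches the payload, and the payload registers two scheduled tasks, one with /RL HIGHEST and /IT, the other with a /TR action recorded as the literal string "%MyFile%" (whatever runs at 21:00 depends on how that variable expands in the task's environment, which the report does not show). The script below is an added example and is not part of the sandbox report or the sandbox vendor's detection logic. It transcribes the tree's (parent PID, PID, command line) entries as constructed input and re-derives those findings with a handful of rules; the rule names, the user-writable path heuristic and the parent/child bookkeeping are this example's own assumptions.

```python
"""Re-derive the report's persistence and evasion signatures from its process tree.

Added example, not part of the sandbox report.  The command lines are transcribed
from the Processes section; the rule names, the user-writable path heuristic and the
parent/child bookkeeping are this example's own assumptions.
"""
import re

# (parent PID, PID, command line) as recorded in the report's process tree.
PROCESS_TREE = [
    (0, 2232, r'"C:\Users\Admin\AppData\Local\Temp\E4Bootstrapper.exe"'),
    (2232, 2252, r'"C:\Users\Admin\AppData\Local\Temp\E4.exe"'),
    (2252, 2772, r'"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\$77MicrosoftData"'),
    (2252, 2812, r'"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\$77MicrosoftData\$77$77svchost.exe.exe"'),
    (2252, 1924, r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp66DE.tmp.bat""'),
    (1924, 1416, r'timeout 3'),
    (1924, 940, r'"C:\Users\Admin\AppData\Roaming\$77MicrosoftData\$77$77svchost.exe.exe"'),
    (940, 1968, r'"schtasks.exe" /query /TN $77$77svchost.exe.exe'),
    (940, 2200, r'"schtasks.exe" /Create /SC ONCE /TN "$77$77svchost.exe.exe" /TR "C:\Users\Admin\AppData\Roaming\$77MicrosoftData\$77$77svchost.exe.exe \"\$77$77svchost.exe.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST'),
    (940, 2704, r'"schtasks.exe" /query /TN $77$77svchost.exe.exe'),
    (940, 1604, r'"C:\Windows\System32\schtasks.exe" /create /sc daily /tn "$77svchost.exe_Task-DAILY-21PM" /TR "%MyFile%" /ST 21:00'),
    (2232, 2868, r'"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"'),
]

# Heuristic (assumption): locations an unprivileged user can write to.
USER_WRITABLE = re.compile(r'\\(?:AppData|ProgramData|Temp)\\', re.I)
DOUBLE_EXT = re.compile(r'\.(?:exe|scr|com|bat|cmd)\.(?:exe|scr|com|bat|cmd)$', re.I)
# A quoted argument may carry backslash-escaped quotes, as the first /TR value does.
QUOTED_OR_BARE = r'("(?:\\.|[^"\\])*"|\S+)'


def image_path(cmd):
    """First token of the command line, surrounding quotes removed ('' if empty)."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', cmd)
    return (m.group(1) or m.group(2)) if m else ''


def image_name(cmd):
    """Lower-case basename of the image without a trailing .exe ('cmd', 'timeout', ...)."""
    base = image_path(cmd).replace('/', '\\').rsplit('\\', 1)[-1].lower()
    return re.sub(r'\.exe$', '', base)


def check_attrib(cmd):
    """attrib +h on a path under a user-writable location: hiding dropped files."""
    if image_name(cmd) != 'attrib':
        return []
    flags = {f.lower() for f in re.findall(r'(?<!\S)[+-][hsra]\b', cmd, re.I)}
    targets = [t for t in re.findall(r'"([^"]+)"', cmd) if t != image_path(cmd)]
    return [('hidden_in_user_writable_path', t)
            for t in targets if '+h' in flags and USER_WRITABLE.search(t)]


def check_schtasks(cmd):
    """schtasks /create that runs elevated, points into a user path, or whose
    action is nothing but an environment variable expanded at run time."""
    if image_name(cmd) != 'schtasks' or not re.search(r'(?<!\S)/create\b', cmd, re.I):
        return []
    tn = re.search(r'/tn\s+' + QUOTED_OR_BARE, cmd, re.I)
    tr = re.search(r'/tr\s+' + QUOTED_OR_BARE, cmd, re.I)
    task = tn.group(1).strip('"') if tn else '?'
    action = tr.group(1).strip('"') if tr else ''
    out = []
    if re.search(r'(?<!\S)/rl\s+highest\b', cmd, re.I):
        out.append(('schtasks_highest_privileges', task))
    if USER_WRITABLE.search(action):
        out.append(('schtasks_action_in_user_path', f'{task} -> {action}'))
    if re.fullmatch(r'%[^%]+%', action):
        out.append(('schtasks_action_is_env_var', f'{task} -> {action}'))
    return out


def check_double_extension(cmd):
    """A process whose image name ends in two executable extensions (.exe.exe)."""
    base = image_path(cmd).rsplit('\\', 1)[-1]
    return [('double_extension_executable', base)] if DOUBLE_EXT.search(base) else []


def check_timeout(cmd, parent_cmd):
    """timeout.exe under cmd.exe running a batch file from a user-writable path:
    the sleep-then-relaunch pattern of the dropped tmp*.bat."""
    if image_name(cmd) != 'timeout' or image_name(parent_cmd) != 'cmd':
        return []
    bat = re.search(r'([A-Za-z]:\\[^"]+?\.bat)', parent_cmd, re.I)
    if bat and USER_WRITABLE.search(bat.group(1)):
        return [('delayed_execution_via_batch', bat.group(1))]
    return []


def triage(tree=PROCESS_TREE):
    """Return (pid, rule, detail) tuples, in tree order, for every rule that fires."""
    by_pid = {pid: cmd for _, pid, cmd in tree}
    parent = {pid: ppid for ppid, pid, _ in tree}
    findings = []
    for _, pid, cmd in tree:
        hits = (check_attrib(cmd) + check_schtasks(cmd) + check_double_extension(cmd)
                + check_timeout(cmd, by_pid.get(parent.get(pid), '')))
        findings.extend((pid, rule, detail) for rule, detail in hits)
    return findings


if __name__ == '__main__':
    for pid, rule, detail in triage():
        print(f'PID {pid:>5}  {rule:<30} {detail}')
```

Run as-is it prints seven findings: the two attrib.exe calls (PIDs 2772, 2812), the timeout delay under the Temp batch file (1416), the double-extension image of PID 940, the /RL HIGHEST task with its action under AppData\Roaming (2200, two rules), and the daily task whose action is only %MyFile% (1604). On a live host the same rules apply unchanged to command lines from Sysmon Event ID 1 or Security Event ID 4688 with process command-line auditing enabled; the parent/child pairing in the input is what lets the timeout rule tie the delay to the batch file that launched it.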

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize
    70KB
    MD5
    49aebf8cbd62d92ac215b2923fb1b9f5
    SHA1
    1723be06719828dda65ad804298d0431f6aff976
    SHA256
    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
    SHA512
    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
    Filesize
    13KB
    MD5
    6557bd5240397f026e675afb78544a26
    SHA1
    839e683bf68703d373b6eac246f19386bb181713
    SHA256
    a7fecfc225dfdd4e14dcd4d1b4ba1b9f8e4d1984f1cdd8cda3a9987e5d53c239
    SHA512
    f2399d34898a4c0c201372d2dd084ee66a66a1c3eae949e568421fe7edada697468ef81f4fcab2afd61eaf97bcb98d6ade2d97295e2f674e93116d142e892e97

  • C:\Users\Admin\AppData\Local\Temp\Tar8194.tmp
    Filesize
    181KB
    MD5
    4ea6026cf93ec6338144661bf1202cd1
    SHA1
    a1dec9044f750ad887935a01430bf49322fbdcb7
    SHA256
    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
    SHA512
    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Users\Admin\AppData\Local\Temp\tmp66DE.tmp.bat
    Filesize
    178B
    MD5
    cd95562ee5697a8ba3b4d2ab06761856
    SHA1
    e42891d37a548c1c596ee99da46561fdb3e2596f
    SHA256
    0b1f988406d2f40ad5228a3d5859ea6be6a93af8ed2ceb5045cad1181d016bf2
    SHA512
    6e7c683ef7ab3fc175fb21e6dd2c891709c152c3d6f1c65bc9a34c1e5a295cb1d73aa41aea77f8739b7aa26f35acebf0f666d8c7bafac1df2ae202e5d4e228ee

  • \Users\Admin\AppData\Local\Temp\E4.exe
    Filesize
    40KB
    MD5
    1cfe818c59790fae5f9f14a9e8279216
    SHA1
    a59f41a6d3992e2cd1911fb753a56d60d42c924e
    SHA256
    8188936b9120d45b43047e23cd45ddd4f174454fbeba94d9cf4c3409b1419bc9
    SHA512
    d189823dbefd4e6d4532bb0be86bd6441802e20eef05d7e963943da6faad0070cf2a314b1f74a9b970bcd666a3c42a46f6d72d4c1a1a335fc55ccd45ef2681ef

  • memory/940-33-0x000000013F8F0000-0x000000013F8FE000-memory.dmp
    Filesize
    56KB

  • memory/2232-14-0x000007FEF5250000-0x000007FEF5C3C000-memory.dmp
    Filesize
    9.9MB

  • memory/2232-18-0x000007FEF5250000-0x000007FEF5C3C000-memory.dmp
    Filesize
    9.9MB

  • memory/2232-0-0x000007FEF5253000-0x000007FEF5254000-memory.dmp
    Filesize
    4KB

  • memory/2232-1-0x00000000002F0000-0x0000000000300000-memory.dmp
    Filesize
    64KB

  • memory/2252-13-0x000000013F800000-0x000000013F80E000-memory.dmp
    Filesize
    56KB

  • memory/2252-17-0x000007FEF5250000-0x000007FEF5C3C000-memory.dmp
    Filesize
    9.9MB

  • memory/2252-28-0x000007FEF5250000-0x000007FEF5C3C000-memory.dmp
    Filesize
    9.9MB

  • memory/2868-16-0x0000000000D30000-0x0000000000D3A000-memory.dmp
    Filesize
    40KB