Analysis Overview
SHA256
b568a346e301f5d5f0732e6e6305e2a3f43b45c0957859aa49663ce9053af618
Threat Level: Known bad
The file AeroBootstrapper.exe was found to be: Known bad.
Malicious Activity Summary
AsyncRat
Async RAT payload
Executes dropped EXE
Command and Scripting Interpreter: PowerShell
Program crash
Unsigned PE
Enumerates physical storage devices
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-17 18:22
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-17 18:22
Reported
2024-06-17 18:23
Platform
win11-20240508-en
Max time kernel
40s
Max time network
49s
Command Line
Signatures
AsyncRat
Async RAT payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\AeroBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\AeroBootstrapper.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHEAcgBkACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGkAdwBzACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHUAcQB0ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "%AppData%" /tr '"C:\Users\Admin\AppData\Roaming\%AppData%.exe"' & exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7AFC.tmp.bat""
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "C:\Users\Admin\AppData\Roaming" /tr '"C:\Users\Admin\AppData\Roaming\C:\Users\Admin\AppData\Roaming.exe"'
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1952 -ip 1952
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 1488
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | www.nodejs.org | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
| Hash | Value |
| --- | --- |
| MD5 | 3ef6a6f8a984c661f58c373081986213 |
| SHA1 | 13f18179a85ae650bcfa70b47d027b0b3fe84d6e |
| SHA256 | 0b657c945d9ebee7f0b8a48be6f1abf4b9dbf2c0c609fc8030818a2229dd175e |
| SHA512 | e7c6bc2b7e4d5d252b4b05628cab64007e5c0cec15657ee533ec78c7cd4546afb27df7b5b6be82b5d8bda085b93463dadaae41b74ccd6061b0ee7b2f68de27df |
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
| Hash | Value |
| --- | --- |
| MD5 | 36b62ba7d1b5e149a2c297f11e0417ee |
| SHA1 | ce1b828476274375e632542c4842a6b002955603 |
| SHA256 | 8353c5ace62fda6aba330fb3396e4aab11d7e0476f815666bd96a978724b9e0c |
| SHA512 | fddec44631e7a800abf232648bbf417969cd5cc650f32c17b0cdc12a0a2afeb9a5dbf5c1f899bd2fa496bd22307bfc8d1237c94920fceafd84f47e13a6b98b94 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wywwqmkn.qjc.ps1
| Hash | Value |
| --- | --- |
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\tmp7AFC.tmp.bat
| Hash | Value |
| --- | --- |
| MD5 | 6918bb9ed24e0c2a7ce63564b89e678f |
| SHA1 | 4c95d6c6b3287e6796652313dc4cc2465cf780e2 |
| SHA256 | 38926805b9ce9dcf107b342a2a0e72a1d01a2c95f1793b553ea0c7a50a2facaf |
| SHA512 | ae630e7e36de75a59e6e47d0b31fe55f9bc85f2ac1f37c0025270966ae85bcdd2347d4cc1216dfc63477a09608506f3290005abff7fd198e8e1f638f89a229c6 |