3eaae78d0fc85977b5b255dd9c94ad684049ef8f927205202ec264f0eb8538f4

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
02/08/2024, 16:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bootstrapper.exe
Size

930KB
MD5

c9a401d6c0e482b97b31f69eef1d2d3a
SHA1

1f3e86ad2606f45aa3318e289c4ec526e791c5c8
SHA256

3eaae78d0fc85977b5b255dd9c94ad684049ef8f927205202ec264f0eb8538f4
SHA512

75a57e1dd045189aadd8234540747dcaa841d1c7368e6bd05d3e6f512fa24138ed7ff55048d2a2bf71364f31e9ce86a518347eb135017ea9bfca6350c1425380
SSDEEP

24576:PFOa2a98hIBdjSoeQDj/VNpZdZIznBpgh:tCoeQDjdNpZv

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 6 IoCs

pid	Process
2168	bootstrapper.exe
2336	icsys.icn.exe
2224	explorer.exe
2420	spoolsv.exe
2688	svchost.exe
2880	spoolsv.exe

Loads dropped DLL 11 IoCs

pid	Process
2408	Bootstrapper.exe
2408	Bootstrapper.exe
2336	icsys.icn.exe
2224	explorer.exe
2420	spoolsv.exe
2688	svchost.exe
2616	WerFault.exe
2616	WerFault.exe
2616	WerFault.exe
2616	WerFault.exe
2616	WerFault.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	Bootstrapper.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2616	2168	WerFault.exe	28

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2728	schtasks.exe
1768	schtasks.exe
776	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2408	Bootstrapper.exe
2408	Bootstrapper.exe
2408	Bootstrapper.exe
2408	Bootstrapper.exe
2408	Bootstrapper.exe
2408	Bootstrapper.exe
2408	Bootstrapper.exe
2408	Bootstrapper.exe
2408	Bootstrapper.exe
2408	Bootstrapper.exe
2408	Bootstrapper.exe
2408	Bootstrapper.exe
2408	Bootstrapper.exe
2408	Bootstrapper.exe
2408	Bootstrapper.exe
2408	Bootstrapper.exe
2336	icsys.icn.exe
2336	icsys.icn.exe
2336	icsys.icn.exe
2336	icsys.icn.exe
2336	icsys.icn.exe
2336	icsys.icn.exe
2336	icsys.icn.exe
2336	icsys.icn.exe
2336	icsys.icn.exe
2336	icsys.icn.exe
2336	icsys.icn.exe
2336	icsys.icn.exe
2336	icsys.icn.exe
2336	icsys.icn.exe
2336	icsys.icn.exe
2336	icsys.icn.exe
2336	icsys.icn.exe
2224	explorer.exe
2224	explorer.exe
2224	explorer.exe
2224	explorer.exe
2224	explorer.exe
2224	explorer.exe
2224	explorer.exe
2224	explorer.exe
2224	explorer.exe
2224	explorer.exe
2224	explorer.exe
2224	explorer.exe
2224	explorer.exe
2224	explorer.exe
2224	explorer.exe
2224	explorer.exe
2688	svchost.exe
2688	svchost.exe
2688	svchost.exe
2688	svchost.exe
2688	svchost.exe
2688	svchost.exe
2688	svchost.exe
2688	svchost.exe
2688	svchost.exe
2688	svchost.exe
2688	svchost.exe
2688	svchost.exe
2688	svchost.exe
2688	svchost.exe
2688	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2224	explorer.exe
2688	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2168	bootstrapper.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2408	Bootstrapper.exe
2408	Bootstrapper.exe
2336	icsys.icn.exe
2336	icsys.icn.exe
2224	explorer.exe
2224	explorer.exe
2420	spoolsv.exe
2420	spoolsv.exe
2688	svchost.exe
2688	svchost.exe
2880	spoolsv.exe
2880	spoolsv.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 2168	2408	Bootstrapper.exe	28
PID 2408 wrote to memory of 2168	2408	Bootstrapper.exe	28
PID 2408 wrote to memory of 2168	2408	Bootstrapper.exe	28
PID 2408 wrote to memory of 2168	2408	Bootstrapper.exe	28
PID 2408 wrote to memory of 2336	2408	Bootstrapper.exe	30
PID 2408 wrote to memory of 2336	2408	Bootstrapper.exe	30
PID 2408 wrote to memory of 2336	2408	Bootstrapper.exe	30
PID 2408 wrote to memory of 2336	2408	Bootstrapper.exe	30
PID 2336 wrote to memory of 2224	2336	icsys.icn.exe	31
PID 2336 wrote to memory of 2224	2336	icsys.icn.exe	31
PID 2336 wrote to memory of 2224	2336	icsys.icn.exe	31
PID 2336 wrote to memory of 2224	2336	icsys.icn.exe	31
PID 2224 wrote to memory of 2420	2224	explorer.exe	32
PID 2224 wrote to memory of 2420	2224	explorer.exe	32
PID 2224 wrote to memory of 2420	2224	explorer.exe	32
PID 2224 wrote to memory of 2420	2224	explorer.exe	32
PID 2420 wrote to memory of 2688	2420	spoolsv.exe	33
PID 2420 wrote to memory of 2688	2420	spoolsv.exe	33
PID 2420 wrote to memory of 2688	2420	spoolsv.exe	33
PID 2420 wrote to memory of 2688	2420	spoolsv.exe	33
PID 2688 wrote to memory of 2880	2688	svchost.exe	34
PID 2688 wrote to memory of 2880	2688	svchost.exe	34
PID 2688 wrote to memory of 2880	2688	svchost.exe	34
PID 2688 wrote to memory of 2880	2688	svchost.exe	34
PID 2224 wrote to memory of 2656	2224	explorer.exe	35
PID 2224 wrote to memory of 2656	2224	explorer.exe	35
PID 2224 wrote to memory of 2656	2224	explorer.exe	35
PID 2224 wrote to memory of 2656	2224	explorer.exe	35
PID 2688 wrote to memory of 2728	2688	svchost.exe	36
PID 2688 wrote to memory of 2728	2688	svchost.exe	36
PID 2688 wrote to memory of 2728	2688	svchost.exe	36
PID 2688 wrote to memory of 2728	2688	svchost.exe	36
PID 2168 wrote to memory of 2616	2168	bootstrapper.exe	39
PID 2168 wrote to memory of 2616	2168	bootstrapper.exe	39
PID 2168 wrote to memory of 2616	2168	bootstrapper.exe	39
PID 2168 wrote to memory of 2616	2168	bootstrapper.exe	39
PID 2688 wrote to memory of 1768	2688	svchost.exe	42
PID 2688 wrote to memory of 1768	2688	svchost.exe	42
PID 2688 wrote to memory of 1768	2688	svchost.exe	42
PID 2688 wrote to memory of 1768	2688	svchost.exe	42
PID 2688 wrote to memory of 776	2688	svchost.exe	44
PID 2688 wrote to memory of 776	2688	svchost.exe	44
PID 2688 wrote to memory of 776	2688	svchost.exe	44
PID 2688 wrote to memory of 776	2688	svchost.exe	44

C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2408
- \??\c:\users\admin\appdata\local\temp\bootstrapper.exe
  c:\users\admin\appdata\local\temp\bootstrapper.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2168
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 616
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2616
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2336
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2224
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2420
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2688
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2880
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 16:04 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2728
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 16:05 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1768
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 16:06 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:776
  - - C:\Windows\Explorer.exe
      C:\Windows\Explorer.exe
      4⤵
      PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bootstrapper.exe

Filesize
795KB

MD5
365971e549352a15e150b60294ec2e57

SHA1
2932242b427e81b1b4ac8c11fb17793eae0939f7

SHA256
faad2bc8e61b75e595a80ff2b6d150ff8b27187a8ba426cc1e5e38e193ab6d42

SHA512
f7ba1353e880213a6bdf5bd1dfdfd42a0acf4066a540a502e8df8fec8eac7fb80b75aa52e68eca98be3f7701da48eb90758e5b94d72013d3dff05e0aaf27e938

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
c8104c844343576dc807ae59b06d645b

SHA1
90f221d82d7da4646e72e014ddff6a9f7925c342

SHA256
1a47ca487fbff515b9bcf006d51fa2cc07b2e7fc7449ff129c00732fd83d2221

SHA512
27d813ded485316f38c8aebd0b39435cb29d634452c9afd89315fde1dab8ba9d8f7737e7f8b8da103fc8a94c17b2b120ac9e01247696e8567046bca4fd4986ef

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
afddb83bcf36d165aec40146f7639415

SHA1
c3feb76ea0fb6676b417eff30985ae15faef7dd0

SHA256
f84d40c0eee6883ee2bdccc01e03362af4b8566c47aae4a71c91c99b292e088d

SHA512
fdb7649a6791130fd2a44269ad5cb08cf2d1c703eb4217c3c055fb0f2a17b643d928a69f770444449c5e8d8ccbe2c740f55a80ebeb4893ad7c2acf6eab194934

Download Submit
\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
c8a7cef79e5d793c2457aa37d9aac0f7

SHA1
d308f389a8c43902b3984423411cafd666be0da6

SHA256
796ba821c6b6c5a97eac190827fd4acc53be4e4bda1ad9be3e812563b52839e0

SHA512
5c87a7c5c8cff9852fa1ac8946d608dea3b0925f3dc343492a8f937965d531d3e0cfd6e521c090455a9dd2a07573ee4bffc9d616919036629faf1a3f19a7c689

Download Submit
\Windows\Resources\svchost.exe

Filesize
135KB

MD5
db5d871004c2c3b77a4b7de92a9955dc

SHA1
b0e3276d7a47aa68f87164bf0b4d9f3637e19d13

SHA256
a68f0804530c2e51c45e234865b61017da71247ff7b985a149ef5377917367c1

SHA512
8c74a8c23a243d62986111f2272cc2fbc4d4659bd3bc3ca054c9223497ec75cad7fcde6f827a62d6c272a2e168df9c3c645ba8f3914329d9fd36fe1efbd3c9b2

Download Submit
memory/2168-69-0x0000000073F0E000-0x0000000073F0F000-memory.dmp

Filesize
4KB

Download
memory/2168-58-0x0000000000D80000-0x0000000000E4E000-memory.dmp

Filesize
824KB

Download
memory/2168-43-0x0000000073F0E000-0x0000000073F0F000-memory.dmp

Filesize
4KB

Download
memory/2336-17-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2336-63-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2408-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2408-62-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2408-13-0x0000000000280000-0x000000000029F000-memory.dmp

Filesize
124KB

Download
memory/2420-50-0x00000000002A0000-0x00000000002BF000-memory.dmp

Filesize
124KB

Download
memory/2420-61-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2688-51-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2880-60-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download