Overview

overview

8

Static

static

3

Bootstrapper.exe

windows7-x64

6

Bootstrapper.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/08/2024, 16:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Bootstrapper.exe

  • Size

    793KB

  • MD5

    7d9914483a2f5ae005d4f11f7ca786cb

  • SHA1

    e39e7916c3fff339df9a068bc108d4f7b770d232

  • SHA256

    acc5fec0885cda45e8d3f235f0dbb7fd6f1a3f83a427f29ee18a33533aa125a7

  • SHA512

    708d1ea1824c6ce5b7b933fb3142b276004541f6d34d1067fa90cffa0b64597d41403a42cb07ba826ad7d78eec4fa7ae3c079143f069f1180ef82b86e105aa34

  • SSDEEP

    12288:xJzpLYI40INR++Qwa0FvXocH9j6d8emgauKrmP23qSpmyr8:zGIt8R+wvXocH9j6qemgaut

Score
8/10
discovery

Malware Config

Signatures

  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 26 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
    "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:872
    • C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.11.exe
      "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.11.exe" --oldBootstrapper "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe" --isUpdate true
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2968
      • C:\Windows\SysWOW64\msiexec.exe
        "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi" /qn
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:4008
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3448
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    1⤵
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3672
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff97216cc40,0x7ff97216cc4c,0x7ff97216cc58
      2⤵
        PID:2408
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1880,i,5067619358773524247,14926975222624094703,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1860 /prefetch:2
        2⤵
          PID:5084
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2192,i,5067619358773524247,14926975222624094703,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2368 /prefetch:3
          2⤵
            PID:4084
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2240,i,5067619358773524247,14926975222624094703,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2624 /prefetch:8
            2⤵
              PID:384
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3148,i,5067619358773524247,14926975222624094703,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3168 /prefetch:1
              2⤵
                PID:2304
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3328,i,5067619358773524247,14926975222624094703,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3228 /prefetch:1
                2⤵
                  PID:5032
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4604,i,5067619358773524247,14926975222624094703,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4584 /prefetch:1
                  2⤵
                    PID:1772
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4616,i,5067619358773524247,14926975222624094703,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4052 /prefetch:8
                    2⤵
                      PID:4388
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4408,i,5067619358773524247,14926975222624094703,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4920 /prefetch:8
                      2⤵
                        PID:4780
                      • C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
                        "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
                        2⤵
                        • Drops file in Program Files directory
                        PID:4604
                        • C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
                          "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x284,0x288,0x28c,0x260,0x290,0x7ff773064698,0x7ff7730646a4,0x7ff7730646b0
                          3⤵
                          • Drops file in Program Files directory
                          PID:4596
                    • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
                      "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
                      1⤵
                        PID:4944
                      • C:\Windows\system32\svchost.exe
                        C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
                        1⤵
                          PID:1352

                        Network

                        MITRE ATT&CK Enterprise v15

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
                          Filesize

                          2B

                          MD5

                          d751713988987e9331980363e24189ce

                          SHA1

                          97d170e1550eee4afc0af065b78cda302a97674c

                          SHA256

                          4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                          SHA512

                          b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
                          Filesize

                          356B

                          MD5

                          93b5d7b17bbb8a98f8d7ad25662a8c36

                          SHA1

                          e546a9f265c883e041cf4eb58a4068aec82254ad

                          SHA256

                          2d1c133dbcd6482d06038880422b1644c8efbf248c6d976e5ada48c78e0d68c6

                          SHA512

                          bb84b687af84e940a4ad85f73ff2e784d3eacae20ba2f0f7aa264e68acc04477a630e76aeea9c1c8b09c56ec63d19246dee5127e361322784f1663cc32dd31e2

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                          Filesize

                          7KB

                          MD5

                          d0ade9559efb4acf85c9d766f8473943

                          SHA1

                          761437da61993e6cf09abae5cadb519e5b58915c

                          SHA256

                          f7a54d459bc220bd1ba21522e6f35a783e04ab2209fd9182138200659da176d2

                          SHA512

                          44ecde01e3aca614454bac423f67ff00c84058e551b4b2f83203a8e3a20b78f72012bfc37fbfb97cedea54c7ba4c20c79399179b2fc44c983cf805e049c6085b

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                          Filesize

                          7KB

                          MD5

                          64139f1d1f23fef79163581bcca7812b

                          SHA1

                          645669443ecb45ee2cc3c11d4763fc1d69d256a5

                          SHA256

                          9ff82d79ff009fdf2c6930511fed1f73f2bdccd701f67be82b72706cf6fd91c8

                          SHA512

                          4ba891824bcc653ddc4291b1abda369e79c5f871de4e23abbd06230adbf093d81a776ad0a838222d2fac883cb7f26730c145e8e85f8c6c45b44ee3b9fc6495b5

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                          Filesize

                          195KB

                          MD5

                          85427f21a0b11f372ebc97a14a6234f1

                          SHA1

                          409d7e44d30ed978449935ef48e0971831cf310d

                          SHA256

                          4ed41faab4cf5d78dbaccf3a13922003e20a0882c2af72e74103df3cfcde5ed3

                          SHA512

                          4c74926e08e56b1160326d1b9d6734cc7e36111983a5cec78a6c9d8fecaac5b0f788d0534993e039aaee87f323afee7c26a93c51f8b712a73a31b009c1ebcc96

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.11.exe
                          Filesize

                          795KB

                          MD5

                          365971e549352a15e150b60294ec2e57

                          SHA1

                          2932242b427e81b1b4ac8c11fb17793eae0939f7

                          SHA256

                          faad2bc8e61b75e595a80ff2b6d150ff8b27187a8ba426cc1e5e38e193ab6d42

                          SHA512

                          f7ba1353e880213a6bdf5bd1dfdfd42a0acf4066a540a502e8df8fec8eac7fb80b75aa52e68eca98be3f7701da48eb90758e5b94d72013d3dff05e0aaf27e938

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi
                          Filesize

                          1.5MB

                          MD5

                          cf7fa4babf20b3d11f76f15785a02a59

                          SHA1

                          c6d8dcb6f0253e44e8f644d497b4f261f178554b

                          SHA256

                          acae948ed87ed3146049e7009c133cf34b01deea85b163ca1c58967f1f8542e4

                          SHA512

                          552ad9758944143e7fada78dd9d922896d7fac450d6296fad83fb3a6e5bbd22ef2a1e47e478f674d87a9f18505703286faa7a3ece770255cde8eeaccac421963

                          Download Submit

                        • memory/872-0-0x0000000074DCE000-0x0000000074DCF000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/872-1-0x0000000000A20000-0x0000000000AEC000-memory.dmp

                          Filesize

                          816KB

                          Download

                        • memory/872-2-0x0000000074DC0000-0x0000000075570000-memory.dmp

                          Filesize

                          7.7MB

                          Download

                        • memory/872-3-0x0000000005E70000-0x0000000005E92000-memory.dmp

                          Filesize

                          136KB

                          Download

                        • memory/872-4-0x0000000005EA0000-0x00000000061F4000-memory.dmp

                          Filesize

                          3.3MB

                          Download

                        • memory/872-17-0x0000000074DC0000-0x0000000075570000-memory.dmp

                          Filesize

                          7.7MB

                          Download

                        • memory/2968-18-0x00000000007C0000-0x000000000088E000-memory.dmp

                          Filesize

                          824KB

                          Download

                        • memory/2968-428-0x0000000074DC0000-0x0000000075570000-memory.dmp

                          Filesize

                          7.7MB

                          Download

                        • memory/2968-26-0x0000000000E20000-0x0000000000E32000-memory.dmp

                          Filesize

                          72KB

                          Download

                        • memory/2968-24-0x0000000000DE0000-0x0000000000DEA000-memory.dmp

                          Filesize

                          40KB

                          Download

                        • memory/2968-19-0x0000000074DC0000-0x0000000075570000-memory.dmp

                          Filesize

                          7.7MB

                          Download

                        • memory/2968-21-0x0000000074DC0000-0x0000000075570000-memory.dmp

                          Filesize

                          7.7MB

                          Download

                        • memory/2968-20-0x0000000074DC0000-0x0000000075570000-memory.dmp

                          Filesize

                          7.7MB

                          Download