Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

Bootstrapper1-9.exe

windows7-x64

7

Bootstrapper1-9.exe

windows10-2004-x64

9

Resubmissions

14/08/2024, 19:18

240814-xz7neazana 10

14/08/2024, 19:15

240814-xyhynayhnb 10

14/08/2024, 19:11

240814-xv3tnaygkh 10

Analysis

  • max time kernel
    141s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    14/08/2024, 19:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Bootstrapper1-9.exe

  • Size

    11.0MB

  • MD5

    6e216e2e8eceb0755a07a025e601340b

  • SHA1

    0db1d5e73e57ea2ca44f73ee82e30dde25d626d1

  • SHA256

    a1d978b40325c7dfd7dc738b7403de289ece01dfceb93ade84c4e96f015793a2

  • SHA512

    1be35f284f7962c1ef9e4de696ab620b8d3c7918e3cbbc602cb52741c6549d5c1096f0a13c9331881e447a8875bab6ccabd358ffb31309ce9e71cbdf06a20984

  • SSDEEP

    98304:d+EtdFBCkamaHl3Ne4i3gmtfXJOLhx9fZAzDJ4wzQgsRuGK4RgOuAK8v3yy:ddFIFeN/FJMIDJf0gsAGK4RruAK8fR

Score
7/10
upx

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 34 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 13 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Bootstrapper1-9.exe
    "C:\Users\Admin\AppData\Local\Temp\Bootstrapper1-9.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1212
    • C:\Users\Admin\AppData\Local\Temp\Bootstrapper1-9.exe
      "C:\Users\Admin\AppData\Local\Temp\Bootstrapper1-9.exe"
      2⤵
      • Loads dropped DLL
      PID:2192
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x4e4
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2776
  • C:\Users\Admin\AppData\Local\Temp\Bootstrapper1-9.exe
    "C:\Users\Admin\AppData\Local\Temp\Bootstrapper1-9.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3036
    • C:\Users\Admin\AppData\Local\Temp\Bootstrapper1-9.exe
      "C:\Users\Admin\AppData\Local\Temp\Bootstrapper1-9.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious behavior: GetForegroundWindowSpam
      PID:2384
  • C:\Users\Admin\AppData\Local\Temp\_MEI30362\rar.exe
    "C:\Users\Admin\AppData\Local\Temp\_MEI30362\rar.exe"
    1⤵
    • Executes dropped EXE
    PID:2976
  • C:\Users\Admin\AppData\Local\Temp\_MEI30362\rar.exe
    "C:\Users\Admin\AppData\Local\Temp\_MEI30362\rar.exe"
    1⤵
    • Executes dropped EXE
    PID:2628
  • C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\_MEI30362\libcrypto-1_1.dll
    1⤵
    • Modifies registry class
    PID:272
  • C:\Users\Admin\AppData\Local\Temp\_MEI30362\rar.exe
    "C:\Users\Admin\AppData\Local\Temp\_MEI30362\rar.exe"
    1⤵
    • Executes dropped EXE
    PID:2528
  • C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Documents\base_library\collections\__init__.pyc
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2552
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\base_library\collections\__init__.pyc
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:2320

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_MEI12122\python310.dll
    Filesize

    1.4MB

    MD5

    178a0f45fde7db40c238f1340a0c0ec0

    SHA1

    dcd2d3d14e06da3e8d7dc91a69b5fd785768b5fe

    SHA256

    9fcb5ad15bd33dd72122a171a5d950e8e47ceda09372f25df828010cde24b8ed

    SHA512

    4b790046787e57b9414a796838a026b1530f497a75c8e62d62b56f8c16a0cbedbefad3d4be957bc18379f64374d8d3bf62d3c64b53476c7c5005a7355acd2cee

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_MEI30362\rarreg.key
    Filesize

    456B

    MD5

    4531984cad7dacf24c086830068c4abe

    SHA1

    fa7c8c46677af01a83cf652ef30ba39b2aae14c3

    SHA256

    58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

    SHA512

    00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

    Download Submit

  • \Users\Admin\AppData\Local\Temp\_MEI30362\libcrypto-1_1.dll
    Filesize

    1.1MB

    MD5

    daa2eed9dceafaef826557ff8a754204

    SHA1

    27d668af7015843104aa5c20ec6bbd30f673e901

    SHA256

    4dab915333d42f071fe466df5578fd98f38f9e0efa6d9355e9b4445ffa1ca914

    SHA512

    7044715550b7098277a015219688c7e7a481a60e4d29f5f6558b10c7ac29195c6d5377dc234da57d9def0c217bb3d7feca332a64d632ca105503849f15e057ea

    Download Submit

  • \Users\Admin\AppData\Local\Temp\_MEI30362\rar.exe
    Filesize

    615KB

    MD5

    9c223575ae5b9544bc3d69ac6364f75e

    SHA1

    8a1cb5ee02c742e937febc57609ac312247ba386

    SHA256

    90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

    SHA512

    57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

    Download Submit

  • memory/2192-23-0x000007FEF68D0000-0x000007FEF6D3E000-memory.dmp

    Filesize

    4.4MB

    Download

  • memory/2384-67-0x000007FEF6090000-0x000007FEF64FE000-memory.dmp

    Filesize

    4.4MB

    Download