e1d2362f0bf622de97c99833516fa7c50ebce8bc6e824a7a3dedd3f8b487c679

Resubmissions

01/09/2024, 14:15

240901-rkpldssgrl 7

Analysis

max time kernel
301s
max time network
290s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
01/09/2024, 14:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bootstrap Studio.exe
Size

168.9MB
MD5

1a825e6aacf1f7ddfdbee79d95e3e470
SHA1

4a3ca9cfc59163f9b6dd9b158f912b22c0900294
SHA256

1a27d9f8869d5b443ba850fd250188efb1a74c582701edc1ae0928bf6797fc4d
SHA512

3b9fc79dfbf8b464c8259f6743d0c5585a0ea5986ba6ca5349a567b7b5331b5cafdd2ec790219040219d870a74920d130e49dd684ced97429350312b4278783b
SSDEEP

3145728:wWUw7YjyTqqqqqqqqqqqqqqqqqqqqqqAaAK:wWUw4ar

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	Bootstrap Studio.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3376	Bootstrap Studio.exe
3376	Bootstrap Studio.exe
3376	Bootstrap Studio.exe
3376	Bootstrap Studio.exe
3376	Bootstrap Studio.exe
3376	Bootstrap Studio.exe
3376	Bootstrap Studio.exe
3376	Bootstrap Studio.exe
3376	Bootstrap Studio.exe
3376	Bootstrap Studio.exe
3376	Bootstrap Studio.exe
3376	Bootstrap Studio.exe
3376	Bootstrap Studio.exe
3376	Bootstrap Studio.exe
3376	Bootstrap Studio.exe
3376	Bootstrap Studio.exe
4012	Bootstrap Studio.exe
4012	Bootstrap Studio.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3376	Bootstrap Studio.exe
Token: SeCreatePagefilePrivilege	3376	Bootstrap Studio.exe
Token: SeShutdownPrivilege	3376	Bootstrap Studio.exe
Token: SeCreatePagefilePrivilege	3376	Bootstrap Studio.exe
Token: SeShutdownPrivilege	3376	Bootstrap Studio.exe
Token: SeCreatePagefilePrivilege	3376	Bootstrap Studio.exe
Token: SeShutdownPrivilege	3376	Bootstrap Studio.exe
Token: SeCreatePagefilePrivilege	3376	Bootstrap Studio.exe
Token: SeShutdownPrivilege	3376	Bootstrap Studio.exe
Token: SeCreatePagefilePrivilege	3376	Bootstrap Studio.exe
Token: SeShutdownPrivilege	3376	Bootstrap Studio.exe
Token: SeCreatePagefilePrivilege	3376	Bootstrap Studio.exe
Token: SeShutdownPrivilege	3376	Bootstrap Studio.exe
Token: SeCreatePagefilePrivilege	3376	Bootstrap Studio.exe
Token: SeShutdownPrivilege	3376	Bootstrap Studio.exe
Token: SeCreatePagefilePrivilege	3376	Bootstrap Studio.exe
Token: SeShutdownPrivilege	3376	Bootstrap Studio.exe
Token: SeCreatePagefilePrivilege	3376	Bootstrap Studio.exe
Token: SeShutdownPrivilege	3376	Bootstrap Studio.exe
Token: SeCreatePagefilePrivilege	3376	Bootstrap Studio.exe
Token: SeShutdownPrivilege	3376	Bootstrap Studio.exe
Token: SeCreatePagefilePrivilege	3376	Bootstrap Studio.exe
Token: SeShutdownPrivilege	3376	Bootstrap Studio.exe
Token: SeCreatePagefilePrivilege	3376	Bootstrap Studio.exe
Token: SeShutdownPrivilege	3376	Bootstrap Studio.exe
Token: SeCreatePagefilePrivilege	3376	Bootstrap Studio.exe
Token: SeShutdownPrivilege	3376	Bootstrap Studio.exe
Token: SeCreatePagefilePrivilege	3376	Bootstrap Studio.exe
Token: SeShutdownPrivilege	3376	Bootstrap Studio.exe
Token: SeCreatePagefilePrivilege	3376	Bootstrap Studio.exe
Token: SeShutdownPrivilege	3376	Bootstrap Studio.exe
Token: SeCreatePagefilePrivilege	3376	Bootstrap Studio.exe
Token: SeShutdownPrivilege	3376	Bootstrap Studio.exe
Token: SeCreatePagefilePrivilege	3376	Bootstrap Studio.exe
Token: SeShutdownPrivilege	3376	Bootstrap Studio.exe
Token: SeCreatePagefilePrivilege	3376	Bootstrap Studio.exe
Token: SeShutdownPrivilege	3376	Bootstrap Studio.exe
Token: SeCreatePagefilePrivilege	3376	Bootstrap Studio.exe
Token: SeShutdownPrivilege	3376	Bootstrap Studio.exe
Token: SeCreatePagefilePrivilege	3376	Bootstrap Studio.exe
Token: SeShutdownPrivilege	3376	Bootstrap Studio.exe
Token: SeCreatePagefilePrivilege	3376	Bootstrap Studio.exe
Token: SeShutdownPrivilege	3376	Bootstrap Studio.exe
Token: SeCreatePagefilePrivilege	3376	Bootstrap Studio.exe
Token: SeShutdownPrivilege	3376	Bootstrap Studio.exe
Token: SeCreatePagefilePrivilege	3376	Bootstrap Studio.exe
Token: SeShutdownPrivilege	3376	Bootstrap Studio.exe
Token: SeCreatePagefilePrivilege	3376	Bootstrap Studio.exe
Token: SeShutdownPrivilege	3376	Bootstrap Studio.exe
Token: SeCreatePagefilePrivilege	3376	Bootstrap Studio.exe
Token: SeShutdownPrivilege	3376	Bootstrap Studio.exe
Token: SeCreatePagefilePrivilege	3376	Bootstrap Studio.exe
Token: SeShutdownPrivilege	3376	Bootstrap Studio.exe
Token: SeCreatePagefilePrivilege	3376	Bootstrap Studio.exe
Token: SeShutdownPrivilege	3376	Bootstrap Studio.exe
Token: SeCreatePagefilePrivilege	3376	Bootstrap Studio.exe
Token: SeShutdownPrivilege	3376	Bootstrap Studio.exe
Token: SeCreatePagefilePrivilege	3376	Bootstrap Studio.exe
Token: SeShutdownPrivilege	3376	Bootstrap Studio.exe
Token: SeCreatePagefilePrivilege	3376	Bootstrap Studio.exe
Token: SeShutdownPrivilege	3376	Bootstrap Studio.exe
Token: SeCreatePagefilePrivilege	3376	Bootstrap Studio.exe
Token: SeShutdownPrivilege	3376	Bootstrap Studio.exe
Token: SeCreatePagefilePrivilege	3376	Bootstrap Studio.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 3376 wrote to memory of 2596	3376	Bootstrap Studio.exe	82
PID 3376 wrote to memory of 2596	3376	Bootstrap Studio.exe	82
PID 3376 wrote to memory of 2596	3376	Bootstrap Studio.exe	82
PID 3376 wrote to memory of 2596	3376	Bootstrap Studio.exe	82
PID 3376 wrote to memory of 2596	3376	Bootstrap Studio.exe	82
PID 3376 wrote to memory of 2596	3376	Bootstrap Studio.exe	82
PID 3376 wrote to memory of 2596	3376	Bootstrap Studio.exe	82
PID 3376 wrote to memory of 2596	3376	Bootstrap Studio.exe	82
PID 3376 wrote to memory of 2596	3376	Bootstrap Studio.exe	82
PID 3376 wrote to memory of 2596	3376	Bootstrap Studio.exe	82
PID 3376 wrote to memory of 2596	3376	Bootstrap Studio.exe	82
PID 3376 wrote to memory of 2596	3376	Bootstrap Studio.exe	82
PID 3376 wrote to memory of 2596	3376	Bootstrap Studio.exe	82
PID 3376 wrote to memory of 2596	3376	Bootstrap Studio.exe	82
PID 3376 wrote to memory of 2596	3376	Bootstrap Studio.exe	82
PID 3376 wrote to memory of 2596	3376	Bootstrap Studio.exe	82
PID 3376 wrote to memory of 2596	3376	Bootstrap Studio.exe	82
PID 3376 wrote to memory of 2596	3376	Bootstrap Studio.exe	82
PID 3376 wrote to memory of 2596	3376	Bootstrap Studio.exe	82
PID 3376 wrote to memory of 2596	3376	Bootstrap Studio.exe	82
PID 3376 wrote to memory of 2596	3376	Bootstrap Studio.exe	82
PID 3376 wrote to memory of 2596	3376	Bootstrap Studio.exe	82
PID 3376 wrote to memory of 2596	3376	Bootstrap Studio.exe	82
PID 3376 wrote to memory of 2596	3376	Bootstrap Studio.exe	82
PID 3376 wrote to memory of 2596	3376	Bootstrap Studio.exe	82
PID 3376 wrote to memory of 2596	3376	Bootstrap Studio.exe	82
PID 3376 wrote to memory of 2596	3376	Bootstrap Studio.exe	82
PID 3376 wrote to memory of 2596	3376	Bootstrap Studio.exe	82
PID 3376 wrote to memory of 2596	3376	Bootstrap Studio.exe	82
PID 3376 wrote to memory of 2596	3376	Bootstrap Studio.exe	82
PID 3376 wrote to memory of 2320	3376	Bootstrap Studio.exe	83
PID 3376 wrote to memory of 2320	3376	Bootstrap Studio.exe	83
PID 3376 wrote to memory of 2848	3376	Bootstrap Studio.exe	84
PID 3376 wrote to memory of 2848	3376	Bootstrap Studio.exe	84
PID 3376 wrote to memory of 5000	3376	Bootstrap Studio.exe	85
PID 3376 wrote to memory of 5000	3376	Bootstrap Studio.exe	85
PID 3376 wrote to memory of 4012	3376	Bootstrap Studio.exe	95
PID 3376 wrote to memory of 4012	3376	Bootstrap Studio.exe	95

C:\Users\Admin\AppData\Local\Temp\Bootstrap Studio.exe
"C:\Users\Admin\AppData\Local\Temp\Bootstrap Studio.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3376
- C:\Users\Admin\AppData\Local\Temp\Bootstrap Studio.exe
  "C:\Users\Admin\AppData\Local\Temp\Bootstrap Studio.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Bootstrap Studio" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1696,i,7239574941709077398,3433768888322190136,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1688 /prefetch:2
  2⤵
  PID:2596
- C:\Users\Admin\AppData\Local\Temp\Bootstrap Studio.exe
  "C:\Users\Admin\AppData\Local\Temp\Bootstrap Studio.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\bstudio" --field-trial-handle=2104,i,7239574941709077398,3433768888322190136,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2100 /prefetch:3
  2⤵
  PID:2320
- C:\Users\Admin\AppData\Local\Temp\Bootstrap Studio.exe
  "C:\Users\Admin\AppData\Local\Temp\Bootstrap Studio.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\bstudio" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --field-trial-handle=2484,i,7239574941709077398,3433768888322190136,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2480 /prefetch:1
  2⤵
  PID:2848
- C:\Users\Admin\AppData\Local\Temp\Bootstrap Studio.exe
  "C:\Users\Admin\AppData\Local\Temp\Bootstrap Studio.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\bstudio" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3208,i,7239574941709077398,3433768888322190136,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  PID:5000
- C:\Users\Admin\AppData\Local\Temp\Bootstrap Studio.exe
  "C:\Users\Admin\AppData\Local\Temp\Bootstrap Studio.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --user-data-dir="C:\Users\Admin\AppData\Roaming\bstudio" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2416,i,7239574941709077398,3433768888322190136,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2400 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4012

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\bstudio\Network\Network Persistent State

Filesize
380B

MD5
a59456b9f23851c74eeccf46d131488c

SHA1
e6f55262b2f53c414ffa5365d06855b5cbb4a2a0

SHA256
5e5b0d932380e963097a21268ebff29254f5500b1c37f41a24b2030ae0a5bacf

SHA512
37c551792bf7f914f147d212e3405f336e6bc3f22617ed91507e8828bcbb66a00a8eec9aec9daa8e429b446c174dd5e67cc6253fd531dcfc600d402419556458

Download Submit
C:\Users\Admin\AppData\Roaming\bstudio\Network\Network Persistent State~RFe58dd1c.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\bstudio\Preferences

Filesize
57B

MD5
58127c59cb9e1da127904c341d15372b

SHA1
62445484661d8036ce9788baeaba31d204e9a5fc

SHA256
be4b8924ab38e8acf350e6e3b9f1f63a1a94952d8002759acd6946c4d5d0b5de

SHA512
8d1815b277a93ad590ff79b6f52c576cf920c38c4353c24193f707d66884c942f39ff3989530055d2fade540ade243b41b6eb03cd0cc361c3b5d514cca28b50a

Download Submit
C:\Users\Admin\AppData\Roaming\bstudio\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
memory/4012-101-0x0000023116A10000-0x0000023116A11000-memory.dmp

Filesize
4KB

Download
memory/4012-100-0x0000023116A10000-0x0000023116A11000-memory.dmp

Filesize
4KB

Download
memory/4012-99-0x0000023116A10000-0x0000023116A11000-memory.dmp

Filesize
4KB

Download
memory/4012-108-0x0000023116A10000-0x0000023116A11000-memory.dmp

Filesize
4KB

Download
memory/4012-110-0x0000023116A10000-0x0000023116A11000-memory.dmp

Filesize
4KB

Download
memory/4012-109-0x0000023116A10000-0x0000023116A11000-memory.dmp

Filesize
4KB

Download
memory/4012-107-0x0000023116A10000-0x0000023116A11000-memory.dmp

Filesize
4KB

Download
memory/4012-106-0x0000023116A10000-0x0000023116A11000-memory.dmp

Filesize
4KB

Download
memory/4012-105-0x0000023116A10000-0x0000023116A11000-memory.dmp

Filesize
4KB

Download
memory/4012-111-0x0000023116A10000-0x0000023116A11000-memory.dmp

Filesize
4KB

Download