7c4283f5e620b2506bcb273f947def4435d95e143ae3067a783fd3adc873a659 | Triage

Resubmissions

03-09-2024 15:35

240903-s1shnazgpk 7

03-09-2024 15:33

240903-szgd1a1glf 7

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-09-2024 15:35

Sharing

Report Analysis Logs

General

Target

Bootstrapper.exe
Size

796KB
MD5

4b94b989b0fe7bec6311153b309dfe81
SHA1

bb50a4bb8a66f0105c5b74f32cd114c672010b22
SHA256

7c4283f5e620b2506bcb273f947def4435d95e143ae3067a783fd3adc873a659
SHA512

fbbe60cf3e5d028d906e7d444b648f7dff8791c333834db8119e0a950532a75fda2e9bd5948f0b210904667923eb7b2c0176140babc497955d227e7d80fb109d
SSDEEP

12288:jHeLH6iTPSE54sgweI9oaQaj3T+piq+77xOZ+eMm:jHeLHdTSEeyoaQaj3apiq+77xd

Score

1^/10

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2728	Bootstrapper.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 2900	2728	Bootstrapper.exe	31
PID 2728 wrote to memory of 2900	2728	Bootstrapper.exe	31
PID 2728 wrote to memory of 2900	2728	Bootstrapper.exe	31

C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2728 -s 976
  2⤵
  PID:2900

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2728-0-0x000007FEF4E83000-0x000007FEF4E84000-memory.dmp

Filesize
4KB

Download
memory/2728-1-0x0000000000D80000-0x0000000000E4E000-memory.dmp

Filesize
824KB

Download
memory/2728-2-0x000007FEF4E80000-0x000007FEF586C000-memory.dmp

Filesize
9.9MB

Download
memory/2728-3-0x000007FEF4E80000-0x000007FEF586C000-memory.dmp

Filesize
9.9MB

Download