7c4283f5e620b2506bcb273f947def4435d95e143ae3067a783fd3adc873a659 | Triage

Resubmissions

03-09-2024 19:02

240903-xp9p1stglm 7

03-09-2024 19:01

240903-xpql5stgkn 7

Analysis

max time kernel
5s
max time network
1s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-09-2024 19:01

Sharing

Report Analysis Logs

General

Target

Bootstrapper.exe
Size

796KB
MD5

4b94b989b0fe7bec6311153b309dfe81
SHA1

bb50a4bb8a66f0105c5b74f32cd114c672010b22
SHA256

7c4283f5e620b2506bcb273f947def4435d95e143ae3067a783fd3adc873a659
SHA512

fbbe60cf3e5d028d906e7d444b648f7dff8791c333834db8119e0a950532a75fda2e9bd5948f0b210904667923eb7b2c0176140babc497955d227e7d80fb109d
SSDEEP

12288:jHeLH6iTPSE54sgweI9oaQaj3T+piq+77xOZ+eMm:jHeLHdTSEeyoaQaj3apiq+77xd

Score

1^/10

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2980	Bootstrapper.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 2732	2980	Bootstrapper.exe	31
PID 2980 wrote to memory of 2732	2980	Bootstrapper.exe	31
PID 2980 wrote to memory of 2732	2980	Bootstrapper.exe	31

C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2980 -s 976
  2⤵
  PID:2732

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2980-2-0x000007FEF4F60000-0x000007FEF594C000-memory.dmp

Filesize
9.9MB

Download
memory/2980-1-0x0000000000FC0000-0x000000000108E000-memory.dmp

Filesize
824KB

Download
memory/2980-0-0x000007FEF4F63000-0x000007FEF4F64000-memory.dmp

Filesize
4KB

Download
memory/2980-3-0x000007FEF4F60000-0x000007FEF594C000-memory.dmp

Filesize
9.9MB

Download