dc67b264b90e29cf5cffed4453de4567398faa7f3bf18e69e84033c5b33ab05c

Analysis

max time kernel
1443s
max time network
1444s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
06/09/2024, 19:43

Target

Bootstrapper.exe
Size

971KB
MD5

2458f330cda521460cc077238ab01b25
SHA1

13312b4dffbdda09da2f1848cc713bbe781c5543
SHA256

dc67b264b90e29cf5cffed4453de4567398faa7f3bf18e69e84033c5b33ab05c
SHA512

8f027ebd96901f5a22aad34191244b1786dfb66843cbe05a8470d930415d85d86430267da09e7f1a69b8011b170d229e7fb25ecf0bf7d9209d7b910b2cbab48b
SSDEEP

12288:SKAnSKWYWXlX12QmVdooRkajphRdP7E10TjHeApBH:vAVWbm0oRkajjRZ7Q0PHeS

Score

1^/10

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2524	Bootstrapper.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 2192	2524	Bootstrapper.exe	30
PID 2524 wrote to memory of 2192	2524	Bootstrapper.exe	30
PID 2524 wrote to memory of 2192	2524	Bootstrapper.exe	30

C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2524 -s 1076
  2⤵
  PID:2192

memory/2524-0-0x000007FEF5E93000-0x000007FEF5E94000-memory.dmp

Filesize
4KB

Download
memory/2524-1-0x0000000000190000-0x000000000028A000-memory.dmp

Filesize
1000KB

Download
memory/2524-2-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp

Filesize
9.9MB

Download
memory/2524-3-0x000007FEF5E93000-0x000007FEF5E94000-memory.dmp

Filesize
4KB

Download
memory/2524-4-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp

Filesize
9.9MB

Download