Analysis
max time kernel: 114s
max time network: 21s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 07/09/2024, 18:11

Static task: static1

Behavioral task: behavioral1
Sample: Bootstrapper_1725724037599_1sly5.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: Bootstrapper_1725724037599_1sly5.exe
Resource: win10-20240404-en

Behavioral task: behavioral3
Sample: Bootstrapper_1725724037599_1sly5.exe
Resource: win10v2004-20240802-en
General
Target: Bootstrapper_1725724037599_1sly5.exe
Size: 146KB
MD5: bc832d4fef741681578a87eb5d95b292
SHA1: 75a89d287b15af8c6b8bcd9fa7887badc1850c5d
SHA256: 5aa9d099dfc103dc52a33655e57845c6084b5d6bfab65abf4f3daea9911c613a
SHA512: 270298becb80e7398ee608c780185caa6cfe1b48319c87302efd1fbc17f73f5acf9926295420e3dc8caeaa6e80f57db235e0d9adc2e37dda674d6d85c01be4f8
SSDEEP: 3072:8PCyYwC+M2FEv80IZOA/CyYwC+M2FEv80IZOAU80IZOA4:ghY7X2Kvh4hY7X2Kvhvh
Malware Config
Signatures
Process spawned unexpected child process (3 IoCs)
This typically indicates the parent process was compromised via an exploit or macro. Here the unexpected parent is wmiprvse.exe, the WMI provider host, which is also the recorded parent of any process created through WMI (for example Win32_Process.Create); a launch made that way never shows the real initiator as the parent. wmiprvse.exe itself is not listed in the process tree below, which is why the three powershell.exe instances appear as top-level entries rather than as children of the sample.

description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 744 | 2696 | powershell.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2584 | 2696 | powershell.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2572 | 2696 | powershell.exe | 30
Command and Scripting Interpreter: PowerShell (1 TTP, 3 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes. In this run each of the three invocations adds a path exclusion with Add-MpPreference -ExclusionPath (C:\Sola, C:\Users\Admin\Desktop and C:\Users; see the process list). Note that excluding C:\Users disables scanning for every user profile, including the sample's own location under C:\Users\Admin\AppData\Local\Temp. Add-MpPreference requires administrative rights, so a successful exclusion also implies the sample ran elevated.

pid | Process
744 | powershell.exe
2584 | powershell.exe
2572 | powershell.exe
Drops file in System32 directory (3 IoCs)
The recorded path is C:\Windows\System32 with an unexpanded %ProgramData% appended, i.e. a relative path resolved against powershell.exe's working directory. The real target is the Windows PowerShell Start Menu shortcut, which powershell.exe commonly rewrites when it starts on Windows 7; this is most likely a console-host startup artifact rather than a payload being dropped into System32.

description | ioc | Process
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoC)
pid_target 2752 is the sample itself: it crashed and launched WerFault.exe for its own process (compare the -p 2752 argument in the process list).

pid | pid_target | Process | procid_target
2972 | 2752 | WerFault.exe | 29
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bootstrapper_1725724037599_1sly5.exe
Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid | Process
744 | powershell.exe
2584 | powershell.exe
2572 | powershell.exe
Suspicious use of AdjustPrivilegeToken (4 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 744 | powershell.exe
Token: SeDebugPrivilege | 2584 | powershell.exe
Token: SeDebugPrivilege | 2572 | powershell.exe
Token: SeDebugPrivilege | 2752 | Bootstrapper_1725724037599_1sly5.exe
Suspicious use of WriteProcessMemory (4 IoCs)
All four writes go from the sample into the WerFault.exe instance (PID 2972) it launched when it crashed, which is what process creation looks like at the API level; no writes into an unrelated process were recorded, so this is not evidence of injection.

description | pid | Process | procid_target
PID 2752 wrote to memory of 2972 | 2752 | Bootstrapper_1725724037599_1sly5.exe | 37
PID 2752 wrote to memory of 2972 | 2752 | Bootstrapper_1725724037599_1sly5.exe | 37
PID 2752 wrote to memory of 2972 | 2752 | Bootstrapper_1725724037599_1sly5.exe | 37
PID 2752 wrote to memory of 2972 | 2752 | Bootstrapper_1725724037599_1sly5.exe | 37
Processes
C:\Users\Admin\AppData\Local\Temp\Bootstrapper_1725724037599_1sly5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Bootstrapper_1725724037599_1sly5.exe"
  PID: 2752
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2752 -s 1924
      PID: 2972
      - Program crash
      (The SysWOW64 WerFault.exe indicates the crashing sample is a 32-bit executable, consistent with the arch:x86 resource tag.)

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe -Command "Add-MpPreference -ExclusionPath 'C:\Sola'"
  PID: 744
  - Process spawned unexpected child process
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop'"
  PID: 2584
  - Process spawned unexpected child process
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
  PID: 2572
  - Process spawned unexpected child process
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

The three powershell.exe entries sit at the top level of the tree because their recorded parent is wmiprvse.exe (PID 2696 in the signature table), not the sample; the parent-child link to the sample is therefore lost in process-tree based detections and has to be recovered from the wmiprvse.exe parent and the command line instead.
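The two behaviours that matter operationally in this report are the wmiprvse.exe to powershell.exe launch and the Add-MpPreference exclusions. The following is an added detection example, not part of the sandbox report or its tooling: it applies both checks to constructed process-creation events whose PIDs and command lines are taken from the process list above (Sysmon Event ID 1 style field names; the wmiprvse.exe parent PID 2696 is taken from the pid_target column; the explorer.exe control event, the list of "broad" exclusion prefixes and the extra script hosts are assumptions for illustration).

```python
"""Detection logic for the two behaviours in this report, applied to
constructed process-creation events (Sysmon EID 1 style fields).
Added example; not the sandbox's own signature implementation."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str          # full path of the new process
    command_line: str
    parent_pid: int
    parent_image: str   # full path of the parent process


# wmiprvse.exe is the WMI provider host; anything started through WMI gets it
# as parent, so a script host under it never shows the real initiator.
# Assumption: extend this set with Office hosts etc. for production use.
UNEXPECTED_PARENTS = {"wmiprvse.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# Defender exclusion switches followed by one value or a comma-separated list,
# in any of the PowerShell quoting styles (single, double, bare).
_VALUE = r"(?:'[^']*'|\"[^\"]*\"|[^\s,'\"]+)"
PARAM_RE = re.compile(
    r"-(ExclusionPath|ExclusionExtension|ExclusionProcess)\s+"
    r"(" + _VALUE + r"(?:\s*,\s*" + _VALUE + r")*)",
    re.IGNORECASE,
)
VALUE_RE = re.compile(r"'([^']*)'|\"([^\"]*)\"|([^\s,'\"]+)")

# Directories so broad that excluding them blinds Defender to most user or
# system activity. Assumed policy thresholds; adjust to the estate.
BROAD_PREFIXES = {"c:\\users", "c:\\programdata", "c:\\windows", "c:\\windows\\temp"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def normalize(path: str) -> str:
    return path.replace("/", "\\").rstrip("\\").lower()


def covers(excluded: str, target: str) -> bool:
    """True if `target` lives inside the excluded directory `excluded`."""
    e, t = normalize(excluded), normalize(target)
    return t == e or t.startswith(e + "\\")


def parse_exclusions(command_line: str) -> List[Tuple[str, str]]:
    """Return (kind, value) for every exclusion an Add-MpPreference call adds."""
    if not re.search(r"\bAdd-MpPreference\b", command_line, re.IGNORECASE):
        return []
    found = []
    for m in PARAM_RE.finditer(command_line):
        kind = m.group(1).lower()
        for single, double, bare in VALUE_RE.findall(m.group(2)):
            found.append((kind, single or double or bare))
    return found


def is_broad_exclusion(kind: str, value: str, sample_path: str) -> bool:
    """Drive roots, profile/system trees, or any path that covers the sample."""
    if kind != "exclusionpath":
        return False
    v = normalize(value)
    if re.fullmatch(r"[a-z]:", v) or v in BROAD_PREFIXES:
        return True
    return covers(v, sample_path)


def analyze(events: List[ProcEvent], sample_path: str) -> List[Dict]:
    """Run both rules over the events and return one finding per hit."""
    findings = []
    for ev in events:
        child, parent = basename(ev.image), basename(ev.parent_image)
        if parent in UNEXPECTED_PARENTS and child in SCRIPT_HOSTS:
            findings.append({"rule": "unexpected_child", "pid": ev.pid,
                             "parent_pid": ev.parent_pid, "parent": parent})
        for kind, value in parse_exclusions(ev.command_line):
            findings.append({"rule": "defender_exclusion", "pid": ev.pid,
                             "kind": kind, "value": value,
                             "broad": is_broad_exclusion(kind, value, sample_path)})
    return findings


# Constructed events: the three launches from this report (PIDs, images and
# command lines as listed; parent PID 2696 from the pid_target column) plus
# one benign control launch from explorer.exe that must not fire.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WMI = r"C:\Windows\system32\wbem\wmiprvse.exe"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\Bootstrapper_1725724037599_1sly5.exe"
EVENTS = [
    ProcEvent(744, PS, "powershell.exe -Command \"Add-MpPreference -ExclusionPath 'C:\\Sola'\"", 2696, WMI),
    ProcEvent(2584, PS, "powershell.exe -Command \"Add-MpPreference -ExclusionPath 'C:\\Users\\Admin\\Desktop'\"", 2696, WMI),
    ProcEvent(2572, PS, "powershell.exe -Command \"Add-MpPreference -ExclusionPath 'C:\\Users'\"", 2696, WMI),
    ProcEvent(3100, PS, "powershell.exe -Command \"Get-Process\"", 1500, r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for finding in analyze(EVENTS, SAMPLE):
        print(finding)
```

The second rule keys on the command line rather than the parent, so it still fires when the launch is laundered through WMI or a scheduled task and the tree link to the sample is gone; the `broad` flag separates a narrow exclusion such as C:\Sola from one like C:\Users that also covers the sample's own drop directory. On a live host the same paths can be confirmed against `Get-MpPreference` (ExclusionPath property) before deciding whether to remove them.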
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HXSVCNG9Q7EEAHP1CKIQ.temp
Filesize: 7KB
MD5: b1d079d967308c258d2b5a9f4cc39807
SHA1: 18616da8d97390511e0407dff5d75ca7eff3f8e9
SHA256: 2e2b174d7f7a14a01fca492f5ffc22070b77c4d7b88ccf4c258573f9fe18a4d0
SHA512: 2fd30b9226b13c1dbb3678c34e7a1837e4f776f1a3889137513ecbcc9478fa9af50e50383189e59d9686bc435f53a4e214acfffcf95a26c35e89ed78106dd7ac