5aa9d099dfc103dc52a33655e57845c6084b5d6bfab65abf4f3daea9911c613a

General

Target

Bootstrapper_1725724037599_1sly5.exe
Size

146KB
MD5

bc832d4fef741681578a87eb5d95b292
SHA1

75a89d287b15af8c6b8bcd9fa7887badc1850c5d
SHA256

5aa9d099dfc103dc52a33655e57845c6084b5d6bfab65abf4f3daea9911c613a
SHA512

270298becb80e7398ee608c780185caa6cfe1b48319c87302efd1fbc17f73f5acf9926295420e3dc8caeaa6e80f57db235e0d9adc2e37dda674d6d85c01be4f8
SSDEEP

3072:8PCyYwC+M2FEv80IZOA/CyYwC+M2FEv80IZOAU80IZOA4:ghY7X2Kvh4hY7X2Kvhvh

Score

10^/10

discovery execution

Malware Config

Signatures

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	744	2696	powershell.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2696	powershell.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2696	powershell.exe	30

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
744	powershell.exe
2584	powershell.exe
2572	powershell.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2972	2752	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bootstrapper_1725724037599_1sly5.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
744	powershell.exe
2584	powershell.exe
2572	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	744	powershell.exe
Token: SeDebugPrivilege	2584	powershell.exe
Token: SeDebugPrivilege	2572	powershell.exe
Token: SeDebugPrivilege	2752	Bootstrapper_1725724037599_1sly5.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2752 wrote to memory of 2972	2752	Bootstrapper_1725724037599_1sly5.exe	37
PID 2752 wrote to memory of 2972	2752	Bootstrapper_1725724037599_1sly5.exe	37
PID 2752 wrote to memory of 2972	2752	Bootstrapper_1725724037599_1sly5.exe	37
PID 2752 wrote to memory of 2972	2752	Bootstrapper_1725724037599_1sly5.exe	37

C:\Users\Admin\AppData\Local\Temp\Bootstrapper_1725724037599_1sly5.exe
"C:\Users\Admin\AppData\Local\Temp\Bootstrapper_1725724037599_1sly5.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2752
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2752 -s 1924
  2⤵
  - Program crash
  PID:2972

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command "Add-MpPreference -ExclusionPath 'C:\Sola'"
1⤵
- Process spawned unexpected child process
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:744

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop'"
1⤵
- Process spawned unexpected child process
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2584

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
1⤵
- Process spawned unexpected child process
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HXSVCNG9Q7EEAHP1CKIQ.temp

Filesize
7KB

MD5
b1d079d967308c258d2b5a9f4cc39807

SHA1
18616da8d97390511e0407dff5d75ca7eff3f8e9

SHA256
2e2b174d7f7a14a01fca492f5ffc22070b77c4d7b88ccf4c258573f9fe18a4d0

SHA512
2fd30b9226b13c1dbb3678c34e7a1837e4f776f1a3889137513ecbcc9478fa9af50e50383189e59d9686bc435f53a4e214acfffcf95a26c35e89ed78106dd7ac

Download Submit
memory/744-14-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/744-12-0x000000001B4D0000-0x000000001B7B2000-memory.dmp

Filesize
2.9MB

Download
memory/2752-4-0x0000000000310000-0x000000000031A000-memory.dmp

Filesize
40KB

Download
memory/2752-3-0x0000000000310000-0x000000000031A000-memory.dmp

Filesize
40KB

Download
memory/2752-0-0x000000007451E000-0x000000007451F000-memory.dmp

Filesize
4KB

Download
memory/2752-2-0x0000000074510000-0x0000000074BFE000-memory.dmp

Filesize
6.9MB

Download
memory/2752-1-0x0000000001290000-0x00000000012BA000-memory.dmp

Filesize
168KB

Download
memory/2752-19-0x0000000074510000-0x0000000074BFE000-memory.dmp

Filesize
6.9MB

Download
memory/2752-20-0x000000007451E000-0x000000007451F000-memory.dmp

Filesize
4KB

Download
memory/2752-21-0x0000000074510000-0x0000000074BFE000-memory.dmp

Filesize
6.9MB

Download
memory/2752-22-0x0000000000310000-0x000000000031A000-memory.dmp

Filesize
40KB

Download
memory/2752-23-0x0000000000310000-0x000000000031A000-memory.dmp

Filesize
40KB

Download
memory/2752-24-0x0000000074510000-0x0000000074BFE000-memory.dmp

Filesize
6.9MB

Download
memory/2752-25-0x0000000074510000-0x0000000074BFE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing