7c4283f5e620b2506bcb273f947def4435d95e143ae3067a783fd3adc873a659

Analysis

max time kernel
87s
max time network
85s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
08/09/2024, 00:53

Target

Bootstrapper.exe
Size

796KB
MD5

4b94b989b0fe7bec6311153b309dfe81
SHA1

bb50a4bb8a66f0105c5b74f32cd114c672010b22
SHA256

7c4283f5e620b2506bcb273f947def4435d95e143ae3067a783fd3adc873a659
SHA512

fbbe60cf3e5d028d906e7d444b648f7dff8791c333834db8119e0a950532a75fda2e9bd5948f0b210904667923eb7b2c0176140babc497955d227e7d80fb109d
SSDEEP

12288:jHeLH6iTPSE54sgweI9oaQaj3T+piq+77xOZ+eMm:jHeLHdTSEeyoaQaj3apiq+77xd

Score

1^/10

Suspicious use of AdjustPrivilegeToken 3 IoCs

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2720 wrote to memory of 2096	2720	Bootstrapper.exe	31
PID 2720 wrote to memory of 2096	2720	Bootstrapper.exe	31
PID 2720 wrote to memory of 2096	2720	Bootstrapper.exe	31
PID 2268 wrote to memory of 800	2268	Bootstrapper.exe	41
PID 2268 wrote to memory of 800	2268	Bootstrapper.exe	41
PID 2268 wrote to memory of 800	2268	Bootstrapper.exe	41
PID 832 wrote to memory of 1540	832	Bootstrapper.exe	44
PID 832 wrote to memory of 1540	832	Bootstrapper.exe	44
PID 832 wrote to memory of 1540	832	Bootstrapper.exe	44

C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2720 -s 1068
  2⤵
  PID:2096

C:\Users\Admin\Downloads\Bootstrapper.exe
"C:\Users\Admin\Downloads\Bootstrapper.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2268 -s 1068
  2⤵
  PID:800

C:\Users\Admin\Downloads\Bootstrapper.exe
"C:\Users\Admin\Downloads\Bootstrapper.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:832
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 832 -s 1072
  2⤵
  PID:1540

memory/832-6-0x00000000001C0000-0x000000000028E000-memory.dmp

Filesize
824KB

Download
memory/2268-5-0x0000000000F60000-0x000000000102E000-memory.dmp

Filesize
824KB

Download
memory/2720-0-0x000007FEF5BD3000-0x000007FEF5BD4000-memory.dmp

Filesize
4KB

Download
memory/2720-1-0x0000000000040000-0x000000000010E000-memory.dmp

Filesize
824KB

Download
memory/2720-2-0x000007FEF5BD0000-0x000007FEF65BC000-memory.dmp

Filesize
9.9MB

Download
memory/2720-3-0x000007FEF5BD3000-0x000007FEF5BD4000-memory.dmp

Filesize
4KB

Download
memory/2720-4-0x000007FEF5BD0000-0x000007FEF65BC000-memory.dmp

Filesize
9.9MB

Download