Analysis

  • max time kernel
    125s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240802-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    09/09/2024, 00:25

General

  • Target

    Bootstrapper.exe

  • Size

    796KB

  • MD5

    b75a8d6732141aafe1e47bda7405d710

  • SHA1

    f4ef3bf2e980583c0d46e8ba17b8916d6a45c642

  • SHA256

    12b47fe6997b6f91e3ebf8ecb94ccaf893de4f9784b4d79ba9996fb0ae43417c

  • SHA512

    0dd4910b8964f2a08a43cab6238eeef3b0123952f3e00e138217fe9426f607a7177b1f5de2c3332b723bfc4bd1dc2970f6e5582883699ef8877d8e5ed9231b3e

  • SSDEEP

    12288:EpdnCT28YS8yAsggrctoaQDj+QcuWEPdC64ALLb9Z6:EpdnCapSlrKoaQDj+nubPdC64ALX

Score
8/10

Malware Config

Signatures

  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Modifies data under HKEY_USERS 3 IoCs
  • Modifies registry class 30 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 37 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
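
The "Downloads MZ/PE file" signature fires on content, not on file extension: the sandbox inspects the bytes fetched over the network. The following added example (my own code, not Triage's signature logic and not anything from the analysed sample) shows the minimal header walk that decides whether a blob is a PE image, whether it is PE32 or PE32+, and whether it carries a CLR data directory (a managed .NET assembly); it also recognises the OLE compound-document magic that Windows Installer packages such as the dropped node-v18.16.0-x64.msi use. The PE bytes it checks are constructed inline as test input; no file from this report is embedded.

```python
import struct
from typing import Optional

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
IMAGE_FILE_DLL = 0x2000
CLR_DIRECTORY_INDEX = 14                              # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"       # compound document magic: .msi, legacy Office


def inspect_pe(data: bytes) -> Optional[dict]:
    """Walk DOS -> PE signature -> COFF -> optional header; None unless the blob is a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsections, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    if opt_size < 2 or opt + opt_size > len(data):
        return None
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32PLUS_MAGIC:
        nrva_off, dd_off = opt + 108, opt + 112       # NumberOfRvaAndSizes, first data directory
    elif magic == PE32_MAGIC:
        nrva_off, dd_off = opt + 92, opt + 96
    else:
        return None
    managed = False
    if nrva_off + 4 <= opt + opt_size:
        num_rva = struct.unpack_from("<I", data, nrva_off)[0]
        entry = dd_off + 8 * CLR_DIRECTORY_INDEX
        if num_rva > CLR_DIRECTORY_INDEX and entry + 8 <= opt + opt_size:
            rva, size = struct.unpack_from("<II", data, entry)
            managed = rva != 0 and size != 0          # non-empty CLR header => .NET assembly
    return {
        "machine": machine,
        "pe32plus": magic == PE32PLUS_MAGIC,
        "dll": bool(chars & IMAGE_FILE_DLL),
        "managed": managed,
        "sections": nsections,
    }


def classify_blob(data: bytes) -> str:
    """Content-based label of the kind a sandbox attaches to a network download."""
    if inspect_pe(data) is not None:
        return "Downloads MZ/PE file"
    if data.startswith(OLE_MAGIC):
        return "OLE compound document (MSI/Office)"
    return "other"


def build_sample_pe(managed: bool, machine: int = IMAGE_FILE_MACHINE_AMD64) -> bytes:
    """Constructed minimal PE32+ header with no sections (test input only, not a real binary)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt = bytearray(112 + 16 * 8)                     # fixed PE32+ part + 16 data directories
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 108, 16)              # NumberOfRvaAndSizes
    if managed:                                       # give the CLR directory a non-zero RVA/size
        struct.pack_into("<II", opt, 112 + 8 * CLR_DIRECTORY_INDEX, 0x2008, 0x48)
    # Characteristics 0x0022 = IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_LARGE_ADDRESS_AWARE
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, len(opt), 0x0022)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for label, blob in [("managed PE32+", build_sample_pe(True)),
                        ("native PE32+", build_sample_pe(False)),
                        ("MSI-like", OLE_MAGIC + bytes(504)),
                        ("text", b"hello")]:
        print(f"{label:14s} {classify_blob(blob):36s} {inspect_pe(blob)}")
```

For a real sample, pass the file's bytes to inspect_pe(); the dropped BootstrapperV1.18.exe and the MSI listed under Downloads can be checked the same way after their hashes have been confirmed against the values in this report.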

Processes

  • C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
    "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1452
    • C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.18.exe
      "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.18.exe" --oldBootstrapper "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe" --isUpdate true
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2568
      • C:\Windows\System32\msiexec.exe
        "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi" /qn
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3144
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4508,i,16315016104747277319,5510969007830467313,262144 --variations-seed-version --mojo-platform-channel-handle=4228 /prefetch:8
    1⤵
    PID:4864
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Modifies data under HKEY_USERS
    • Modifies registry class
    PID:1368
    • C:\Windows\System32\MsiExec.exe
      C:\Windows\System32\MsiExec.exe -Embedding 120FA78D28DCBEBE8E86D8973E9736E0
      2⤵
      PID:4608
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 20842F9E8EA63D242B2CC04384722618
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2328
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding DFB8339FB32A41EF2226BD675DE33AC7 E Global\MSI0000
      2⤵
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3864
      • C:\Windows\SysWOW64\wevtutil.exe
        "wevtutil.exe" im "C:\Program Files\nodejs\node_etw_provider.man"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3612
        • C:\Windows\System32\wevtutil.exe
          "wevtutil.exe" im "C:\Program Files\nodejs\node_etw_provider.man" /fromwow64
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:5048
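
The part of this tree worth detecting is the first branch: an executable in the user's Temp directory spawns a second Temp executable and hands it its own path (--oldBootstrapper ... --isUpdate true, which is what precedes the "Deletes itself" and "Executes dropped EXE" signatures), and that second process runs msiexec /i ... /qn on an MSI it placed in Temp. The second branch (msiexec /V, PID 1368, and its -Embedding children) is the Windows Installer service processing that MSI; the Program Files drops, HKEY_USERS changes and the wevtutil im manifest registration under it are ordinary Node.js installer behaviour and should be read in that light rather than as sample behaviour. The following added example (my own detection logic, not Triage's, run over process-creation records transcribed from the tree above) encodes those observations as three rules; the msiexec /qn parent-in-Temp rule is the one that generalises to other droppers.

```python
import re
from typing import Dict, List, Tuple

# Constructed process-creation records transcribed from the tree above (pid, parent pid, image, command line).
EVENTS = [
    dict(pid=1452, ppid=0, image=r"C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe",
         cmdline=r'"C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"'),
    dict(pid=2568, ppid=1452, image=r"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.18.exe",
         cmdline=r'"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.18.exe" --oldBootstrapper '
                 r'"C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe" --isUpdate true'),
    dict(pid=3144, ppid=2568, image=r"C:\Windows\System32\msiexec.exe",
         cmdline=r'"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi" /qn'),
    dict(pid=1368, ppid=0, image=r"C:\Windows\system32\msiexec.exe",
         cmdline=r"C:\Windows\system32\msiexec.exe /V"),
    dict(pid=3864, ppid=1368, image=r"C:\Windows\syswow64\MsiExec.exe",
         cmdline=r"C:\Windows\syswow64\MsiExec.exe -Embedding DFB8339FB32A41EF2226BD675DE33AC7 E Global\MSI0000"),
    dict(pid=3612, ppid=3864, image=r"C:\Windows\SysWOW64\wevtutil.exe",
         cmdline=r'"wevtutil.exe" im "C:\Program Files\nodejs\node_etw_provider.man"'),
    dict(pid=5048, ppid=3612, image=r"C:\Windows\System32\wevtutil.exe",
         cmdline=r'"wevtutil.exe" im "C:\Program Files\nodejs\node_etw_provider.man" /fromwow64'),
]

# Per-user Temp directory; adjust if your telemetry normalises paths differently.
USER_TEMP = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)


def split_cmdline(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping double-quoted spans intact."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', cmdline)]


def in_user_temp(path: str) -> bool:
    return bool(USER_TEMP.match(path))


def detect(events: List[Dict]) -> List[Tuple[str, int]]:
    """Apply three rules drawn from this report's process tree; returns (rule, pid) pairs."""
    by_pid = {e["pid"]: e for e in events}
    findings: List[Tuple[str, int]] = []
    for e in events:
        argv = split_cmdline(e["cmdline"])
        lower = [a.lower() for a in argv]
        name = e["image"].rsplit("\\", 1)[-1].lower()
        parent = by_pid.get(e["ppid"])

        # Rule 1: msiexec /i <package in user Temp> /qn, launched by a process that itself lives in user Temp.
        if name == "msiexec.exe" and "/i" in lower and "/qn" in lower and parent and in_user_temp(parent["image"]):
            i = lower.index("/i")
            if i + 1 < len(argv) and in_user_temp(argv[i + 1]):
                findings.append(("silent MSI install from user temp", e["pid"]))

        # Rule 2: Temp-resident exe spawns another Temp-resident exe and passes it its own path
        # (the --oldBootstrapper handoff that precedes the "Deletes itself" signature).
        if parent and in_user_temp(e["image"]) and in_user_temp(parent["image"]) and parent["image"].lower() in lower:
            findings.append(("temp exe handed parent path (self-update/replacement)", e["pid"]))

        # Rule 3: wevtutil im registers an ETW provider manifest; expected from the Node.js MSI, so informational.
        if name == "wevtutil.exe" and len(lower) > 1 and lower[1] == "im":
            findings.append(("ETW provider manifest installed", e["pid"]))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"PID {pid}: {rule}")
```

Rule 2 is deliberately narrow (parent path must appear verbatim in the child's arguments) so that it does not fire on every pair of Temp-resident processes; loosen it only if your telemetry also records file deletions, which is what actually confirms the self-removal.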

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Program Files\nodejs\node_etw_provider.man

        Filesize

        8KB

        MD5

        d3bc164e23e694c644e0b1ce3e3f9910

        SHA1

        1849f8b1326111b5d4d93febc2bafb3856e601bb

        SHA256

        1185aaa5af804c6bc6925f5202e68bb2254016509847cd382a015907440d86b4

        SHA512

        91ebff613f4c35c625bb9b450726167fb77b035666ed635acf75ca992c4846d952655a2513b4ecb8ca6f19640d57555f2a4af3538b676c3bd2ea1094c4992854

      • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js documentation.url

        Filesize

        168B

        MD5

        db7dbbc86e432573e54dedbcc02cb4a1

        SHA1

        cff9cfb98cff2d86b35dc680b405e8036bbbda47

        SHA256

        7cf8a9c96f9016132be81fd89f9573566b7dc70244a28eb59d573c2fdba1def9

        SHA512

        8f35f2e7dac250c66b209acecab836d3ecf244857b81bacebc214f0956ec108585990f23ff3f741678e371b0bee78dd50029d0af257a3bb6ab3b43df1e39f2ec

      • C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.18.exe

        Filesize

        971KB

        MD5

        2458f330cda521460cc077238ab01b25

        SHA1

        13312b4dffbdda09da2f1848cc713bbe781c5543

        SHA256

        dc67b264b90e29cf5cffed4453de4567398faa7f3bf18e69e84033c5b33ab05c

        SHA512

        8f027ebd96901f5a22aad34191244b1786dfb66843cbe05a8470d930415d85d86430267da09e7f1a69b8011b170d229e7fb25ecf0bf7d9209d7b910b2cbab48b

      • C:\Users\Admin\AppData\Local\Temp\DISCORD

        Filesize

        103B

        MD5

        5aa26de003aeebae624a08de919c52b5

        SHA1

        ff1a4dd7673a6b604324e1363738658cc4d565c0

        SHA256

        335052f362ac50a1d52e8268ebc4323f59644ef7988cb29ea485d57745667bd2

        SHA512

        43220140c68668fd309ce343c06e22910dbe6b74818a9a0f07da052cd8d6020524311c6c00201fc3bceb6f18743ba07ae65e2d4900dd79fab7218bef5caf192c

      • C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi

        Filesize

        30.1MB

        MD5

        0e4e9aa41d24221b29b19ba96c1a64d0

        SHA1

        231ade3d5a586c0eb4441c8dbfe9007dc26b2872

        SHA256

        5bfb6f3ab89e198539408f7e0e8ec0b0bd5efe8898573ec05b381228efb45a5d

        SHA512

        e6f27aecead72dffecbeaad46ebdf4b1fd3dbcddd1f6076ba183b654e4e32d30f7af1236bf2e04459186e993356fe2041840671be73612c8afed985c2c608913

      • memory/1452-0-0x00007FF947573000-0x00007FF947575000-memory.dmp

        Filesize

        8KB

      • memory/1452-16-0x00007FF947570000-0x00007FF948031000-memory.dmp

        Filesize

        10.8MB

      • memory/1452-4-0x000001E41C760000-0x000001E41C782000-memory.dmp

        Filesize

        136KB

      • memory/1452-1-0x000001E41C220000-0x000001E41C2EE000-memory.dmp

        Filesize

        824KB

      • memory/1452-2-0x00007FF947570000-0x00007FF948031000-memory.dmp

        Filesize

        10.8MB

      • memory/2568-18-0x000002C2AEC30000-0x000002C2AED2A000-memory.dmp

        Filesize

        1000KB

      • memory/2568-22-0x00007FF9475A0000-0x00007FF948061000-memory.dmp

        Filesize

        10.8MB

      • memory/2568-21-0x00007FF9475A3000-0x00007FF9475A5000-memory.dmp

        Filesize

        8KB

      • memory/2568-19-0x00007FF9475A0000-0x00007FF948061000-memory.dmp

        Filesize

        10.8MB

      • memory/2568-52-0x000002C2B0AC0000-0x000002C2B0ACA000-memory.dmp

        Filesize

        40KB

      • memory/2568-54-0x000002C2B0C90000-0x000002C2B0CA2000-memory.dmp

        Filesize

        72KB

      • memory/2568-458-0x00007FF9475A0000-0x00007FF948061000-memory.dmp

        Filesize

        10.8MB