Analysis
-
max time kernel
120s -
max time network
130s -
platform
windows10-1703_x64 -
resource
win10-20240611-es -
resource tags
-
submitted
19-09-2024 21:56
General
-
Target
https://solarabest.com/Bootstrapper
Malware Config
Extracted
rhadamanthys
https://135.181.4.162:2423/97e9fc994198e76/02dgpgfn.5rkt4
Signatures
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Executes dropped EXE 6 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 2 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 17 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://solarabest.com/Bootstrapper"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://solarabest.com/Bootstrapper2⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1632.0.1571534192\1053565747" -parentBuildID 20221007134813 -prefsHandle 1704 -prefMapHandle 1696 -prefsLen 20845 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ebeb69d3-a9e4-4771-ab49-6512af6afa35} 1632 "\\.\pipe\gecko-crash-server-pipe.1632" 1780 274910bc758 gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1632.1.1123971574\261405778" -parentBuildID 20221007134813 -prefsHandle 2144 -prefMapHandle 2140 -prefsLen 21706 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {acbba6be-b6cb-411e-91df-513246248c41} 1632 "\\.\pipe\gecko-crash-server-pipe.1632" 2156 27490ff9558 socket3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1632.2.674240517\1688024558" -childID 1 -isForBrowser -prefsHandle 2860 -prefMapHandle 2856 -prefsLen 21809 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7712289e-4225-4ed3-ba16-b2c62847a0d0} 1632 "\\.\pipe\gecko-crash-server-pipe.1632" 2868 2749105ab58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1632.3.1332800036\1794237648" -childID 2 -isForBrowser -prefsHandle 3636 -prefMapHandle 3632 -prefsLen 26214 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {eb5a59e3-755d-4b64-8507-b210c86572cb} 1632 "\\.\pipe\gecko-crash-server-pipe.1632" 3656 274966fa858 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1632.4.1163578279\1064930099" -childID 3 -isForBrowser -prefsHandle 4448 -prefMapHandle 4612 -prefsLen 26524 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7c2cf521-7280-41e2-9138-2deeff3a37b5} 1632 "\\.\pipe\gecko-crash-server-pipe.1632" 4584 2749752db58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1632.5.471417920\275397503" -childID 4 -isForBrowser -prefsHandle 4840 -prefMapHandle 4844 -prefsLen 26524 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c71b44fc-92a5-4c17-acc7-a6f056f7c470} 1632 "\\.\pipe\gecko-crash-server-pipe.1632" 4712 27498706a58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1632.6.1308460912\1662034521" -childID 5 -isForBrowser -prefsHandle 5180 -prefMapHandle 5136 -prefsLen 26564 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {92c4edd8-ed88-46f1-90d5-7a40f23ad5d4} 1632 "\\.\pipe\gecko-crash-server-pipe.1632" 5200 2749887ae58 tab3⤵
-
-
C:\Users\Admin\Downloads\Bootstraper.exe"C:\Users\Admin\Downloads\Bootstraper.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\SGDT'"4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop'"4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users'"4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\SGDT\soles.exe"C:\SGDT\soles.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\openwith.exe"C:\Windows\system32\openwith.exe"5⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
-
C:\Users\Public\Desktop\BootstrapperV1.16.exe"C:\Users\Public\Desktop\BootstrapperV1.16.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\DISCORD2⤵
-
-
C:\Users\Public\Desktop\BootstrapperV1.16.exe"C:\Users\Public\Desktop\BootstrapperV1.16.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Public\Desktop\BootstrapperV1.16.exe"C:\Users\Public\Desktop\BootstrapperV1.16.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Users\Public\Desktop\BootstrapperV1.16.exe"C:\Users\Public\Desktop\BootstrapperV1.16.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
423KB
MD5844b868dabe70a2748c5f86c327e9391
SHA11d5ec1aa30faef047cda55d09b528046f275b9ff
SHA256c339bc88c7ecc7c7d099e8457e16a7094fc2243e68ec30041d048b4f97b224c1
SHA51292d93457a93969dbe3b8fcfb120be7cec97fc38646aa5b08b926ed2c909f3872ed00ff27f0b8423e7ad1d8dedb72511893504e8a6658cd9c35de0ce7c9151859
-
Filesize
2KB
MD51c19c16e21c97ed42d5beabc93391fc5
SHA18ad83f8e0b3acf8dfbbf87931e41f0d664c4df68
SHA2561bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05
SHA5127d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c
-
Filesize
18KB
MD5ccbee3362095c6b0fbf572b2c9831046
SHA17fa7ba6fa7001cac40f902572946770297637073
SHA256129e1fd993e0bb4c03676dec872b068b29982a655e39a4cdfc2ea96bf9d3f7c3
SHA5125119d3be9b9009f91de64e75206764e143891e8554c1fc14ad45a7bab9533ac8ad426094849a270f8d949a70db4807f3c42ab81219162df4b4046efdfb241218
-
Filesize
18KB
MD574dbd52fa497c8b49c964a6298fc155e
SHA15516f07d75b43094960d015ce42d191841f52da3
SHA2565ebe55f94fec19ca1c9987e08632c0447650c238f022f344d7da43135f7c3afa
SHA51212ae1cd1b254f99a67c3eda8d9e8e48e87293d46a785f02067c781e310002e3d158b2de7f22523127c20e86989723fdd0637cb6b4293f47832b9c0ed0854a2dd
-
Filesize
7KB
MD5c460716b62456449360b23cf5663f275
SHA106573a83d88286153066bae7062cc9300e567d92
SHA2560ec0f16f92d876a9c1140d4c11e2b346a9292984d9a854360e54e99fdcd99cc0
SHA512476bc3a333aace4c75d9a971ef202d5889561e10d237792ca89f8d379280262ce98cf3d4728460696f8d7ff429a508237764bf4a9ccb59fd615aee07bdcadf30
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
2KB
MD5a1952e4576089281ab69b8eb7d25ab29
SHA1e27acf9a6e5901ed779198c88219ad7149b4146f
SHA256cab97728af3d8e13362c31cda75291d15bc8e028498683ed85f701bee82716ec
SHA512d883f6e50f9e03208c16076598a89422d978205d78b8367e7f4b421102f675dd4d4894ad7976dbd7cf25b8e4d44184887a39da80a64204f0c93f9b6daf6358c8
-
Filesize
2KB
MD5008a7083267b76913aca82854e1a90cb
SHA1601d46b7c79cf073d89290fba61a4ce925feb1fc
SHA256b823422e09482f21ab31e3900047788883c0b6c95586a4e042bda99e70df1a28
SHA512645cc8d472babf9190224f523f54e133070adc42b42d8dc371412a688c69906383714ed7153a091b0dd2dbcbf55c0a1d95dbf2fe7116b617778ece2d1df3c6ef
-
Filesize
746B
MD5738ab1fa42589949873a2bcc56d651fe
SHA1cf4446f6264ebd9abdc5beaf51111bb616784511
SHA2562eeef2660efbf91b97c98bbb14471bb22fc217384a7a85f925e1b9753a3d2361
SHA5129d25b46b52b68b791881dd1662744069c9b4970bd5c414319b1ec72a8d72d28c7d78831913390fc898e61d3c5a1da14ff746809b627dd0029135cc7970b99aab
-
Filesize
10KB
MD5405a6d2606cc8014f20a57c7f303d4c4
SHA19795415a31027e92035632d29f5f6c5528dcef98
SHA25664dac15a102aad98ea50e99063d0aace2cb1027b46141b3b446206220b0bb6c5
SHA5128b1e187e780267c15b4747ba03a919cd46fc4cf633c1b33f77d513e07dad3213150cc6a2e81ce76fe26cea97dc1a341ef3d272dc9c5404b61a9111e91df4d127
-
Filesize
6KB
MD5dea5bde11181e25fb548d3ba64975eca
SHA1327e289450b139d7fef2ac8d89d1443838102c0c
SHA2562f8e69efb8e0b323d4c45dc71663cf75e73080eabd11f82f0a24d43786b122b4
SHA512033497f45fa270d896ffa85409b576b9c0509c6ae0ef5d0fb606184f14f43ac34dc3e961387eba67367a168b8bb84c4015a55e161aa0d7aada08b946aab87271
-
Filesize
6KB
MD57f2434aa62620cbce11de2dbf0587dec
SHA11890370aef905c9ee16c05f27efcce00bf44b4b8
SHA256b49a86da5d25614e1f07f2adbb51e564f8bc2ce67503143cd8338eda8c5d07f8
SHA5120d4d8d013fe08d9c3624c6bc2775eeae57baf8e777b08c9720c5251cd7e56a5740dc917152d0fc7d438a9ec4a753767412dd72b7a0c6c6fbc4796b593c2f622c
-
Filesize
996B
MD5d7714cea3a9745be082627131012cb8f
SHA1ccee857effef7716b5d220d20df7b74abfe1456f
SHA256fb4384cbd59d845e1f6d2ac413ba5ec07e910e9bc0d657c03775f5132cbdc14a
SHA512264455c268961f5969f8742546bfa6893491097751a438e6129db1445139ee904e71e0960260e7113c225dc5eb39e77a34a78a982ea5d85f87c957777758952e
-
Filesize
184KB
MD5a844f94c0cc8610d71f4dc0403bb8566
SHA1f45b62f345ce0e7c514e9bf86d163f3b544273f4
SHA2569900dcd59cd9a450eb93c38a80f4325dbc4fef929e405c05410187d553c5be97
SHA512c56093c2d2d04f64c631841b595239f354f041a9176d259375a9df4784631d53871cef66d161eba7c65c8c4100bd820e54e50dce916e504bc2e6d50a63c9a3b6
-
Filesize
103B
MD5487ab53955a5ea101720115f32237a45
SHA1c59d22f8bc8005694505addef88f7968c8d393d3
SHA256d64354a111fd859a08552f6738fecd8c5594475e8c03bb37546812a205d0d368
SHA512468689d98645c9f32813d833a07bbcf96fe0de4593f4f4dc6757501fbce8e9951d21a8aa4a7050a87a904d203f521134328d426d4e6ab9f20e7e759769003b7c
-
Filesize
118KB
MD56c2155fc3751b9c84b0445a1697899b9
SHA1c699d5bf75c64aad4c34fe69c48a1f531d177128
SHA2568d12e065d2cc7d56bfe77dbd432611aedbb8ef05a45a237160d855cef15bb6d6
SHA512a49ec4b24885979c1fd84a8aafe9f41cc653a40949e9f2109d39a943ac0c49c5c038f6446bfb7dfff5eb8c7d4efc6669482849ce45987c57d1354ec8153d3198
-
Filesize
724KB
MD5c50467b5fb84d76fe915c8c175be02b8
SHA1f90df72fc5195ad11be36dddf8543b2381d585aa
SHA25683eeb9b2ba7a602cc27d74322423e42d75d41aa9e0a65799841ab900ebacdfa4
SHA51217131d92f50ad6313ab5a3cecd7b897ea2ec01ffe02f9cd4d08b2af1f7fb928d430fb618061dab2071625663c075796a58925213598cf875244b5dfb3b4a9ec8
-
Filesize
796KB
MD576639ab92661f5c384302899934051ab
SHA19b33828f8ad3a686ff02b1a4569b8ae38128caed
SHA2566bb9ad960bcc9010db1b9918369bdfc4558f19287b5b6562079c610a28320178
SHA512928e4374c087070f8a6786f9082f05a866751ea877edf9afa23f6941dfc4d6762e1688bbb135788d6286ec324fa117fc60b46fed2f6e3a4ab059465a00f2ebee
-
Filesize
1.8MB
-
Filesize
4.0MB
-
Filesize
1.9MB
-
Filesize
504KB
-
Filesize
504KB
-
Filesize
4.0MB
-
Filesize
300KB
-
Filesize
296KB
-
Filesize
660KB
-
Filesize
520KB
-
Filesize
3.3MB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
136KB
-
Filesize
64KB
-
Filesize
300KB
-
Filesize
6.9MB
-
Filesize
104KB
-
Filesize
6.9MB
-
Filesize
32KB
-
Filesize
6.9MB
-
Filesize
204KB
-
Filesize
472KB
-
Filesize
300KB
-
Filesize
120KB
-
Filesize
112KB
-
Filesize
300KB
-
Filesize
1.0MB
-
Filesize
6.9MB
-
Filesize
216KB
-
Filesize
6.9MB
-
Filesize
592KB
-
Filesize
6.2MB
-
Filesize
6.9MB
-
Filesize
112KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
32KB
-
Filesize
6.9MB
-
Filesize
128KB
-
Filesize
4KB
-
Filesize
224KB
-
Filesize
6.9MB
-
Filesize
4.0MB
-
Filesize
36KB
-
Filesize
1.8MB
-
Filesize
1.9MB
-
Filesize
256KB
-
Filesize
1.0MB
-
Filesize
824KB