b3be2c71193c51251c00720bb597e931f6650f5484d0fea28500acfcf0c84291

Analysis

max time kernel
28s
max time network
23s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
30-09-2024 12:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bootstrapper.exe
Size

3.5MB
MD5

04c7a2ff19228353eb7767f267bf04c8
SHA1

c71c84cd6d037397138538af1f65a48623e791e2
SHA256

b3be2c71193c51251c00720bb597e931f6650f5484d0fea28500acfcf0c84291
SHA512

da31f0ea07ac32ee02d8514b10a0de39b2ac9f91f60f8106f9958c26876cd3341c12d51b663d3994f074f67a2d9e140fd4e8b69bde16139f487a477a42520443
SSDEEP

98304:72AFpZr36YRzYP0XQ71xuNBk6IkRSe6eBuIXiHF1uraMfeJD:9hYP0g7ru7kroZ6eBuIXYF1zg

Score

9^/10

discovery evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Bootstrapper.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Bootstrapper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Bootstrapper.exe

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2200-5-0x0000000000400000-0x0000000000D2C000-memory.dmp	themida
behavioral1/memory/2200-6-0x0000000000400000-0x0000000000D2C000-memory.dmp	themida
behavioral1/memory/2200-2381-0x0000000000400000-0x0000000000D2C000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Bootstrapper.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	raw.githubusercontent.com
2	raw.githubusercontent.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2200	Bootstrapper.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bootstrapper.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2200	Bootstrapper.exe
2200	Bootstrapper.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2200	Bootstrapper.exe

C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2200

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Scythex-main\Monaco\package\esm\vs\base\browser\ui\iconLabel\iconHoverDelegate.js

Filesize
368B

MD5
dff5cd240217dc0e722c27be242db91d

SHA1
244d1e7b3a10bb26e52ad9019e0e20f8bb3a72aa

SHA256
151caa77914089aa02273bb851f4b9a198eaab38da7eb9e4bdd7af8075c2dc57

SHA512
e6033e28f65f29ec3a7fc2e367bb6dd2909e38e5e5ccd267fe920e82c25de00c3cf5593db022dc1664ec00652882d5093121f2686788ee3eb60d0b2d87fef6d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Scythex-main\Monaco\package\esm\vs\language\json\_deps\vscode-languageserver-textdocument\lib\esm\main.js

Filesize
10KB

MD5
722df93c13e5a9e4b3a42c515d6281e3

SHA1
e046b8875a0373f38e8135f6500bc9deb9b1cc34

SHA256
bb9e7de4f27538b132cd593302a62f8a42f433e1b0e04a1edb4472a97d6ddf46

SHA512
6e1db81e7286e7762cce5c281c1ddab227ab374c5c33ff45a5031275592a84fd47547b6ad496f302bbca0bbdc01ed899ff8ed87f22bb8b88973a257e345b70ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Scythex-main\Monaco\package\esm\vs\language\json\_deps\vscode-languageserver-types\main.js

Filesize
66KB

MD5
f80215fcc9a89ba7be3bc0b32cacb094

SHA1
8449846cc76fc770a31e310882454f5d6beae342

SHA256
1adcb7cc0756472bc16ace850f3f5b6d5746ea4af2d75ad0785b967dd07bf9f1

SHA512
7187397ff691dfe558c00a8393d4d3d86b7ab8fdbed8b40ecd43c8ba3af40f8ceab0f78d001cc892ea0d5b5a36be4a559715a4385b39a6db1ce473b2883513b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Scythex-main\Monaco\package\esm\vs\language\json\_deps\vscode-uri\index.js

Filesize
11KB

MD5
db7069b3b398babf3a2a97e7f7c3aa65

SHA1
2208bc3bb4548247d672cbd3368dbb992ce6d312

SHA256
15fce1bc78e59f11f36c62e31b6db98d10cf5810fcb8fceeecf9cbdd2ac9742d

SHA512
326716687bed34d862a71df1c7259988de21ef78af8829d2253f099988818200477df7e13f97fa78671d426a856feaa651d1c8350f7edac5d59ec9bc13f354d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Scythex-main\Monaco\package\esm\vs\language\json\fillers\monaco-editor-core.d.ts

Filesize
37B

MD5
604924c7fd140e65f677cff5c06ea77e

SHA1
60adb20bf4cac895df6b31a4da98a4d2267ca3e6

SHA256
87b3728d7af0f6c25f9cdbedfbc093f5e46a24371910199a638a1a13e3444668

SHA512
34affd619893b93ebfeb0d19daf6c4768b0e3de7d4d8272058cd41608ef9a1f5ceb5951b0b8a7732dd4e3e020d51bda9c9509eed4a3a5705d3a1ad396d610af1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Scythex-main\Monaco\package\esm\vs\language\json\fillers\monaco-editor-core.js

Filesize
404B

MD5
40fc593844c4ee88ff8e87481824dda0

SHA1
c2d8bed92d90e685576812d7c62ac2db28af2185

SHA256
a27649c652a7abcefe0b54567eb64f1cdf9be521bab22cfb71718e816b160375

SHA512
0457cf90d188e803401555e57a24647e592830ddad9e9e73d64a89889ec6b40eb15d2330ba507c6bad2faceb6c14bb643b4557db1e68896354aa6a19a99ae357

Download Submit
C:\Users\Admin\AppData\Local\Temp\Scythex-main\Monaco\package\esm\vs\language\json\fillers\vscode-nls.js

Filesize
1KB

MD5
1e2ca4b54776b992ed920a66940bca7a

SHA1
86ed5c8360d31c4763c05184fa4e7cc46cfa9354

SHA256
539191b86cffb8607fc04d0369756281f63bcb884cbe6ea729a668edf4018059

SHA512
fb249812b6587078d8a715d4c684af62db0ed05f6d80afb3374fe1f1e0a0a11b2c2551fcb738f3383b88152f95ca889c7c81543da7575d8d8b161d5c9ffea07b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Scythex-main\Monaco\package\esm\vs\platform\telemetry\common\gdprTypings.js

Filesize
12B

MD5
5c7f99e3d4eaae821996a487acc6a5e2

SHA1
9ff99e6a0a31241fe503c3c76a340bedfe2902b7

SHA256
f761c91419d0a89422a0004ef1a92929dd4d2d5e5c16758654d8b0467d1998c6

SHA512
9247b46a096ad45b486e4b83bb880a7d4e0da7731e3e64b8ba41513a0632932d3bfcf132b2d20e81e363c2595aa9a38d486111dc6365c0f014c1af25ec0be839

Download Submit
C:\Users\Admin\AppData\Local\Temp\Scythex-main\Monaco\package\min\vs\base\browser\ui\codicons\codicon\codicon.ttf

Filesize
63KB

MD5
b13daaad214ef227a36fefd95d924380

SHA1
95791fc8733a4bae907859b1a46bd1115f90c983

SHA256
774c4acc42f27289850537e2b6e9b85f67fde54145f6f41876dc4f65b45a4a20

SHA512
ad05613494a490e01504a30e34d7fb5bc2e535d70b5e5d5154a81ad1acaa51c0e368a6fae6aaa0a42faaae63f7e751a98748a7c291056100b7ad687ff6ae687d

Download Submit
memory/2200-6-0x0000000000400000-0x0000000000D2C000-memory.dmp

Filesize
9.2MB

Download
memory/2200-0-0x0000000000400000-0x0000000000D2C000-memory.dmp

Filesize
9.2MB

Download
memory/2200-13-0x0000000006870000-0x000000000687A000-memory.dmp

Filesize
40KB

Download
memory/2200-14-0x0000000006880000-0x0000000006892000-memory.dmp

Filesize
72KB

Download
memory/2200-9-0x0000000076050000-0x0000000076140000-memory.dmp

Filesize
960KB

Download
memory/2200-8-0x0000000076066000-0x0000000076067000-memory.dmp

Filesize
4KB

Download
memory/2200-7-0x0000000000400000-0x0000000000D2C000-memory.dmp

Filesize
9.2MB

Download
memory/2200-11-0x0000000076050000-0x0000000076140000-memory.dmp

Filesize
960KB

Download
memory/2200-5-0x0000000000400000-0x0000000000D2C000-memory.dmp

Filesize
9.2MB

Download
memory/2200-4-0x0000000076050000-0x0000000076140000-memory.dmp

Filesize
960KB

Download
memory/2200-3-0x0000000076050000-0x0000000076140000-memory.dmp

Filesize
960KB

Download
memory/2200-2-0x0000000076050000-0x0000000076140000-memory.dmp

Filesize
960KB

Download
memory/2200-1-0x0000000076066000-0x0000000076067000-memory.dmp

Filesize
4KB

Download
memory/2200-2381-0x0000000000400000-0x0000000000D2C000-memory.dmp

Filesize
9.2MB

Download
memory/2200-2382-0x0000000076050000-0x0000000076140000-memory.dmp

Filesize
960KB

Download