dc67b264b90e29cf5cffed4453de4567398faa7f3bf18e69e84033c5b33ab05c

Analysis

max time kernel
132s
max time network
142s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
01-10-2024 15:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BootstrapperV1.18.exe
Size

971KB
MD5

2458f330cda521460cc077238ab01b25
SHA1

13312b4dffbdda09da2f1848cc713bbe781c5543
SHA256

dc67b264b90e29cf5cffed4453de4567398faa7f3bf18e69e84033c5b33ab05c
SHA512

8f027ebd96901f5a22aad34191244b1786dfb66843cbe05a8470d930415d85d86430267da09e7f1a69b8011b170d229e7fb25ecf0bf7d9209d7b910b2cbab48b
SSDEEP

12288:SKAnSKWYWXlX12QmVdooRkajphRdP7E10TjHeApBH:vAVWbm0oRkajjRZ7Q0PHeS

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com
5	pastebin.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
228	BootstrapperV1.18.exe
228	BootstrapperV1.18.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	228	BootstrapperV1.18.exe
Token: SeShutdownPrivilege	2092	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2092	msiexec.exe
Token: SeSecurityPrivilege	2168	msiexec.exe
Token: SeCreateTokenPrivilege	2092	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2092	msiexec.exe
Token: SeLockMemoryPrivilege	2092	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2092	msiexec.exe
Token: SeMachineAccountPrivilege	2092	msiexec.exe
Token: SeTcbPrivilege	2092	msiexec.exe
Token: SeSecurityPrivilege	2092	msiexec.exe
Token: SeTakeOwnershipPrivilege	2092	msiexec.exe
Token: SeLoadDriverPrivilege	2092	msiexec.exe
Token: SeSystemProfilePrivilege	2092	msiexec.exe
Token: SeSystemtimePrivilege	2092	msiexec.exe
Token: SeProfSingleProcessPrivilege	2092	msiexec.exe
Token: SeIncBasePriorityPrivilege	2092	msiexec.exe
Token: SeCreatePagefilePrivilege	2092	msiexec.exe
Token: SeCreatePermanentPrivilege	2092	msiexec.exe
Token: SeBackupPrivilege	2092	msiexec.exe
Token: SeRestorePrivilege	2092	msiexec.exe
Token: SeShutdownPrivilege	2092	msiexec.exe
Token: SeDebugPrivilege	2092	msiexec.exe
Token: SeAuditPrivilege	2092	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2092	msiexec.exe
Token: SeChangeNotifyPrivilege	2092	msiexec.exe
Token: SeRemoteShutdownPrivilege	2092	msiexec.exe
Token: SeUndockPrivilege	2092	msiexec.exe
Token: SeSyncAgentPrivilege	2092	msiexec.exe
Token: SeEnableDelegationPrivilege	2092	msiexec.exe
Token: SeManageVolumePrivilege	2092	msiexec.exe
Token: SeImpersonatePrivilege	2092	msiexec.exe
Token: SeCreateGlobalPrivilege	2092	msiexec.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 228 wrote to memory of 2092	228	BootstrapperV1.18.exe	79
PID 228 wrote to memory of 2092	228	BootstrapperV1.18.exe	79

C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.18.exe
"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.18.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:228
- C:\Windows\System32\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi" /qn
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2092

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi

Filesize
1.1MB

MD5
e251d8c00bbc4ee631087712b03a4bfe

SHA1
0a579ce3b8b47a5030e8db57a4070cdc90cad267

SHA256
4c78f44cd4885e4e5fdb494d05842a2fc260d590df820866e19ebbef2cb26e3b

SHA512
14fe74f1080ed9c5f04ec8ffc16f61e360710b9c5d64ce65788cd82905efce00685fc83368d9652921fa166cec26f50238b3e65598c66519540bfebee975ea55

Download Submit
memory/228-1-0x00007FFDFD9B3000-0x00007FFDFD9B5000-memory.dmp

Filesize
8KB

Download
memory/228-0-0x000002AA44680000-0x000002AA4477A000-memory.dmp

Filesize
1000KB

Download
memory/228-2-0x00007FFDFD9B0000-0x00007FFDFE472000-memory.dmp

Filesize
10.8MB

Download
memory/228-4-0x000002AA463F0000-0x000002AA46412000-memory.dmp

Filesize
136KB

Download
memory/228-5-0x00007FFDFD9B0000-0x00007FFDFE472000-memory.dmp

Filesize
10.8MB

Download
memory/228-8-0x000002AA5ED80000-0x000002AA5ED8A000-memory.dmp

Filesize
40KB

Download
memory/228-10-0x000002AA5EDB0000-0x000002AA5EDC2000-memory.dmp

Filesize
72KB

Download
memory/228-416-0x00007FFDFD9B0000-0x00007FFDFE472000-memory.dmp

Filesize
10.8MB

Download