Analysis
max time kernel
150s
max time network
155s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags
arch:x64 arch:x86 image:win11-20240802-en locale:en-us os:windows11-21h2-x64 system
submitted
01-10-2024 19:36
Static task
static1
Behavioral task
behavioral1
Sample
Bootstrapper.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral2
Sample
Bootstrapper.exe
Resource
win11-20240802-en
General
Target
Bootstrapper.exe
Size
972KB
MD5
90fd25ced85fe6db28d21ae7d1f02e2c
SHA1
e27eff4cd4d383f5c564cce2bd1aaa2ffe4ec056
SHA256
97572bd57b08b59744e4dfe6f93fb96be4002dfe1aa78683771725401776464f
SHA512
1c775cf8dfde037eaa98eb14088c70d74923f0f6a83030a71f2f4c1a4453f6154dab7a4aa175e429860badda3e5e0ae226f3c3e8171332f5962bf36f8aa073fa
SSDEEP
24576:DIbp4sZotkNjFC/4qxp+k+kPFoHZvPrSMc:cvotkNjg/lhqZvG
Malware Config
Signatures
Loads dropped DLL 7 IoCs
pid   Process
3772  MsiExec.exe
3772  MsiExec.exe
3656  MsiExec.exe
3656  MsiExec.exe
3656  MsiExec.exe
3656  MsiExec.exe
3656  MsiExec.exe
Blocklisted process makes network request 3 IoCs
flow  pid   Process
14    4888  msiexec.exe
15    4888  msiexec.exe
16    4888  msiexec.exe
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow  ioc
5     pastebin.com
6     pastebin.com
Drops file in Program Files directory 1 IoCs
description   ioc                                    Process
File created  C:\Program Files\nodejs\corepack.cmd   msiexec.exe
Drops file in Windows directory 16 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                           Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   MsiExec.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid   Process
8     Bootstrapper.exe
8     Bootstrapper.exe
4888  msiexec.exe
4888  msiexec.exe
Suspicious use of AdjustPrivilegeToken 51 IoCs
Suspicious use of WriteProcessMemory 7 IoCs
description                       pid   Process           procid_target
PID 8 wrote to memory of 3268     8     Bootstrapper.exe  79
PID 8 wrote to memory of 3268     8     Bootstrapper.exe  79
PID 4888 wrote to memory of 3772  4888  msiexec.exe       83
PID 4888 wrote to memory of 3772  4888  msiexec.exe       83
PID 4888 wrote to memory of 3656  4888  msiexec.exe       84
PID 4888 wrote to memory of 3656  4888  msiexec.exe       84
PID 4888 wrote to memory of 3656  4888  msiexec.exe       84
Processes
C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:8
  C:\Windows\System32\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi" /qn
  - Suspicious use of AdjustPrivilegeToken
  PID:3268

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4888
  C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding A4409F8415E76CC4728A8AB4A3A8D51B
  - Loads dropped DLL
  PID:3772
  C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding EC015C5740F3761282A56BC35B481428
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3656
Network
MITRE ATT&CK Enterprise v15
Downloads