Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    01-10-2024 19:36

General

  • Target

    Bootstrapper.exe

  • Size

    972KB

  • MD5

    90fd25ced85fe6db28d21ae7d1f02e2c

  • SHA1

    e27eff4cd4d383f5c564cce2bd1aaa2ffe4ec056

  • SHA256

    97572bd57b08b59744e4dfe6f93fb96be4002dfe1aa78683771725401776464f

  • SHA512

    1c775cf8dfde037eaa98eb14088c70d74923f0f6a83030a71f2f4c1a4453f6154dab7a4aa175e429860badda3e5e0ae226f3c3e8171332f5962bf36f8aa073fa

  • SSDEEP

    24576:DIbp4sZotkNjFC/4qxp+k+kPFoHZvPrSMc:cvotkNjg/lhqZvG

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 7 IoCs
  • Blocklisted process makes network request 3 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 16 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 51 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
    "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:8
    • C:\Windows\System32\msiexec.exe
      "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi" /qn
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3268
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4888
    • C:\Windows\System32\MsiExec.exe
      C:\Windows\System32\MsiExec.exe -Embedding A4409F8415E76CC4728A8AB4A3A8D51B
      2⤵
      • Loads dropped DLL
      PID:3772
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding EC015C5740F3761282A56BC35B481428
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:3656

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi

    Filesize

    30.1MB

    MD5

    0e4e9aa41d24221b29b19ba96c1a64d0

    SHA1

    231ade3d5a586c0eb4441c8dbfe9007dc26b2872

    SHA256

    5bfb6f3ab89e198539408f7e0e8ec0b0bd5efe8898573ec05b381228efb45a5d

    SHA512

    e6f27aecead72dffecbeaad46ebdf4b1fd3dbcddd1f6076ba183b654e4e32d30f7af1236bf2e04459186e993356fe2041840671be73612c8afed985c2c608913

  • C:\Windows\Installer\MSI1011.tmp

    Filesize

    211KB

    MD5

    a3ae5d86ecf38db9427359ea37a5f646

    SHA1

    eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

    SHA256

    c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

    SHA512

    96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

  • C:\Windows\Installer\MSI1552.tmp

    Filesize

    297KB

    MD5

    7a86ce1a899262dd3c1df656bff3fb2c

    SHA1

    33dcbe66c0dc0a16bab852ed0a6ef71c2d9e0541

    SHA256

    b8f2d0909d7c2934285a8be010d37c0609c7854a36562cbfcbce547f4f4c7b0c

    SHA512

    421e8195c47381de4b3125ab6719eec9be7acd2c97ce9247f4b70a309d32377917c9686b245864e914448fe53df2694d5ee5f327838d029989ba7acafda302ec

  • C:\Windows\Installer\MSIF92.tmp

    Filesize

    122KB

    MD5

    9fe9b0ecaea0324ad99036a91db03ebb

    SHA1

    144068c64ec06fc08eadfcca0a014a44b95bb908

    SHA256

    e2cce64916e405976a1d0c522b44527d12b1cba19de25da62121cf5f41d184c9

    SHA512

    906641a73d69a841218ae90b83714a05af3537eec8ad1d761f58ac365cf005bdd74ad88f71c4437aaa126ac74fa46bcad424d17c746ab197eec2caa1bd838176

  • memory/8-0-0x00007FFECF253000-0x00007FFECF255000-memory.dmp

    Filesize

    8KB

  • memory/8-1-0x000002BC9A7E0000-0x000002BC9A8DA000-memory.dmp

    Filesize

    1000KB

  • memory/8-2-0x00007FFECF250000-0x00007FFECFD12000-memory.dmp

    Filesize

    10.8MB

  • memory/8-4-0x00007FFECF253000-0x00007FFECF255000-memory.dmp

    Filesize

    8KB

  • memory/8-5-0x00007FFECF250000-0x00007FFECFD12000-memory.dmp

    Filesize

    10.8MB

  • memory/8-6-0x000002BC9C590000-0x000002BC9C5B2000-memory.dmp

    Filesize

    136KB