Analysis
-
max time kernel
65s -
max time network
68s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
10-10-2024 03:24
Static task
static1
Behavioral task
behavioral1
Sample
Bootstrapper_V1.22.exe
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
Bootstrapper_V1.22.exe
Resource
win10v2004-20241007-en
General
-
Target
Bootstrapper_V1.22.exe
-
Size
2.8MB
-
MD5
683ac286394c119539b3c7c2af6474f1
-
SHA1
13b442ad04c3afb0fc3c49b3cda5c15e05e0af47
-
SHA256
a4d4485ba8aeaff121b500fbe29d597228521b2613b82f072ffe924119f91faa
-
SHA512
b6282aeeb7000b3c41621f823b07b204d77e685f6ff8d650386422f27f8b09c2eaaaf97cf84be2b31189fb45cdce7db3f54b66470ce25afa7222ecfe0e3595e5
-
SSDEEP
49152:Osnd9LIpizPyJgj+GM7CR+5J3oFNBdYL80fWOjB+7/k/2QK13FJA9utkul+hwPD:OEd9kcPyel5snoFNYL8YbI7y2313wN/
Malware Config
Extracted
stealc
7140196255
http://178.63.215.77
-
url_path
/031d77089be01fd8.php
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
Processes:
SecondFile.exeBootstrapperV1.16.exeBootstrapperV1.16.exepid Process 3724 SecondFile.exe 5008 BootstrapperV1.16.exe 1724 BootstrapperV1.16.exe -
Loads dropped DLL 2 IoCs
Processes:
SecondFile.exepid Process 3724 SecondFile.exe 3724 SecondFile.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
Processes:
flow ioc 7 raw.githubusercontent.com 8 raw.githubusercontent.com 9 raw.githubusercontent.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Bootstrapper_V1.22.exepowershell.exeSecondFile.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bootstrapper_V1.22.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SecondFile.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
SecondFile.exedescription ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 SecondFile.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString SecondFile.exe -
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
powershell.exeSecondFile.exepid Process 3828 powershell.exe 3828 powershell.exe 3828 powershell.exe 3724 SecondFile.exe 3724 SecondFile.exe 3724 SecondFile.exe 3724 SecondFile.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
powershell.exeBootstrapper_V1.22.exeBootstrapperV1.16.exeBootstrapperV1.16.exedescription pid Process Token: SeDebugPrivilege 3828 powershell.exe Token: SeDebugPrivilege 4512 Bootstrapper_V1.22.exe Token: SeDebugPrivilege 5008 BootstrapperV1.16.exe Token: SeDebugPrivilege 1724 BootstrapperV1.16.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
Bootstrapper_V1.22.exedescription pid Process procid_target PID 4512 wrote to memory of 3828 4512 Bootstrapper_V1.22.exe 73 PID 4512 wrote to memory of 3828 4512 Bootstrapper_V1.22.exe 73 PID 4512 wrote to memory of 3828 4512 Bootstrapper_V1.22.exe 73 PID 4512 wrote to memory of 3724 4512 Bootstrapper_V1.22.exe 76 PID 4512 wrote to memory of 3724 4512 Bootstrapper_V1.22.exe 76 PID 4512 wrote to memory of 3724 4512 Bootstrapper_V1.22.exe 76
Processes
-
C:\Users\Admin\AppData\Local\Temp\Bootstrapper_V1.22.exe"C:\Users\Admin\AppData\Local\Temp\Bootstrapper_V1.22.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4512 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command " Add-MpPreference -ExclusionPath 'C:\Solara' Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop' Add-MpPreference -ExclusionPath 'C:\Users' "2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3828
-
-
C:\Solara\SecondFile.exe"C:\Solara\SecondFile.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:3724
-
-
C:\Users\Admin\Desktop\BootstrapperV1.16.exe"C:\Users\Admin\Desktop\BootstrapperV1.16.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5008
-
C:\Users\Admin\Desktop\BootstrapperV1.16.exe"C:\Users\Admin\Desktop\BootstrapperV1.16.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1724
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
307KB
MD562f90cd0cb366fa5daa8aafcdcd16235
SHA157fd35c5ba228b3b9127dc42ce3c9db3a8848ea9
SHA256c5307c86c06edb2d3aa14c90563cb59ef865ebbe1eae6a4e2d78db35dfdd79e0
SHA5122b9661e8a02846fe00cd1ede37e96ae56bad04b8943d714beaa3b6e7548121412a14260805863fa61a9bf13bd8378af8d5eca657464b2c3b82eb5c8e5e14f8d2
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
972KB
MD590fd25ced85fe6db28d21ae7d1f02e2c
SHA1e27eff4cd4d383f5c564cce2bd1aaa2ffe4ec056
SHA25697572bd57b08b59744e4dfe6f93fb96be4002dfe1aa78683771725401776464f
SHA5121c775cf8dfde037eaa98eb14088c70d74923f0f6a83030a71f2f4c1a4453f6154dab7a4aa175e429860badda3e5e0ae226f3c3e8171332f5962bf36f8aa073fa
-
Filesize
103B
MD5487ab53955a5ea101720115f32237a45
SHA1c59d22f8bc8005694505addef88f7968c8d393d3
SHA256d64354a111fd859a08552f6738fecd8c5594475e8c03bb37546812a205d0d368
SHA512468689d98645c9f32813d833a07bbcf96fe0de4593f4f4dc6757501fbce8e9951d21a8aa4a7050a87a904d203f521134328d426d4e6ab9f20e7e759769003b7c
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571