Analysis
- max time kernel: 119s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 30-10-2024 19:05
Behavioral tasks
- behavioral1: sample boltchecker.exe, resource win7-20241010-en
- behavioral2: sample boltchecker.exe, resource win10v2004-20241007-en
- behavioral3: sample boltchecker.pyc, resource win7-20240708-en
- behavioral4: sample boltchecker.pyc, resource win10v2004-20241007-en
General
- Target: boltchecker.pyc
- Size: 239KB
- MD5: 251fbdc89d2e7e1caeccbd006e5ee89c
- SHA1: eb08bb07177e8785accb4e72230c2f78416c560e
- SHA256: 92b59ba79341ed9bdd5b7c7b76c027a898255e6ec518198283f8698431dc9b70
- SHA512: b9c6a17d47bb601aa8946592e06cc77271955a69c831fb252401cd0c90a842ce3b28f3672d28797dbc8bdfe37bee3cd50b60cef6c5637a6fc26d97c04740d03b
- SSDEEP: 3072:JmLzPvNjhyltG43ILbd/x0GhhegKoXoH9E4XV2jKZ:JmLDrp0xUhegKoXoH9E4XV2jS
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
    description   ioc                                                            process
    Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    AcroRd32.exe
- Modifies registry class (1 IoCs)
  Processes:
    description   ioc                                                                                       process
    Key created   \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings    rundll32.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
    pid     process
    2764    AcroRd32.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
    pid     process
    2764    AcroRd32.exe
    2764    AcroRd32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
    description                          pid     process         target process
    PID 2204 wrote to memory of 2720     2204    cmd.exe         rundll32.exe
    PID 2204 wrote to memory of 2720     2204    cmd.exe         rundll32.exe
    PID 2204 wrote to memory of 2720     2204    cmd.exe         rundll32.exe
    PID 2720 wrote to memory of 2764     2720    rundll32.exe    AcroRd32.exe
    PID 2720 wrote to memory of 2764     2720    rundll32.exe    AcroRd32.exe
    PID 2720 wrote to memory of 2764     2720    rundll32.exe    AcroRd32.exe
    PID 2720 wrote to memory of 2764     2720    rundll32.exe    AcroRd32.exe
Processes
- C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\boltchecker.pyc
  PID: 2204
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\boltchecker.pyc
    PID: 2720
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\boltchecker.pyc"
      PID: 2764
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3KB
  MD5: 0701261a3312e6801054ef15e114d097
  SHA1: 70a0c1fe1955786f00e4d6964a46fd1e34982f76
  SHA256: cec6f65db6c6f36d94a4a23221fde3aabe673dd2b73c11d129fe10ac3cceb8d7
  SHA512: 91e65467b47e7cc543f4e97772087c754af8978ef5b6e2393772ca9030f84b5cab801e42700a34078b159980da5935d07095d36837c56b82bb7fd30f625a2635