Overview

overview

10

Static

static

10

Bootstrapper.exe

windows7-x64

10

Bootstrapper.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-11-2024 16:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Bootstrapper.exe

  • Size

    37KB

  • MD5

    e08d7967557238a0ee488e405f7865dd

  • SHA1

    b4428239dff65be117076a6d2169c1f5488e098e

  • SHA256

    3ba9088ef4662608ccdb45a1333d4a5c9970fa90acdfdff4787233b8e4aa23d4

  • SHA512

    f9d197250afbdffb9d7081f87b94687d1cd7d53f7901e0b402444f5e8f9c9df76b8b1ff25d44246231468de3a13bfa5b0d61755bd341bac191bef7ba0d51da81

  • SSDEEP

    384:71/yi00nCVpd3vVmyhKrrvFcCRYc2/efurAF+rMRTyN/0L+EcoinblneHQM3epzR:xHANVdhKr7FcRB/eWrM+rMRa8NuGItN

Score
8/10
discoveryevasionpersistenceprivilege_escalationspywarestealer

Malware Config

Signatures

  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops autorun.inf file 1 TTPs 5 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 49 IoCs
  • Suspicious use of FindShellTrayWindow 27 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
    "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4848
    • C:\Users\Admin\RtkAudioService64.exe
      "C:\Users\Admin\RtkAudioService64.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops autorun.inf file
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:972
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\RtkAudioService64.exe" "RtkAudioService64.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:4084
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    1⤵
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4008
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffd5666cc40,0x7ffd5666cc4c,0x7ffd5666cc58
      2⤵
        PID:232
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1792,i,1282694725377984306,17558277105549070466,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1788 /prefetch:2
        2⤵
          PID:1704
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1932,i,1282694725377984306,17558277105549070466,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2040 /prefetch:3
          2⤵
            PID:3252
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2268,i,1282694725377984306,17558277105549070466,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2284 /prefetch:8
            2⤵
              PID:936
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3140,i,1282694725377984306,17558277105549070466,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3160 /prefetch:1
              2⤵
                PID:2856
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3204,i,1282694725377984306,17558277105549070466,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3232 /prefetch:1
                2⤵
                  PID:4036
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4604,i,1282694725377984306,17558277105549070466,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3724 /prefetch:1
                  2⤵
                    PID:4460
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4696,i,1282694725377984306,17558277105549070466,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4708 /prefetch:8
                    2⤵
                      PID:4388
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4848,i,1282694725377984306,17558277105549070466,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4688 /prefetch:8
                      2⤵
                        PID:2212
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4784,i,1282694725377984306,17558277105549070466,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4752 /prefetch:8
                        2⤵
                          PID:4240
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4992,i,1282694725377984306,17558277105549070466,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5000 /prefetch:8
                          2⤵
                            PID:4188
                        • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
                          "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
                          1⤵
                            PID:3636
                          • C:\Windows\system32\svchost.exe
                            C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
                            1⤵
                              PID:4656
                            • C:\Windows\system32\cmd.exe
                              "C:\Windows\system32\cmd.exe"
                              1⤵
                                PID:4240

                              Network

                              MITRE ATT&CK Enterprise v15

                              Reconnaissance

                              Resource Development

                              Initial Access

                              Replication Through Removable Media

                              1
                              T1091

                              Execution

                              Persistence

                              Boot or Logon Autostart Execution

                              1
                              T1547

                              Registry Run Keys / Startup Folder

                              1
                              T1547.001

                              Create or Modify System Process

                              1
                              T1543

                              Windows Service

                              1
                              T1543.003

                              Event Triggered Execution

                              1
                              T1546

                              Netsh Helper DLL

                              1
                              T1546.007

                              Privilege Escalation

                              Boot or Logon Autostart Execution

                              1
                              T1547

                              Registry Run Keys / Startup Folder

                              1
                              T1547.001

                              Create or Modify System Process

                              1
                              T1543

                              Windows Service

                              1
                              T1543.003

                              Event Triggered Execution

                              1
                              T1546

                              Netsh Helper DLL

                              1
                              T1546.007

                              Defense Evasion

                              Impair Defenses

                              1
                              T1562

                              Disable or Modify System Firewall

                              1
                              T1562.004

                              Modify Registry

                              1
                              T1112

                              Credential Access

                              Credentials from Password Stores

                              1
                              T1555

                              Credentials from Web Browsers

                              1
                              T1555.003

                              Unsecured Credentials

                              1
                              T1552

                              Credentials In Files

                              1
                              T1552.001

                              Discovery

                              Browser Information Discovery

                              1
                              T1217

                              Query Registry

                              2
                              T1012

                              System Information Discovery

                              3
                              T1082

                              System Location Discovery

                              1
                              T1614

                              System Language Discovery

                              1
                              T1614.001

                              Lateral Movement

                              Replication Through Removable Media

                              1
                              T1091

                              Collection

                              Data from Local System

                              1
                              T1005

                              Command and Control

                              Exfiltration

                              Impact

                              Replay Monitor

                              Loading Replay Monitor...

                              Downloads

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
                                Filesize

                                649B

                                MD5

                                a63e432804e90fa71e8eb196ac11e735

                                SHA1

                                8b73d7555bb13cbc6340dc8027861477a9059984

                                SHA256

                                01e947547ef1d5d1e3c6b221b1c921f7103d66a2949e8eb074a748b11db947f4

                                SHA512

                                987e354f70a4005b295597106ee36c440e567478d5a88dbc3ae10c3c38eda4262382d5823ed5aa77c75a07fe899b0b600ab1ba74d91cf21bb4eda9d3278c5633

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1
                                Filesize

                                264KB

                                MD5

                                f50f89a0a91564d0b8a211f8921aa7de

                                SHA1

                                112403a17dd69d5b9018b8cede023cb3b54eab7d

                                SHA256

                                b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

                                SHA512

                                bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
                                Filesize

                                2KB

                                MD5

                                4f236cb2006c09861f210fc7860ee926

                                SHA1

                                036d8b1eefe135a51f25f48c38a1de3d765a1af3

                                SHA256

                                c896977a24baa18bcba85b6dfb416a81515d7961508fd87d3b2579b561435457

                                SHA512

                                9cada7db5d17bae4fb8e7c4f59478d8b84efe230ce8152165d9b82efb18dff10f01edc774eb8e388b89f664d0ebbb8b0097d1eb351ae9172443fc26677c25427

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
                                Filesize

                                2B

                                MD5

                                d751713988987e9331980363e24189ce

                                SHA1

                                97d170e1550eee4afc0af065b78cda302a97674c

                                SHA256

                                4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                                SHA512

                                b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
                                Filesize

                                356B

                                MD5

                                306866f40b3c4e07ad105923b665e5fb

                                SHA1

                                26f0ed2888628238d7541c54abd1a4619c7d9841

                                SHA256

                                84214a834e881febc3964d7c3c8f4509adb922c6411243e833f3a7bc755d122c

                                SHA512

                                79ecacb317879d9e2a4caeba3daec2dee9314959bbcca0cd0cec1fcbc30b884fd001581a1a6d13b76eb784c67bffe96dc59d77ccfc93f560b67c964d322ce24c

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                Filesize

                                9KB

                                MD5

                                950545de92a7bebeaa8458e0fcb789c7

                                SHA1

                                12ab901c94cf96231fde4c4baba2c2eaacf718b5

                                SHA256

                                d2a2f09068af846b26c4aa573109505edb9bc8ed32b29fd4f6223288a619f3c3

                                SHA512

                                9d5dec5264b15412e3d5b703f3f688f53c3efa88f03fefdffd8807ff4b88832dfa026f7bfa2b32f75685ce7d45f020f33433344a1640816d4147543895642c3e

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
                                Filesize

                                15KB

                                MD5

                                d2d16430b02c7d57bdda689fa013b1b3

                                SHA1

                                cc6874da2d594e53645a18853063758ff02d43ff

                                SHA256

                                70eff3578c86ce9eb8588be4a611574e1e5102435ac76ab7796a99564723ccd2

                                SHA512

                                8d8e35edb8742602ee6fcc1c30f8b9985125f23929e708302301f58c8af02e0b9ff3fb4f9b36059216717e24327be609228e9363961a270fb1b4dbb59176e152

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                                Filesize

                                231KB

                                MD5

                                7b71e304ba3280cc5bf380f36a2d8866

                                SHA1

                                a9d78c0a3118904cbb20009badf31f8036f4fcac

                                SHA256

                                d4ba2fc476f99bcaf33dd2e1806d2d7cd19793ea571c7a4184f921cb3e1ff548

                                SHA512

                                38a22ba6e40d2ba105228724064ddfe5566de65edf390f9de44d9caf33dca654702533424c11b266a13ac572881de2b5d3d6edad5f47315a879613f7de6d8f63

                                Download Submit

                              • C:\Users\Admin\RtkAudioService64.exe
                                Filesize

                                37KB

                                MD5

                                e08d7967557238a0ee488e405f7865dd

                                SHA1

                                b4428239dff65be117076a6d2169c1f5488e098e

                                SHA256

                                3ba9088ef4662608ccdb45a1333d4a5c9970fa90acdfdff4787233b8e4aa23d4

                                SHA512

                                f9d197250afbdffb9d7081f87b94687d1cd7d53f7901e0b402444f5e8f9c9df76b8b1ff25d44246231468de3a13bfa5b0d61755bd341bac191bef7ba0d51da81

                                Download Submit

                              • memory/972-62-0x0000000074EC0000-0x0000000075471000-memory.dmp

                                Filesize

                                5.7MB

                                Download

                              • memory/972-65-0x0000000074EC0000-0x0000000075471000-memory.dmp

                                Filesize

                                5.7MB

                                Download

                              • memory/972-61-0x0000000074EC0000-0x0000000075471000-memory.dmp

                                Filesize

                                5.7MB

                                Download

                              • memory/972-23-0x0000000074EC0000-0x0000000075471000-memory.dmp

                                Filesize

                                5.7MB

                                Download

                              • memory/972-22-0x0000000074EC0000-0x0000000075471000-memory.dmp

                                Filesize

                                5.7MB

                                Download

                              • memory/4848-0-0x0000000074EC2000-0x0000000074EC3000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/4848-21-0x0000000074EC0000-0x0000000075471000-memory.dmp

                                Filesize

                                5.7MB

                                Download

                              • memory/4848-2-0x0000000074EC0000-0x0000000075471000-memory.dmp

                                Filesize

                                5.7MB

                                Download

                              • memory/4848-1-0x0000000074EC0000-0x0000000075471000-memory.dmp

                                Filesize

                                5.7MB

                                Download