Analysis
- max time kernel: 122s
- max time network: 127s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 11/11/2024, 10:57
- Static task: static1
- Behavioral task: behavioral1 (Sample: Bootstrapper.zip, Resource: win7-20240903-en)
- Behavioral task: behavioral2 (Sample: Bootstrapper.zip, Resource: win10v2004-20241007-en)
- Behavioral task: behavioral3 (Sample: Luna/Bootstrapper.exe, Resource: win7-20241023-en)
- Behavioral task: behavioral4 (Sample: Luna/Bootstrapper.exe, Resource: win10v2004-20241007-en)
General
- Target: Bootstrapper.zip
- Size: 5.5MB
- MD5: 9ba94ac44294258328b5b23e6fbcaf4a
- SHA1: 3ef50da71c5800f02680733b184bb11bb0ca309b
- SHA256: a9e76b770fb8a61f793a61ca6701e1f76ea95282d5a3647d8dfccf1b560f401a
- SHA512: 52e3118e8e40d621275d0ce3157138bb0e9a4d56c1c570666930de60e46e8050af8e0c377aea2e5ccee2ff78c427576bd4954226a0f800eac6cabbaa70f267ce
- SSDEEP: 98304:HUxBxVYLNchCiExF8pIV/hIy3D25GmoQ5ReIpL6Xh+SC+rnM/BnspjhlvkHeBA:0/biriUei/+boQ5EIpLoznI/tsp1lsHr
Malware Config
Signatures
- Executes dropped EXE (3 IoCs)
  pid   Process
  2628  Bootstrapper.exe
  2940  Bootstrapper.exe
  2836  Bootstrapper.exe
- Loads dropped DLL (9 IoCs)
  pid   Process
  3060  7zFM.exe
  3060  7zFM.exe
  2640  Process not Found
  3060  7zFM.exe
  3060  7zFM.exe
  2184  Process not Found
  3060  7zFM.exe
  3060  7zFM.exe
  2440  Process not Found
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid   Process
  3060  7zFM.exe
  3060  7zFM.exe
  3060  7zFM.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   Process
  3060  7zFM.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description                  pid   Process
  Token: SeRestorePrivilege    3060  7zFM.exe
  Token: 35                    3060  7zFM.exe
  Token: SeSecurityPrivilege   3060  7zFM.exe
  Token: SeSecurityPrivilege   3060  7zFM.exe
  Token: SeSecurityPrivilege   3060  7zFM.exe
- Suspicious use of FindShellTrayWindow (4 IoCs)
  pid   Process
  3060  7zFM.exe
  3060  7zFM.exe
  3060  7zFM.exe
  3060  7zFM.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description                        pid   Process   procid_target
  PID 3060 wrote to memory of 2628   3060  7zFM.exe  31
  PID 3060 wrote to memory of 2628   3060  7zFM.exe  31
  PID 3060 wrote to memory of 2628   3060  7zFM.exe  31
  PID 3060 wrote to memory of 2940   3060  7zFM.exe  33
  PID 3060 wrote to memory of 2940   3060  7zFM.exe  33
  PID 3060 wrote to memory of 2940   3060  7zFM.exe  33
  PID 3060 wrote to memory of 2836   3060  7zFM.exe  35
  PID 3060 wrote to memory of 2836   3060  7zFM.exe  35
  PID 3060 wrote to memory of 2836   3060  7zFM.exe  35
  Note: every signature in this run fires on 7zFM.exe (PID 3060), the 7-Zip File Manager that opened the archive, and all nine memory writes target the three Bootstrapper.exe children it spawns (PIDs 2628, 2940, 2836). Writes from a parent into a child it has just created are part of ordinary process creation; nothing here shows 7zFM.exe writing into an unrelated process. The interesting behaviour is what the dropped Bootstrapper.exe does, and the only signature attributed to it is "Executes dropped EXE".
Processes
C:\Program Files\7-Zip\7zFM.exe (PID 3060)
  Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.zip"
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  └─ C:\Users\Admin\AppData\Local\Temp\7zO4FB62217\Bootstrapper.exe (PID 2628)
     Command line: "C:\Users\Admin\AppData\Local\Temp\7zO4FB62217\Bootstrapper.exe"
     - Executes dropped EXE
  └─ C:\Users\Admin\AppData\Local\Temp\7zO4FBE6977\Bootstrapper.exe (PID 2940)
     Command line: "C:\Users\Admin\AppData\Local\Temp\7zO4FBE6977\Bootstrapper.exe"
     - Executes dropped EXE
  └─ C:\Users\Admin\AppData\Local\Temp\7zO4FB3E047\Bootstrapper.exe (PID 2836)
     Command line: "C:\Users\Admin\AppData\Local\Temp\7zO4FB3E047\Bootstrapper.exe"
     - Executes dropped EXE
The 7zO<8 hex digits> directories under %LOCALAPPDATA%\Temp are the per-open temporary extraction folders 7-Zip File Manager creates when a member of an archive is opened directly from the GUI; the three distinct folder names mean Bootstrapper.exe was opened from the archive three separate times during the run, not that three different binaries were dropped.
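A triage check for the pattern in the process tree above, as an added example that is not part of the sandbox report: given process-creation events (constructed here in a Sysmon-like shape, mirroring the report's PIDs and paths), it rebuilds the parent/child tree and flags executables that 7zFM.exe launched out of a 7zO temporary extraction folder. The extension list and the benign notepad.exe contrast event are assumptions, not data from the report.

```python
"""Flag executables that 7-Zip File Manager launches from its per-open
temporary extraction directory (%LOCALAPPDATA%\\Temp\\7zOxxxxxxxx\\).

Added example; not code from the sandbox or the report. EVENTS is a
constructed set of Sysmon-style process-creation records that mirrors the
report's process tree, plus one assumed benign event for contrast.
"""
import re
from collections import defaultdict

# Constructed input: one record per process-creation event.
EVENTS = [
    {"pid": 3060, "ppid": 1100,
     "image": r"C:\Program Files\7-Zip\7zFM.exe",
     "cmdline": r'"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.zip"'},
    {"pid": 2628, "ppid": 3060,
     "image": r"C:\Users\Admin\AppData\Local\Temp\7zO4FB62217\Bootstrapper.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\7zO4FB62217\Bootstrapper.exe"'},
    {"pid": 2940, "ppid": 3060,
     "image": r"C:\Users\Admin\AppData\Local\Temp\7zO4FBE6977\Bootstrapper.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\7zO4FBE6977\Bootstrapper.exe"'},
    {"pid": 2836, "ppid": 3060,
     "image": r"C:\Users\Admin\AppData\Local\Temp\7zO4FB3E047\Bootstrapper.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\7zO4FB3E047\Bootstrapper.exe"'},
    # Assumed benign contrast: a text file opened from the same archive.
    {"pid": 4100, "ppid": 3060,
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r'"C:\Windows\System32\notepad.exe" "C:\Users\Admin\AppData\Local\Temp\7zO4FB70A11\readme.txt"'},
]

# 7-Zip File Manager extracts an archive member it is asked to open into
# %TEMP%\7zO + 8 hex digits, the folder names seen in the report's tree.
SEVENZIP_OPEN_DIR = re.compile(r"\\AppData\\Local\\Temp\\7zO[0-9A-F]{8}\\", re.IGNORECASE)
# File types treated as directly executable (assumption; extend as needed).
EXEC_EXT = (".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".ps1")


def basename(path):
    """Last path component, lower-cased, for case-insensitive image matching."""
    return path.rsplit("\\", 1)[-1].lower()


def is_7zip_temp_launch(event, by_pid):
    """True when the parent is 7zFM.exe and the child's image is an executable
    type living inside a 7zO temporary extraction folder."""
    parent = by_pid.get(event["ppid"])
    return (
        parent is not None
        and basename(parent["image"]) == "7zfm.exe"
        and SEVENZIP_OPEN_DIR.search(event["image"]) is not None
        and event["image"].lower().endswith(EXEC_EXT)
    )


def flag_archive_launches(events):
    """Return the flagged events (pid, ppid, image) in input order."""
    by_pid = {e["pid"]: e for e in events}
    return [
        {"pid": e["pid"], "ppid": e["ppid"], "image": e["image"]}
        for e in events
        if is_7zip_temp_launch(e, by_pid)
    ]


def build_tree(events):
    """Map parent PID -> list of child PIDs, in event order."""
    tree = defaultdict(list)
    for e in events:
        tree[e["ppid"]].append(e["pid"])
    return dict(tree)


def render(events, root_pid):
    """Indented text tree rooted at root_pid, one line per process."""
    by_pid = {e["pid"]: e for e in events}
    tree = build_tree(events)

    def walk(pid, depth):
        lines = [f"{'  ' * depth}{pid} {by_pid[pid]['image']}"]
        for child in tree.get(pid, []):
            lines.extend(walk(child, depth + 1))
        return lines

    return walk(root_pid, 0)


if __name__ == "__main__":
    print("\n".join(render(EVENTS, 3060)))
    for hit in flag_archive_launches(EVENTS):
        print(f"FLAG pid={hit['pid']} parent={hit['ppid']} image={hit['image']}")
```

On the report's tree this flags PIDs 2628, 2940 and 2836 and leaves the notepad.exe launch alone: the parent check keeps the rule from firing on every process that happens to run from %TEMP%, and the extension check keeps it from firing on documents 7-Zip hands to their viewer. Feed it real Sysmon Event ID 1 records by mapping ProcessId, ParentProcessId and Image onto the same keys.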
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 9.4MB
- MD5: f2a6133b7f38fc49f792ae799d1b4750
- SHA1: 6bef46ddde325f45a0e9ff123112c96bbd47c795
- SHA256: 37bde6655e1272e159b9c2e3a7eee3f4e9a837c0f04240645d3991d112287f8d
- SHA512: f9611bed83b4bce1841868880a42dacb6b8f7e8859be1d85b3c8d3a365a0244566cbfb12294c7b2c82b15d6c0e47095d8246a95d522c3a064a0d8511b2411254