Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-11-2024 12:28

General

  • Target

    Bootstrapper.exe

  • Size

    37KB

  • MD5

    e08d7967557238a0ee488e405f7865dd

  • SHA1

    b4428239dff65be117076a6d2169c1f5488e098e

  • SHA256

    3ba9088ef4662608ccdb45a1333d4a5c9970fa90acdfdff4787233b8e4aa23d4

  • SHA512

    f9d197250afbdffb9d7081f87b94687d1cd7d53f7901e0b402444f5e8f9c9df76b8b1ff25d44246231468de3a13bfa5b0d61755bd341bac191bef7ba0d51da81

  • SSDEEP

    384:71/yi00nCVpd3vVmyhKrrvFcCRYc2/efurAF+rMRTyN/0L+EcoinblneHQM3epzR:xHANVdhKr7FcRB/eWrM+rMRa8NuGItN

Malware Config

Signatures

  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops autorun.inf file 1 TTPs 5 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
    "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1448
    • C:\Users\Admin\RtkAudioService64.exe
      "C:\Users\Admin\RtkAudioService64.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops autorun.inf file
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1732
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\RtkAudioService64.exe" "RtkAudioService64.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:4972
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:4228

Network

MITRE ATT&CK Enterprise v15


Downloads

    • C:\Users\Admin\Desktop\ApproveStep.mpeg2

      Filesize

      456KB

      MD5

      4fa2ece0821abec812001680f8909254

      SHA1

      6774845be8591fa9738d1e1f18ade4d80f8b69a5

      SHA256

      cb5623fde9492b0c2c8ff35d3b593cb4f48610427f023ee71096831005a632a6

      SHA512

      5be1b5f3c72feab20766e3b53b17930adb873cde76bd704bea2df1009af4ae4716a9e2036d3116af0a3de9e3899769cf89486e0a2affe9e18654e8089dd96b16

    • C:\Users\Admin\Desktop\BackupHide.xhtml

      Filesize

      266KB

      MD5

      30eb7e1f3307f10cfee24baaeae36206

      SHA1

      bdd177473eda0ad3c42f9e823881d7b25ca295c4

      SHA256

      973a55420a0ccbef95a131856a9e94cd2bbea444aad3e88b4eafc73519441dd4

      SHA512

      13eb6eac18a935efb225d1d521b930250085b865ae80e49913b43f96bc0c7b49d711e9ea3c716bf9037791f48fa91adfe5041c8a07d9f449bd120732b389014d

    • C:\Users\Admin\Desktop\CompleteTest.jpg

      Filesize

      323KB

      MD5

      2c909b5e34512a654e234740436cd5ca

      SHA1

      beb77e0f0123b88a193efde47387f88c586e77b6

      SHA256

      005f736dcc118dd3b9e717322a4a6fa1a9c84c0d435f67eb7a8568776a913c11

      SHA512

      dbf8ea76c25aa11997641b11c98d561967c37a990c2eb1a65d6c1254abd5acb44bf43e52b1cb92b9011aeee325d7a6dc8bc0d895c51ba470f64214a839dfb7e7

    • C:\Users\Admin\Desktop\ConfirmGet.avi

      Filesize

      399KB

      MD5

      f1f97d8736a2802c70cc6cc895ce62bf

      SHA1

      3d958b9e06eedca344431cfc5089a8db15da4dec

      SHA256

      1fcf3134b4159f0d7d395b11373bb4dafa117e654b57deb556c7b9e79a4d3b62

      SHA512

      dbdb79621faf2f2ac11716b8d571f3f9a1c79234e8f857a80ad64e74c4408c16457024ceb873ae7ba7f0be959f548414775cd7c990a3392b73cbd14ab40e8612

    • C:\Users\Admin\Desktop\ConfirmUnprotect.cr2

      Filesize

      285KB

      MD5

      c03aa837049e58fedc68c63aa26f99de

      SHA1

      a6fa40c64eaa8294e41528548656b3a30c8ab7fd

      SHA256

      2e485b404f4bbb98d020b82f84c6bffdef91bcc262073a2c792645241bf7eaec

      SHA512

      c04a79a7e29d86f768a31ac7286495dc152c29b0d24870b7172e92905824225b66d9a25dd4dbd8f9f15e26543a6374863665600a995cca0ff5186f357535db6d

    • C:\Users\Admin\Desktop\DisconnectUnlock.xlt

      Filesize

      247KB

      MD5

      65f72de3e44933fc04b641f43d2018b7

      SHA1

      62be8554ddf61521cc528907200c662a76f1605c

      SHA256

      7bb1fbd42b417f5c60b0ea4b2563a459aacfa9eaf577f65d2d1f6b489d21d3ec

      SHA512

      ca5d7c81301d7d12ce83bb044756c02160d78bca751bd69ebdbc05d3f4b3ada33819b27e0f04d8b2a30ad81d25c960e4102ac7ba295239400c61749ef142f6b3

    • C:\Users\Admin\Desktop\EditSend.txt

      Filesize

      342KB

      MD5

      9659c05db583a26dad011ce1db907cab

      SHA1

      6cf880c385c310a6f4f1fcd2f5037715dd096575

      SHA256

      b16668e70795461ec02addca1308b10c19292ed3a1ed6be0431ee173886192ae

      SHA512

      e1a461a1423f56526c6a073e8c80bcaf93ac6f9a71dcfa98b483b7994394ec4417b0351e76fbc5525c5a585fc4f218cdb050f2e03c7a944dd741923b84168933

    • C:\Users\Admin\Desktop\EnableCompare.vbs

      Filesize

      552KB

      MD5

      5ad04c3c925321be47ec78c152d290bd

      SHA1

      5010b6000db6cf3c056922c94e9cbaff14c7ec82

      SHA256

      88e23a7a7ac3f710b0c8973d906811f9f31cdfe4994f4690780ae13a0e6d01f8

      SHA512

      c6d0f9e976b19e50b6153e8de05dc26dafd6c37d63eaddc4639f5c194d6522d7ce5e5828b6a092df2c043819dcd94c68c000a763d10aaa1fada23aacf340b5b8

    • C:\Users\Admin\Desktop\ExitUnprotect.ps1xml

      Filesize

      818KB

      MD5

      0953bed919392b056fa8363340dc5e52

      SHA1

      521b52364c81e65c6e28f887255cd9dae3e8f077

      SHA256

      a22084ffb32a735d6136bbc0efa09f66eedbaa071d8cf45fb6f6affbb64aba5c

      SHA512

      e6e5330c3c4be7161bfedb10b4889b80848eed6178a6cc6452f1241ab17834ece00d499357436540ed54605374fe4c6183be4b2ec26e6122327e7e25a91afbb6

    • C:\Users\Admin\Desktop\FormatUnblock.docx

      Filesize

      12KB

      MD5

      a84ed163b8b3fc8ab1816164d908c21a

      SHA1

      eed0e3303c21d062a1cb470813ffe998034cccf0

      SHA256

      b4a67b2cbefcc9febfe63510b9fa596ecbd310bab99cbb4f6ed6d4ee6dda7e0a

      SHA512

      0e36f56f3e54e4a635257b44af12f77a9c72a65429c4cb81614e387f27b23de65b9b50f47dec99ece394ccddb475e56b87246972fe7149a1897655d7bc0983a1

    • C:\Users\Admin\Desktop\FormatUninstall.potx

      Filesize

      437KB

      MD5

      669bfc960fd9c3c572d8baba669b8728

      SHA1

      f17aee9db73b055bde5739166ad61a86f0c1b6af

      SHA256

      db594fa1c5abc1b3722ae89c304c65cf4e0ac4f2a28991ce3bc0c7708248e2b2

      SHA512

      5e43b02ef2df667d3abd9e19b3de50916354a55be62fad9e755950b67bf0b1d98c4d8a291b1d4b867f8a3946bc16b261c330a8b4bceeb6d34589da02ca578ab7

    • C:\Users\Admin\Desktop\Microsoft Edge.lnk

      Filesize

      2KB

      MD5

      c15af8e436d04bb72a7d7a9187a73080

      SHA1

      3ea0b4613779245befedae543afa050102e4dde4

      SHA256

      0bec71cd66731ada6fad8cbe744874e1558c5c440247938bd3c07e9c1d07e83e

      SHA512

      3f12c8cf5b95e3eb7863f6e1a16bc0ba50dcb2d1d87ceeaf7b24049e07ab64e019a743d10624262fbb9472f38c15b4455c219a44f3d007992eeaa8d0ae8cb9a3

    • C:\Users\Admin\Desktop\MountStart.bin

      Filesize

      514KB

      MD5

      9f5e54d80b2dcc87a2fdb8d94063cf6c

      SHA1

      b905e6c8b3d9af94b81dcaf4f9b28ce3100c97ce

      SHA256

      a2f18a2099d1f7f3f3abaa7d0fbb1344e43eaba4055d25e425b7e3ea6dcbb3c7

      SHA512

      5756fabfbf5f099a75250c3c4841af288a8fb8c322d545db4da1df7cb8bb08a421231de0b5cb60c9020af9d5347773de01947364cc04bbcebca11f3e27611a48

    • C:\Users\Admin\Desktop\MoveBlock.sql

      Filesize

      495KB

      MD5

      5afcdda2c4ef32ef6de5fde47019d725

      SHA1

      7d05405ddcab88c50cdf94c0715557063755f26c

      SHA256

      7ed64854606296efaba3d5370ce58d4b6d9cec863dda587b519cd323e53ec899

      SHA512

      f2c46ea839b49b577a68e328e0dfa9dfaed5b022100dbe8cd35bb890004d5cb9ade0789795499e96b63f03cf44b8afd33a5f5aa8f78eefcc94cab18a6bb84cb2

    • C:\Users\Admin\Desktop\MoveConfirm.xlsx

      Filesize

      10KB

      MD5

      91e18ce84127d01f11b90d3908f66b5c

      SHA1

      a28dede2af40885de2105dd0075e378a83d609da

      SHA256

      6792be90329909bb509f4c3c1c117bb7bc72e43d0aa71f9d3baf4c9a608bde68

      SHA512

      dd6b947ea4dbec74f57dcb1d11e78d97d5a9d5f26ac24bcf4701070e5d19a31f064197a3cbf45ee55d935924dc8b0d52b771ec07ad6d648c7dedc6f75378e9cf

    • C:\Users\Admin\Desktop\NewFind.dwfx

      Filesize

      476KB

      MD5

      e400bbef65790e59f57023c6a2c8823b

      SHA1

      4832b6e19e8e915fee508af322979c97b86d87c9

      SHA256

      d70352198fafd2ebed1d2fdc53b84e007201829999b9b135ca71aaeba190f8ef

      SHA512

      48e9deab392085ba4b9dd772dd7242bafddc233eeef32dfa4adecb9a6f0485e904af64619fba0953a7afec1adb842232bc3c475598443b946949935b9d265cbb

    • C:\Users\Admin\Desktop\OptimizeInstall.7z

      Filesize

      304KB

      MD5

      3918956a829e9464f9072bea3223ee72

      SHA1

      3a33764adc09e50fe3b3a02aa8d19ed71877b71b

      SHA256

      dc83e97f4fa1bdd373babd6a45d2ddf07332378c4f856ce7d24aa4a3c9e7191e

      SHA512

      65bbb21820af41c02899f66910fb1fd25fef31aab3a2a87fa04681873a9405ee0d80be46d757830dadf66c3652894bb881337c3e5ab28cd48b93d03357561936

    • C:\Users\Admin\Desktop\RequestConvertTo.vdx

      Filesize

      571KB

      MD5

      e2483a904050c1abc3a9ccc27cff8ea9

      SHA1

      54e324f22117c0815bbb5b05f955341df7649b72

      SHA256

      2e0e829b8d368fb301ce68a579a9167ecb8873f0d8c5708ff77862e81c038513

      SHA512

      5ec3d9d867dafb6972a5dac86c726ec8b3ed1ac2cf31b92b71f58fc7dd88f74ee69647c87f8c26a3f304e7888ae682cca90f7e80aa9cf4e464299fe69728a9fd

    • C:\Users\Admin\Desktop\ResizeRepair.ps1

      Filesize

      590KB

      MD5

      1ac66886a524d9a1071f04811c81c1e2

      SHA1

      1cb9d727117e8b04faf0bcc963d1a4b3d463ff61

      SHA256

      a0e5c17e6f015bb88d3968fae0d3ece12e91fbf729f303cc7c0599bc42c23e12

      SHA512

      0ff386de23656798ba4d1683830580582bfad557dd8d3b9b73bb33740d83dd78d14d8d180df014d71ab27bf756a12aab648f4996d24044fc4cf0cb6926f449ca

    • C:\Users\Admin\Desktop\ResumeUnblock.ADT

      Filesize

      361KB

      MD5

      04d6b19267ca7faafca3bccdf42cf161

      SHA1

      c81e2486a15912e7e10a1794603c78f9a4045c1b

      SHA256

      370624c7cde9da3c54faa84e5997c64b548291de36196c9c332444e4623e2dae

      SHA512

      0e86c103a942f2bfc4ec9540946752175ec29241043fd96a37f88acc6d3fdca5f0159923feaf1b2206101f0b2bd583e617986832d2cb53819f6eafaf14761d9f

    • C:\Users\Admin\Desktop\SetMerge.xlsm

      Filesize

      533KB

      MD5

      c202af6ecdf30082938f9a454c4212a5

      SHA1

      713ae9c607ec9c6bb77c28ab2d8cad1e31aa48ea

      SHA256

      63d2d3d0ab9c0ce296bca8742ccbdf2b30d959b5a9e5183d534a4c347b0b5a52

      SHA512

      845a265903064644c0c2b8f867ab635aa6d5a49cbfdf9ce08f577a6a651880432c4170aaf930aa4a3f5d8bd39d38df0643adede118f2fe4e02347154805b7a50

    • C:\Users\Admin\Desktop\SyncGrant.xlsm

      Filesize

      209KB

      MD5

      34b7fee86564ab05e8d227b2a54185d1

      SHA1

      c5806a047e0be441f535e5f45c73c0148fcf95c6

      SHA256

      1611010e559601d30b76dd82a608ca8e5cc18e32eda78f920c599afd54fe051c

      SHA512

      7bf7cc0bdd26849df207441908b8cb257105932120b41e15a4f562da69a3d3e62fc30f8397be03c1fcbd96b6c0387ba8cd092bf61f9dfbe9eb4631a6bc603ffb

    • C:\Users\Admin\Desktop\UndoNew.svg

      Filesize

      418KB

      MD5

      29e0aada2d5941f12d57e83e8d30aadc

      SHA1

      b7ca631ad5b09b3c111001709907aa7ffe7300a0

      SHA256

      e4c77773358e071d11078a4390efbb8b2c4c1bbb38c752c6d29c0001b05b7c84

      SHA512

      77c63da550b47c863f7b27d7329c0a8ca66ed12745e040efeb1791e8f85f019d491272f21ba8e755d7187013e083934def7c5648f8eff6ca527a0c6beeeb2678

    • C:\Users\Admin\Desktop\UnprotectPing.xltx

      Filesize

      228KB

      MD5

      148a54d28b6c1894d747f1a1b0680e1e

      SHA1

      e541e83feffdfcad6d5ff1d54c53c93a63d41d41

      SHA256

      5127dbbf46b69462660e0f3f0873f612d68c4c525f68c89ea12dfed4bd78164e

      SHA512

      b64f1d8f4165a7f911074af85dd5676e3ef47549597d409a2cd8fa8bc5803e19a1fec4258c2b84c61370e19252aae4bc373b9be4069b0db4b693b60598bb827b

    • C:\Users\Admin\Desktop\UpdatePublish.sql

      Filesize

      380KB

      MD5

      d37d802bf20542be484798a9e6ea71b8

      SHA1

      2ecb46457861bc8ab573edd19e71c0822f964ff9

      SHA256

      bba35996e77cb0e6bc48beff63ec6e1f959b30f191ad06a02231a0afe2312cb6

      SHA512

      c98a8dd7636fe7369684f21bae38ec8ff08dd93e4d93c3c677d4ef7b7b807f87e6c1da9e23688b3132c6af24181d67279290706a723fc91f29c5cd610cff4e95

    • C:\Users\Admin\RtkAudioService64.exe

      Filesize

      37KB

      MD5

      e08d7967557238a0ee488e405f7865dd

      SHA1

      b4428239dff65be117076a6d2169c1f5488e098e

      SHA256

      3ba9088ef4662608ccdb45a1333d4a5c9970fa90acdfdff4787233b8e4aa23d4

      SHA512

      f9d197250afbdffb9d7081f87b94687d1cd7d53f7901e0b402444f5e8f9c9df76b8b1ff25d44246231468de3a13bfa5b0d61755bd341bac191bef7ba0d51da81

    • C:\Users\Public\Desktop\Acrobat Reader DC.lnk

      Filesize

      2KB

      MD5

      ff8b991fdf07823a5b92fc31ddf9e195

      SHA1

      8965c71ba789e9097230310dc488c6a328c58f7b

      SHA256

      3ad6c4c62539ef85ff51fbe27c30161d7cd20e6c65ef6a353b752ba2db55786c

      SHA512

      43f79c5299b15cbf69e58e28a18f6ecfd43f1b102c9f7e8635b90740c866b8c640f2a3ccf048008cb0fe20c1b8b234dec16e5b339e41d648fa0302e0de4fc267

    • C:\Users\Public\Desktop\Firefox.lnk

      Filesize

      1000B

      MD5

      31a19481a72fe929141082629773b79b

      SHA1

      e4c2a33c6ff0a4809671eced00ff6337e6197194

      SHA256

      3287417937b56475f4efb7f1c0d5e2f25c14ab4a4eb639b94c135a69bdd3eb6c

      SHA512

      25cb952622d855aea4511414340c84a9621084b5bff40d29b98872120245dce86f46d4c67ba290e9f9fa9b6953a731cde4a33b5263ce4f31266b353e9013f4e0

    • C:\Users\Public\Desktop\Google Chrome.lnk

      Filesize

      2KB

      MD5

      11c62020d530ae50665609f93547de8a

      SHA1

      2770f3c8c0092b9f4d822ac368fb8a566294a7a6

      SHA256

      038effeb662fc16dce014db457ac0efce0a48ed6a7923880059a082db7099c25

      SHA512

      e6731fd31a43bc52711ba3b94534204d693365cf728cd6b47a74c1971115a4feaf40a51634d488669e3da5e6da668128449e8ff2f80bdb0746199adec4cda3b6

    • C:\Users\Public\Desktop\VLC media player.lnk

      Filesize

      923B

      MD5

      75874af35973494e12283d356e366fd6

      SHA1

      2b8e9a62ee0c588d7d78c1c00340b585f1375f7d

      SHA256

      dc51ff5a00b40fa27fde7054cefbc4ee791edcf7a364d1e51ed676dc4ce36390

      SHA512

      a70cb20df71b21d02c83b089239e0f12d2a65530ffce4cfb396b481349f4501ccbb8fbe6f5a14f3ab1005e2be81d088b8f12f6c39e685c24b0a08dc80ff2d3a1

    • memory/1448-22-0x0000000074DD0000-0x0000000075381000-memory.dmp

      Filesize

      5.7MB

    • memory/1448-2-0x0000000074DD0000-0x0000000075381000-memory.dmp

      Filesize

      5.7MB

    • memory/1448-1-0x0000000074DD0000-0x0000000075381000-memory.dmp

      Filesize

      5.7MB

    • memory/1448-0-0x0000000074DD2000-0x0000000074DD3000-memory.dmp

      Filesize

      4KB

    • memory/1732-21-0x0000000074DD0000-0x0000000075381000-memory.dmp

      Filesize

      5.7MB

    • memory/1732-23-0x0000000074DD0000-0x0000000075381000-memory.dmp

      Filesize

      5.7MB

    • memory/1732-33-0x0000000074DD0000-0x0000000075381000-memory.dmp

      Filesize

      5.7MB