Overview

overview

10

Static

static

10

Bootstrapper.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    19-11-2024 01:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Bootstrapper.exe

  • Size

    102KB

  • MD5

    eca9c9b3eb8e5598f1dd7d6eea69d18a

  • SHA1

    dbe5779142fbe19e46b3d6d6905838c7659c73e2

  • SHA256

    7708a99cb7450d311bd52afbfabf544dad72481d5de5a931791945b279330bdf

  • SHA512

    6cc229162b6ec43c1c1db33e197226f13bc778107cd7c18ab5b387ea16c868698842d89bc801236022b42ef5882cb803c2f5f418840c6b079f70e9a90bcc7154

  • SSDEEP

    3072:luctTFw424SdI9yZbaO2TFzrjvd6xwDFkGruq6lTPsQC9t2P:lucQB+yZba/hTZ3/6dPnCu

Score
10/10
asyncratvictimdiscoveryrat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Victim

C2

193.161.193.99:1194

Mutex

zKBMm76IjaE5

Attributes
  • delay

    3

  • install

    true

  • install_file

    SysKeeperVLR.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Async RAT payload 1 IoCs
    rat
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies registry class 4 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
    "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4372
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "SysKeeperVLR" /tr '"C:\Users\Admin\AppData\Roaming\SysKeeperVLR.exe"' & exit
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4644
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "SysKeeperVLR" /tr '"C:\Users\Admin\AppData\Roaming\SysKeeperVLR.exe"'
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2232
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB93E.tmp.bat""
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3180
      • C:\Windows\SysWOW64\timeout.exe
        timeout 3
        3⤵
        • System Location Discovery: System Language Discovery
        • Delays execution with timeout.exe
        PID:3996
      • C:\Users\Admin\AppData\Roaming\SysKeeperVLR.exe
        "C:\Users\Admin\AppData\Roaming\SysKeeperVLR.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1028
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
    1⤵
      PID:2624
    • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
      "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:4696
    • C:\Windows\system32\BackgroundTransferHost.exe
      "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
      1⤵
      • Modifies registry class
      PID:632

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\a7e07c23-b15e-4f58-b345-90e842703301.down_data
      Filesize

      555KB

      MD5

      5683c0028832cae4ef93ca39c8ac5029

      SHA1

      248755e4e1db552e0b6f8651b04ca6d1b31a86fb

      SHA256

      855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

      SHA512

      aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmpB93E.tmp.bat
      Filesize

      156B

      MD5

      de2550a7386274875a24bb157c6c3ad1

      SHA1

      ddcae39e7a1bf1488437ffae5eab7a1ba8ec1f7b

      SHA256

      0cb2b86cfbcea1c290da78b934bbb900c371b7d38029b48b2e3e998937d28245

      SHA512

      81c42602e187ccec1ba8c7f96a8d6c15920a24bea31fe3e614b3136f7c01d1754c55707b11690a54e95c3adfc3e9ea2f2437e911ef6d9da39f02adce4e17a6be

      Download Submit

    • C:\Users\Admin\AppData\Roaming\SysKeeperVLR.exe
      Filesize

      102KB

      MD5

      eca9c9b3eb8e5598f1dd7d6eea69d18a

      SHA1

      dbe5779142fbe19e46b3d6d6905838c7659c73e2

      SHA256

      7708a99cb7450d311bd52afbfabf544dad72481d5de5a931791945b279330bdf

      SHA512

      6cc229162b6ec43c1c1db33e197226f13bc778107cd7c18ab5b387ea16c868698842d89bc801236022b42ef5882cb803c2f5f418840c6b079f70e9a90bcc7154

      Download Submit

    • memory/1028-13-0x0000000074E10000-0x00000000755C1000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1028-14-0x0000000074E10000-0x00000000755C1000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4372-0-0x0000000074ECE000-0x0000000074ECF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4372-1-0x0000000000700000-0x0000000000720000-memory.dmp

      Filesize

      128KB

      Download

    • memory/4372-2-0x0000000074EC0000-0x0000000075671000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4372-3-0x00000000051D0000-0x000000000526C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/4372-8-0x0000000074EC0000-0x0000000075671000-memory.dmp

      Filesize

      7.7MB

      Download