Analysis

  • max time kernel
    106s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20241007-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    20-11-2024 23:58

General

  • Target

    BootstrapperV1.23.exe

  • Size

    800KB

  • MD5

    02c70d9d6696950c198db93b7f6a835e

  • SHA1

    30231a467a49cc37768eea0f55f4bea1cbfb48e2

  • SHA256

    8f2e28588f2303bd8d7a9b0c3ff6a9cb16fa93f8ddc9c5e0666a8c12d6880ee3

  • SHA512

    431d9b9918553bff4f4a5bc2a5e7b7015f8ad0e2d390bb4d5264d08983372424156524ef5587b24b67d1226856fc630aaca08edc8113097e0094501b4f08efeb

  • SSDEEP

    12288:qhd8cjaLXVh84wEFkW1mocaBj6WtiRPpptHxQ0z:2ycjar84w5W4ocaBj6y2tHDz

Score
7/10

Malware Config

Signatures

  • Unexpected DNS network traffic destination 9 IoCs

    Traffic on the DNS port (53) was sent to servers other than the DNS servers the sandbox host is configured to use.

  • Gathers network information 2 TTPs 1 IoCs

    Uses a command-line utility (here ipconfig /all) to view the network configuration.

  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
    "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4188
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd" /c ipconfig /all
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1372
      • C:\Windows\system32\ipconfig.exe
        ipconfig /all
        3⤵
        • Gathers network information
        PID:4112
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd" /c wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2536
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4840
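
The process tree above records the behaviour behind two of the signatures: cmd.exe spawns `ipconfig /all` (network discovery) and then WMIC with `SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")`, which rewrites the resolver list on every IP-enabled adapter; the "Unexpected DNS network traffic destination" hits that follow are port-53 traffic to those new resolvers. The detection logic below is an added example, not part of this sandbox report or of any EDR product. The process-creation records, the flow records, the source address 10.0.0.2 and the assumption that 8.8.8.8 was the sandbox's configured resolver (inferred from the first lookups in the Network section) are constructed for the example; the field names are a minimal schema chosen here, not a vendor format.

```python
"""Added example: flag a WMI resolver rewrite and explain the DNS traffic it causes."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Any WMI call that installs a new resolver list on enabled adapters.
_DNS_REWRITE = re.compile(
    r"\bwmic\b.*\bnicconfig\b.*\bSetDNSServerSearchOrder\b", re.IGNORECASE)
# Quoted IP list inside SetDNSServerSearchOrder ("a", "b").
_SERVER_LIST = re.compile(r"SetDNSServerSearchOrder\s*\(([^)]*)\)", re.IGNORECASE)
# ipconfig /all is benign on its own; it is the discovery step that preceded the rewrite.
_NET_DISCOVERY = re.compile(r"\bipconfig(\.exe)?\b\s+/all\b", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int      # 0 = parent not known (the report does not give the root's parent)
    image: str
    cmdline: str


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def dns_rewrite_servers(cmdline: str) -> list[str]:
    """Return the resolver IPs a SetDNSServerSearchOrder call installs, or [] if none."""
    if not _DNS_REWRITE.search(cmdline):
        return []
    m = _SERVER_LIST.search(cmdline)
    return re.findall(r'"([^"]+)"', m.group(1)) if m else []


def flag_process_events(events: list[ProcEvent]) -> list[tuple[int, str, str]]:
    """(pid, rule, detail) for every process-creation record matching a rule."""
    hits = []
    for ev in events:
        servers = dns_rewrite_servers(ev.cmdline)
        if servers:
            hits.append((ev.pid, "dns_server_rewrite", ",".join(servers)))
        elif _NET_DISCOVERY.search(ev.cmdline):
            hits.append((ev.pid, "network_discovery", "ipconfig /all"))
    return hits


def ancestry(pid: int, by_pid: dict[int, ProcEvent]) -> list[str]:
    """Image names from pid up to the root, so an alert can show who spawned WMIC."""
    chain = []
    while pid in by_pid:
        ev = by_pid[pid]
        chain.append(ev.image.rsplit("\\", 1)[-1])
        pid = ev.ppid
    return chain


def unexpected_dns_destinations(flows: list[Flow], configured: set[str]) -> list[str]:
    """Port-53 destinations that are not a configured resolver (the report's signature)."""
    return sorted({f.dst for f in flows if f.dport == 53 and f.dst not in configured})


def explain_unexpected_dns(events, flows, configured) -> dict[str, int | None]:
    """Map each unexpected resolver to the first process that installed it, else None."""
    installed: dict[str, int] = {}
    for ev in events:
        for ip in dns_rewrite_servers(ev.cmdline):
            installed.setdefault(ip, ev.pid)
    return {ip: installed.get(ip) for ip in unexpected_dns_destinations(flows, configured)}


# Constructed records modelled on the report's process tree (PIDs as reported).
SAMPLE_EVENTS = [
    ProcEvent(4188, 0, r"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"'),
    ProcEvent(1372, 4188, r"C:\Windows\SYSTEM32\cmd.exe", '"cmd" /c ipconfig /all'),
    ProcEvent(4112, 1372, r"C:\Windows\system32\ipconfig.exe", "ipconfig /all"),
    ProcEvent(2536, 4188, r"C:\Windows\SYSTEM32\cmd.exe",
              '"cmd" /c wmic nicconfig where (IPEnabled=TRUE) call '
              'SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")'),
    ProcEvent(4840, 2536, r"C:\Windows\System32\Wbem\WMIC.exe",
              'wmic nicconfig where (IPEnabled=TRUE) call '
              'SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")'),
]
# Assumption: 8.8.8.8 was the host's configured resolver; 10.0.0.2 is a made-up guest address.
CONFIGURED_RESOLVERS = {"8.8.8.8"}
SAMPLE_FLOWS = [
    Flow("10.0.0.2", "8.8.8.8", 53, "udp"),        # PTR lookups before the rewrite
    Flow("10.0.0.2", "1.1.1.1", 53, "udp"),        # getsolara.dev A after the rewrite
    Flow("10.0.0.2", "1.0.0.1", 53, "udp"),        # secondary resolver after the rewrite
    Flow("10.0.0.2", "104.21.93.27", 443, "tcp"),  # HTTPS, not DNS
    Flow("10.0.0.2", "224.0.0.251", 5353, "udp"),  # mDNS, not port 53
]

if __name__ == "__main__":
    by_pid = {e.pid: e for e in SAMPLE_EVENTS}
    for pid, rule, detail in flag_process_events(SAMPLE_EVENTS):
        print(pid, rule, detail, "<-".join(ancestry(pid, by_pid)))
    print(explain_unexpected_dns(SAMPLE_EVENTS, SAMPLE_FLOWS, CONFIGURED_RESOLVERS))
```

The rewrite rule keys on the WMI method name rather than on `1.1.1.1`, so it also catches a rewrite to an attacker-controlled resolver; the ancestry chain (WMIC.exe <- cmd.exe <- an executable in a user's Temp directory) is what separates this from an administrator running the same command.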

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dns.google
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    217.106.137.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    217.106.137.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    69.31.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    69.31.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    getsolara.dev
    BootstrapperV1.23.exe
    Remote address:
    1.1.1.1:53
    Request
    getsolara.dev
    IN A
    Response
    getsolara.dev
    IN A
    104.21.93.27
    getsolara.dev
    IN A
    172.67.203.125
  • flag-us
    GET
    https://getsolara.dev/asset/discord.json
    BootstrapperV1.23.exe
    Remote address:
    104.21.93.27:443
    Request
    GET /asset/discord.json HTTP/1.1
    Host: getsolara.dev
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Wed, 20 Nov 2024 23:58:38 GMT
    Content-Type: application/json
    Transfer-Encoding: chunked
    Connection: keep-alive
    Access-Control-Allow-Origin: *
    Cache-Control: public, max-age=0, must-revalidate
    ETag: W/"7d966f73b6ce74a610dddaf0d0951ed8"
    referrer-policy: strict-origin-when-cross-origin
    x-content-type-options: nosniff
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CdZOWR6jmRLcduLlFPM6aVn7trhLeC0idE3NMyBt1MjnW7BtraiB71jfc2M7NMDu5sefh9qKlmyaksqeglZTIegLGxLFrIwO%2FpBnyMFuPkNqUWnwOjboGG9kxQ92Gfhv"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Vary: Accept-Encoding
    CF-Cache-Status: DYNAMIC
    Strict-Transport-Security: max-age=0
    Server: cloudflare
    CF-RAY: 8e5c63a1ea3dcd70-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=29964&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2974&recv_bytes=378&delivery_rate=128067&cwnd=253&unsent_bytes=0&cid=e27c28e535b3f98f&ts=106&x=0"
  • flag-us
    GET
    https://getsolara.dev/api/endpoint.json
    BootstrapperV1.23.exe
    Remote address:
    104.21.93.27:443
    Request
    GET /api/endpoint.json HTTP/1.1
    Host: getsolara.dev
    Response
    HTTP/1.1 200 OK
    Date: Wed, 20 Nov 2024 23:58:40 GMT
    Content-Type: application/json
    Transfer-Encoding: chunked
    Connection: keep-alive
    Access-Control-Allow-Origin: *
    Cache-Control: public, max-age=0, must-revalidate
    ETag: W/"f6b52a565df2f13c59cdfa7bdef89298"
    referrer-policy: strict-origin-when-cross-origin
    x-content-type-options: nosniff
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XFE6g88m1r88wNxM4mM9OJzHu%2BQufe07mcAJcVJ%2FwKCoeMa4LvD2%2BrcSIPCeywR3vBWr%2Bq1Hyi4uviukZg%2BR0plUasmAt34TiNf2MrMhQbkdEuFIV%2FMJjQuZZ1mpP4dl"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Vary: Accept-Encoding
    CF-Cache-Status: DYNAMIC
    Strict-Transport-Security: max-age=0
    Server: cloudflare
    CF-RAY: 8e5c63af1d89cd70-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=29739&sent=7&recv=8&lost=0&retrans=0&sent_bytes=4166&recv_bytes=463&delivery_rate=128067&cwnd=255&unsent_bytes=0&cid=e27c28e535b3f98f&ts=2216&x=0"
  • flag-us
    DNS
    27.93.21.104.in-addr.arpa
    Remote address:
    1.1.1.1:53
    Request
    27.93.21.104.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    clientsettings.roblox.com
    BootstrapperV1.23.exe
    Remote address:
    1.1.1.1:53
    Request
    clientsettings.roblox.com
    IN A
    Response
    clientsettings.roblox.com
    IN CNAME
    titanium.roblox.com
    titanium.roblox.com
    IN CNAME
    edge-term4.roblox.com
    edge-term4.roblox.com
    IN CNAME
    edge-term4-lhr2.roblox.com
    edge-term4-lhr2.roblox.com
    IN A
    128.116.119.4
  • flag-gb
    GET
    https://clientsettings.roblox.com/v2/client-version/WindowsPlayer/channel/live
    BootstrapperV1.23.exe
    Remote address:
    128.116.119.4:443
    Request
    GET /v2/client-version/WindowsPlayer/channel/live HTTP/1.1
    Host: clientsettings.roblox.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    content-length: 119
    content-type: application/json; charset=utf-8
    date: Wed, 20 Nov 2024 23:58:40 GMT
    server: Kestrel
    cache-control: no-cache
    strict-transport-security: max-age=3600
    x-frame-options: SAMEORIGIN
    roblox-machine-id: 655ac928-e0aa-6768-42ea-248c7e294358
    x-roblox-region: us-central_rbx
    x-roblox-edge: lhr2
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://ncs.roblox.com/upload"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1}
  • flag-us
    DNS
    4.119.116.128.in-addr.arpa
    Remote address:
    1.1.1.1:53
    Request
    4.119.116.128.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    13.86.106.20.in-addr.arpa
    Remote address:
    1.1.1.1:53
    Request
    13.86.106.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    56.163.245.4.in-addr.arpa
    Remote address:
    1.1.1.1:53
    Request
    56.163.245.4.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    206.23.85.13.in-addr.arpa
    Remote address:
    1.1.1.1:53
    Request
    206.23.85.13.in-addr.arpa
    IN PTR
  • flag-au
    DNS
    206.23.85.13.in-addr.arpa
    Remote address:
    1.0.0.1:53
    Request
    206.23.85.13.in-addr.arpa
    IN PTR
    Response
  • flag-au
    DNS
    1.0.0.1.in-addr.arpa
    Remote address:
    1.0.0.1:53
    Request
    1.0.0.1.in-addr.arpa
    IN PTR
    Response
    1.0.0.1.in-addr.arpa
    IN PTR
    one.one.one.one
  • flag-au
    DNS
    1.0.0.1.in-addr.arpa
    Remote address:
    1.0.0.1:53
    Request
    1.0.0.1.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    1.0.0.1.in-addr.arpa
    Remote address:
    1.1.1.1:53
    Request
    1.0.0.1.in-addr.arpa
    IN PTR
  • flag-au
    DNS
    dl.delivery.mp.microsoft.com
    Remote address:
    1.0.0.1:53
    Request
    dl.delivery.mp.microsoft.com
    IN A
    Response
    dl.delivery.mp.microsoft.com
    IN CNAME
    dl.delivery.mp.microsoft.com.delivery.microsoft.com
    dl.delivery.mp.microsoft.com.delivery.microsoft.com
    IN CNAME
    dcat-f-nlu-net.trafficmanager.net
    dcat-f-nlu-net.trafficmanager.net
    IN CNAME
    fg.microsoft.map.fastly.net
    fg.microsoft.map.fastly.net
    IN A
    199.232.214.172
    fg.microsoft.map.fastly.net
    IN A
    199.232.210.172
  • flag-au
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    1.0.0.1:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-au
    DNS
    ctldl.windowsupdate.com
    Remote address:
    1.0.0.1:53
    Request
    ctldl.windowsupdate.com
    IN A
    Response
    ctldl.windowsupdate.com
    IN CNAME
    ctldl.windowsupdate.com.delivery.microsoft.com
    ctldl.windowsupdate.com.delivery.microsoft.com
    IN CNAME
    wu-b-net.trafficmanager.net
    wu-b-net.trafficmanager.net
    IN CNAME
    download.windowsupdate.com.edgesuite.net
    download.windowsupdate.com.edgesuite.net
    IN CNAME
    a767.dspw65.akamai.net
    a767.dspw65.akamai.net
    IN A
    2.23.210.88
    a767.dspw65.akamai.net
    IN A
    2.23.210.83
  • flag-au
    DNS
    88.210.23.2.in-addr.arpa
    Remote address:
    1.0.0.1:53
    Request
    88.210.23.2.in-addr.arpa
    IN PTR
    Response
    88.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-88.deploy.static.akamaitechnologies.com
  • flag-au
    DNS
    ctldl.windowsupdate.com
    Remote address:
    1.0.0.1:53
    Request
    ctldl.windowsupdate.com
    IN A
    Response
    ctldl.windowsupdate.com
    IN CNAME
    ctldl.windowsupdate.com.delivery.microsoft.com
    ctldl.windowsupdate.com.delivery.microsoft.com
    IN CNAME
    wu-b-net.trafficmanager.net
    wu-b-net.trafficmanager.net
    IN CNAME
    wu.azureedge.net
    wu.azureedge.net
    IN CNAME
    wu.ec.azureedge.net
    wu.ec.azureedge.net
    IN CNAME
    bg.apr-52dd2-0503.edgecastdns.net
    bg.apr-52dd2-0503.edgecastdns.net
    IN CNAME
    hlb.apr-52dd2-0.edgecastdns.net
    hlb.apr-52dd2-0.edgecastdns.net
    IN CNAME
    cs11.wpc.v0cdn.net
    cs11.wpc.v0cdn.net
    IN A
    93.184.221.240
  • flag-au
    DNS
    nexusrules.officeapps.live.com
    Remote address:
    1.0.0.1:53
    Request
    nexusrules.officeapps.live.com
    IN A
    Response
    nexusrules.officeapps.live.com
    IN CNAME
    prod.nexusrules.live.com.akadns.net
    prod.nexusrules.live.com.akadns.net
    IN A
    52.111.227.13
  • flag-au
    DNS
    240.221.184.93.in-addr.arpa
    Remote address:
    1.0.0.1:53
    Request
    240.221.184.93.in-addr.arpa
    IN PTR
    Response
  • 104.21.93.27:443
    https://getsolara.dev/api/endpoint.json
    tls, http
    BootstrapperV1.23.exe
    997 B
    6.4kB
    12
    13

    HTTP Request

    GET https://getsolara.dev/asset/discord.json

    HTTP Response

    200

    HTTP Request

    GET https://getsolara.dev/api/endpoint.json

    HTTP Response

    200
  • 127.0.0.1:6463
    BootstrapperV1.23.exe
  • 128.116.119.4:443
    https://clientsettings.roblox.com/v2/client-version/WindowsPlayer/channel/live
    tls, http
    BootstrapperV1.23.exe
    922 B
    6.6kB
    11
    11

    HTTP Request

    GET https://clientsettings.roblox.com/v2/client-version/WindowsPlayer/channel/live

    HTTP Response

    200
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    217.106.137.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    217.106.137.52.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    69.31.126.40.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    69.31.126.40.in-addr.arpa

  • 224.0.0.251:5353
    158 B
    2
  • 1.1.1.1:53
    getsolara.dev
    dns
    BootstrapperV1.23.exe
    59 B
    91 B
    1
    1

    DNS Request

    getsolara.dev

    DNS Response

    104.21.93.27
    172.67.203.125

  • 1.1.1.1:53
    27.93.21.104.in-addr.arpa
    dns
    71 B
    133 B
    1
    1

    DNS Request

    27.93.21.104.in-addr.arpa

  • 1.1.1.1:53
    clientsettings.roblox.com
    dns
    BootstrapperV1.23.exe
    71 B
    165 B
    1
    1

    DNS Request

    clientsettings.roblox.com

    DNS Response

    128.116.119.4

  • 1.1.1.1:53
    4.119.116.128.in-addr.arpa
    dns
    72 B
    126 B
    1
    1

    DNS Request

    4.119.116.128.in-addr.arpa

  • 1.1.1.1:53
    13.86.106.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    13.86.106.20.in-addr.arpa

  • 1.1.1.1:53
    56.163.245.4.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    56.163.245.4.in-addr.arpa

  • 1.1.1.1:53
    206.23.85.13.in-addr.arpa
    dns
    71 B
    1

    DNS Request

    206.23.85.13.in-addr.arpa

  • 1.0.0.1:53
    206.23.85.13.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    206.23.85.13.in-addr.arpa

  • 1.0.0.1:53
    1.0.0.1.in-addr.arpa
    dns
    132 B
    95 B
    2
    1

    DNS Request

    1.0.0.1.in-addr.arpa

    DNS Request

    1.0.0.1.in-addr.arpa

  • 1.1.1.1:53
    1.0.0.1.in-addr.arpa
    dns
    66 B
    1

    DNS Request

    1.0.0.1.in-addr.arpa

  • 1.0.0.1:53
    dl.delivery.mp.microsoft.com
    dns
    74 B
    243 B
    1
    1

    DNS Request

    dl.delivery.mp.microsoft.com

    DNS Response

    199.232.214.172
    199.232.210.172

  • 1.0.0.1:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

  • 1.0.0.1:53
    ctldl.windowsupdate.com
    dns
    69 B
    283 B
    1
    1

    DNS Request

    ctldl.windowsupdate.com

    DNS Response

    2.23.210.88
    2.23.210.83

  • 1.0.0.1:53
    88.210.23.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    88.210.23.2.in-addr.arpa

  • 1.0.0.1:53
    ctldl.windowsupdate.com
    dns
    69 B
    333 B
    1
    1

    DNS Request

    ctldl.windowsupdate.com

    DNS Response

    93.184.221.240

  • 1.0.0.1:53
    nexusrules.officeapps.live.com
    dns
    76 B
    141 B
    1
    1

    DNS Request

    nexusrules.officeapps.live.com

    DNS Response

    52.111.227.13

  • 1.0.0.1:53
    240.221.184.93.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    240.221.184.93.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • memory/4188-0-0x00007FFFE0C63000-0x00007FFFE0C65000-memory.dmp

    Filesize

    8KB

  • memory/4188-1-0x0000022584280000-0x000002258434E000-memory.dmp

    Filesize

    824KB

  • memory/4188-2-0x00007FFFE0C60000-0x00007FFFE1721000-memory.dmp

    Filesize

    10.8MB

  • memory/4188-4-0x00000225A0790000-0x00000225A07B2000-memory.dmp

    Filesize

    136KB

  • memory/4188-5-0x00007FFFE0C63000-0x00007FFFE0C65000-memory.dmp

    Filesize

    8KB

  • memory/4188-6-0x00007FFFE0C60000-0x00007FFFE1721000-memory.dmp

    Filesize

    10.8MB
