Analysis
- max time kernel: 106s
- max time network: 140s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-11-2024 23:58

Static task: static1

Behavioral task: behavioral1
- Sample: BootstrapperV1.23.exe
- Resource: win7-20240903-en

Behavioral task: behavioral2
- Sample: BootstrapperV1.23.exe
- Resource: win10v2004-20241007-en
General
- Target: BootstrapperV1.23.exe
- Size: 800KB
- MD5: 02c70d9d6696950c198db93b7f6a835e
- SHA1: 30231a467a49cc37768eea0f55f4bea1cbfb48e2
- SHA256: 8f2e28588f2303bd8d7a9b0c3ff6a9cb16fa93f8ddc9c5e0666a8c12d6880ee3
- SHA512: 431d9b9918553bff4f4a5bc2a5e7b7015f8ad0e2d390bb4d5264d08983372424156524ef5587b24b67d1226856fc630aaca08edc8113097e0094501b4f08efeb
- SSDEEP: 12288:qhd8cjaLXVh84wEFkW1mocaBj6WtiRPpptHxQ0z:2ycjar84w5W4ocaBj6y2tHDz
Malware Config

Signatures
- Unexpected DNS network traffic destination (9 IoCs)
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
  description      ioc
  Destination IP   1.0.0.1
  Destination IP   1.0.0.1
  Destination IP   1.0.0.1
  Destination IP   1.0.0.1
  Destination IP   1.0.0.1
  Destination IP   1.0.0.1
  Destination IP   1.0.0.1
  Destination IP   1.0.0.1
  Destination IP   1.0.0.1

- Gathers network information (2 TTPs, 1 IoCs)
  Uses commandline utility to view network configuration.
  pid    Process
  4112   ipconfig.exe

- Suspicious use of AdjustPrivilegeToken (43 IoCs)
  description                           pid    Process
  Token: SeIncreaseQuotaPrivilege       4840   WMIC.exe
  Token: SeSecurityPrivilege            4840   WMIC.exe
  Token: SeTakeOwnershipPrivilege       4840   WMIC.exe
  Token: SeLoadDriverPrivilege          4840   WMIC.exe
  Token: SeSystemProfilePrivilege       4840   WMIC.exe
  Token: SeSystemtimePrivilege          4840   WMIC.exe
  Token: SeProfSingleProcessPrivilege   4840   WMIC.exe
  Token: SeIncBasePriorityPrivilege     4840   WMIC.exe
  Token: SeCreatePagefilePrivilege      4840   WMIC.exe
  Token: SeBackupPrivilege              4840   WMIC.exe
  Token: SeRestorePrivilege             4840   WMIC.exe
  Token: SeShutdownPrivilege            4840   WMIC.exe
  Token: SeDebugPrivilege               4840   WMIC.exe
  Token: SeSystemEnvironmentPrivilege   4840   WMIC.exe
  Token: SeRemoteShutdownPrivilege      4840   WMIC.exe
  Token: SeUndockPrivilege              4840   WMIC.exe
  Token: SeManageVolumePrivilege        4840   WMIC.exe
  Token: 33                             4840   WMIC.exe
  Token: 34                             4840   WMIC.exe
  Token: 35                             4840   WMIC.exe
  Token: 36                             4840   WMIC.exe
  Token: SeIncreaseQuotaPrivilege       4840   WMIC.exe
  Token: SeSecurityPrivilege            4840   WMIC.exe
  Token: SeTakeOwnershipPrivilege       4840   WMIC.exe
  Token: SeLoadDriverPrivilege          4840   WMIC.exe
  Token: SeSystemProfilePrivilege       4840   WMIC.exe
  Token: SeSystemtimePrivilege          4840   WMIC.exe
  Token: SeProfSingleProcessPrivilege   4840   WMIC.exe
  Token: SeIncBasePriorityPrivilege     4840   WMIC.exe
  Token: SeCreatePagefilePrivilege      4840   WMIC.exe
  Token: SeBackupPrivilege              4840   WMIC.exe
  Token: SeRestorePrivilege             4840   WMIC.exe
  Token: SeShutdownPrivilege            4840   WMIC.exe
  Token: SeDebugPrivilege               4840   WMIC.exe
  Token: SeSystemEnvironmentPrivilege   4840   WMIC.exe
  Token: SeRemoteShutdownPrivilege      4840   WMIC.exe
  Token: SeUndockPrivilege              4840   WMIC.exe
  Token: SeManageVolumePrivilege        4840   WMIC.exe
  Token: 33                             4840   WMIC.exe
  Token: 34                             4840   WMIC.exe
  Token: 35                             4840   WMIC.exe
  Token: 36                             4840   WMIC.exe
  Token: SeDebugPrivilege               4188   BootstrapperV1.23.exe

- Suspicious use of WriteProcessMemory (8 IoCs)
  description                          pid    Process                 procid_target
  PID 4188 wrote to memory of 1372     4188   BootstrapperV1.23.exe   85
  PID 4188 wrote to memory of 1372     4188   BootstrapperV1.23.exe   85
  PID 1372 wrote to memory of 4112     1372   cmd.exe                 87
  PID 1372 wrote to memory of 4112     1372   cmd.exe                 87
  PID 4188 wrote to memory of 2536     4188   BootstrapperV1.23.exe   94
  PID 4188 wrote to memory of 2536     4188   BootstrapperV1.23.exe   94
  PID 2536 wrote to memory of 4840     2536   cmd.exe                 96
  PID 2536 wrote to memory of 4840     2536   cmd.exe                 96
Processes
- C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
  PID: 4188
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\cmd.exe
    Command line: "cmd" /c ipconfig /all
    PID: 1372
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\ipconfig.exe
      Command line: ipconfig /all
      PID: 4112
      - Gathers network information
  - C:\Windows\SYSTEM32\cmd.exe
    Command line: "cmd" /c wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
    PID: 2536
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
      PID: 4840
      - Suspicious use of AdjustPrivilegeToken
Network
- Remote address: 8.8.8.8:53
  Request:  8.8.8.8.in-addr.arpa IN PTR
  Response: 8.8.8.8.in-addr.arpa IN PTR dns.google

- Remote address: 8.8.8.8:53
  Request:  95.221.229.192.in-addr.arpa IN PTR
  Response: (empty)

- Remote address: 8.8.8.8:53
  Request:  217.106.137.52.in-addr.arpa IN PTR
  Response: (empty)

- Remote address: 8.8.8.8:53
  Request:  172.210.232.199.in-addr.arpa IN PTR
  Response: (empty)

- Remote address: 8.8.8.8:53
  Request:  69.31.126.40.in-addr.arpa IN PTR
  Response: (empty)

- Remote address: 1.1.1.1:53
  Request:  getsolara.dev IN A
  Response: getsolara.dev IN A 104.21.93.27
            getsolara.dev IN A 172.67.203.125

- Remote address: 104.21.93.27:443
  Request:
    GET /asset/discord.json HTTP/1.1
    Host: getsolara.dev
    Connection: Keep-Alive
  Response:
    HTTP/1.1 200 OK
    Content-Type: application/json
    Transfer-Encoding: chunked
    Connection: keep-alive
    Access-Control-Allow-Origin: *
    Cache-Control: public, max-age=0, must-revalidate
    ETag: W/"7d966f73b6ce74a610dddaf0d0951ed8"
    referrer-policy: strict-origin-when-cross-origin
    x-content-type-options: nosniff
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CdZOWR6jmRLcduLlFPM6aVn7trhLeC0idE3NMyBt1MjnW7BtraiB71jfc2M7NMDu5sefh9qKlmyaksqeglZTIegLGxLFrIwO%2FpBnyMFuPkNqUWnwOjboGG9kxQ92Gfhv"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Vary: Accept-Encoding
    CF-Cache-Status: DYNAMIC
    Strict-Transport-Security: max-age=0
    Server: cloudflare
    CF-RAY: 8e5c63a1ea3dcd70-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=29964&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2974&recv_bytes=378&delivery_rate=128067&cwnd=253&unsent_bytes=0&cid=e27c28e535b3f98f&ts=106&x=0"

- Remote address: 104.21.93.27:443
  Request:
    GET /api/endpoint.json HTTP/1.1
    Host: getsolara.dev
  Response:
    HTTP/1.1 200 OK
    Content-Type: application/json
    Transfer-Encoding: chunked
    Connection: keep-alive
    Access-Control-Allow-Origin: *
    Cache-Control: public, max-age=0, must-revalidate
    ETag: W/"f6b52a565df2f13c59cdfa7bdef89298"
    referrer-policy: strict-origin-when-cross-origin
    x-content-type-options: nosniff
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XFE6g88m1r88wNxM4mM9OJzHu%2BQufe07mcAJcVJ%2FwKCoeMa4LvD2%2BrcSIPCeywR3vBWr%2Bq1Hyi4uviukZg%2BR0plUasmAt34TiNf2MrMhQbkdEuFIV%2FMJjQuZZ1mpP4dl"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Vary: Accept-Encoding
    CF-Cache-Status: DYNAMIC
    Strict-Transport-Security: max-age=0
    Server: cloudflare
    CF-RAY: 8e5c63af1d89cd70-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=29739&sent=7&recv=8&lost=0&retrans=0&sent_bytes=4166&recv_bytes=463&delivery_rate=128067&cwnd=255&unsent_bytes=0&cid=e27c28e535b3f98f&ts=2216&x=0"

- Remote address: 1.1.1.1:53
  Request:  27.93.21.104.in-addr.arpa IN PTR
  Response: (empty)

- Remote address: 1.1.1.1:53
  Request:  clientsettings.roblox.com IN A
  Response: clientsettings.roblox.com IN CNAME titanium.roblox.com
            titanium.roblox.com IN CNAME edge-term4.roblox.com
            edge-term4.roblox.com IN CNAME edge-term4-lhr2.roblox.com
            edge-term4-lhr2.roblox.com IN A 128.116.119.4
- GET https://clientsettings.roblox.com/v2/client-version/WindowsPlayer/channel/live (BootstrapperV1.23.exe)
  Remote address: 128.116.119.4:443
  Request:
    GET /v2/client-version/WindowsPlayer/channel/live HTTP/1.1
    Host: clientsettings.roblox.com
    Connection: Keep-Alive
  Response:
    HTTP/1.1 200 OK
    content-type: application/json; charset=utf-8
    date: Wed, 20 Nov 2024 23:58:40 GMT
    server: Kestrel
    cache-control: no-cache
    strict-transport-security: max-age=3600
    x-frame-options: SAMEORIGIN
    roblox-machine-id: 655ac928-e0aa-6768-42ea-248c7e294358
    x-roblox-region: us-central_rbx
    x-roblox-edge: lhr2
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://ncs.roblox.com/upload"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1}

- Remote address: 1.1.1.1:53
  Request:  4.119.116.128.in-addr.arpa IN PTR
  Response: (empty)

- Remote address: 1.1.1.1:53
  Request:  13.86.106.20.in-addr.arpa IN PTR
  Response: (empty)

- Remote address: 1.1.1.1:53
  Request:  56.163.245.4.in-addr.arpa IN PTR
  Response: (empty)

- Remote address: 1.1.1.1:53
  Request:  206.23.85.13.in-addr.arpa IN PTR
  (no response)

- Remote address: 1.0.0.1:53
  Request:  206.23.85.13.in-addr.arpa IN PTR
  Response: (empty)

- Remote address: 1.0.0.1:53
  Request:  1.0.0.1.in-addr.arpa IN PTR
  Response: 1.0.0.1.in-addr.arpa IN PTR one.one.one.one

- Remote address: 1.0.0.1:53
  Request:  1.0.0.1.in-addr.arpa IN PTR
  (no response)

- Remote address: 1.1.1.1:53
  Request:  1.0.0.1.in-addr.arpa IN PTR
  (no response)

- Remote address: 1.0.0.1:53
  Request:  dl.delivery.mp.microsoft.com IN A
  Response: dl.delivery.mp.microsoft.com IN CNAME dl.delivery.mp.microsoft.com.delivery.microsoft.com
            dl.delivery.mp.microsoft.com.delivery.microsoft.com IN CNAME dcat-f-nlu-net.trafficmanager.net
            dcat-f-nlu-net.trafficmanager.net IN CNAME fg.microsoft.map.fastly.net
            fg.microsoft.map.fastly.net IN A 199.232.214.172
            fg.microsoft.map.fastly.net IN A 199.232.210.172

- Remote address: 1.0.0.1:53
  Request:  172.214.232.199.in-addr.arpa IN PTR
  Response: (empty)

- Remote address: 1.0.0.1:53
  Request:  ctldl.windowsupdate.com IN A
  Response: ctldl.windowsupdate.com IN CNAME ctldl.windowsupdate.com.delivery.microsoft.com
            ctldl.windowsupdate.com.delivery.microsoft.com IN CNAME wu-b-net.trafficmanager.net
            wu-b-net.trafficmanager.net IN CNAME download.windowsupdate.com.edgesuite.net
            download.windowsupdate.com.edgesuite.net IN CNAME a767.dspw65.akamai.net
            a767.dspw65.akamai.net IN A 2.23.210.88
            a767.dspw65.akamai.net IN A 2.23.210.83

- Remote address: 1.0.0.1:53
  Request:  88.210.23.2.in-addr.arpa IN PTR
  Response: 88.210.23.2.in-addr.arpa IN PTR a2-23-210-88.deploy.static.akamaitechnologies.com

- Remote address: 1.0.0.1:53
  Request:  ctldl.windowsupdate.com IN A
  Response: ctldl.windowsupdate.com IN CNAME ctldl.windowsupdate.com.delivery.microsoft.com
            ctldl.windowsupdate.com.delivery.microsoft.com IN CNAME wu-b-net.trafficmanager.net
            wu-b-net.trafficmanager.net IN CNAME wu.azureedge.net
            wu.azureedge.net IN CNAME wu.ec.azureedge.net
            wu.ec.azureedge.net IN CNAME bg.apr-52dd2-0503.edgecastdns.net
            bg.apr-52dd2-0503.edgecastdns.net IN CNAME hlb.apr-52dd2-0.edgecastdns.net
            hlb.apr-52dd2-0.edgecastdns.net IN CNAME cs11.wpc.v0cdn.net
            cs11.wpc.v0cdn.net IN A 93.184.221.240

- Remote address: 1.0.0.1:53
  Request:  nexusrules.officeapps.live.com IN A
  Response: nexusrules.officeapps.live.com IN CNAME prod.nexusrules.live.com.akadns.net
            prod.nexusrules.live.com.akadns.net IN A 52.111.227.13

- Remote address: 1.0.0.1:53
  Request:  240.221.184.93.in-addr.arpa IN PTR
  Response: (empty)
- 997 B sent, 6.4kB received, 12 pkts sent, 13 pkts received
  HTTP Request:  GET https://getsolara.dev/asset/discord.json
  HTTP Response: 200
  HTTP Request:  GET https://getsolara.dev/api/endpoint.json
  HTTP Response: 200

- 128.116.119.4:443  https://clientsettings.roblox.com/v2/client-version/WindowsPlayer/channel/live  tls, http  BootstrapperV1.23.exe
  922 B sent, 6.6kB received, 11 pkts sent, 11 pkts received
  HTTP Request:  GET https://clientsettings.roblox.com/v2/client-version/WindowsPlayer/channel/live
  HTTP Response: 200

- 66 B sent, 90 B received, 1 pkt sent, 1 pkt received
  DNS Request: 8.8.8.8.in-addr.arpa

- 73 B sent, 144 B received, 1 pkt sent, 1 pkt received
  DNS Request: 95.221.229.192.in-addr.arpa

- 73 B sent, 147 B received, 1 pkt sent, 1 pkt received
  DNS Request: 217.106.137.52.in-addr.arpa

- 74 B sent, 128 B received, 1 pkt sent, 1 pkt received
  DNS Request: 172.210.232.199.in-addr.arpa

- 71 B sent, 157 B received, 1 pkt sent, 1 pkt received
  DNS Request: 69.31.126.40.in-addr.arpa

- 158 B sent, 2 pkts sent

- 59 B sent, 91 B received, 1 pkt sent, 1 pkt received
  DNS Request:  getsolara.dev
  DNS Response: 104.21.93.27, 172.67.203.125

- 71 B sent, 133 B received, 1 pkt sent, 1 pkt received
  DNS Request: 27.93.21.104.in-addr.arpa

- 71 B sent, 165 B received, 1 pkt sent, 1 pkt received
  DNS Request:  clientsettings.roblox.com
  DNS Response: 128.116.119.4

- 72 B sent, 126 B received, 1 pkt sent, 1 pkt received
  DNS Request: 4.119.116.128.in-addr.arpa

- 71 B sent, 157 B received, 1 pkt sent, 1 pkt received
  DNS Request: 13.86.106.20.in-addr.arpa

- 71 B sent, 157 B received, 1 pkt sent, 1 pkt received
  DNS Request: 56.163.245.4.in-addr.arpa

- 71 B sent, 1 pkt sent
  DNS Request: 206.23.85.13.in-addr.arpa

- 71 B sent, 145 B received, 1 pkt sent, 1 pkt received
  DNS Request: 206.23.85.13.in-addr.arpa

- 132 B sent, 95 B received, 2 pkts sent, 1 pkt received
  DNS Request: 1.0.0.1.in-addr.arpa
  DNS Request: 1.0.0.1.in-addr.arpa

- 66 B sent, 1 pkt sent
  DNS Request: 1.0.0.1.in-addr.arpa

- 74 B sent, 243 B received, 1 pkt sent, 1 pkt received
  DNS Request:  dl.delivery.mp.microsoft.com
  DNS Response: 199.232.214.172, 199.232.210.172

- 74 B sent, 128 B received, 1 pkt sent, 1 pkt received
  DNS Request: 172.214.232.199.in-addr.arpa

- 69 B sent, 283 B received, 1 pkt sent, 1 pkt received
  DNS Request:  ctldl.windowsupdate.com
  DNS Response: 2.23.210.88, 2.23.210.83

- 70 B sent, 133 B received, 1 pkt sent, 1 pkt received
  DNS Request: 88.210.23.2.in-addr.arpa

- 69 B sent, 333 B received, 1 pkt sent, 1 pkt received
  DNS Request:  ctldl.windowsupdate.com
  DNS Response: 93.184.221.240

- 76 B sent, 141 B received, 1 pkt sent, 1 pkt received
  DNS Request:  nexusrules.officeapps.live.com
  DNS Response: 52.111.227.13

- 73 B sent, 144 B received, 1 pkt sent, 1 pkt received
  DNS Request: 240.221.184.93.in-addr.arpa