Analysis

  • max time kernel
    24s
  • max time network
    21s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-11-2024 11:48

General

  • Target

    BootstrapperV1.23.exe

  • Size

    800KB

  • MD5

    02c70d9d6696950c198db93b7f6a835e

  • SHA1

    30231a467a49cc37768eea0f55f4bea1cbfb48e2

  • SHA256

    8f2e28588f2303bd8d7a9b0c3ff6a9cb16fa93f8ddc9c5e0666a8c12d6880ee3

  • SHA512

    431d9b9918553bff4f4a5bc2a5e7b7015f8ad0e2d390bb4d5264d08983372424156524ef5587b24b67d1226856fc630aaca08edc8113097e0094501b4f08efeb

  • SSDEEP

    12288:qhd8cjaLXVh84wEFkW1mocaBj6WtiRPpptHxQ0z:2ycjar84w5W4ocaBj6y2tHDz

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 6 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 13 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Gathers network information 2 TTPs 1 IoCs

    Uses a command-line utility to view the network configuration.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
    "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4244
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd" /c ipconfig /all
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:348
      • C:\Windows\system32\ipconfig.exe
        ipconfig /all
        3⤵
        • Gathers network information
        PID:4728
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd" /c wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:632
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1420
    • C:\Windows\System32\msiexec.exe
      "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi" /qn
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1916
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:868
    • C:\Windows\System32\MsiExec.exe
      C:\Windows\System32\MsiExec.exe -Embedding 41C74BCF02B15D4D496C2F94FE471E90
      2⤵
      • Loads dropped DLL
      PID:4232
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 1AF2F7BB80CCFC99DEDFA73EBF6E401D
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:3552

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dns.google
  • flag-us
    DNS
    97.17.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    97.17.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    217.72.21.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    217.72.21.2.in-addr.arpa
    IN PTR
    Response
    217.72.21.2.in-addr.arpa
    IN PTR
    a2-21-72-217.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    138.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    138.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    getsolara.dev
    BootstrapperV1.23.exe
    Remote address:
    1.1.1.1:53
    Request
    getsolara.dev
    IN A
    Response
    getsolara.dev
    IN A
    104.21.93.27
    getsolara.dev
    IN A
    172.67.203.125
  • flag-us
    GET
    https://getsolara.dev/asset/discord.json
    BootstrapperV1.23.exe
    Remote address:
    104.21.93.27:443
    Request
    GET /asset/discord.json HTTP/1.1
    Host: getsolara.dev
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Sat, 23 Nov 2024 11:48:21 GMT
    Content-Type: application/json
    Transfer-Encoding: chunked
    Connection: keep-alive
    Access-Control-Allow-Origin: *
    Cache-Control: public, max-age=0, must-revalidate
    ETag: W/"7d966f73b6ce74a610dddaf0d0951ed8"
    referrer-policy: strict-origin-when-cross-origin
    x-content-type-options: nosniff
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oK0Peff6tOdWuLyFK7CPbxy9cWpFKUEZH21tBW8rP1eLa5%2BZ7ZI381psypn6OPNyk9Wvn3wthE07hWNWO%2FoBKYCuYURUgsnJZAtx5jTGIe8OuNCFvIgf9Yl0iCEIlXoI"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Vary: Accept-Encoding
    cf-cache-status: DYNAMIC
    Strict-Transport-Security: max-age=0
    Server: cloudflare
    CF-RAY: 8e70ee021e4b7196-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=61137&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2972&recv_bytes=378&delivery_rate=44943&cwnd=251&unsent_bytes=0&cid=1c916cb45187184c&ts=201&x=0"
  • flag-us
    GET
    https://getsolara.dev/api/endpoint.json
    BootstrapperV1.23.exe
    Remote address:
    104.21.93.27:443
    Request
    GET /api/endpoint.json HTTP/1.1
    Host: getsolara.dev
    Response
    HTTP/1.1 200 OK
    Date: Sat, 23 Nov 2024 11:48:23 GMT
    Content-Type: application/json
    Transfer-Encoding: chunked
    Connection: keep-alive
    Access-Control-Allow-Origin: *
    Cache-Control: public, max-age=0, must-revalidate
    ETag: W/"1fb39881d9a29ec7570ef2c2a61f7386"
    referrer-policy: strict-origin-when-cross-origin
    x-content-type-options: nosniff
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UySae7bhrJGXy%2Fip%2BTrVFKgjCtgpIqkI9iXkz4rCGuSbI5oO%2FLlaQrDjWNVuqBP9Ji%2FujcM6wN2Mr2s0%2B3jvBtJ6C09ULUOKiGUVYpTIUGkAn6S46Jsp19QGanlFj6jv"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Vary: Accept-Encoding
    cf-cache-status: DYNAMIC
    Strict-Transport-Security: max-age=0
    Server: cloudflare
    CF-RAY: 8e70ee0f8f017196-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=60962&sent=8&recv=8&lost=0&retrans=0&sent_bytes=4165&recv_bytes=463&delivery_rate=45436&cwnd=253&unsent_bytes=0&cid=1c916cb45187184c&ts=2347&x=0"
  • flag-us
    DNS
    27.93.21.104.in-addr.arpa
    Remote address:
    1.1.1.1:53
    Request
    27.93.21.104.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    clientsettings.roblox.com
    BootstrapperV1.23.exe
    Remote address:
    1.1.1.1:53
    Request
    clientsettings.roblox.com
    IN A
    Response
    clientsettings.roblox.com
    IN CNAME
    titanium.roblox.com
    titanium.roblox.com
    IN CNAME
    edge-term4.roblox.com
    edge-term4.roblox.com
    IN CNAME
    edge-term4-lhr2.roblox.com
    edge-term4-lhr2.roblox.com
    IN A
    128.116.119.4
  • flag-gb
    GET
    https://clientsettings.roblox.com/v2/client-version/WindowsPlayer/channel/live
    BootstrapperV1.23.exe
    Remote address:
    128.116.119.4:443
    Request
    GET /v2/client-version/WindowsPlayer/channel/live HTTP/1.1
    Host: clientsettings.roblox.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    content-length: 119
    content-type: application/json; charset=utf-8
    date: Sat, 23 Nov 2024 11:48:24 GMT
    server: Kestrel
    cache-control: no-cache
    strict-transport-security: max-age=3600
    x-frame-options: SAMEORIGIN
    roblox-machine-id: c40a8744-2175-a775-d6cf-c784445aa029
    x-roblox-region: us-central_rbx
    x-roblox-edge: lhr2
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://ncs.roblox.com/upload"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1}
  • flag-us
    DNS
    4.119.116.128.in-addr.arpa
    Remote address:
    1.1.1.1:53
    Request
    4.119.116.128.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    58.55.71.13.in-addr.arpa
    Remote address:
    1.1.1.1:53
    Request
    58.55.71.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    www.nodejs.org
    BootstrapperV1.23.exe
    Remote address:
    1.1.1.1:53
    Request
    www.nodejs.org
    IN A
    Response
    www.nodejs.org
    IN A
    104.20.23.46
    www.nodejs.org
    IN A
    104.20.22.46
  • flag-us
    GET
    https://www.nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msi
    BootstrapperV1.23.exe
    Remote address:
    104.20.23.46:443
    Request
    GET /dist/v18.16.0/node-v18.16.0-x64.msi HTTP/1.1
    Host: www.nodejs.org
    Connection: Keep-Alive
    Response
    HTTP/1.1 307 Temporary Redirect
    Date: Sat, 23 Nov 2024 11:48:26 GMT
    Content-Type: text/plain
    Transfer-Encoding: chunked
    Connection: keep-alive
    Cache-Control: public, max-age=0, must-revalidate
    location: https://nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msi
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    x-vercel-id: lhr1::mtrnh-1732362506500-787c28e3b1ac
    CF-Cache-Status: DYNAMIC
    X-Content-Type-Options: nosniff
    Server: cloudflare
    CF-RAY: 8e70ee1f9ec0cd6b-LHR
  • flag-us
    DNS
    nodejs.org
    BootstrapperV1.23.exe
    Remote address:
    1.1.1.1:53
    Request
    nodejs.org
    IN A
    Response
    nodejs.org
    IN A
    104.20.22.46
    nodejs.org
    IN A
    104.20.23.46
  • flag-us
    GET
    https://nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msi
    BootstrapperV1.23.exe
    Remote address:
    104.20.22.46:443
    Request
    GET /dist/v18.16.0/node-v18.16.0-x64.msi HTTP/1.1
    Host: nodejs.org
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Sat, 23 Nov 2024 11:48:27 GMT
    Content-Type: application/x-msi
    Content-Length: 31539200
    Connection: keep-alive
    Cache-Control: public, max-age=3600, s-maxage=14400
    ETag: "0e4e9aa41d24221b29b19ba96c1a64d0"
    Last-Modified: Wed, 12 Apr 2023 04:13:37 GMT
    accept-range: bytes
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    X-Content-Type-Options: nosniff
    Server: cloudflare
    CF-RAY: 8e70ee23bf4694c3-LHR
  • flag-us
    DNS
    46.23.20.104.in-addr.arpa
    Remote address:
    1.1.1.1:53
    Request
    46.23.20.104.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    46.22.20.104.in-addr.arpa
    Remote address:
    1.1.1.1:53
    Request
    46.22.20.104.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    23.149.64.172.in-addr.arpa
    Remote address:
    1.1.1.1:53
    Request
    23.149.64.172.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    71.159.190.20.in-addr.arpa
    Remote address:
    1.1.1.1:53
    Request
    71.159.190.20.in-addr.arpa
    IN PTR
    Response
  • 104.21.93.27:443
    https://getsolara.dev/api/endpoint.json
    tls, http
    BootstrapperV1.23.exe
    905 B
    6.4kB
    10
    13

    HTTP Request

    GET https://getsolara.dev/asset/discord.json

    HTTP Response

    200

    HTTP Request

    GET https://getsolara.dev/api/endpoint.json

    HTTP Response

    200
  • 127.0.0.1:6463
    BootstrapperV1.23.exe
  • 128.116.119.4:443
    https://clientsettings.roblox.com/v2/client-version/WindowsPlayer/channel/live
    tls, http
    BootstrapperV1.23.exe
    784 B
    6.5kB
    8
    9

    HTTP Request

    GET https://clientsettings.roblox.com/v2/client-version/WindowsPlayer/channel/live

    HTTP Response

    200
  • 104.20.23.46:443
    https://www.nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msi
    tls, http
    BootstrapperV1.23.exe
    753 B
    6.8kB
    8
    11

    HTTP Request

    GET https://www.nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msi

    HTTP Response

    307
  • 104.20.22.46:443
    https://nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msi
    tls, http
    BootstrapperV1.23.exe
    2.0MB
    39.2MB
    26655
    28094

    HTTP Request

    GET https://nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msi

    HTTP Response

    200
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    97.17.167.52.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    97.17.167.52.in-addr.arpa

  • 8.8.8.8:53
    217.72.21.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    217.72.21.2.in-addr.arpa

  • 8.8.8.8:53
    138.32.126.40.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    138.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 224.0.0.251:5353
    316 B
    4
  • 1.1.1.1:53
    getsolara.dev
    dns
    BootstrapperV1.23.exe
    59 B
    91 B
    1
    1

    DNS Request

    getsolara.dev

    DNS Response

    104.21.93.27
    172.67.203.125

  • 1.1.1.1:53
    27.93.21.104.in-addr.arpa
    dns
    71 B
    133 B
    1
    1

    DNS Request

    27.93.21.104.in-addr.arpa

  • 1.1.1.1:53
    clientsettings.roblox.com
    dns
    BootstrapperV1.23.exe
    71 B
    165 B
    1
    1

    DNS Request

    clientsettings.roblox.com

    DNS Response

    128.116.119.4

  • 1.1.1.1:53
    4.119.116.128.in-addr.arpa
    dns
    72 B
    126 B
    1
    1

    DNS Request

    4.119.116.128.in-addr.arpa

  • 1.1.1.1:53
    58.55.71.13.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    58.55.71.13.in-addr.arpa

  • 1.1.1.1:53
    www.nodejs.org
    dns
    BootstrapperV1.23.exe
    60 B
    92 B
    1
    1

    DNS Request

    www.nodejs.org

    DNS Response

    104.20.23.46
    104.20.22.46

  • 1.1.1.1:53
    nodejs.org
    dns
    BootstrapperV1.23.exe
    56 B
    88 B
    1
    1

    DNS Request

    nodejs.org

    DNS Response

    104.20.22.46
    104.20.23.46

  • 1.1.1.1:53
    46.23.20.104.in-addr.arpa
    dns
    71 B
    133 B
    1
    1

    DNS Request

    46.23.20.104.in-addr.arpa

  • 1.1.1.1:53
    46.22.20.104.in-addr.arpa
    dns
    71 B
    133 B
    1
    1

    DNS Request

    46.22.20.104.in-addr.arpa

  • 1.1.1.1:53
    23.149.64.172.in-addr.arpa
    dns
    72 B
    134 B
    1
    1

    DNS Request

    23.149.64.172.in-addr.arpa

  • 1.1.1.1:53
    71.159.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    71.159.190.20.in-addr.arpa

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi

    Filesize

    30.1MB

    MD5

    0e4e9aa41d24221b29b19ba96c1a64d0

    SHA1

    231ade3d5a586c0eb4441c8dbfe9007dc26b2872

    SHA256

    5bfb6f3ab89e198539408f7e0e8ec0b0bd5efe8898573ec05b381228efb45a5d

    SHA512

    e6f27aecead72dffecbeaad46ebdf4b1fd3dbcddd1f6076ba183b654e4e32d30f7af1236bf2e04459186e993356fe2041840671be73612c8afed985c2c608913

  • C:\Windows\Installer\MSIEA7F.tmp

    Filesize

    122KB

    MD5

    9fe9b0ecaea0324ad99036a91db03ebb

    SHA1

    144068c64ec06fc08eadfcca0a014a44b95bb908

    SHA256

    e2cce64916e405976a1d0c522b44527d12b1cba19de25da62121cf5f41d184c9

    SHA512

    906641a73d69a841218ae90b83714a05af3537eec8ad1d761f58ac365cf005bdd74ad88f71c4437aaa126ac74fa46bcad424d17c746ab197eec2caa1bd838176

  • C:\Windows\Installer\MSIEACF.tmp

    Filesize

    211KB

    MD5

    a3ae5d86ecf38db9427359ea37a5f646

    SHA1

    eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

    SHA256

    c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

    SHA512

    96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

  • C:\Windows\Installer\MSIF522.tmp

    Filesize

    297KB

    MD5

    7a86ce1a899262dd3c1df656bff3fb2c

    SHA1

    33dcbe66c0dc0a16bab852ed0a6ef71c2d9e0541

    SHA256

    b8f2d0909d7c2934285a8be010d37c0609c7854a36562cbfcbce547f4f4c7b0c

    SHA512

    421e8195c47381de4b3125ab6719eec9be7acd2c97ce9247f4b70a309d32377917c9686b245864e914448fe53df2694d5ee5f327838d029989ba7acafda302ec

  • memory/4244-0-0x00007FFA07DA3000-0x00007FFA07DA5000-memory.dmp

    Filesize

    8KB

  • memory/4244-1-0x000002C19A270000-0x000002C19A33E000-memory.dmp

    Filesize

    824KB

  • memory/4244-2-0x00007FFA07DA0000-0x00007FFA08861000-memory.dmp

    Filesize

    10.8MB

  • memory/4244-4-0x00007FFA07DA3000-0x00007FFA07DA5000-memory.dmp

    Filesize

    8KB

  • memory/4244-5-0x000002C1B48B0000-0x000002C1B48D2000-memory.dmp

    Filesize

    136KB

  • memory/4244-9-0x00007FFA07DA0000-0x00007FFA08861000-memory.dmp

    Filesize

    10.8MB
