Overview

overview

7

Static

static

3

Bootstrapper.exe

windows11-21h2-x64

7

Resubmissions

26-11-2024 20:16

241126-y2bjestrcq 7

26-11-2024 20:14

241126-yz6xjsxnhy 7

Analysis

  • max time kernel
    42s
  • max time network
    45s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    26-11-2024 20:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Bootstrapper.exe

  • Size

    800KB

  • MD5

    02c70d9d6696950c198db93b7f6a835e

  • SHA1

    30231a467a49cc37768eea0f55f4bea1cbfb48e2

  • SHA256

    8f2e28588f2303bd8d7a9b0c3ff6a9cb16fa93f8ddc9c5e0666a8c12d6880ee3

  • SHA512

    431d9b9918553bff4f4a5bc2a5e7b7015f8ad0e2d390bb4d5264d08983372424156524ef5587b24b67d1226856fc630aaca08edc8113097e0094501b4f08efeb

  • SSDEEP

    12288:qhd8cjaLXVh84wEFkW1mocaBj6WtiRPpptHxQ0z:2ycjar84w5W4ocaBj6y2tHDz

Score
7/10

Malware Config

Signatures

  • Unexpected DNS network traffic destination 3 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of FindShellTrayWindow 21 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
    "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:464
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd" /c ipconfig /all
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:704
      • C:\Windows\system32\ipconfig.exe
        ipconfig /all
        3⤵
        • Gathers network information
        PID:396
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd" /c wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3896
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4068
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:3880
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1200
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        2⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2532
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1972 -parentBuildID 20240401114208 -prefsHandle 1900 -prefMapHandle 1892 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc7d218f-d8ac-4ef8-b303-63b9a4315fdf} 2532 "\\.\pipe\gecko-crash-server-pipe.2532" gpu
          3⤵
            PID:4764
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2364 -parentBuildID 20240401114208 -prefsHandle 2340 -prefMapHandle 2328 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b1e9fc06-3dd9-48ce-b151-f318a6277fd6} 2532 "\\.\pipe\gecko-crash-server-pipe.2532" socket
            3⤵
              PID:3552
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3256 -childID 1 -isForBrowser -prefsHandle 3156 -prefMapHandle 3132 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {59038f2f-ea47-447f-810a-1bff2902a4f4} 2532 "\\.\pipe\gecko-crash-server-pipe.2532" tab
              3⤵
                PID:808
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2512 -childID 2 -isForBrowser -prefsHandle 1672 -prefMapHandle 3560 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0cec2385-c628-4ab0-ad82-97c0ecc17e80} 2532 "\\.\pipe\gecko-crash-server-pipe.2532" tab
                3⤵
                  PID:4484
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5096 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 5088 -prefMapHandle 5084 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1708be1a-30b4-41c3-bdfc-a20590ba1e59} 2532 "\\.\pipe\gecko-crash-server-pipe.2532" utility
                  3⤵
                    PID:4244
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5336 -childID 3 -isForBrowser -prefsHandle 5328 -prefMapHandle 4972 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {789cdf68-27fc-4325-826e-bd725f1d179e} 2532 "\\.\pipe\gecko-crash-server-pipe.2532" tab
                    3⤵
                      PID:3312
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5488 -childID 4 -isForBrowser -prefsHandle 5572 -prefMapHandle 5568 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {42d288b6-4b65-4793-8004-bfe04827145f} 2532 "\\.\pipe\gecko-crash-server-pipe.2532" tab
                      3⤵
                        PID:5060
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5688 -childID 5 -isForBrowser -prefsHandle 5764 -prefMapHandle 5760 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ff7cd0d-7a99-45e8-b7c5-00a0af08451a} 2532 "\\.\pipe\gecko-crash-server-pipe.2532" tab
                        3⤵
                          PID:4396

                    Network

                    MITRE ATT&CK Enterprise v15

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\datareporting\glean\db\data.safe.tmp
                      Filesize

                      5KB

                      MD5

                      7b6c2e90b8ec23a55a1b5fd398607f09

                      SHA1

                      c489c26c7e116b623be9212a35f43e2db34233c8

                      SHA256

                      c2fb8bd5fb32a9242120d59fdd9b6d81790fb4d44567b552dedef451acd7538f

                      SHA512

                      6364b4667541d29086e49ad796b894496146085109ee9d6f2628bad4bdf52b461733da91328d8e1f941f0f4804cc92dec4e21400c1c71e8a83d7caeea04d8f36

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\datareporting\glean\db\data.safe.tmp
                      Filesize

                      5KB

                      MD5

                      d8d9c8b2daf069cfcb317c06ead89e9b

                      SHA1

                      74e255421c724470b59ed8225a04a35e475062b3

                      SHA256

                      7cab5192682f7c3fb12c4f0a25fc967f362bc5f1f8f3c07f79ac668fa3a408ab

                      SHA512

                      2244ae37fedb44a4c7e63059b115c0eb158d8173c698057ac5e03bf5264839822f8955e97f9545635073823f7c7d490fb6794fd1e4c242352a07d660e99a96ff

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\datareporting\glean\pending_pings\1a4cb2f5-d204-4838-9a6e-d77d2231ba19
                      Filesize

                      671B

                      MD5

                      800459368639d34e2d5ba39c8f995817

                      SHA1

                      b710f72dc2c886215d3aa140683ee94537c62e78

                      SHA256

                      cb974625d19c6270272bde90ba14db9fc20a3b6c3f97197e37cbaf2c7f5d7e3e

                      SHA512

                      e2025c68afcc72f5bde6c5aca78d0a1bdda8cebab039140e3f588b34e52e8e26370c9de05aeb23f1b77607470ad9539eca544043d0f9913b0611500f0a42b406

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\datareporting\glean\pending_pings\2ac90e34-4530-4d63-9e5a-e957ba0a91bb
                      Filesize

                      982B

                      MD5

                      882eff7e64014ca9f3d0878a47dd38a0

                      SHA1

                      065af820b3d09ce2e5148d614b464f4c962819fe

                      SHA256

                      a022de57bb9fea7359f41dbcb03182527ad3e68de08978eac483ea63f0f290d8

                      SHA512

                      c823a53ae55b5c33fde14b5afc5b8bb563216a98c2fee2f88dff9a04e6c2fdef9bc03fbd0eec859d85200d62b7e4c85a3019e407cff3e11d12311b8158c57119

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\datareporting\glean\pending_pings\e5725db7-2d12-4733-9f21-022034b84ed4
                      Filesize

                      23KB

                      MD5

                      4053e59d71b59b1cdbcae422a0785aab

                      SHA1

                      a45b5eca1f5ae8d03c46aefccdbb6be3b9f5582c

                      SHA256

                      0f9fa163da74e628251055b6d66e88480a443e22dd1f43710c858b7c607e8c7e

                      SHA512

                      8951523567412a66697639c924e2aa6d7136fe5d71895dcd78322b6a0b89e7ff45fe12bd570572651a9e05affd40cd98b5bab89ac20652a6f4a15e0776f33792

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\prefs.js
                      Filesize

                      10KB

                      MD5

                      ed7f27b1cadccf0a540c99532580a9a1

                      SHA1

                      cdcd08861cab9194a03e5ae18dde061930170f7a

                      SHA256

                      f191c13af76f22603e51650ef6268b526e99b4cbd43698a0c6367f7bd14da089

                      SHA512

                      65059a7329cc2d0ae3a3dd3156ed05cbc5c0093cb309e5de0199a895b8c63c6313910a224b7f581f8ed4418cac3c4ea8e9e66acf9d04da20cc2d69866b2c18b1

                      Download Submit

                    • memory/464-0-0x00007FFF60AB3000-0x00007FFF60AB5000-memory.dmp

                      Filesize

                      8KB

                      Download

                    • memory/464-1-0x0000022915640000-0x000002291570E000-memory.dmp

                      Filesize

                      824KB

                      Download

                    • memory/464-2-0x00007FFF60AB0000-0x00007FFF61572000-memory.dmp

                      Filesize

                      10.8MB

                      Download

                    • memory/464-4-0x00007FFF60AB3000-0x00007FFF60AB5000-memory.dmp

                      Filesize

                      8KB

                      Download

                    • memory/464-5-0x00007FFF60AB0000-0x00007FFF61572000-memory.dmp

                      Filesize

                      10.8MB

                      Download

                    • memory/464-7-0x00007FFF60AB0000-0x00007FFF61572000-memory.dmp

                      Filesize

                      10.8MB

                      Download