Overview

overview

7

Static

static

3

Bootstrapper.exe

windows7-x64

7

Bootstrapper.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    88s
  • max time network
    84s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    30-11-2024 12:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Bootstrapper.exe

  • Size

    800KB

  • MD5

    02c70d9d6696950c198db93b7f6a835e

  • SHA1

    30231a467a49cc37768eea0f55f4bea1cbfb48e2

  • SHA256

    8f2e28588f2303bd8d7a9b0c3ff6a9cb16fa93f8ddc9c5e0666a8c12d6880ee3

  • SHA512

    431d9b9918553bff4f4a5bc2a5e7b7015f8ad0e2d390bb4d5264d08983372424156524ef5587b24b67d1226856fc630aaca08edc8113097e0094501b4f08efeb

  • SSDEEP

    12288:qhd8cjaLXVh84wEFkW1mocaBj6WtiRPpptHxQ0z:2ycjar84w5W4ocaBj6y2tHDz

Score
7/10

Malware Config

Signatures

  • Unexpected DNS network traffic destination 29 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 9 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Gathers network information 2 TTPs 2 IoCs

    Uses commandline utility to view network configuration.

  • Modifies registry class 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 44 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
    "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2604
    • C:\Windows\system32\cmd.exe
      "cmd" /c ipconfig /all
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2380
      • C:\Windows\system32\ipconfig.exe
        ipconfig /all
        3⤵
        • Gathers network information
        PID:2800
    • C:\Windows\system32\cmd.exe
      "cmd" /c wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2888
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2952
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2604 -s 1124
      2⤵
        PID:2864
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\DISCORD
      1⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2284
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\DISCORD
        2⤵
          PID:3000
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\DISCORD
        1⤵
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of WriteProcessMemory
        PID:1996
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\DISCORD"
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1084
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\DISCORD
            3⤵
            • Checks processor information in registry
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:1840
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1840.0.191653456\299612118" -parentBuildID 20221007134813 -prefsHandle 1252 -prefMapHandle 1136 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {52130028-2b72-4076-9593-24387cebfa08} 1840 "\\.\pipe\gecko-crash-server-pipe.1840" 1328 7cecd58 gpu
              4⤵
                PID:592
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1840.1.1647687970\1097492814" -parentBuildID 20221007134813 -prefsHandle 1512 -prefMapHandle 1492 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d19ec3de-8d3d-43db-b9b2-583af9449cb5} 1840 "\\.\pipe\gecko-crash-server-pipe.1840" 1524 e6f558 socket
                4⤵
                • Checks processor information in registry
                PID:2940
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1840.2.1995170165\706809646" -childID 1 -isForBrowser -prefsHandle 2020 -prefMapHandle 2016 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 844 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e0f6c666-d226-4854-8f4e-590c614eaaa3} 1840 "\\.\pipe\gecko-crash-server-pipe.1840" 2032 7c60158 tab
                4⤵
                  PID:952
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1840.3.1004151895\1257620296" -childID 2 -isForBrowser -prefsHandle 2452 -prefMapHandle 2444 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 844 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d337b7cd-7d7a-4619-81aa-416d5ca64ee5} 1840 "\\.\pipe\gecko-crash-server-pipe.1840" 2464 e62858 tab
                  4⤵
                    PID:1760
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1840.4.1183929179\196424561" -childID 3 -isForBrowser -prefsHandle 3808 -prefMapHandle 3744 -prefsLen 26450 -prefMapSize 233444 -jsInitHandle 844 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ad63329c-c8a5-4602-8de0-0806594b3d75} 1840 "\\.\pipe\gecko-crash-server-pipe.1840" 3820 1fa72c58 tab
                    4⤵
                      PID:2360
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1840.5.1961164673\454861974" -childID 4 -isForBrowser -prefsHandle 3928 -prefMapHandle 3932 -prefsLen 26450 -prefMapSize 233444 -jsInitHandle 844 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {60932459-e615-4b38-b05b-62a0ec222de5} 1840 "\\.\pipe\gecko-crash-server-pipe.1840" 3916 1fa72358 tab
                      4⤵
                        PID:2124
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1840.6.1778228657\301791046" -childID 5 -isForBrowser -prefsHandle 4092 -prefMapHandle 4100 -prefsLen 26450 -prefMapSize 233444 -jsInitHandle 844 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8cad6406-e725-49b3-bfec-c499e64c2cbd} 1840 "\\.\pipe\gecko-crash-server-pipe.1840" 4080 1fa73e58 tab
                        4⤵
                          PID:2072
                  • C:\Users\Admin\Desktop\soar\Bootstrapper.exe
                    "C:\Users\Admin\Desktop\soar\Bootstrapper.exe"
                    1⤵
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2736
                    • C:\Windows\system32\cmd.exe
                      "cmd" /c ipconfig /all
                      2⤵
                        PID:836
                        • C:\Windows\system32\ipconfig.exe
                          ipconfig /all
                          3⤵
                          • Gathers network information
                          PID:1768
                      • C:\Windows\system32\WerFault.exe
                        C:\Windows\system32\WerFault.exe -u -p 2736 -s 1080
                        2⤵
                          PID:656

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n3lsnn48.default-release\activity-stream.discovery_stream.json.tmp
                        Filesize

                        24KB

                        MD5

                        82ca7c1a88e6b1e7596ebe576ecc9d29

                        SHA1

                        3968518d47236105d693385fc774350ac5f1eab4

                        SHA256

                        f9c6608d95ca44aee236d17945b701ba1559bddffdefccabf5e0efed1ca2647d

                        SHA512

                        49ba1f2ad6d495cec76b2e9a68ec4b13d0aa8e291d5aceeb0d36d460b58ed01f1fa4d6db55ac35348ac91dbf32e4a70bf4ab6a635b0d5fcd787338a2792a2f7b

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n3lsnn48.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
                        Filesize

                        13KB

                        MD5

                        f99b4984bd93547ff4ab09d35b9ed6d5

                        SHA1

                        73bf4d313cb094bb6ead04460da9547106794007

                        SHA256

                        402571262fd1f6dca336f822ceb0ec2a368a25dfe2f4bfa13b45c983e88b6069

                        SHA512

                        cd0ed84a24d3faae94290aca1b5ef65eef4cfba8a983da9f88ee3268fc611484a72bd44ca0947c0ca8de174619debae4604e15e4b2c364e636424ba1d37e1759

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\datareporting\glean\db\data.safe.bin
                        Filesize

                        2KB

                        MD5

                        3bc3f61ae7ae6130013576c15341ea50

                        SHA1

                        453551d5c0602342977e4bf6854c148af2589ce1

                        SHA256

                        044cc92673e7f4915949c0ce20bde8460c95d819d06569b2559a704417904acb

                        SHA512

                        4213f9c4d5fca37d80192c3246bef66d4efc731819cac7db5a63df49840a0c34593109b6965275c3080a498eded659817737e7b4ce0e34e24cd4f2bfd675b6cd

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\datareporting\glean\db\data.safe.bin
                        Filesize

                        2KB

                        MD5

                        967dae971b9750ace773c9b76375cc0c

                        SHA1

                        8efae3acadfc3b6bb3b6cb3ef288ccd8e1d88be9

                        SHA256

                        6820384c6769f0059cc55c907cef80ff00665eae0d0c1f91ced0dd1278d89894

                        SHA512

                        9c99333d6e7b8635aab0daed7d44adb4575c7de50a1af3a89e14dc15a6666b499488743631f123ca63d7ccb61011cc03456b920386e56ea73a3eab7beba1dd7c

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\datareporting\glean\pending_pings\95df2627-641d-47c2-8fbc-ae5c2f287dbe
                        Filesize

                        745B

                        MD5

                        4c2979f906d522ed306c3353f572dc29

                        SHA1

                        d21d91b6794dc47a147dbf9b06ea7d031e4e6647

                        SHA256

                        09ef7d86908843b9867430f1862a39ee47fe1309cfe8be20a1afa3dcd443f9af

                        SHA512

                        9d2a589a88475cb9b332981041a830a380618e60ff38e613289577efa82c25145dd0ae59e467e81933c1bb5de018d5e261064aaa71d062e57ba2cceda3d2424e

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\datareporting\glean\pending_pings\bafe306c-b775-498c-9d84-7e5efeb2673f
                        Filesize

                        11KB

                        MD5

                        be666cbd3912cf1d5835e1686ffa9219

                        SHA1

                        72aeeee47f91fba34b33d8ad047ce8d0c7b4245c

                        SHA256

                        10492e69da879fc88fc014820c5168566b4e18265f1b2942b80f5ec49142a1d8

                        SHA512

                        f892b72627f1a81570dda0c11f5ca485e9c6476e1905b61575a413bc287acb1acec15d9a91ea2fc12ef48cb7e694f742acc76d80704ad45eaeb9000671293eef

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\prefs-1.js
                        Filesize

                        6KB

                        MD5

                        9c85445832a123215d69cd8040c86217

                        SHA1

                        3c4756cc595f0a43bbf66466662661f5391cb8ab

                        SHA256

                        1e5dcc246fac99bba9dd593e9204be58eb0093f0945d2f000624127b0ae012ac

                        SHA512

                        190c444594f3d95b10ff0b4d7bbc2b415d58db67ad70ca0808eb1e1f50d93f376c5bce9f60648b2d95bc3d6c8fecd005f3c25d494a5f6244a36042ca5dee9028

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\prefs.js
                        Filesize

                        6KB

                        MD5

                        52b5bbee0567b62ef946b432f392c067

                        SHA1

                        7fc069eb54e629b7fc316d0f835b0648e8ee56dd

                        SHA256

                        78b777e6fc9ae24a6de8c138459e6af8b40dc163886e238ad46aca1cc1d94466

                        SHA512

                        d6cebbb3a3383e7f2ce1391fa76d34317a084078ee91030bf2f3cba117e88ce8b5efe4b44f1530d4768d5cc148c6cfdcaef08fb33a25ecaa0e8f09c46f17f0e5

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\sessionstore.jsonlz4
                        Filesize

                        863B

                        MD5

                        b63db482e4ebf9c3d97b8b041f274b6a

                        SHA1

                        310d93349a23a4d12a46530fd388e216b55c61cc

                        SHA256

                        c3bd601462c19086dca63a16c5c930207526f0cd4b9cb7608a1e21eb64d8446b

                        SHA512

                        d2fe771b60207c9ba34972c1a5e951c73e03a3dfcea7621cfb19e19930f644a47b1bdc162c7e46f27e933d830a618299e7cbf24b567ebf19e29b6c05a8499ff9

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
                        Filesize

                        184KB

                        MD5

                        92e8ec5aa8036c140036cd9fee54c2e3

                        SHA1

                        c2da28589c00b1c2846a6e5c554472d7e93a9f4a

                        SHA256

                        78205cd9091d5f354be57f73cbfc010b0b96894fc48e91140b541913b7af9663

                        SHA512

                        babd843754d72b10fc7d77ae0465ff3749c4da09e40960d699662ae8c472a8cfebde875f081dc6347d61c5e8822810deefd6437265055584965d660d2c2a7fc7

                        Download Submit

                      • memory/2604-4-0x000007FEF5760000-0x000007FEF614C000-memory.dmp

                        Filesize

                        9.9MB

                        Download

                      • memory/2604-3-0x000007FEF5760000-0x000007FEF614C000-memory.dmp

                        Filesize

                        9.9MB

                        Download

                      • memory/2604-2-0x000007FEF5763000-0x000007FEF5764000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/2604-1-0x0000000000380000-0x000000000044E000-memory.dmp

                        Filesize

                        824KB

                        Download

                      • memory/2604-0-0x000007FEF5763000-0x000007FEF5764000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/2736-200-0x0000000000B70000-0x0000000000C3E000-memory.dmp

                        Filesize

                        824KB

                        Download