Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
30-11-2024 15:00
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
Bootstrapper (2).exe
Resource
win7-20240903-en
windows7-x64
3 signatures
150 seconds
Behavioral task
behavioral2
Sample
Bootstrapper (2).exe
Resource
win10v2004-20241007-en
windows10-2004-x64
16 signatures
150 seconds
General
-
Target
Bootstrapper (2).exe
-
Size
800KB
-
MD5
02c70d9d6696950c198db93b7f6a835e
-
SHA1
30231a467a49cc37768eea0f55f4bea1cbfb48e2
-
SHA256
8f2e28588f2303bd8d7a9b0c3ff6a9cb16fa93f8ddc9c5e0666a8c12d6880ee3
-
SHA512
431d9b9918553bff4f4a5bc2a5e7b7015f8ad0e2d390bb4d5264d08983372424156524ef5587b24b67d1226856fc630aaca08edc8113097e0094501b4f08efeb
-
SSDEEP
12288:qhd8cjaLXVh84wEFkW1mocaBj6WtiRPpptHxQ0z:2ycjar84w5W4ocaBj6y2tHDz
Score
1/10
Malware Config
Signatures
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
pid Process 2692 ipconfig.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2012 Bootstrapper (2).exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 2012 wrote to memory of 2044 2012 Bootstrapper (2).exe 31 PID 2012 wrote to memory of 2044 2012 Bootstrapper (2).exe 31 PID 2012 wrote to memory of 2044 2012 Bootstrapper (2).exe 31 PID 2044 wrote to memory of 2692 2044 cmd.exe 33 PID 2044 wrote to memory of 2692 2044 cmd.exe 33 PID 2044 wrote to memory of 2692 2044 cmd.exe 33 PID 2012 wrote to memory of 2220 2012 Bootstrapper (2).exe 34 PID 2012 wrote to memory of 2220 2012 Bootstrapper (2).exe 34 PID 2012 wrote to memory of 2220 2012 Bootstrapper (2).exe 34
Processes
-
C:\Users\Admin\AppData\Local\Temp\Bootstrapper (2).exe"C:\Users\Admin\AppData\Local\Temp\Bootstrapper (2).exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\system32\cmd.exe"cmd" /c ipconfig /all2⤵
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Windows\system32\ipconfig.exeipconfig /all3⤵
- Gathers network information
PID:2692
-
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2012 -s 11242⤵PID:2220
-
Network
-
Remote address:8.8.8.8:53Requestgetsolara.devIN AResponsegetsolara.devIN A172.67.203.125getsolara.devIN A104.21.93.27
-
Remote address:8.8.8.8:53Requestgitlab.comIN AResponsegitlab.comIN A172.65.251.78
-
347 B 219 B 5 5
-
344 B 219 B 5 5
-