Resubmissions

30-11-2024 15:00

241130-sdggwawrdx 7

30-11-2024 14:58

241130-sb5fxswrbx 3

Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    30-11-2024 15:00

General

  • Target

    Bootstrapper (2).exe

  • Size

    800KB

  • MD5

    02c70d9d6696950c198db93b7f6a835e

  • SHA1

    30231a467a49cc37768eea0f55f4bea1cbfb48e2

  • SHA256

    8f2e28588f2303bd8d7a9b0c3ff6a9cb16fa93f8ddc9c5e0666a8c12d6880ee3

  • SHA512

    431d9b9918553bff4f4a5bc2a5e7b7015f8ad0e2d390bb4d5264d08983372424156524ef5587b24b67d1226856fc630aaca08edc8113097e0094501b4f08efeb

  • SSDEEP

    12288:qhd8cjaLXVh84wEFkW1mocaBj6WtiRPpptHxQ0z:2ycjar84w5W4ocaBj6y2tHDz

Score
1/10

Malware Config

Signatures

  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Bootstrapper (2).exe
    "C:\Users\Admin\AppData\Local\Temp\Bootstrapper (2).exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2012
    • C:\Windows\system32\cmd.exe
      "cmd" /c ipconfig /all
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2044
      • C:\Windows\system32\ipconfig.exe
        ipconfig /all
        3⤵
        • Gathers network information
        PID:2692
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2012 -s 1124
      2⤵
        PID:2220

    Network

    • flag-us
      DNS
      getsolara.dev
      Bootstrapper (2).exe
      Remote address:
      8.8.8.8:53
      Request
      getsolara.dev
      IN A
      Response
      getsolara.dev
      IN A
      172.67.203.125
      getsolara.dev
      IN A
      104.21.93.27
    • flag-us
      DNS
      gitlab.com
      Bootstrapper (2).exe
      Remote address:
      8.8.8.8:53
      Request
      gitlab.com
      IN A
      Response
      gitlab.com
      IN A
      172.65.251.78
    • 172.67.203.125:443
      getsolara.dev
      tls
      Bootstrapper (2).exe
      347 B
      219 B
      5
      5
    • 172.65.251.78:443
      gitlab.com
      tls
      Bootstrapper (2).exe
      344 B
      219 B
      5
      5
    • 127.0.0.1:6463
      Bootstrapper (2).exe
    • 8.8.8.8:53
      getsolara.dev
      dns
      Bootstrapper (2).exe
      59 B
      91 B
      1
      1

      DNS Request

      getsolara.dev

      DNS Response

      172.67.203.125
      104.21.93.27

    • 8.8.8.8:53
      gitlab.com
      dns
      Bootstrapper (2).exe
      56 B
      72 B
      1
      1

      DNS Request

      gitlab.com

      DNS Response

      172.65.251.78

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2012-0-0x000007FEF56B3000-0x000007FEF56B4000-memory.dmp

      Filesize

      4KB

    • memory/2012-1-0x00000000011C0000-0x000000000128E000-memory.dmp

      Filesize

      824KB

    • memory/2012-2-0x000007FEF56B0000-0x000007FEF609C000-memory.dmp

      Filesize

      9.9MB

    • memory/2012-3-0x000007FEF56B3000-0x000007FEF56B4000-memory.dmp

      Filesize

      4KB

    • memory/2012-4-0x000007FEF56B0000-0x000007FEF609C000-memory.dmp

      Filesize

      9.9MB

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.