Analysis
-
max time kernel
61s -
max time network
35s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
04-12-2024 04:36
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
Bootstrapper.exe
Resource
win7-20240903-en
windows7-x64
3 signatures
150 seconds
Behavioral task
behavioral2
Sample
Bootstrapper.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
3 signatures
150 seconds
General
-
Target
Bootstrapper.exe
-
Size
800KB
-
MD5
02c70d9d6696950c198db93b7f6a835e
-
SHA1
30231a467a49cc37768eea0f55f4bea1cbfb48e2
-
SHA256
8f2e28588f2303bd8d7a9b0c3ff6a9cb16fa93f8ddc9c5e0666a8c12d6880ee3
-
SHA512
431d9b9918553bff4f4a5bc2a5e7b7015f8ad0e2d390bb4d5264d08983372424156524ef5587b24b67d1226856fc630aaca08edc8113097e0094501b4f08efeb
-
SSDEEP
12288:qhd8cjaLXVh84wEFkW1mocaBj6WtiRPpptHxQ0z:2ycjar84w5W4ocaBj6y2tHDz
Score
1/10
Malware Config
Signatures
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
pid Process 3600 ipconfig.exe -
Suspicious use of AdjustPrivilegeToken 43 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 2464 WMIC.exe Token: SeSecurityPrivilege 2464 WMIC.exe Token: SeTakeOwnershipPrivilege 2464 WMIC.exe Token: SeLoadDriverPrivilege 2464 WMIC.exe Token: SeSystemProfilePrivilege 2464 WMIC.exe Token: SeSystemtimePrivilege 2464 WMIC.exe Token: SeProfSingleProcessPrivilege 2464 WMIC.exe Token: SeIncBasePriorityPrivilege 2464 WMIC.exe Token: SeCreatePagefilePrivilege 2464 WMIC.exe Token: SeBackupPrivilege 2464 WMIC.exe Token: SeRestorePrivilege 2464 WMIC.exe Token: SeShutdownPrivilege 2464 WMIC.exe Token: SeDebugPrivilege 2464 WMIC.exe Token: SeSystemEnvironmentPrivilege 2464 WMIC.exe Token: SeRemoteShutdownPrivilege 2464 WMIC.exe Token: SeUndockPrivilege 2464 WMIC.exe Token: SeManageVolumePrivilege 2464 WMIC.exe Token: 33 2464 WMIC.exe Token: 34 2464 WMIC.exe Token: 35 2464 WMIC.exe Token: 36 2464 WMIC.exe Token: SeIncreaseQuotaPrivilege 2464 WMIC.exe Token: SeSecurityPrivilege 2464 WMIC.exe Token: SeTakeOwnershipPrivilege 2464 WMIC.exe Token: SeLoadDriverPrivilege 2464 WMIC.exe Token: SeSystemProfilePrivilege 2464 WMIC.exe Token: SeSystemtimePrivilege 2464 WMIC.exe Token: SeProfSingleProcessPrivilege 2464 WMIC.exe Token: SeIncBasePriorityPrivilege 2464 WMIC.exe Token: SeCreatePagefilePrivilege 2464 WMIC.exe Token: SeBackupPrivilege 2464 WMIC.exe Token: SeRestorePrivilege 2464 WMIC.exe Token: SeShutdownPrivilege 2464 WMIC.exe Token: SeDebugPrivilege 2464 WMIC.exe Token: SeSystemEnvironmentPrivilege 2464 WMIC.exe Token: SeRemoteShutdownPrivilege 2464 WMIC.exe Token: SeUndockPrivilege 2464 WMIC.exe Token: SeManageVolumePrivilege 2464 WMIC.exe Token: 33 2464 WMIC.exe Token: 34 2464 WMIC.exe Token: 35 2464 WMIC.exe Token: 36 2464 WMIC.exe Token: SeDebugPrivilege 1620 Bootstrapper.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 1620 wrote to memory of 2360 1620 Bootstrapper.exe 83 PID 1620 wrote to memory of 2360 1620 Bootstrapper.exe 83 PID 2360 wrote to memory of 3600 2360 cmd.exe 85 PID 2360 wrote to memory of 3600 2360 cmd.exe 85 PID 1620 wrote to memory of 4084 1620 Bootstrapper.exe 94 PID 1620 wrote to memory of 4084 1620 Bootstrapper.exe 94 PID 4084 wrote to memory of 2464 4084 cmd.exe 96 PID 4084 wrote to memory of 2464 4084 cmd.exe 96
Processes
-
C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1620 -
C:\Windows\SYSTEM32\cmd.exe"cmd" /c ipconfig /all2⤵
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Windows\system32\ipconfig.exeipconfig /all3⤵
- Gathers network information
PID:3600
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /c wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")2⤵
- Suspicious use of WriteProcessMemory
PID:4084 -
C:\Windows\System32\Wbem\WMIC.exewmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2464
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:1616
Network
-
Remote address:8.8.8.8:53Request8.8.8.8.in-addr.arpaIN PTRResponse8.8.8.8.in-addr.arpaIN PTRdnsgoogle
-
Remote address:8.8.8.8:53Request28.118.140.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request172.210.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request71.159.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request228.249.119.40.in-addr.arpaIN PTRResponse
-
Remote address:1.1.1.1:53Requestgetsolara.devIN AResponsegetsolara.devIN A104.21.93.27getsolara.devIN A172.67.203.125
-
Remote address:104.21.93.27:443RequestGET /asset/discord.json HTTP/1.1
Host: getsolara.dev
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Cache-Control: public, max-age=0, must-revalidate
ETag: W/"7d966f73b6ce74a610dddaf0d0951ed8"
referrer-policy: strict-origin-when-cross-origin
x-content-type-options: nosniff
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=i9%2FQ8IdbJBkYNiiKiDpmyDtF4Z6tgxLDOttqdPVNYwJQZaijUss%2BXmCgp2Yf3pZpgR73GmNpOwKK1bl1hBrGYaJD3WY01eiEmFbgQMiMzB17RexxXcQ0xwks7ONY6T%2Ft"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Vary: Accept-Encoding
CF-Cache-Status: DYNAMIC
Strict-Transport-Security: max-age=0
Server: cloudflare
CF-RAY: 8ec919c51c4e6538-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=52727&min_rtt=47272&rtt_var=18249&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2975&recv_bytes=378&delivery_rate=57412&cwnd=253&unsent_bytes=0&cid=37666299f78e57e5&ts=174&x=0"
-
Remote address:104.21.93.27:443RequestGET /api/endpoint.json HTTP/1.1
Host: getsolara.dev
ResponseHTTP/1.1 200 OK
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Cache-Control: public, max-age=0, must-revalidate
ETag: W/"94670152d340e6e41e0e564b886ac5d4"
referrer-policy: strict-origin-when-cross-origin
x-content-type-options: nosniff
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8nNUMs9PonH1m7FC47yOVKsrRBfoQdc4d8e5j5puPex4gec1qWhvXneUIwDMlI%2FLcFC5YY4ORy06OKAAp5Bxrtx7ARo5hZDawKTmOWjR%2FDjLqUpuHKsI9rQTPPNMzTEZ"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Vary: Accept-Encoding
CF-Cache-Status: DYNAMIC
Strict-Transport-Security: max-age=0
Server: cloudflare
CF-RAY: 8ec919d25d066538-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=52146&min_rtt=47272&rtt_var=14850&sent=7&recv=8&lost=0&retrans=0&sent_bytes=4198&recv_bytes=463&delivery_rate=57412&cwnd=255&unsent_bytes=0&cid=37666299f78e57e5&ts=2279&x=0"
-
Remote address:1.1.1.1:53Request27.93.21.104.in-addr.arpaIN PTRResponse
-
Remote address:1.1.1.1:53Request217.106.137.52.in-addr.arpaIN PTRResponse
-
Remote address:1.1.1.1:53Request50.23.12.20.in-addr.arpaIN PTRResponse
-
Remote address:1.1.1.1:53Request206.23.85.13.in-addr.arpaIN PTRResponse
-
Remote address:1.1.1.1:53Request172.214.232.199.in-addr.arpaIN PTRResponse
-
905 B 6.4kB 10 12
HTTP Request
GET https://getsolara.dev/asset/discord.jsonHTTP Response
200HTTP Request
GET https://getsolara.dev/api/endpoint.jsonHTTP Response
200 -
-
-
66 B 90 B 1 1
DNS Request
8.8.8.8.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
28.118.140.52.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.210.232.199.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
71.159.190.20.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
73 B 159 B 1 1
DNS Request
228.249.119.40.in-addr.arpa
-
158 B 2
-
59 B 91 B 1 1
DNS Request
getsolara.dev
DNS Response
104.21.93.27172.67.203.125
-
71 B 133 B 1 1
DNS Request
27.93.21.104.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
217.106.137.52.in-addr.arpa
-
70 B 156 B 1 1
DNS Request
50.23.12.20.in-addr.arpa
-
71 B 145 B 1 1
DNS Request
206.23.85.13.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.214.232.199.in-addr.arpa
-