Analysis

  • max time kernel
    61s
  • max time network
    35s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04-12-2024 04:36

General

  • Target

    Bootstrapper.exe

  • Size

    800KB

  • MD5

    02c70d9d6696950c198db93b7f6a835e

  • SHA1

    30231a467a49cc37768eea0f55f4bea1cbfb48e2

  • SHA256

    8f2e28588f2303bd8d7a9b0c3ff6a9cb16fa93f8ddc9c5e0666a8c12d6880ee3

  • SHA512

    431d9b9918553bff4f4a5bc2a5e7b7015f8ad0e2d390bb4d5264d08983372424156524ef5587b24b67d1226856fc630aaca08edc8113097e0094501b4f08efeb

  • SSDEEP

    12288:qhd8cjaLXVh84wEFkW1mocaBj6WtiRPpptHxQ0z:2ycjar84w5W4ocaBj6y2tHDz

Score
1/10

Malware Config

Signatures

  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
    "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1620
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd" /c ipconfig /all
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2360
      • C:\Windows\system32\ipconfig.exe
        ipconfig /all
        3⤵
        • Gathers network information
        PID:3600
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd" /c wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4084
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2464
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:1616

    Network

    • US
      DNS
      8.8.8.8.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      8.8.8.8.in-addr.arpa
      IN PTR
      Response
      8.8.8.8.in-addr.arpa
      IN PTR
      dns.google
    • US
      DNS
      28.118.140.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      28.118.140.52.in-addr.arpa
      IN PTR
      Response
    • US
      DNS
      172.210.232.199.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      172.210.232.199.in-addr.arpa
      IN PTR
      Response
    • US
      DNS
      71.159.190.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      71.159.190.20.in-addr.arpa
      IN PTR
      Response
    • US
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • US
      DNS
      228.249.119.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      228.249.119.40.in-addr.arpa
      IN PTR
      Response
    • US
      DNS
      getsolara.dev
      Bootstrapper.exe
      Remote address:
      1.1.1.1:53
      Request
      getsolara.dev
      IN A
      Response
      getsolara.dev
      IN A
      104.21.93.27
      getsolara.dev
      IN A
      172.67.203.125
    • US
      GET
      https://getsolara.dev/asset/discord.json
      Bootstrapper.exe
      Remote address:
      104.21.93.27:443
      Request
      GET /asset/discord.json HTTP/1.1
      Host: getsolara.dev
      Connection: Keep-Alive
      Response
      HTTP/1.1 200 OK
      Date: Wed, 04 Dec 2024 04:37:20 GMT
      Content-Type: application/json
      Transfer-Encoding: chunked
      Connection: keep-alive
      Access-Control-Allow-Origin: *
      Cache-Control: public, max-age=0, must-revalidate
      ETag: W/"7d966f73b6ce74a610dddaf0d0951ed8"
      referrer-policy: strict-origin-when-cross-origin
      x-content-type-options: nosniff
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=i9%2FQ8IdbJBkYNiiKiDpmyDtF4Z6tgxLDOttqdPVNYwJQZaijUss%2BXmCgp2Yf3pZpgR73GmNpOwKK1bl1hBrGYaJD3WY01eiEmFbgQMiMzB17RexxXcQ0xwks7ONY6T%2Ft"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Vary: Accept-Encoding
      CF-Cache-Status: DYNAMIC
      Strict-Transport-Security: max-age=0
      Server: cloudflare
      CF-RAY: 8ec919c51c4e6538-LHR
      alt-svc: h3=":443"; ma=86400
      server-timing: cfL4;desc="?proto=TCP&rtt=52727&min_rtt=47272&rtt_var=18249&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2975&recv_bytes=378&delivery_rate=57412&cwnd=253&unsent_bytes=0&cid=37666299f78e57e5&ts=174&x=0"
    • US
      GET
      https://getsolara.dev/api/endpoint.json
      Bootstrapper.exe
      Remote address:
      104.21.93.27:443
      Request
      GET /api/endpoint.json HTTP/1.1
      Host: getsolara.dev
      Response
      HTTP/1.1 200 OK
      Date: Wed, 04 Dec 2024 04:37:22 GMT
      Content-Type: application/json
      Transfer-Encoding: chunked
      Connection: keep-alive
      Access-Control-Allow-Origin: *
      Cache-Control: public, max-age=0, must-revalidate
      ETag: W/"94670152d340e6e41e0e564b886ac5d4"
      referrer-policy: strict-origin-when-cross-origin
      x-content-type-options: nosniff
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8nNUMs9PonH1m7FC47yOVKsrRBfoQdc4d8e5j5puPex4gec1qWhvXneUIwDMlI%2FLcFC5YY4ORy06OKAAp5Bxrtx7ARo5hZDawKTmOWjR%2FDjLqUpuHKsI9rQTPPNMzTEZ"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Vary: Accept-Encoding
      CF-Cache-Status: DYNAMIC
      Strict-Transport-Security: max-age=0
      Server: cloudflare
      CF-RAY: 8ec919d25d066538-LHR
      alt-svc: h3=":443"; ma=86400
      server-timing: cfL4;desc="?proto=TCP&rtt=52146&min_rtt=47272&rtt_var=14850&sent=7&recv=8&lost=0&retrans=0&sent_bytes=4198&recv_bytes=463&delivery_rate=57412&cwnd=255&unsent_bytes=0&cid=37666299f78e57e5&ts=2279&x=0"
    • US
      DNS
      27.93.21.104.in-addr.arpa
      Remote address:
      1.1.1.1:53
      Request
      27.93.21.104.in-addr.arpa
      IN PTR
      Response
    • US
      DNS
      217.106.137.52.in-addr.arpa
      Remote address:
      1.1.1.1:53
      Request
      217.106.137.52.in-addr.arpa
      IN PTR
      Response
    • US
      DNS
      50.23.12.20.in-addr.arpa
      Remote address:
      1.1.1.1:53
      Request
      50.23.12.20.in-addr.arpa
      IN PTR
      Response
    • US
      DNS
      206.23.85.13.in-addr.arpa
      Remote address:
      1.1.1.1:53
      Request
      206.23.85.13.in-addr.arpa
      IN PTR
      Response
    • US
      DNS
      172.214.232.199.in-addr.arpa
      Remote address:
      1.1.1.1:53
      Request
      172.214.232.199.in-addr.arpa
      IN PTR
      Response
    • 104.21.93.27:443
      https://getsolara.dev/api/endpoint.json
      tls, http
      Bootstrapper.exe
      905 B
      6.4kB
      10
      12

      HTTP Request

      GET https://getsolara.dev/asset/discord.json

      HTTP Response

      200

      HTTP Request

      GET https://getsolara.dev/api/endpoint.json

      HTTP Response

      200
    • 127.0.0.1:6463
      Bootstrapper.exe
    • 199.232.210.172:80
    • 8.8.8.8:53
      8.8.8.8.in-addr.arpa
      dns
      66 B
      90 B
      1
      1

      DNS Request

      8.8.8.8.in-addr.arpa

    • 8.8.8.8:53
      28.118.140.52.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      28.118.140.52.in-addr.arpa

    • 8.8.8.8:53
      172.210.232.199.in-addr.arpa
      dns
      74 B
      128 B
      1
      1

      DNS Request

      172.210.232.199.in-addr.arpa

    • 8.8.8.8:53
      71.159.190.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      71.159.190.20.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
      144 B
      1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      228.249.119.40.in-addr.arpa
      dns
      73 B
      159 B
      1
      1

      DNS Request

      228.249.119.40.in-addr.arpa

    • 224.0.0.251:5353
      158 B
      2
    • 1.1.1.1:53
      getsolara.dev
      dns
      Bootstrapper.exe
      59 B
      91 B
      1
      1

      DNS Request

      getsolara.dev

      DNS Response

      104.21.93.27
      172.67.203.125

    • 1.1.1.1:53
      27.93.21.104.in-addr.arpa
      dns
      71 B
      133 B
      1
      1

      DNS Request

      27.93.21.104.in-addr.arpa

    • 1.1.1.1:53
      217.106.137.52.in-addr.arpa
      dns
      73 B
      147 B
      1
      1

      DNS Request

      217.106.137.52.in-addr.arpa

    • 1.1.1.1:53
      50.23.12.20.in-addr.arpa
      dns
      70 B
      156 B
      1
      1

      DNS Request

      50.23.12.20.in-addr.arpa

    • 1.1.1.1:53
      206.23.85.13.in-addr.arpa
      dns
      71 B
      145 B
      1
      1

      DNS Request

      206.23.85.13.in-addr.arpa

    • 1.1.1.1:53
      172.214.232.199.in-addr.arpa
      dns
      74 B
      128 B
      1
      1

      DNS Request

      172.214.232.199.in-addr.arpa

    • 1.1.1.1:53

    MITRE ATT&CK Enterprise v15

    Downloads

    • memory/1620-0-0x00007FFFF8853000-0x00007FFFF8855000-memory.dmp

      Filesize

      8KB

    • memory/1620-1-0x0000021A2F2F0000-0x0000021A2F3BE000-memory.dmp

      Filesize

      824KB

    • memory/1620-2-0x00007FFFF8853000-0x00007FFFF8855000-memory.dmp

      Filesize

      8KB

    • memory/1620-3-0x00007FFFF8850000-0x00007FFFF9311000-memory.dmp

      Filesize

      10.8MB

    • memory/1620-5-0x0000021A31030000-0x0000021A31052000-memory.dmp

      Filesize

      136KB

    • memory/1620-6-0x00007FFFF8850000-0x00007FFFF9311000-memory.dmp

      Filesize

      10.8MB
