8f2e28588f2303bd8d7a9b0c3ff6a9cb16fa93f8ddc9c5e0666a8c12d6880ee3

Analysis

max time kernel
24s
max time network
16s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-12-2024 01:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bootstrapper.exe
Size

800KB
MD5

02c70d9d6696950c198db93b7f6a835e
SHA1

30231a467a49cc37768eea0f55f4bea1cbfb48e2
SHA256

8f2e28588f2303bd8d7a9b0c3ff6a9cb16fa93f8ddc9c5e0666a8c12d6880ee3
SHA512

431d9b9918553bff4f4a5bc2a5e7b7015f8ad0e2d390bb4d5264d08983372424156524ef5587b24b67d1226856fc630aaca08edc8113097e0094501b4f08efeb
SSDEEP

12288:qhd8cjaLXVh84wEFkW1mocaBj6WtiRPpptHxQ0z:2ycjar84w5W4ocaBj6y2tHDz

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2608	ipconfig.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133791324299648103"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
916	chrome.exe
916	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
916	chrome.exe
916	chrome.exe
916	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3096	WMIC.exe
Token: SeSecurityPrivilege	3096	WMIC.exe
Token: SeTakeOwnershipPrivilege	3096	WMIC.exe
Token: SeLoadDriverPrivilege	3096	WMIC.exe
Token: SeSystemProfilePrivilege	3096	WMIC.exe
Token: SeSystemtimePrivilege	3096	WMIC.exe
Token: SeProfSingleProcessPrivilege	3096	WMIC.exe
Token: SeIncBasePriorityPrivilege	3096	WMIC.exe
Token: SeCreatePagefilePrivilege	3096	WMIC.exe
Token: SeBackupPrivilege	3096	WMIC.exe
Token: SeRestorePrivilege	3096	WMIC.exe
Token: SeShutdownPrivilege	3096	WMIC.exe
Token: SeDebugPrivilege	3096	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3096	WMIC.exe
Token: SeRemoteShutdownPrivilege	3096	WMIC.exe
Token: SeUndockPrivilege	3096	WMIC.exe
Token: SeManageVolumePrivilege	3096	WMIC.exe
Token: 33	3096	WMIC.exe
Token: 34	3096	WMIC.exe
Token: 35	3096	WMIC.exe
Token: 36	3096	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3096	WMIC.exe
Token: SeSecurityPrivilege	3096	WMIC.exe
Token: SeTakeOwnershipPrivilege	3096	WMIC.exe
Token: SeLoadDriverPrivilege	3096	WMIC.exe
Token: SeSystemProfilePrivilege	3096	WMIC.exe
Token: SeSystemtimePrivilege	3096	WMIC.exe
Token: SeProfSingleProcessPrivilege	3096	WMIC.exe
Token: SeIncBasePriorityPrivilege	3096	WMIC.exe
Token: SeCreatePagefilePrivilege	3096	WMIC.exe
Token: SeBackupPrivilege	3096	WMIC.exe
Token: SeRestorePrivilege	3096	WMIC.exe
Token: SeShutdownPrivilege	3096	WMIC.exe
Token: SeDebugPrivilege	3096	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3096	WMIC.exe
Token: SeRemoteShutdownPrivilege	3096	WMIC.exe
Token: SeUndockPrivilege	3096	WMIC.exe
Token: SeManageVolumePrivilege	3096	WMIC.exe
Token: 33	3096	WMIC.exe
Token: 34	3096	WMIC.exe
Token: 35	3096	WMIC.exe
Token: 36	3096	WMIC.exe
Token: SeDebugPrivilege	3800	Bootstrapper.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3800 wrote to memory of 2504	3800	Bootstrapper.exe	85
PID 3800 wrote to memory of 2504	3800	Bootstrapper.exe	85
PID 2504 wrote to memory of 2608	2504	cmd.exe	87
PID 2504 wrote to memory of 2608	2504	cmd.exe	87
PID 3800 wrote to memory of 2728	3800	Bootstrapper.exe	92
PID 3800 wrote to memory of 2728	3800	Bootstrapper.exe	92
PID 2728 wrote to memory of 3096	2728	cmd.exe	95
PID 2728 wrote to memory of 3096	2728	cmd.exe	95
PID 916 wrote to memory of 4160	916	chrome.exe	111
PID 916 wrote to memory of 4160	916	chrome.exe	111
PID 916 wrote to memory of 3032	916	chrome.exe	112
PID 916 wrote to memory of 3032	916	chrome.exe	112
PID 916 wrote to memory of 3032	916	chrome.exe	112
PID 916 wrote to memory of 3032	916	chrome.exe	112
PID 916 wrote to memory of 3032	916	chrome.exe	112
PID 916 wrote to memory of 3032	916	chrome.exe	112
PID 916 wrote to memory of 3032	916	chrome.exe	112
PID 916 wrote to memory of 3032	916	chrome.exe	112
PID 916 wrote to memory of 3032	916	chrome.exe	112
PID 916 wrote to memory of 3032	916	chrome.exe	112
PID 916 wrote to memory of 3032	916	chrome.exe	112
PID 916 wrote to memory of 3032	916	chrome.exe	112
PID 916 wrote to memory of 3032	916	chrome.exe	112
PID 916 wrote to memory of 3032	916	chrome.exe	112
PID 916 wrote to memory of 3032	916	chrome.exe	112
PID 916 wrote to memory of 3032	916	chrome.exe	112
PID 916 wrote to memory of 3032	916	chrome.exe	112
PID 916 wrote to memory of 3032	916	chrome.exe	112
PID 916 wrote to memory of 3032	916	chrome.exe	112
PID 916 wrote to memory of 3032	916	chrome.exe	112
PID 916 wrote to memory of 3032	916	chrome.exe	112
PID 916 wrote to memory of 3032	916	chrome.exe	112
PID 916 wrote to memory of 3032	916	chrome.exe	112
PID 916 wrote to memory of 3032	916	chrome.exe	112
PID 916 wrote to memory of 3032	916	chrome.exe	112
PID 916 wrote to memory of 3032	916	chrome.exe	112
PID 916 wrote to memory of 3032	916	chrome.exe	112
PID 916 wrote to memory of 3032	916	chrome.exe	112
PID 916 wrote to memory of 3032	916	chrome.exe	112
PID 916 wrote to memory of 3032	916	chrome.exe	112
PID 916 wrote to memory of 3368	916	chrome.exe	113
PID 916 wrote to memory of 3368	916	chrome.exe	113
PID 916 wrote to memory of 1096	916	chrome.exe	114
PID 916 wrote to memory of 1096	916	chrome.exe	114
PID 916 wrote to memory of 1096	916	chrome.exe	114
PID 916 wrote to memory of 1096	916	chrome.exe	114
PID 916 wrote to memory of 1096	916	chrome.exe	114
PID 916 wrote to memory of 1096	916	chrome.exe	114
PID 916 wrote to memory of 1096	916	chrome.exe	114
PID 916 wrote to memory of 1096	916	chrome.exe	114
PID 916 wrote to memory of 1096	916	chrome.exe	114
PID 916 wrote to memory of 1096	916	chrome.exe	114
PID 916 wrote to memory of 1096	916	chrome.exe	114
PID 916 wrote to memory of 1096	916	chrome.exe	114
PID 916 wrote to memory of 1096	916	chrome.exe	114
PID 916 wrote to memory of 1096	916	chrome.exe	114
PID 916 wrote to memory of 1096	916	chrome.exe	114
PID 916 wrote to memory of 1096	916	chrome.exe	114
PID 916 wrote to memory of 1096	916	chrome.exe	114
PID 916 wrote to memory of 1096	916	chrome.exe	114
PID 916 wrote to memory of 1096	916	chrome.exe	114
PID 916 wrote to memory of 1096	916	chrome.exe	114
PID 916 wrote to memory of 1096	916	chrome.exe	114
PID 916 wrote to memory of 1096	916	chrome.exe	114

C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3800
- C:\Windows\SYSTEM32\cmd.exe
  "cmd" /c ipconfig /all
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Windows\system32\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:2608
- C:\Windows\SYSTEM32\cmd.exe
  "cmd" /c wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0x80,0x104,0x7ffca20bcc40,0x7ffca20bcc4c,0x7ffca20bcc58
  2⤵
  PID:4160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1896,i,9025585844081612543,11045067703706989132,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1900 /prefetch:2
  2⤵
  PID:3032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2132,i,9025585844081612543,11045067703706989132,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2164 /prefetch:3
  2⤵
  PID:3368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2240,i,9025585844081612543,11045067703706989132,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2332 /prefetch:8
  2⤵
  PID:1096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3128,i,9025585844081612543,11045067703706989132,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3148 /prefetch:1
  2⤵
  PID:1020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3168,i,9025585844081612543,11045067703706989132,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  PID:3116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3888,i,9025585844081612543,11045067703706989132,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4532 /prefetch:1
  2⤵
  PID:2652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4408,i,9025585844081612543,11045067703706989132,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3700 /prefetch:8
  2⤵
  PID:2532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4792,i,9025585844081612543,11045067703706989132,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4796 /prefetch:8
  2⤵
  PID:632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4776,i,9025585844081612543,11045067703706989132,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4780 /prefetch:8
  2⤵
  PID:4092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4804,i,9025585844081612543,11045067703706989132,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4920 /prefetch:8
  2⤵
  PID:3296

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4604

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
bf11a84928402c8427b5ec921a2e89c3

SHA1
93d86d933b14a4ae4a6f73bfc9e51763b243c437

SHA256
9f5464f0ee2651776dc9f92df75986288d5e5c603d038d136d6240bb1a63d4d4

SHA512
b171b63ac5cbd7a1819f1bbaed200867990a6d96851e810a4d92b75874c19f21fff1ee1fa1c933a52a10b10428ec9cbe872d03791e2b027d86e0caf29bf91cf4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a60fd164e936ec7f3537515efa15e68f

SHA1
3ff17a547fdf83a1a3177b805b154bd393e1ea2d

SHA256
c41335ca34c37a89a1eb3a39815985f9770c7d452699fe410a433685d6beceb2

SHA512
54a25759069d5762b582b1afbb684e5c01c311c2702630b62b989b11a6a4fab28cbc3d809023a16b99737865f0ae5583af6e43914e26e45e5fc2215b77be8509

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
3b559c73a2ba898234e6b47b1fc5cc07

SHA1
fffd69bad81e4acf7a32c1101f45fa69b162fc4e

SHA256
a7e16b78219eda713c91cbda9878b6b3c72cb16b104a6b3806709ab19466c3b1

SHA512
56f118151195dca16e5571e117c610753db317464abb00fc5285af9ce31b7c6a5b49ac7f249cded453b6a9741900f5870b6e03c6181314ddefa501cede522203

Download Submit
memory/3800-0-0x00007FFCA1613000-0x00007FFCA1615000-memory.dmp

Filesize
8KB

Download
memory/3800-1-0x000002A27DA00000-0x000002A27DACE000-memory.dmp

Filesize
824KB

Download
memory/3800-3-0x00007FFCA1610000-0x00007FFCA20D1000-memory.dmp

Filesize
10.8MB

Download
memory/3800-4-0x000002A27DE90000-0x000002A27DEB2000-memory.dmp

Filesize
136KB

Download
memory/3800-5-0x00007FFCA1610000-0x00007FFCA20D1000-memory.dmp

Filesize
10.8MB

Download