8f2e28588f2303bd8d7a9b0c3ff6a9cb16fa93f8ddc9c5e0666a8c12d6880ee3

Analysis

max time kernel
93s
max time network
94s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
21/12/2024, 21:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bootstrapper.exe
Size

800KB
MD5

02c70d9d6696950c198db93b7f6a835e
SHA1

30231a467a49cc37768eea0f55f4bea1cbfb48e2
SHA256

8f2e28588f2303bd8d7a9b0c3ff6a9cb16fa93f8ddc9c5e0666a8c12d6880ee3
SHA512

431d9b9918553bff4f4a5bc2a5e7b7015f8ad0e2d390bb4d5264d08983372424156524ef5587b24b67d1226856fc630aaca08edc8113097e0094501b4f08efeb
SSDEEP

12288:qhd8cjaLXVh84wEFkW1mocaBj6WtiRPpptHxQ0z:2ycjar84w5W4ocaBj6y2tHDz

Score

7^/10

discovery

Malware Config

Signatures

Unexpected DNS network traffic destination 2 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	1.0.0.1
Destination IP	1.0.0.1

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1412	ipconfig.exe

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1784	msedge.exe
1784	msedge.exe
4524	msedge.exe
4524	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	5948	WMIC.exe
Token: SeSecurityPrivilege	5948	WMIC.exe
Token: SeTakeOwnershipPrivilege	5948	WMIC.exe
Token: SeLoadDriverPrivilege	5948	WMIC.exe
Token: SeSystemProfilePrivilege	5948	WMIC.exe
Token: SeSystemtimePrivilege	5948	WMIC.exe
Token: SeProfSingleProcessPrivilege	5948	WMIC.exe
Token: SeIncBasePriorityPrivilege	5948	WMIC.exe
Token: SeCreatePagefilePrivilege	5948	WMIC.exe
Token: SeBackupPrivilege	5948	WMIC.exe
Token: SeRestorePrivilege	5948	WMIC.exe
Token: SeShutdownPrivilege	5948	WMIC.exe
Token: SeDebugPrivilege	5948	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5948	WMIC.exe
Token: SeRemoteShutdownPrivilege	5948	WMIC.exe
Token: SeUndockPrivilege	5948	WMIC.exe
Token: SeManageVolumePrivilege	5948	WMIC.exe
Token: 33	5948	WMIC.exe
Token: 34	5948	WMIC.exe
Token: 35	5948	WMIC.exe
Token: 36	5948	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5948	WMIC.exe
Token: SeSecurityPrivilege	5948	WMIC.exe
Token: SeTakeOwnershipPrivilege	5948	WMIC.exe
Token: SeLoadDriverPrivilege	5948	WMIC.exe
Token: SeSystemProfilePrivilege	5948	WMIC.exe
Token: SeSystemtimePrivilege	5948	WMIC.exe
Token: SeProfSingleProcessPrivilege	5948	WMIC.exe
Token: SeIncBasePriorityPrivilege	5948	WMIC.exe
Token: SeCreatePagefilePrivilege	5948	WMIC.exe
Token: SeBackupPrivilege	5948	WMIC.exe
Token: SeRestorePrivilege	5948	WMIC.exe
Token: SeShutdownPrivilege	5948	WMIC.exe
Token: SeDebugPrivilege	5948	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5948	WMIC.exe
Token: SeRemoteShutdownPrivilege	5948	WMIC.exe
Token: SeUndockPrivilege	5948	WMIC.exe
Token: SeManageVolumePrivilege	5948	WMIC.exe
Token: 33	5948	WMIC.exe
Token: 34	5948	WMIC.exe
Token: 35	5948	WMIC.exe
Token: 36	5948	WMIC.exe
Token: SeDebugPrivilege	2872	Bootstrapper.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 3476	2872	Bootstrapper.exe	78
PID 2872 wrote to memory of 3476	2872	Bootstrapper.exe	78
PID 3476 wrote to memory of 1412	3476	cmd.exe	80
PID 3476 wrote to memory of 1412	3476	cmd.exe	80
PID 2872 wrote to memory of 2536	2872	Bootstrapper.exe	81
PID 2872 wrote to memory of 2536	2872	Bootstrapper.exe	81
PID 2536 wrote to memory of 5948	2536	cmd.exe	83
PID 2536 wrote to memory of 5948	2536	cmd.exe	83
PID 4524 wrote to memory of 4684	4524	msedge.exe	95
PID 4524 wrote to memory of 4684	4524	msedge.exe	95
PID 4524 wrote to memory of 872	4524	msedge.exe	96
PID 4524 wrote to memory of 872	4524	msedge.exe	96
PID 4524 wrote to memory of 872	4524	msedge.exe	96
PID 4524 wrote to memory of 872	4524	msedge.exe	96
PID 4524 wrote to memory of 872	4524	msedge.exe	96
PID 4524 wrote to memory of 872	4524	msedge.exe	96
PID 4524 wrote to memory of 872	4524	msedge.exe	96
PID 4524 wrote to memory of 872	4524	msedge.exe	96
PID 4524 wrote to memory of 872	4524	msedge.exe	96
PID 4524 wrote to memory of 872	4524	msedge.exe	96
PID 4524 wrote to memory of 872	4524	msedge.exe	96
PID 4524 wrote to memory of 872	4524	msedge.exe	96
PID 4524 wrote to memory of 872	4524	msedge.exe	96
PID 4524 wrote to memory of 872	4524	msedge.exe	96
PID 4524 wrote to memory of 872	4524	msedge.exe	96
PID 4524 wrote to memory of 872	4524	msedge.exe	96
PID 4524 wrote to memory of 872	4524	msedge.exe	96
PID 4524 wrote to memory of 872	4524	msedge.exe	96
PID 4524 wrote to memory of 872	4524	msedge.exe	96
PID 4524 wrote to memory of 872	4524	msedge.exe	96
PID 4524 wrote to memory of 872	4524	msedge.exe	96
PID 4524 wrote to memory of 872	4524	msedge.exe	96
PID 4524 wrote to memory of 872	4524	msedge.exe	96
PID 4524 wrote to memory of 872	4524	msedge.exe	96
PID 4524 wrote to memory of 872	4524	msedge.exe	96
PID 4524 wrote to memory of 872	4524	msedge.exe	96
PID 4524 wrote to memory of 872	4524	msedge.exe	96
PID 4524 wrote to memory of 872	4524	msedge.exe	96
PID 4524 wrote to memory of 872	4524	msedge.exe	96
PID 4524 wrote to memory of 872	4524	msedge.exe	96
PID 4524 wrote to memory of 872	4524	msedge.exe	96
PID 4524 wrote to memory of 872	4524	msedge.exe	96
PID 4524 wrote to memory of 872	4524	msedge.exe	96
PID 4524 wrote to memory of 872	4524	msedge.exe	96
PID 4524 wrote to memory of 872	4524	msedge.exe	96
PID 4524 wrote to memory of 872	4524	msedge.exe	96
PID 4524 wrote to memory of 872	4524	msedge.exe	96
PID 4524 wrote to memory of 872	4524	msedge.exe	96
PID 4524 wrote to memory of 872	4524	msedge.exe	96
PID 4524 wrote to memory of 872	4524	msedge.exe	96
PID 4524 wrote to memory of 1784	4524	msedge.exe	97
PID 4524 wrote to memory of 1784	4524	msedge.exe	97
PID 4524 wrote to memory of 4984	4524	msedge.exe	98
PID 4524 wrote to memory of 4984	4524	msedge.exe	98
PID 4524 wrote to memory of 4984	4524	msedge.exe	98
PID 4524 wrote to memory of 4984	4524	msedge.exe	98
PID 4524 wrote to memory of 4984	4524	msedge.exe	98
PID 4524 wrote to memory of 4984	4524	msedge.exe	98
PID 4524 wrote to memory of 4984	4524	msedge.exe	98
PID 4524 wrote to memory of 4984	4524	msedge.exe	98
PID 4524 wrote to memory of 4984	4524	msedge.exe	98
PID 4524 wrote to memory of 4984	4524	msedge.exe	98
PID 4524 wrote to memory of 4984	4524	msedge.exe	98
PID 4524 wrote to memory of 4984	4524	msedge.exe	98

C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Windows\SYSTEM32\cmd.exe
  "cmd" /c ipconfig /all
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3476
- - C:\Windows\system32\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:1412
- C:\Windows\SYSTEM32\cmd.exe
  "cmd" /c wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5948

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:5956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://temp/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9eb043cb8,0x7ff9eb043cc8,0x7ff9eb043cd8
  2⤵
  PID:4684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1984,8672493952753956182,3320281086230808440,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2020 /prefetch:2
  2⤵
  PID:872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1984,8672493952753956182,3320281086230808440,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1984,8672493952753956182,3320281086230808440,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2572 /prefetch:8
  2⤵
  PID:4984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,8672493952753956182,3320281086230808440,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:1504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,8672493952753956182,3320281086230808440,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:5652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,8672493952753956182,3320281086230808440,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2316 /prefetch:1
  2⤵
  PID:396

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2596

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cb557349d7af9d6754aed39b4ace5bee

SHA1
04de2ac30defbb36508a41872ddb475effe2d793

SHA256
cfc24ed7d1c2e2c6585f53db7b39aa2447bf9212487b0a3c8c2a7d8e7e5572ee

SHA512
f0cf51f42d975d720d613d09f201435bf98c6283ae5bc033207f4ada93b15e49743a235a1cfb1b761bde268e2f7f8561aa57619b99bff67a36820bc1a4d0ec4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aad1d98ca9748cc4c31aa3b5abfe0fed

SHA1
32e8d4d9447b13bc00ec3eb15a88c55c29489495

SHA256
2a07cac05ffcf140a9ad32e58ef51b32ecccf1e3ab5ef4e656770df813a8944e

SHA512
150ebf7e37d20f88b21ab7ea0793afe1d40b00611ed36f0cf1ac1371b656d26f11b08a84dbb958891c79776fae04c9c616e45e2e211d292988a5709857a3bf72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
52cf8b15443915a9d452a336be72b802

SHA1
c67cb3e13853700ce97bd06298049c8d0409043e

SHA256
740c49b315d203e7acd7a71215d9ecc85499f350c952560dc9711c5234ec2687

SHA512
ab1cbde23f534a1f1b689693d301f5cbd92129be8bde9f68c675542d91d8d5b0ee6b3d515764cca02e640645955f5eef75dc77610e555cb41dbf6057eba079a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ccbfac5c6e5d3865eb38d9178bd843e4

SHA1
138833d9fd5d8c02aef6b726182544c556b4d0b1

SHA256
60816487eeb6839babd239ca3ccb949da2d59974d75823741dd6db6b8a50556c

SHA512
1e00d783ad6e344a7798d02e6890eb9b84891c87af6b68d4666a4068abe298965f5a156767b67bf56d5c00d6f308b9256b953df50eeb3090d41a26efbb030d48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
18bbbfbb281983bb23f2886542037f2f

SHA1
3c29c0ac3c64c67ef87e9f7b27641093dafc288b

SHA256
e2867d552d95152fb507b38a22440135f60fd7d71d119b35b5d9fc471ee8d8a9

SHA512
68b8e2ea60c66296575a7988299dba35c337732f72ee2d64ead664b4eccf5142ce6dfabfa81bfcfd90a00b6c08b5e6ebecd39525ffb82022bd91ea9d74643078

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\d3179e7f-4396-494f-80d3-e93fcdab3402.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
memory/2872-4-0x00007FF9D8FF3000-0x00007FF9D8FF5000-memory.dmp

Filesize
8KB

Download
memory/2872-13-0x00007FF9D8FF0000-0x00007FF9D9AB2000-memory.dmp

Filesize
10.8MB

Download
memory/2872-5-0x00007FF9D8FF0000-0x00007FF9D9AB2000-memory.dmp

Filesize
10.8MB

Download
memory/2872-0-0x00007FF9D8FF3000-0x00007FF9D8FF5000-memory.dmp

Filesize
8KB

Download
memory/2872-2-0x00007FF9D8FF0000-0x00007FF9D9AB2000-memory.dmp

Filesize
10.8MB

Download
memory/2872-1-0x00000184124A0000-0x000001841256E000-memory.dmp

Filesize
824KB

Download