Resubmissions
22-12-2024 11:42
241222-nvcssswqe1 922-12-2024 11:37
241222-nrbfkaxjdj 722-12-2024 11:36
241222-nqj2bawpbv 7Analysis
-
max time kernel
265s -
max time network
264s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
22-12-2024 11:37
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
Bootstrapper.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
Bootstrapper.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
17 signatures
150 seconds
General
-
Target
Bootstrapper.exe
-
Size
800KB
-
MD5
02c70d9d6696950c198db93b7f6a835e
-
SHA1
30231a467a49cc37768eea0f55f4bea1cbfb48e2
-
SHA256
8f2e28588f2303bd8d7a9b0c3ff6a9cb16fa93f8ddc9c5e0666a8c12d6880ee3
-
SHA512
431d9b9918553bff4f4a5bc2a5e7b7015f8ad0e2d390bb4d5264d08983372424156524ef5587b24b67d1226856fc630aaca08edc8113097e0094501b4f08efeb
-
SSDEEP
12288:qhd8cjaLXVh84wEFkW1mocaBj6WtiRPpptHxQ0z:2ycjar84w5W4ocaBj6y2tHDz
Score
3/10
Malware Config
Signatures
-
Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DllHost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DllHost.exe -
Gathers network information 2 TTPs 3 IoCs
Uses commandline utility to view network configuration.
pid Process 1920 ipconfig.exe 2356 ipconfig.exe 2768 ipconfig.exe -
Suspicious use of AdjustPrivilegeToken 43 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 2136 WMIC.exe Token: SeSecurityPrivilege 2136 WMIC.exe Token: SeTakeOwnershipPrivilege 2136 WMIC.exe Token: SeLoadDriverPrivilege 2136 WMIC.exe Token: SeSystemProfilePrivilege 2136 WMIC.exe Token: SeSystemtimePrivilege 2136 WMIC.exe Token: SeProfSingleProcessPrivilege 2136 WMIC.exe Token: SeIncBasePriorityPrivilege 2136 WMIC.exe Token: SeCreatePagefilePrivilege 2136 WMIC.exe Token: SeBackupPrivilege 2136 WMIC.exe Token: SeRestorePrivilege 2136 WMIC.exe Token: SeShutdownPrivilege 2136 WMIC.exe Token: SeDebugPrivilege 2136 WMIC.exe Token: SeSystemEnvironmentPrivilege 2136 WMIC.exe Token: SeRemoteShutdownPrivilege 2136 WMIC.exe Token: SeUndockPrivilege 2136 WMIC.exe Token: SeManageVolumePrivilege 2136 WMIC.exe Token: 33 2136 WMIC.exe Token: 34 2136 WMIC.exe Token: 35 2136 WMIC.exe Token: SeIncreaseQuotaPrivilege 2136 WMIC.exe Token: SeSecurityPrivilege 2136 WMIC.exe Token: SeTakeOwnershipPrivilege 2136 WMIC.exe Token: SeLoadDriverPrivilege 2136 WMIC.exe Token: SeSystemProfilePrivilege 2136 WMIC.exe Token: SeSystemtimePrivilege 2136 WMIC.exe Token: SeProfSingleProcessPrivilege 2136 WMIC.exe Token: SeIncBasePriorityPrivilege 2136 WMIC.exe Token: SeCreatePagefilePrivilege 2136 WMIC.exe Token: SeBackupPrivilege 2136 WMIC.exe Token: SeRestorePrivilege 2136 WMIC.exe Token: SeShutdownPrivilege 2136 WMIC.exe Token: SeDebugPrivilege 2136 WMIC.exe Token: SeSystemEnvironmentPrivilege 2136 WMIC.exe Token: SeRemoteShutdownPrivilege 2136 WMIC.exe Token: SeUndockPrivilege 2136 WMIC.exe Token: SeManageVolumePrivilege 2136 WMIC.exe Token: 33 2136 WMIC.exe Token: 34 2136 WMIC.exe Token: 35 2136 WMIC.exe Token: SeDebugPrivilege 1984 Bootstrapper.exe Token: SeDebugPrivilege 2748 Bootstrapper.exe Token: SeDebugPrivilege 2904 Bootstrapper.exe -
Suspicious use of FindShellTrayWindow 5 IoCs
pid Process 2644 Magnify.exe 2644 Magnify.exe 2644 Magnify.exe 2644 Magnify.exe 2644 Magnify.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 2644 Magnify.exe 2644 Magnify.exe 2644 Magnify.exe 2644 Magnify.exe 2644 Magnify.exe 2644 Magnify.exe 2644 Magnify.exe 2644 Magnify.exe 2644 Magnify.exe 2644 Magnify.exe 2644 Magnify.exe 2644 Magnify.exe 2644 Magnify.exe 2644 Magnify.exe 2644 Magnify.exe 2644 Magnify.exe 2644 Magnify.exe 2644 Magnify.exe 2644 Magnify.exe 2644 Magnify.exe 2644 Magnify.exe 2644 Magnify.exe 2644 Magnify.exe 2644 Magnify.exe 2644 Magnify.exe 2644 Magnify.exe 2644 Magnify.exe 2644 Magnify.exe 2644 Magnify.exe 2644 Magnify.exe 2644 Magnify.exe 2644 Magnify.exe 2644 Magnify.exe 2644 Magnify.exe 2644 Magnify.exe 2644 Magnify.exe 2644 Magnify.exe 2644 Magnify.exe 2644 Magnify.exe 2644 Magnify.exe 2644 Magnify.exe 2644 Magnify.exe 2644 Magnify.exe 2644 Magnify.exe 2644 Magnify.exe 2644 Magnify.exe 2644 Magnify.exe 2644 Magnify.exe 2644 Magnify.exe 2644 Magnify.exe 2644 Magnify.exe 2644 Magnify.exe 2644 Magnify.exe 2644 Magnify.exe 2644 Magnify.exe 2644 Magnify.exe 2644 Magnify.exe 2644 Magnify.exe 2644 Magnify.exe 2644 Magnify.exe 2644 Magnify.exe 2644 Magnify.exe 2644 Magnify.exe 2644 Magnify.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2644 Magnify.exe -
Suspicious use of WriteProcessMemory 36 IoCs
description pid Process procid_target PID 1984 wrote to memory of 2500 1984 Bootstrapper.exe 31 PID 1984 wrote to memory of 2500 1984 Bootstrapper.exe 31 PID 1984 wrote to memory of 2500 1984 Bootstrapper.exe 31 PID 2500 wrote to memory of 2356 2500 cmd.exe 33 PID 2500 wrote to memory of 2356 2500 cmd.exe 33 PID 2500 wrote to memory of 2356 2500 cmd.exe 33 PID 1984 wrote to memory of 2688 1984 Bootstrapper.exe 34 PID 1984 wrote to memory of 2688 1984 Bootstrapper.exe 34 PID 1984 wrote to memory of 2688 1984 Bootstrapper.exe 34 PID 2688 wrote to memory of 2136 2688 cmd.exe 36 PID 2688 wrote to memory of 2136 2688 cmd.exe 36 PID 2688 wrote to memory of 2136 2688 cmd.exe 36 PID 1984 wrote to memory of 2332 1984 Bootstrapper.exe 38 PID 1984 wrote to memory of 2332 1984 Bootstrapper.exe 38 PID 1984 wrote to memory of 2332 1984 Bootstrapper.exe 38 PID 2768 wrote to memory of 2644 2768 utilman.exe 42 PID 2768 wrote to memory of 2644 2768 utilman.exe 42 PID 2768 wrote to memory of 2644 2768 utilman.exe 42 PID 2748 wrote to memory of 2472 2748 Bootstrapper.exe 56 PID 2748 wrote to memory of 2472 2748 Bootstrapper.exe 56 PID 2748 wrote to memory of 2472 2748 Bootstrapper.exe 56 PID 2472 wrote to memory of 2768 2472 cmd.exe 58 PID 2472 wrote to memory of 2768 2472 cmd.exe 58 PID 2472 wrote to memory of 2768 2472 cmd.exe 58 PID 2748 wrote to memory of 1244 2748 Bootstrapper.exe 59 PID 2748 wrote to memory of 1244 2748 Bootstrapper.exe 59 PID 2748 wrote to memory of 1244 2748 Bootstrapper.exe 59 PID 2904 wrote to memory of 2912 2904 Bootstrapper.exe 62 PID 2904 wrote to memory of 2912 2904 Bootstrapper.exe 62 PID 2904 wrote to memory of 2912 2904 Bootstrapper.exe 62 PID 2912 wrote to memory of 1920 2912 cmd.exe 64 PID 2912 wrote to memory of 1920 2912 cmd.exe 64 PID 2912 wrote to memory of 1920 2912 cmd.exe 64 PID 2904 wrote to memory of 2992 2904 Bootstrapper.exe 65 PID 2904 wrote to memory of 2992 2904 Bootstrapper.exe 65 PID 2904 wrote to memory of 2992 2904 Bootstrapper.exe 65
Processes
-
C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1984 -
C:\Windows\system32\cmd.exe"cmd" /c ipconfig /all2⤵
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Windows\system32\ipconfig.exeipconfig /all3⤵
- Gathers network information
PID:2356
-
-
-
C:\Windows\system32\cmd.exe"cmd" /c wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")2⤵
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\System32\Wbem\WMIC.exewmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2136
-
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1984 -s 11282⤵PID:2332
-
-
C:\Windows\system32\magnify.exe"C:\Windows\system32\magnify.exe"1⤵PID:3024
-
C:\Windows\system32\utilman.exeutilman.exe /debug1⤵
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\System32\Magnify.exe"C:\Windows\System32\Magnify.exe"2⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2644
-
-
C:\Windows\system32\utilman.exeutilman.exe /debug1⤵PID:1244
-
C:\Windows\System32\control.exe"C:\Windows\System32\control.exe" SYSTEM1⤵PID:1112
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵
- System Location Discovery: System Language Discovery
PID:692
-
C:\Windows\System32\control.exe"C:\Windows\System32\control.exe" SYSTEM1⤵PID:2464
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵
- System Location Discovery: System Language Discovery
PID:2212
-
C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\system32\cmd.exe"cmd" /c ipconfig /all2⤵
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Windows\system32\ipconfig.exeipconfig /all3⤵
- Gathers network information
PID:2768
-
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2748 -s 10922⤵PID:1244
-
-
C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\system32\cmd.exe"cmd" /c ipconfig /all2⤵
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\system32\ipconfig.exeipconfig /all3⤵
- Gathers network information
PID:1920
-
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2904 -s 10842⤵PID:2992
-