8f2e28588f2303bd8d7a9b0c3ff6a9cb16fa93f8ddc9c5e0666a8c12d6880ee3

Analysis

max time kernel
14s
max time network
14s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-12-2024 15:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bootstrapper(1).exe
Size

800KB
MD5

02c70d9d6696950c198db93b7f6a835e
SHA1

30231a467a49cc37768eea0f55f4bea1cbfb48e2
SHA256

8f2e28588f2303bd8d7a9b0c3ff6a9cb16fa93f8ddc9c5e0666a8c12d6880ee3
SHA512

431d9b9918553bff4f4a5bc2a5e7b7015f8ad0e2d390bb4d5264d08983372424156524ef5587b24b67d1226856fc630aaca08edc8113097e0094501b4f08efeb
SSDEEP

12288:qhd8cjaLXVh84wEFkW1mocaBj6WtiRPpptHxQ0z:2ycjar84w5W4ocaBj6y2tHDz

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Bootstrapper(1).exe

Loads dropped DLL 3 IoCs

pid	Process
3492	MsiExec.exe
3492	MsiExec.exe
1392	MsiExec.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
32	4804	msiexec.exe
34	4804	msiexec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e57d39c.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID92A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID989.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE235.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e57d39c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID979.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3196	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3400	Bootstrapper(1).exe
3400	Bootstrapper(1).exe
4804	msiexec.exe
4804	msiexec.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	3400	Bootstrapper(1).exe
Token: SeShutdownPrivilege	984	msiexec.exe
Token: SeIncreaseQuotaPrivilege	984	msiexec.exe
Token: SeSecurityPrivilege	4804	msiexec.exe
Token: SeCreateTokenPrivilege	984	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	984	msiexec.exe
Token: SeLockMemoryPrivilege	984	msiexec.exe
Token: SeIncreaseQuotaPrivilege	984	msiexec.exe
Token: SeMachineAccountPrivilege	984	msiexec.exe
Token: SeTcbPrivilege	984	msiexec.exe
Token: SeSecurityPrivilege	984	msiexec.exe
Token: SeTakeOwnershipPrivilege	984	msiexec.exe
Token: SeLoadDriverPrivilege	984	msiexec.exe
Token: SeSystemProfilePrivilege	984	msiexec.exe
Token: SeSystemtimePrivilege	984	msiexec.exe
Token: SeProfSingleProcessPrivilege	984	msiexec.exe
Token: SeIncBasePriorityPrivilege	984	msiexec.exe
Token: SeCreatePagefilePrivilege	984	msiexec.exe
Token: SeCreatePermanentPrivilege	984	msiexec.exe
Token: SeBackupPrivilege	984	msiexec.exe
Token: SeRestorePrivilege	984	msiexec.exe
Token: SeShutdownPrivilege	984	msiexec.exe
Token: SeDebugPrivilege	984	msiexec.exe
Token: SeAuditPrivilege	984	msiexec.exe
Token: SeSystemEnvironmentPrivilege	984	msiexec.exe
Token: SeChangeNotifyPrivilege	984	msiexec.exe
Token: SeRemoteShutdownPrivilege	984	msiexec.exe
Token: SeUndockPrivilege	984	msiexec.exe
Token: SeSyncAgentPrivilege	984	msiexec.exe
Token: SeEnableDelegationPrivilege	984	msiexec.exe
Token: SeManageVolumePrivilege	984	msiexec.exe
Token: SeImpersonatePrivilege	984	msiexec.exe
Token: SeCreateGlobalPrivilege	984	msiexec.exe
Token: SeRestorePrivilege	4804	msiexec.exe
Token: SeTakeOwnershipPrivilege	4804	msiexec.exe
Token: SeRestorePrivilege	4804	msiexec.exe
Token: SeTakeOwnershipPrivilege	4804	msiexec.exe
Token: SeRestorePrivilege	4804	msiexec.exe
Token: SeTakeOwnershipPrivilege	4804	msiexec.exe
Token: SeRestorePrivilege	4804	msiexec.exe
Token: SeTakeOwnershipPrivilege	4804	msiexec.exe
Token: SeRestorePrivilege	4804	msiexec.exe
Token: SeTakeOwnershipPrivilege	4804	msiexec.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3400 wrote to memory of 460	3400	Bootstrapper(1).exe	87
PID 3400 wrote to memory of 460	3400	Bootstrapper(1).exe	87
PID 460 wrote to memory of 3196	460	cmd.exe	89
PID 460 wrote to memory of 3196	460	cmd.exe	89
PID 3400 wrote to memory of 984	3400	Bootstrapper(1).exe	98
PID 3400 wrote to memory of 984	3400	Bootstrapper(1).exe	98
PID 4804 wrote to memory of 3492	4804	msiexec.exe	106
PID 4804 wrote to memory of 3492	4804	msiexec.exe	106
PID 4804 wrote to memory of 1392	4804	msiexec.exe	107
PID 4804 wrote to memory of 1392	4804	msiexec.exe	107
PID 4804 wrote to memory of 1392	4804	msiexec.exe	107

C:\Users\Admin\AppData\Local\Temp\Bootstrapper(1).exe
"C:\Users\Admin\AppData\Local\Temp\Bootstrapper(1).exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3400
- C:\Windows\SYSTEM32\cmd.exe
  "cmd" /c ipconfig /all
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:460
- - C:\Windows\system32\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:3196
- C:\Windows\System32\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi" /qn
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:984

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4804
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 1AE5A190B36693A0AC0906BFF61F6907
  2⤵
  - Loads dropped DLL
  PID:3492
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 1A91509BB97B87C958F4A53B10A20C72
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi

Filesize
30.1MB

MD5
0e4e9aa41d24221b29b19ba96c1a64d0

SHA1
231ade3d5a586c0eb4441c8dbfe9007dc26b2872

SHA256
5bfb6f3ab89e198539408f7e0e8ec0b0bd5efe8898573ec05b381228efb45a5d

SHA512
e6f27aecead72dffecbeaad46ebdf4b1fd3dbcddd1f6076ba183b654e4e32d30f7af1236bf2e04459186e993356fe2041840671be73612c8afed985c2c608913

Download Submit
C:\Windows\Installer\MSID92A.tmp

Filesize
122KB

MD5
9fe9b0ecaea0324ad99036a91db03ebb

SHA1
144068c64ec06fc08eadfcca0a014a44b95bb908

SHA256
e2cce64916e405976a1d0c522b44527d12b1cba19de25da62121cf5f41d184c9

SHA512
906641a73d69a841218ae90b83714a05af3537eec8ad1d761f58ac365cf005bdd74ad88f71c4437aaa126ac74fa46bcad424d17c746ab197eec2caa1bd838176

Download Submit
C:\Windows\Installer\MSID989.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
memory/3400-0-0x0000021800530000-0x00000218005FE000-memory.dmp

Filesize
824KB

Download
memory/3400-1-0x00007FFA9AA63000-0x00007FFA9AA65000-memory.dmp

Filesize
8KB

Download
memory/3400-2-0x00007FFA9AA60000-0x00007FFA9B521000-memory.dmp

Filesize
10.8MB

Download
memory/3400-4-0x000002181AD80000-0x000002181ADA2000-memory.dmp

Filesize
136KB

Download
memory/3400-7-0x00007FFA9AA63000-0x00007FFA9AA65000-memory.dmp

Filesize
8KB

Download
memory/3400-30-0x00007FFA9AA60000-0x00007FFA9B521000-memory.dmp

Filesize
10.8MB

Download