Overview

overview

7

Static

static

3

Bootstrapper.exe

windows11-21h2-x64

7

Analysis

  • max time kernel
    128s
  • max time network
    131s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    24/12/2024, 22:36

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    Bootstrapper.exe

  • Size

    800KB

  • MD5

    02c70d9d6696950c198db93b7f6a835e

  • SHA1

    30231a467a49cc37768eea0f55f4bea1cbfb48e2

  • SHA256

    8f2e28588f2303bd8d7a9b0c3ff6a9cb16fa93f8ddc9c5e0666a8c12d6880ee3

  • SHA512

    431d9b9918553bff4f4a5bc2a5e7b7015f8ad0e2d390bb4d5264d08983372424156524ef5587b24b67d1226856fc630aaca08edc8113097e0094501b4f08efeb

  • SSDEEP

    12288:qhd8cjaLXVh84wEFkW1mocaBj6WtiRPpptHxQ0z:2ycjar84w5W4ocaBj6y2tHDz

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 10 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Gathers network information 2 TTPs 3 IoCs

    Uses commandline utility to view network configuration.

  • Modifies registry class 59 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 55 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
    "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:916
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd" /c ipconfig /all
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5396
      • C:\Windows\system32\ipconfig.exe
        ipconfig /all
        3⤵
        • Gathers network information
        PID:856
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd" /c wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5884
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3936
    • C:\Users\Admin\AppData\Local\Temp\BootstrapperV2.04.exe
      "C:\Users\Admin\AppData\Local\Temp\BootstrapperV2.04.exe" --oldBootstrapper "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe" --isUpdate true
      2⤵
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1600
      • C:\Users\Admin\Downloads\Solara\Solara.exe
        "C:\Users\Admin\Downloads\Solara\Solara.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:920
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:6096
    • C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
      "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5500
      • C:\Windows\SYSTEM32\cmd.exe
        "cmd" /c ipconfig /all
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:5168
        • C:\Windows\system32\ipconfig.exe
          ipconfig /all
          3⤵
          • Gathers network information
          PID:1320
      • C:\Users\Admin\AppData\Local\Temp\BootstrapperV2.04.exe
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV2.04.exe" --oldBootstrapper "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe" --isUpdate true
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:5512
        • C:\Users\Admin\Downloads\Solara\Solara.exe
          "C:\Users\Admin\Downloads\Solara\Solara.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1372
    • C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
      "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3060
      • C:\Windows\SYSTEM32\cmd.exe
        "cmd" /c ipconfig /all
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2492
        • C:\Windows\system32\ipconfig.exe
          ipconfig /all
          3⤵
          • Gathers network information
          PID:3340
      • C:\Users\Admin\AppData\Local\Temp\BootstrapperV2.04.exe
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV2.04.exe" --oldBootstrapper "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe" --isUpdate true
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3444
        • C:\Users\Admin\Downloads\Solara\Solara.exe
          "C:\Users\Admin\Downloads\Solara\Solara.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1220
    • C:\Users\Admin\Downloads\Solara\Solara.exe
      "C:\Users\Admin\Downloads\Solara\Solara.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:240
    • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
      "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:1036
    • C:\Users\Admin\Downloads\Solara\Solara.exe
      "C:\Users\Admin\Downloads\Solara\Solara.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3852
    • C:\Users\Admin\AppData\Local\Temp\BootstrapperV2.04.exe
      "C:\Users\Admin\AppData\Local\Temp\BootstrapperV2.04.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5284
      • C:\Users\Admin\Downloads\Solara\Solara.exe
        "C:\Users\Admin\Downloads\Solara\Solara.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2108

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Bootstrapper.exe.log
            Filesize

            1KB

            MD5

            9176955f987353c5ddb05c21fb80f926

            SHA1

            421986a60bc208169097b09332f5f0b3a46550c8

            SHA256

            d6049eea46205fc0128c8672db4aec0386e0a8425679d62741a33ca79e272de9

            SHA512

            126c6468eeabcb2f8303ba3a5dda401de178de9e5aa00683f2ba7006dff3845890fcbc5be113bec5fee6ed2251a947271f565a4795e406c61c17392533c34d49

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\BootstrapperV2.04.exe.log
            Filesize

            3KB

            MD5

            d42466e26481da880f471cbe5079250c

            SHA1

            3420dcec1a5dd09a1c3dc825481edda208ad7024

            SHA256

            dc2c7ca0bff451bb9b2b7cb7bc64194a500a3d8b053cf28e81d7e12cc63c10bb

            SHA512

            00681580a4012321e469d44a040c452d08d0f227887c9f718a4650a06c46c8b16331c75b11af70ba1a3e84505366fb4a3ffb533c25e15a97080d38f4f960d9d9

            Download Submit

          • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
            Filesize

            10KB

            MD5

            76fbe77cbc68f3bd5f0decad25775716

            SHA1

            2ebc2dea0b2224ea73fb5413d94ad38218122bf3

            SHA256

            8d59129db45c9f234318144380c9d167d89a9faa8e2a6aede9b5a3bcfdf650b6

            SHA512

            1a5d850914bd033defe42de3a333c2a7497927a07289258acd5ec08e973b4ed45030b0f299d6da5bac16ad607ed471b3db52a5c9676a532ecaa0836682618230

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\BootstrapperV2.04.exe
            Filesize

            2.8MB

            MD5

            be4da425d9b7593e358ffbfca29f9c70

            SHA1

            dc98530aad9728d779866ae957a738c52b13a565

            SHA256

            c5277ddb6e51181d2b8bad59acf5f2badf5613b1e73384a84b793f720aa76c0d

            SHA512

            35790944f5855038f8357c0f6d11ea81b260632e590c26f9342e8beb1a8dfd2e3eb9efa11f8378f8542cad45e7675af3d29cf27424accf35aaa6aeb34487155b

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\CONFIG
            Filesize

            121B

            MD5

            93d948a15a1f6dfb02898e8d7cc9cc08

            SHA1

            df76d8c6b143e88961ecd7771cf826315f6f39ef

            SHA256

            62d64d11085d0513cb700d4c627e3271fd4bb87a4d7ac6504e56ea160e8cab5c

            SHA512

            847eb5de0ea7fd559ad1259a9ca642c8ab17a38ec001ff0eb060271ccff3025d5be71c02c2fcf0545c9683a91ea501ecac1a3ef365cfd8e7d6576bc9ef995d2d

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\DISCORD
            Filesize

            103B

            MD5

            b016dafca051f817c6ba098c096cb450

            SHA1

            4cc74827c4b2ed534613c7764e6121ceb041b459

            SHA256

            b03c8c2d2429e9dbc7920113dedf6fc09095ab39421ee0cc8819ad412e5d67b9

            SHA512

            d69663e1e81ec33654b87f2dfaddd5383681c8ebf029a559b201d65eb12fa2989fa66c25fa98d58066eab7b897f0eef6b7a68fa1a9558482a17dfed7b6076aca

            Download Submit

          • C:\Users\Admin\Downloads\Solara\Newtonsoft.Json.dll
            Filesize

            695KB

            MD5

            195ffb7167db3219b217c4fd439eedd6

            SHA1

            1e76e6099570ede620b76ed47cf8d03a936d49f8

            SHA256

            e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d

            SHA512

            56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

            Download Submit

          • C:\Users\Admin\Downloads\Solara\Solara.exe
            Filesize

            133KB

            MD5

            c6f770cbb24248537558c1f06f7ff855

            SHA1

            fdc2aaae292c32a58ea4d9974a31ece26628fdd7

            SHA256

            d1e4a542fa75f6a6fb636b5de6f7616e2827a79556d3d9a4afc3ecb47f0beb2b

            SHA512

            cac56c58bd01341ec3ff102fe04fdb66625baad1d3dd7127907cd8453d2c6e2226ad41033e16ba20413a509fc7c826e4fdc0c0d553175eb6f164c2fc0906614a

            Download Submit

          • C:\Users\Admin\Downloads\Solara\Wpf.Ui.dll
            Filesize

            5.2MB

            MD5

            aead90ab96e2853f59be27c4ec1e4853

            SHA1

            43cdedde26488d3209e17efff9a51e1f944eb35f

            SHA256

            46cfbe804b29c500ebc0b39372e64c4c8b4f7a8e9b220b5f26a9adf42fcb2aed

            SHA512

            f5044f2ee63906287460b9adabfcf3c93c60b51c86549e33474c4d7f81c4f86cd03cd611df94de31804c53006977874b8deb67c4bf9ea1c2b70c459b3a44b38d

            Download Submit

          • C:\Users\Admin\Downloads\Solara\bin\path.txt
            Filesize

            34B

            MD5

            0e2184f1c7464b6617329fb18f107b4f

            SHA1

            6f22f98471e33c9db10d6f6f1728e98852e25b8f

            SHA256

            dbf5f44e1b84a298dbbcad3c31a617d2f6cfa08eb5d16e05a5c28726c574d4eb

            SHA512

            8e745c0215d52e15702551f29efb882a5eba97b5f279ccc29293b1a9b1b8661bf71b548569f9a99fa35c35a15d1b6b288d3c381c1292418c36dc89e2fa0b3a37

            Download Submit

          • C:\Users\Admin\Downloads\Solara\bin\version.txt
            Filesize

            5B

            MD5

            37aa1f84af14327f56844e2a6e046b8e

            SHA1

            4ab41557ec631ee3866c62a76f31339f95da5c40

            SHA256

            800febbfd5e51c2df3529c3dbd5ac3216cb3485be40ec10c9f9168382c4bfcd9

            SHA512

            ef7237d3f954790262bd73f129fda3db2fa7c3b4f9eb827d46d38a033c3198ed1e4921374a9d66a523de7d13bc5754e462b69dab93d7e62827453b0d813ba7de

            Download Submit

          • memory/916-0-0x00007FFAE0EE3000-0x00007FFAE0EE5000-memory.dmp

            Filesize

            8KB

            Download

          • memory/916-19-0x00007FFAE0EE0000-0x00007FFAE19A2000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/916-6-0x00007FFAE0EE3000-0x00007FFAE0EE5000-memory.dmp

            Filesize

            8KB

            Download

          • memory/916-4-0x0000024922FC0000-0x0000024922FE2000-memory.dmp

            Filesize

            136KB

            Download

          • memory/916-2-0x00007FFAE0EE0000-0x00007FFAE19A2000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/916-1-0x00000249211D0000-0x000002492129E000-memory.dmp

            Filesize

            824KB

            Download

          • memory/920-463-0x000001BECBE90000-0x000001BECBF42000-memory.dmp

            Filesize

            712KB

            Download

          • memory/920-461-0x000001BECBDD0000-0x000001BECBE8A000-memory.dmp

            Filesize

            744KB

            Download

          • memory/920-460-0x000001BECC220000-0x000001BECC75C000-memory.dmp

            Filesize

            5.2MB

            Download

          • memory/920-458-0x000001BEB15A0000-0x000001BEB15C4000-memory.dmp

            Filesize

            144KB

            Download

          • memory/1600-22-0x000001F2B85B0000-0x000001F2B85E8000-memory.dmp

            Filesize

            224KB

            Download

          • memory/1600-36-0x000001F280150000-0x000001F28016E000-memory.dmp

            Filesize

            120KB

            Download

          • memory/1600-38-0x000001F2802E0000-0x000001F280392000-memory.dmp

            Filesize

            712KB

            Download

          • memory/1600-40-0x000001F2F6160000-0x000001F2F616A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/1600-42-0x000001F2F61F0000-0x000001F2F6202000-memory.dmp

            Filesize

            72KB

            Download

          • memory/1600-34-0x000001F2FC350000-0x000001F2FC370000-memory.dmp

            Filesize

            128KB

            Download

          • memory/1600-33-0x000001F2FC2C0000-0x000001F2FC34A000-memory.dmp

            Filesize

            552KB

            Download

          • memory/1600-31-0x000001F2B8D70000-0x000001F2B8D78000-memory.dmp

            Filesize

            32KB

            Download

          • memory/1600-30-0x000001F2B85A0000-0x000001F2B85AA000-memory.dmp

            Filesize

            40KB

            Download

          • memory/1600-29-0x000001F2B8620000-0x000001F2B862A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/1600-28-0x000001F2B8D40000-0x000001F2B8D56000-memory.dmp

            Filesize

            88KB

            Download

          • memory/1600-27-0x000001F2B8630000-0x000001F2B8638000-memory.dmp

            Filesize

            32KB

            Download

          • memory/1600-26-0x000001F2B85F0000-0x000001F2B8618000-memory.dmp

            Filesize

            160KB

            Download

          • memory/1600-25-0x000001F2B8590000-0x000001F2B859A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/1600-24-0x000001F2B8C40000-0x000001F2B8D40000-memory.dmp

            Filesize

            1024KB

            Download

          • memory/1600-23-0x000001F2B8580000-0x000001F2B858E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/1600-21-0x000001F2B8530000-0x000001F2B8538000-memory.dmp

            Filesize

            32KB

            Download

          • memory/1600-20-0x000001F29A360000-0x000001F29A370000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1600-18-0x000001F299BE0000-0x000001F299EBA000-memory.dmp

            Filesize

            2.9MB

            Download