f110a7d8c7f741474e6b6cfdb33aba02a2de58280dbd92f7c118a780d9eabceb

Resubmissions

30-12-2024 00:00

241230-aagpcs1lgt 10

29-12-2024 23:59

241229-31rw8s1lhm 10

25-12-2024 13:51

241225-q5yjcsvjcw 10

Analysis

max time kernel
18s
max time network
20s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29-12-2024 23:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bootstrapper1.55.exe
Size

76.4MB
MD5

2c8781fb8af16e9646c0fc2ce303a699
SHA1

1444b640655d1e5494ca486d0333cff86aa1e3d6
SHA256

f110a7d8c7f741474e6b6cfdb33aba02a2de58280dbd92f7c118a780d9eabceb
SHA512

ad34362c042ecb00a5804c1dab0b55627726596d38ae09ab1d84c6321b6028f2f52c284943bbd2903549586d07221be44a4123bbb2c7890b1bc985baf13e5f2d
SSDEEP

1572864:v8VlOWyomcSk8IpG7V+VPhqSvE7WxylKN0iY4MHHLeqPNLtD5zq3BxZpW9ryN:vKYromcSkB05awStxyMZMHVLt1zq3juE

Score

7^/10

discovery upx

Malware Config

Signatures

Loads dropped DLL 7 IoCs

pid	Process
1848	Bootstrapper1.55.exe
1848	Bootstrapper1.55.exe
1848	Bootstrapper1.55.exe
1848	Bootstrapper1.55.exe
1848	Bootstrapper1.55.exe
1848	Bootstrapper1.55.exe
1848	Bootstrapper1.55.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0003000000020b4e-1317.dat	upx
behavioral1/memory/1848-1319-0x000007FEF59B0000-0x000007FEF5E1E000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 24 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FAB3A311-C640-11EF-9A25-6E295C7D81A3} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
892	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
892	iexplore.exe
892	iexplore.exe
2148	IEXPLORE.EXE
2148	IEXPLORE.EXE
2148	IEXPLORE.EXE
2148	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2996 wrote to memory of 1848	2996	Bootstrapper1.55.exe	30
PID 2996 wrote to memory of 1848	2996	Bootstrapper1.55.exe	30
PID 2996 wrote to memory of 1848	2996	Bootstrapper1.55.exe	30
PID 892 wrote to memory of 2148	892	iexplore.exe	32
PID 892 wrote to memory of 2148	892	iexplore.exe	32
PID 892 wrote to memory of 2148	892	iexplore.exe	32
PID 892 wrote to memory of 2148	892	iexplore.exe	32

C:\Users\Admin\AppData\Local\Temp\Bootstrapper1.55.exe
"C:\Users\Admin\AppData\Local\Temp\Bootstrapper1.55.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Users\Admin\AppData\Local\Temp\Bootstrapper1.55.exe
  "C:\Users\Admin\AppData\Local\Temp\Bootstrapper1.55.exe"
  2⤵
  - Loads dropped DLL
  PID:1848

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:892
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:892 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
65b412ded032b3d004447095df68de09

SHA1
86f9700a3147a9225f0af6cae6974436e6a7e856

SHA256
044c6de84cb81ac9964ef443de73693c225c12a4eee15f77ce3fb3db55ec058e

SHA512
af90454ab15fbddcdce77e2c01fc0b83d7e19d564a673d58a8232af35c8fb64430496de5800389dc02573d32fd4daa86125b82a3de68f8866c317502ed661289

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
74e0ed9d618fce783f07212447853665

SHA1
5453e8149175dca83995b85f76b0e3322f02eed2

SHA256
fc4a63662dbfd6e6d7f54897a0ada4fc44ce823fc4ca6be490cbb4307e2e8a14

SHA512
b0b35d50cfa58970c3a950e9305d4d9b77034a8295c6ee0f8e51e96ab407241779e22901a64ff6158b34cc6638d8f545e99dc2644678525f890fc30a35ed2613

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
90bab0e10e7033dd3bc047419b7ddd83

SHA1
f035efed80b78ae0f37a9d8cdd9c438c27b40015

SHA256
5dbaa59946d5a4059f5e86cd40ef0789046b288dfdbccd57aa2821f0a1432d85

SHA512
9924bff3982adb8b9e3febdcf1064ced3ddacdf05a79c888db3ed21ac19772d001006e2bda960d820126ffa78a410b32b5812e51ebc57766ee6dda46e1500a00

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4dd7b91886388edee446cbcf83c48551

SHA1
a2339645acc77c2b5e29b4cdb10738b969694242

SHA256
aa2b3161db24eccebf8c3be2054c38328cebbfc29137c237d571297a3faa828d

SHA512
680721300a1eabbfe7efa5acdfc91602f7a425b4aa17afc0724cced46c70a753637d62861df5c8fdfb338579ed0a53c449f011db6cbf00f4bb57f7aaf2b9f6e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
45ff1e37e3246fefeb58deb3c987edba

SHA1
80f8a42d99eb5d0f04d8220b6d75ae60ae9972bc

SHA256
07fc1bae381c3b87ef116b72fbe198d2945550f6ca6727a940a8b941f83ca02a

SHA512
93a77b99a61fbd41e431cdda41cf7c123da57a120a6aac6c6f5417c8ac90f1530b753bc0ce054d1695e85d944550192d3960a2c67e808db311bb8c28cd945ef1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4f7601fa9864fe72b6e6b9bbbe8a8687

SHA1
0f9a5db217a2607d2adde6b26b62ab8aa756e0c7

SHA256
661a2469badbb5e8bdee38c12a6cafabdbe5de1b47dd8ddc69f815590da61993

SHA512
0206776e70043649860929b6668ba68a7b0b16ee66d50bbd6353a7dda34e60a778b41ea80a01f8a4857632473064d38753ee98758515a08a3ec3bddaab815dda

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8bb514a7687a19ee241350e5b32266ad

SHA1
34adeba06a6dfe7edebb5ffbbe3a346027103e6a

SHA256
b998c25140e10a86451b546398505117a36b2f75a737fa7c5e244daf5dc5caf8

SHA512
64a1f87bb75f607464be5a3475e14e423229526360075313a0db439e9af2f58b789b1ce0e7d4adb87b700765375b3c9c543a6a27aba1ee6d8ffff04e2d1f06bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e68a8581f9cd285b147b208437f43d6d

SHA1
bd6ad34631a7ebd7ad451adca877c2f9df42398f

SHA256
4a7682d412d5f23ff34fba4afcced077b96a0e5b8cca8f9a24378c7ec90af8a0

SHA512
0c1b5296a2f8665700b0150b206453a7f5ed794da08004ebb8fcbef778fbed05226da2e08e058a5b5187a4b2b4d3a4f15cc12eed7ba59a1e72e5b4232224e4e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
03e02ecf6cbb5f8302e7353fea114e04

SHA1
2ea3676240079159eeab6a981dc7570b186e104c

SHA256
f91b91cda9b330d884e3e57a1bc257e6c0ee57a6eb3c9ea6aee785b64f6d5645

SHA512
43374ea4b1aeeff76cf14be715947863ce5a5b3225f507b3a2af9cd5a838385168778df52dccb1657f10a19a0825bad5205b645e44e0c6cb8e32322cdaeb7666

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3611.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3691.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29962\api-ms-win-core-file-l1-2-0.dll

Filesize
11KB

MD5
d0842ac13c33e2287d8adfb16bc83e7a

SHA1
68cfd86a437bd755c2f06e59fd2ba87026d9bec1

SHA256
79f0ccfec37c99a53fa333c95adf94420765366d040eea78a76c545c89708ff6

SHA512
88a5e680ed5e42452d0b7f638327bc38e88af835ada391a11c44c43faebee040d9d30227dba12231ed4ffa0c8fd3cb461f5a682d48e40a9c29ec410f069ca346

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29962\api-ms-win-core-file-l2-1-0.dll

Filesize
11KB

MD5
f12c1674574b16ddc17f4ccf68955e59

SHA1
0c7d9b8b504a3ddc53c0b8e4066c8d829e65ae55

SHA256
a88202b5b8e62edeafb536af25580b2b1a437860d86cd5d8a6fba3c89b46acd6

SHA512
084776cb0c9e7e3708cd67bd2e075bd6878a13ec0dd70f46abb7532e7153ddc4c5afbcbbd477a62432bef0e1381e06a16f951f7c701b1c6eadec93514834bb39

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29962\api-ms-win-core-localization-l1-2-0.dll

Filesize
14KB

MD5
39475799bfaee65894f94a0f15d0d1fb

SHA1
f7a4e3dc3fb5133c53be4f1b7f1956d85f6f392e

SHA256
2d9f380091506eb22f0e92c68f6d8641c06fa92f733494fee9836fd748a294d5

SHA512
7156d60ee067f99d21c9d88883c90e8c83d75729807cdd77a37d74d6b15a8224d93189c1283c8756ef18a965bb8a11ad2da84bb6fe8acbffb83503fe6b5355a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29962\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
12KB

MD5
915f1c029d8b51ce579fe6f5330a77ca

SHA1
1629e4611e444fcc2514c522e6ac626860f370a5

SHA256
8065d56d1442de48a43b98fec8a9788ee144d997604180629ce303ee9ba53d8e

SHA512
e0d6900b9d8bd496d41c8cc538054e39e20caca88b8c54b52a2ebc7f01b104db25d9fe2d5fc2b269040cf75ad1c35759d7930be874f034191d03e0dd458e3235

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29962\api-ms-win-core-timezone-l1-1-0.dll

Filesize
12KB

MD5
7b2caafbe6b2c3d6cbf232610dccc034

SHA1
ed3f3cb464c779f224729c62ed2a4318f8d0aefc

SHA256
ba0afa1fadd4429693538aa2e85230edccc2e481f80b89666907d108d31bed8c

SHA512
e32c3b6f31c9fe31381884ae683178bffaca4a88f030335a4502de42432cc014337f5ac2c2ecb726afea15ca3f4c52c26d4024abed1a4187c4773b8c6ff73977

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29962\python310.dll

Filesize
1.4MB

MD5
178a0f45fde7db40c238f1340a0c0ec0

SHA1
dcd2d3d14e06da3e8d7dc91a69b5fd785768b5fe

SHA256
9fcb5ad15bd33dd72122a171a5d950e8e47ceda09372f25df828010cde24b8ed

SHA512
4b790046787e57b9414a796838a026b1530f497a75c8e62d62b56f8c16a0cbedbefad3d4be957bc18379f64374d8d3bf62d3c64b53476c7c5005a7355acd2cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29962\ucrtbase.dll

Filesize
961KB

MD5
2381e189321ead521ff71e72d08a6b17

SHA1
0db7fea07b4bc14f0f9d71ecfa6ddf3097229875

SHA256
4918f2e631ef1ae34c7863fa4f3bd7663b2fdf0fa160c0de507ed343484ac806

SHA512
2d51d1de627deb852d5ce48315654dfb34115ea9f546f640bb2304cd763d4576eadff5cd7fd184a9b17bac8bf37309a0409034d6303662edfa1a6db69366b9e5

Download Submit
memory/1848-1319-0x000007FEF59B0000-0x000007FEF5E1E000-memory.dmp

Filesize
4.4MB

Download