f110a7d8c7f741474e6b6cfdb33aba02a2de58280dbd92f7c118a780d9eabceb

Resubmissions

30/12/2024, 00:00

241230-aagpcs1lgt 10

29/12/2024, 23:59

241229-31rw8s1lhm 10

25/12/2024, 13:51

241225-q5yjcsvjcw 10

Analysis

max time kernel
719s
max time network
728s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
30/12/2024, 00:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bootstrapper1.55.exe
Size

76.4MB
MD5

2c8781fb8af16e9646c0fc2ce303a699
SHA1

1444b640655d1e5494ca486d0333cff86aa1e3d6
SHA256

f110a7d8c7f741474e6b6cfdb33aba02a2de58280dbd92f7c118a780d9eabceb
SHA512

ad34362c042ecb00a5804c1dab0b55627726596d38ae09ab1d84c6321b6028f2f52c284943bbd2903549586d07221be44a4123bbb2c7890b1bc985baf13e5f2d
SSDEEP

1572864:v8VlOWyomcSk8IpG7V+VPhqSvE7WxylKN0iY4MHHLeqPNLtD5zq3BxZpW9ryN:vKYromcSkB05awStxyMZMHVLt1zq3juE

Score

7^/10

discovery upx

Malware Config

Signatures

Loads dropped DLL 7 IoCs

pid	Process
2620	Bootstrapper1.55.exe
2620	Bootstrapper1.55.exe
2620	Bootstrapper1.55.exe
2620	Bootstrapper1.55.exe
2620	Bootstrapper1.55.exe
2620	Bootstrapper1.55.exe
2620	Bootstrapper1.55.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0003000000020b03-1317.dat	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2620	Bootstrapper1.55.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	2864	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2864	AUDIODG.EXE
Token: 33	2864	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2864	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2776	IEXPLORE.EXE
2776	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 2620	2908	Bootstrapper1.55.exe	33
PID 2908 wrote to memory of 2620	2908	Bootstrapper1.55.exe	33
PID 2908 wrote to memory of 2620	2908	Bootstrapper1.55.exe	33

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2104 CREDAT:275457 /prefetch:2
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2776

C:\Users\Admin\AppData\Local\Temp\Bootstrapper1.55.exe
"C:\Users\Admin\AppData\Local\Temp\Bootstrapper1.55.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Users\Admin\AppData\Local\Temp\Bootstrapper1.55.exe
  "C:\Users\Admin\AppData\Local\Temp\Bootstrapper1.55.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2620

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2788

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x490
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI29082\api-ms-win-core-localization-l1-2-0.dll

Filesize
14KB

MD5
39475799bfaee65894f94a0f15d0d1fb

SHA1
f7a4e3dc3fb5133c53be4f1b7f1956d85f6f392e

SHA256
2d9f380091506eb22f0e92c68f6d8641c06fa92f733494fee9836fd748a294d5

SHA512
7156d60ee067f99d21c9d88883c90e8c83d75729807cdd77a37d74d6b15a8224d93189c1283c8756ef18a965bb8a11ad2da84bb6fe8acbffb83503fe6b5355a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29082\python310.dll

Filesize
1.4MB

MD5
178a0f45fde7db40c238f1340a0c0ec0

SHA1
dcd2d3d14e06da3e8d7dc91a69b5fd785768b5fe

SHA256
9fcb5ad15bd33dd72122a171a5d950e8e47ceda09372f25df828010cde24b8ed

SHA512
4b790046787e57b9414a796838a026b1530f497a75c8e62d62b56f8c16a0cbedbefad3d4be957bc18379f64374d8d3bf62d3c64b53476c7c5005a7355acd2cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29082\ucrtbase.dll

Filesize
961KB

MD5
2381e189321ead521ff71e72d08a6b17

SHA1
0db7fea07b4bc14f0f9d71ecfa6ddf3097229875

SHA256
4918f2e631ef1ae34c7863fa4f3bd7663b2fdf0fa160c0de507ed343484ac806

SHA512
2d51d1de627deb852d5ce48315654dfb34115ea9f546f640bb2304cd763d4576eadff5cd7fd184a9b17bac8bf37309a0409034d6303662edfa1a6db69366b9e5

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI29082\api-ms-win-core-file-l1-2-0.dll

Filesize
11KB

MD5
d0842ac13c33e2287d8adfb16bc83e7a

SHA1
68cfd86a437bd755c2f06e59fd2ba87026d9bec1

SHA256
79f0ccfec37c99a53fa333c95adf94420765366d040eea78a76c545c89708ff6

SHA512
88a5e680ed5e42452d0b7f638327bc38e88af835ada391a11c44c43faebee040d9d30227dba12231ed4ffa0c8fd3cb461f5a682d48e40a9c29ec410f069ca346

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI29082\api-ms-win-core-file-l2-1-0.dll

Filesize
11KB

MD5
f12c1674574b16ddc17f4ccf68955e59

SHA1
0c7d9b8b504a3ddc53c0b8e4066c8d829e65ae55

SHA256
a88202b5b8e62edeafb536af25580b2b1a437860d86cd5d8a6fba3c89b46acd6

SHA512
084776cb0c9e7e3708cd67bd2e075bd6878a13ec0dd70f46abb7532e7153ddc4c5afbcbbd477a62432bef0e1381e06a16f951f7c701b1c6eadec93514834bb39

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI29082\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
12KB

MD5
915f1c029d8b51ce579fe6f5330a77ca

SHA1
1629e4611e444fcc2514c522e6ac626860f370a5

SHA256
8065d56d1442de48a43b98fec8a9788ee144d997604180629ce303ee9ba53d8e

SHA512
e0d6900b9d8bd496d41c8cc538054e39e20caca88b8c54b52a2ebc7f01b104db25d9fe2d5fc2b269040cf75ad1c35759d7930be874f034191d03e0dd458e3235

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI29082\api-ms-win-core-timezone-l1-1-0.dll

Filesize
12KB

MD5
7b2caafbe6b2c3d6cbf232610dccc034

SHA1
ed3f3cb464c779f224729c62ed2a4318f8d0aefc

SHA256
ba0afa1fadd4429693538aa2e85230edccc2e481f80b89666907d108d31bed8c

SHA512
e32c3b6f31c9fe31381884ae683178bffaca4a88f030335a4502de42432cc014337f5ac2c2ecb726afea15ca3f4c52c26d4024abed1a4187c4773b8c6ff73977

Download Submit
memory/2620-1319-0x000007FEF6B20000-0x000007FEF6F8E000-memory.dmp

Filesize
4.4MB

Download
memory/2620-1320-0x000007FEF6B20000-0x000007FEF6F8E000-memory.dmp

Filesize
4.4MB

Download