Overview

Tasks and scores
Overview (overview)                                score 10
Static (static)                                    score 10
Bootstrapper1.55.exe        windows7-x64           score 7
Bootstrapper1.55.exe        windows10-2004-x64     score 9
discord_to...er.pyc         windows7-x64           score 3
discord_to...er.pyc         windows10-2004-x64     score 3
get_cookies.pyc             windows7-x64           score 3
get_cookies.pyc             windows10-2004-x64     score 3
misc.pyc                    windows7-x64           score 3
misc.pyc                    windows10-2004-x64     score 3
passwords_grabber.pyc       windows7-x64           score 3
passwords_grabber.pyc       windows10-2004-x64     score 3
source_prepared.pyc         windows7-x64           score 3
source_prepared.pyc         windows10-2004-x64     score 3

Resubmissions
30/12/2024, 00:00    241230-aagpcs1lgt    score 10
29/12/2024, 23:59    241229-31rw8s1lhm    score 10
25/12/2024, 13:51    241225-q5yjcsvjcw    score 10

Analysis
max time kernel:    719s
max time network:   728s
platform:           windows7_x64
resource:           win7-20241010-en
resource tags:      arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted:          30/12/2024, 00:00
Behavioral tasks
Task            Sample                        Resource
behavioral1     Bootstrapper1.55.exe          win7-20241010-en
behavioral2     Bootstrapper1.55.exe          win10v2004-20241007-en
behavioral3     discord_token_grabber.pyc     win7-20240903-en
behavioral4     discord_token_grabber.pyc     win10v2004-20241007-en
behavioral5     get_cookies.pyc               win7-20240903-en
behavioral6     get_cookies.pyc               win10v2004-20241007-en
behavioral7     misc.pyc                      win7-20241010-en
behavioral8     misc.pyc                      win10v2004-20241007-en
behavioral9     passwords_grabber.pyc         win7-20240903-en
behavioral10    passwords_grabber.pyc         win10v2004-20241007-en
behavioral11    source_prepared.pyc           win7-20241023-en
behavioral12    source_prepared.pyc           win10v2004-20241007-en
General
Target:   Bootstrapper1.55.exe
Size:     76.4MB
MD5:      2c8781fb8af16e9646c0fc2ce303a699
SHA1:     1444b640655d1e5494ca486d0333cff86aa1e3d6
SHA256:   f110a7d8c7f741474e6b6cfdb33aba02a2de58280dbd92f7c118a780d9eabceb
SHA512:   ad34362c042ecb00a5804c1dab0b55627726596d38ae09ab1d84c6321b6028f2f52c284943bbd2903549586d07221be44a4123bbb2c7890b1bc985baf13e5f2d
SSDEEP:   1572864:v8VlOWyomcSk8IpG7V+VPhqSvE7WxylKN0iY4MHHLeqPNLtD5zq3BxZpW9ryN:vKYromcSkB05awStxyMZMHVLt1zq3juE
Malware Config
Signatures

Loads dropped DLL (7 IoCs)
pid     Process
2620    Bootstrapper1.55.exe    (this row appears 7 times, one per IoC)

Unnamed signature (YARA rule match)
resource                                          yara_rule
behavioral1/files/0x0003000000020b03-1317.dat     upx

System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description    ioc                                                             Process
Key opened     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language     IEXPLORE.EXE

Unnamed signature (registry key created)
description    ioc                                                                                                            Process
Key created    \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main          IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid     Process
2620    Bootstrapper1.55.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
description                           pid     Process
Token: 33                             2864    AUDIODG.EXE
Token: SeIncBasePriorityPrivilege     2864    AUDIODG.EXE
Token: 33                             2864    AUDIODG.EXE
Token: SeIncBasePriorityPrivilege     2864    AUDIODG.EXE

Suspicious use of SetWindowsHookEx (2 IoCs)
pid     Process
2776    IEXPLORE.EXE
2776    IEXPLORE.EXE

Suspicious use of WriteProcessMemory (3 IoCs)
description                          pid     Process                 procid_target
PID 2908 wrote to memory of 2620     2908    Bootstrapper1.55.exe    33
PID 2908 wrote to memory of 2620     2908    Bootstrapper1.55.exe    33
PID 2908 wrote to memory of 2620     2908    Bootstrapper1.55.exe    33
Processes
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2104 CREDAT:275457 /prefetch:2
  PID: 2776
  Signatures: System Location Discovery: System Language Discovery; Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
- C:\Users\Admin\AppData\Local\Temp\Bootstrapper1.55.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Bootstrapper1.55.exe"
  PID: 2908
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Bootstrapper1.55.exe (child of PID 2908)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Bootstrapper1.55.exe"
    PID: 2620
    Signatures: Loads dropped DLL; Suspicious behavior: GetForegroundWindowSpam
- C:\Windows\explorer.exe
  Command line: "C:\Windows\explorer.exe"
  PID: 2788
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x490
  PID: 2864
  Signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads