Overview

overview

9

Static

static

3

Bootstrapper.exe

windows7-x64

1

Bootstrapper.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-01-2025 21:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Bootstrapper.exe

  • Size

    800KB

  • MD5

    02c70d9d6696950c198db93b7f6a835e

  • SHA1

    30231a467a49cc37768eea0f55f4bea1cbfb48e2

  • SHA256

    8f2e28588f2303bd8d7a9b0c3ff6a9cb16fa93f8ddc9c5e0666a8c12d6880ee3

  • SHA512

    431d9b9918553bff4f4a5bc2a5e7b7015f8ad0e2d390bb4d5264d08983372424156524ef5587b24b67d1226856fc630aaca08edc8113097e0094501b4f08efeb

  • SSDEEP

    12288:qhd8cjaLXVh84wEFkW1mocaBj6WtiRPpptHxQ0z:2ycjar84w5W4ocaBj6y2tHDz

Score
9/10
evasionthemidatrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Themida packer 14 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Unexpected DNS network traffic destination 1 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • cURL User-Agent 8 IoCs

    Uses User-Agent string associated with cURL utility.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
    "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2180
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd" /c ipconfig /all
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4336
      • C:\Windows\system32\ipconfig.exe
        ipconfig /all
        3⤵
        • Gathers network information
        PID:3592
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd" /c wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1460
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2288
    • C:\Users\Admin\AppData\Local\Temp\BootstrapperV2.13.exe
      "C:\Users\Admin\AppData\Local\Temp\BootstrapperV2.13.exe" --oldBootstrapper "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe" --isUpdate true
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:2184
      • C:\ProgramData\Solara\Solara.exe
        "C:\ProgramData\Solara\Solara.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:1216

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Solara\Microsoft.Web.WebView2.Core.dll
    Filesize

    557KB

    MD5

    b037ca44fd19b8eedb6d5b9de3e48469

    SHA1

    1f328389c62cf673b3de97e1869c139d2543494e

    SHA256

    11e88b2ca921e5c88f64567f11bd83cbc396c10365d40972f3359fcc7965d197

    SHA512

    fa89ab3347fd57486cf3064ad164574f70e2c2b77c382785479bfd5ab50caa0881de3c2763a0932feac2faaf09479ef699a04ba202866dc7e92640246ba9598b

    Download Submit

  • C:\ProgramData\Solara\Microsoft.Web.WebView2.Wpf.dll
    Filesize

    50KB

    MD5

    e107c88a6fc54cc3ceb4d85768374074

    SHA1

    a8d89ae75880f4fca7d7167fae23ac0d95e3d5f6

    SHA256

    8f821f0c818f8d817b82f76c25f90fde9fb73ff1ae99c3df3eaf2b955653c9c8

    SHA512

    b39e07b0c614a0fa88afb1f3b0d9bb9ba9c932e2b30899002008220ccf1acb0f018d5414aee64d92222c2c39f3ffe2c0ad2d9962d23aaa4bf5750c12c7f3e6fe

    Download Submit

  • C:\ProgramData\Solara\Monaco\combined.html
    Filesize

    14KB

    MD5

    c5611717d40fbd17ec2b4276fa4a3be3

    SHA1

    3580f7d5598be93bca5aca3360b43c62b4e398cf

    SHA256

    e122b05b104fac365c8304e3041416f65f299011bc70b6203c974bb98cbb76b2

    SHA512

    f46e267620b1f52d4f0d2f42ea496ab0b6df12b6da977e581c2b4f7929a6aaf61c1dfca097e67215d00c2529a9aca53b6c418e4cc1630897f7b1fdab4bb8c143

    Download Submit

  • C:\ProgramData\Solara\Monaco\index.html
    Filesize

    14KB

    MD5

    610eb8cecd447fcf97c242720d32b6bd

    SHA1

    4b094388e0e5135e29c49ce42ff2aa099b7f2d43

    SHA256

    107d8d9d6c94d2a86ac5af4b4cec43d959c2e44d445017fea59e2e0a5efafdc7

    SHA512

    cf15f49ef3ae578a5f725e24bdde86c33bbc4fd30a6eb885729fd3d9b151a4b13822fa8c35d3e0345ec43d567a246111764812596fd0ecc36582b8ee2a76c331

    Download Submit

  • C:\ProgramData\Solara\Newtonsoft.Json.dll
    Filesize

    695KB

    MD5

    195ffb7167db3219b217c4fd439eedd6

    SHA1

    1e76e6099570ede620b76ed47cf8d03a936d49f8

    SHA256

    e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d

    SHA512

    56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

    Download Submit

  • C:\ProgramData\Solara\Solara.exe
    Filesize

    613KB

    MD5

    efa26a96b7af259f6682bc888a8b6a14

    SHA1

    9800a30228504c30e7d8aea873ded6a7d7d133bb

    SHA256

    18f4dca864799d7cd00a26ae9fb7eccf5c7cf3883c51a5d0744fd92a60ca1953

    SHA512

    7ca4539ab544aee162c7d74ac94b290b409944dd746286e35c8a2712db045d255b9907d1ebea6377d1406ddd87f118666121d0ec1abe0e9415de1bba6799f76e

    Download Submit

  • C:\ProgramData\Solara\SolaraV3.dll
    Filesize

    6.9MB

    MD5

    12daf1ddbc2b2634a1a76adc3ec2d66c

    SHA1

    9a03f18aca54fb3b3190c1d65e424ffb9a4e6ffe

    SHA256

    2b6a59eb5b1861138dd82e0d1ca304babe47886a0eeca29d45c5d36363cc3b23

    SHA512

    7af52091f371bdad89be6900a7d3636d4f74fad2c9614ad1a322df342515d8163f224447c73a8a66875a56285806e6437794a292062fca11f2e5eeee03bea597

    Download Submit

  • C:\ProgramData\Solara\WebView2Loader.dll
    Filesize

    133KB

    MD5

    a0bd0d1a66e7c7f1d97aedecdafb933f

    SHA1

    dd109ac34beb8289030e4ec0a026297b793f64a3

    SHA256

    79d7e45f8631e8d2541d01bfb5a49a3a090be72b3d465389a2d684680fee2e36

    SHA512

    2a50ae5c7234a44b29f82ebc2e3cfed37bf69294eb00b2dc8905c61259975b2f3a059c67aeab862f002752454d195f7191d9b82b056f6ef22d6e1b0bb3673d50

    Download Submit

  • C:\ProgramData\Solara\Wpf.Ui.dll
    Filesize

    5.2MB

    MD5

    aead90ab96e2853f59be27c4ec1e4853

    SHA1

    43cdedde26488d3209e17efff9a51e1f944eb35f

    SHA256

    46cfbe804b29c500ebc0b39372e64c4c8b4f7a8e9b220b5f26a9adf42fcb2aed

    SHA512

    f5044f2ee63906287460b9adabfcf3c93c60b51c86549e33474c4d7f81c4f86cd03cd611df94de31804c53006977874b8deb67c4bf9ea1c2b70c459b3a44b38d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\BootstrapperV2.13.exe
    Filesize

    2.9MB

    MD5

    fdeda3eb502d7eec02277cf08c7d926f

    SHA1

    fbf43baa8e3c610933866630ba767b60bbd0313f

    SHA256

    4d73c67dc61543f6116f8c0a8f6794ece2993e78713793c6e2066285e2607fd0

    SHA512

    0f6e6074951eda7347cc527734b6103ed10002a2e28aaee2a74a4e346576b1e448175e10bbd8f8e9adbd36a15fa22557a7a7c6465c5fcb9dc772a41c00a0112d

    Download Submit

  • memory/1216-111-0x0000000180000000-0x0000000181173000-memory.dmp

    Filesize

    17.4MB

    Download

  • memory/1216-113-0x0000000180000000-0x0000000181173000-memory.dmp

    Filesize

    17.4MB

    Download

  • memory/1216-122-0x0000000180000000-0x0000000181173000-memory.dmp

    Filesize

    17.4MB

    Download

  • memory/1216-121-0x0000000180000000-0x0000000181173000-memory.dmp

    Filesize

    17.4MB

    Download

  • memory/1216-120-0x0000000180000000-0x0000000181173000-memory.dmp

    Filesize

    17.4MB

    Download

  • memory/1216-119-0x0000000180000000-0x0000000181173000-memory.dmp

    Filesize

    17.4MB

    Download

  • memory/1216-118-0x0000000180000000-0x0000000181173000-memory.dmp

    Filesize

    17.4MB

    Download

  • memory/1216-117-0x0000000180000000-0x0000000181173000-memory.dmp

    Filesize

    17.4MB

    Download

  • memory/1216-116-0x0000000180000000-0x0000000181173000-memory.dmp

    Filesize

    17.4MB

    Download

  • memory/1216-115-0x0000000180000000-0x0000000181173000-memory.dmp

    Filesize

    17.4MB

    Download

  • memory/1216-114-0x0000000180000000-0x0000000181173000-memory.dmp

    Filesize

    17.4MB

    Download

  • memory/1216-110-0x0000000180000000-0x0000000181173000-memory.dmp

    Filesize

    17.4MB

    Download

  • memory/1216-112-0x0000000180000000-0x0000000181173000-memory.dmp

    Filesize

    17.4MB

    Download

  • memory/1216-99-0x000001F4F3C40000-0x000001F4F3C50000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1216-104-0x000001F4F4550000-0x000001F4F45E0000-memory.dmp

    Filesize

    576KB

    Download

  • memory/1216-92-0x000001F4D7DF0000-0x000001F4D7E8C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/1216-97-0x000001F4F3D80000-0x000001F4F3E32000-memory.dmp

    Filesize

    712KB

    Download

  • memory/1216-94-0x000001F4F3F10000-0x000001F4F444C000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/1216-95-0x000001F4F3CC0000-0x000001F4F3D7A000-memory.dmp

    Filesize

    744KB

    Download

  • memory/2180-2-0x00007FF849A40000-0x00007FF84A501000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2180-1-0x0000024130530000-0x00000241305FE000-memory.dmp

    Filesize

    824KB

    Download

  • memory/2180-0-0x00007FF849A43000-0x00007FF849A45000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2180-4-0x00007FF849A43000-0x00007FF849A45000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2180-18-0x00007FF849A40000-0x00007FF84A501000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2180-5-0x000002414C250000-0x000002414C272000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2184-35-0x000001C0351A0000-0x000001C0351BE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2184-19-0x000001C056930000-0x000001C056C10000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2184-20-0x000001C058790000-0x000001C0587A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2184-21-0x000001C0769A0000-0x000001C0769A8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2184-22-0x000001C076A20000-0x000001C076A58000-memory.dmp

    Filesize

    224KB

    Download

  • memory/2184-38-0x000001C080000000-0x000001C080012000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2184-36-0x000001C07FFA0000-0x000001C07FFAA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2184-23-0x000001C0769F0000-0x000001C0769FE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2184-33-0x000001C043BA0000-0x000001C043C52000-memory.dmp

    Filesize

    712KB

    Download

  • memory/2184-31-0x000001C077220000-0x000001C077228000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2184-30-0x000001C076A10000-0x000001C076A1A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2184-29-0x000001C076A90000-0x000001C076A9A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2184-28-0x000001C0771F0000-0x000001C077206000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2184-27-0x000001C076AA0000-0x000001C076AA8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2184-26-0x000001C076A60000-0x000001C076A86000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2184-25-0x000001C076A00000-0x000001C076A0A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2184-24-0x000001C0770F0000-0x000001C0771F0000-memory.dmp

    Filesize

    1024KB

    Download