Analysis

  • max time kernel
    91s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28/01/2025, 16:15 UTC

General

  • Target

    Bootstrapper.exe

  • Size

    800KB

  • MD5

    02c70d9d6696950c198db93b7f6a835e

  • SHA1

    30231a467a49cc37768eea0f55f4bea1cbfb48e2

  • SHA256

    8f2e28588f2303bd8d7a9b0c3ff6a9cb16fa93f8ddc9c5e0666a8c12d6880ee3

  • SHA512

    431d9b9918553bff4f4a5bc2a5e7b7015f8ad0e2d390bb4d5264d08983372424156524ef5587b24b67d1226856fc630aaca08edc8113097e0094501b4f08efeb

  • SSDEEP

    12288:qhd8cjaLXVh84wEFkW1mocaBj6WtiRPpptHxQ0z:2ycjar84w5W4ocaBj6y2tHDz

Score
8/10

Malware Config

Signatures

  • Downloads MZ/PE file 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 44 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
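The "Downloads MZ/PE file" signature fires when an HTTP response body carries a Windows executable; here that is BootstrapperNew.exe, served as application/octet-stream (Content-Length 3004416) and, judging by the matching size in the Downloads section, written to disk as BootstrapperV2.18.exe. Reproducing the check needs more than a test for a leading "MZ": the e_lfanew pointer at offset 0x3C has to be bounds-checked before the "PE\0\0" signature is read, otherwise a crafted body crashes the classifier instead of being classified. The following is an added example, not tria.ge's own code. The header layout is the documented DOS/COFF one; the sample buffers (a header-only stub, a JSON body standing in for the getsolara.dev responses, and a stub whose e_lfanew points past the end) are constructed. It also returns the hashes an analyst would compare against the Downloads entry.

```python
"""Classify an HTTP response body as MZ/PE (or not) and hash it.

Added example for the "Downloads MZ/PE file" signature; not tria.ge code.
All sample buffers below are constructed, not captured traffic.
"""
import hashlib
import struct

# IMAGE_FILE_HEADER.Machine values (documented PE constants).
PE_MACHINES = {0x014C: "x86", 0x8664: "x64", 0xAA64: "arm64"}


def pe_info(data: bytes):
    """Return (is_pe, machine) for a response body.

    Requires the 'MZ' DOS signature, reads e_lfanew at offset 0x3C, rejects
    pointers that leave no room for the signature plus Machine field, then
    requires 'PE\\0\\0' at that offset. Never raises on short or malformed
    input, so it is safe inside a traffic-processing loop.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False, None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 6 > len(data):  # bounds check before dereferencing e_lfanew
        return False, None
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False, None
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    return True, PE_MACHINES.get(machine, hex(machine))


def hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA256 of the body, for comparison with the report's Downloads hashes."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def classify_response(content_type: str, body: bytes) -> dict:
    is_pe, machine = pe_info(body)
    return {"is_pe": is_pe, "machine": machine, "content_type": content_type, **hashes(body)}


def build_stub_pe(machine: int = 0x8664) -> bytes:
    """Constructed header-only buffer: DOS header with e_lfanew = 0x40 followed by
    a COFF file header. Not loadable; just enough to exercise the check."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, 0)
    return bytes(dos) + coff


def bad_lfanew_sample() -> bytes:
    """Constructed: valid 'MZ' but e_lfanew points far beyond the body."""
    buf = bytearray(build_stub_pe())
    struct.pack_into("<I", buf, 0x3C, 0x00FFFFFF)
    return bytes(buf)


# Constructed samples standing in for the bodies seen in the report.
SAMPLES = {
    "exe_x64": ("application/octet-stream", build_stub_pe()),
    "exe_x86": ("application/octet-stream", build_stub_pe(0x014C)),
    "json": ("application/json", b'{"discord": "https://example.invalid/"}'),
    "mz_bad_lfanew": ("application/octet-stream", bad_lfanew_sample()),
}


def scan_samples() -> dict:
    """Classify every constructed sample; keyed by sample name."""
    return {name: classify_response(ct, body) for name, (ct, body) in SAMPLES.items()}


if __name__ == "__main__":
    for name, r in scan_samples().items():
        print(f"{name:14} is_pe={str(r['is_pe']):5} machine={r['machine']} sha256={r['sha256'][:16]}...")
```

The bounds check is the part worth keeping: a body of exactly "MZ" plus a huge e_lfanew is a classic way to make a naive classifier throw, and a classifier that throws inside a sandbox pipeline silently loses the sample.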

Processes

  • C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
    "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
    1⤵
    • Downloads MZ/PE file
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:972
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd" /c ipconfig /all
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4200
      • C:\Windows\system32\ipconfig.exe
        ipconfig /all
        3⤵
        • Gathers network information
        PID:4860
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd" /c wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2908
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1824
    • C:\Users\Admin\AppData\Local\Temp\BootstrapperV2.18.exe
      "C:\Users\Admin\AppData\Local\Temp\BootstrapperV2.18.exe" --oldBootstrapper "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe" --isUpdate true
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1780
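The process tree is the most useful detection surface in this report: a binary running from %TEMP% spawns cmd.exe for `ipconfig /all` (host network recon), then WMIC to rewrite the DNS server search order of every IP-enabled adapter to 1.1.1.1 and 1.0.0.1, and finally executes a freshly downloaded copy of itself. Forcing a public resolver sidesteps whatever filtering or logging the local resolver provides, and the Network section bears it out: the sandbox's own reverse lookups went to 8.8.8.8:53, while every query issued by Bootstrapper.exe goes to 1.1.1.1:53. The following is an added example, not tria.ge's signature code. It runs a few rules over process-creation records constructed to mirror the tree above (pid/ppid/image/cmdline fields in the style of Sysmon Event ID 1; the record shape is an assumption, the command lines are the report's), plus a benign control where an administrator's PowerShell session calls the same WMIC method, to show how ancestry changes the severity.

```python
"""Detection rules over process-creation records mirroring the report's tree.

Added example, not tria.ge code. EVENTS is constructed sample input; the
command lines are those shown in the report, the record format is assumed.
"""
import re

# Directories an unprivileged user can write to; a parent chain rooted here is
# the "dropped/downloaded binary" context we want to weight.
USER_WRITABLE = re.compile(
    r"\\(AppData\\Local\\Temp|AppData\\Roaming|Downloads|Users\\Public)\\", re.I)
DNS_CALL = re.compile(r"SetDNSServerSearchOrder\s*\(([^)]*)\)", re.I)

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
EVENTS = [
    {"pid": 972, "ppid": 1, "image": TEMP + r"\Bootstrapper.exe",
     "cmdline": f'"{TEMP}\\Bootstrapper.exe"'},
    {"pid": 4200, "ppid": 972, "image": r"C:\Windows\SYSTEM32\cmd.exe",
     "cmdline": '"cmd" /c ipconfig /all'},
    {"pid": 4860, "ppid": 4200, "image": r"C:\Windows\system32\ipconfig.exe",
     "cmdline": "ipconfig /all"},
    {"pid": 2908, "ppid": 972, "image": r"C:\Windows\SYSTEM32\cmd.exe",
     "cmdline": '"cmd" /c wmic nicconfig where (IPEnabled=TRUE) call '
                'SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")'},
    {"pid": 1824, "ppid": 2908, "image": r"C:\Windows\System32\Wbem\WMIC.exe",
     "cmdline": 'wmic nicconfig where (IPEnabled=TRUE) call '
                'SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")'},
    {"pid": 1780, "ppid": 972, "image": TEMP + r"\BootstrapperV2.18.exe",
     "cmdline": f'"{TEMP}\\BootstrapperV2.18.exe" --oldBootstrapper '
                f'"{TEMP}\\Bootstrapper.exe" --isUpdate true'},
    # Constructed benign control: an admin changing DNS from an elevated shell.
    {"pid": 5000, "ppid": 1,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell"},
    {"pid": 5001, "ppid": 5000, "image": r"C:\Windows\System32\Wbem\WMIC.exe",
     "cmdline": 'wmic nicconfig where (IPEnabled=TRUE) call '
                'SetDNSServerSearchOrder ("10.0.0.53")'},
]


def ancestors(ev, by_pid):
    """Walk ppid links upward; stop at unknown parents or a pid loop."""
    chain, seen = [], {ev["pid"]}
    cur = by_pid.get(ev["ppid"])
    while cur is not None and cur["pid"] not in seen:
        chain.append(cur)
        seen.add(cur["pid"])
        cur = by_pid.get(cur["ppid"])
    return chain


def analyze(events):
    """Return one alert dict per rule hit."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for ev in events:
        image = ev["image"].lower()
        chain = ancestors(ev, by_pid)
        from_user_dir = any(USER_WRITABLE.search(a["image"]) for a in chain)

        # Rule 1: DNS server override via WMIC. Always worth an alert; high
        # severity when any ancestor runs from a user-writable directory.
        m = DNS_CALL.search(ev["cmdline"])
        if image.endswith("\\wmic.exe") and m:
            alerts.append({"rule": "dns_override", "pid": ev["pid"],
                           "servers": re.findall(r'"([^"]+)"', m.group(1)),
                           "severity": "high" if from_user_dir else "medium"})

        # Rule 2: network recon launched from a dropped binary's process chain.
        if image.endswith("\\ipconfig.exe") and "/all" in ev["cmdline"] and from_user_dir:
            alerts.append({"rule": "network_recon", "pid": ev["pid"], "severity": "low"})

        # Rule 3: a binary in a user-writable directory executing another one
        # from a user-writable directory (the "Executes dropped EXE" pattern).
        parent = by_pid.get(ev["ppid"])
        if parent and USER_WRITABLE.search(ev["image"]) and USER_WRITABLE.search(parent["image"]):
            alerts.append({"rule": "dropped_exe_executed", "pid": ev["pid"],
                           "parent": parent["pid"], "severity": "medium"})
    return alerts


if __name__ == "__main__":
    for a in analyze(EVENTS):
        print(a)
```

Run as a script it prints four alerts: the WMIC DNS rewrite under the %TEMP% chain at high severity, the same method from the PowerShell control at medium, the `ipconfig /all` recon, and BootstrapperV2.18.exe executing out of %TEMP% with a %TEMP% parent. On a real host the same rules apply to Sysmon or EDR process events, and a WMIC/netsh/PowerShell DNS change whose ancestry leads to a user-writable path deserves a look regardless of which resolver it installs.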

Network

  • DNS PTR 133.211.185.52.in-addr.arpa via 8.8.8.8:53 (US): no answer records
  • DNS PTR 8.8.8.8.in-addr.arpa via 8.8.8.8:53 (US): dns.google
  • DNS PTR 13.153.16.2.in-addr.arpa via 8.8.8.8:53 (US): a2-16-153-13.deploy.static.akamaitechnologies.com
  • DNS PTR 167.173.78.104.in-addr.arpa via 8.8.8.8:53 (US): a104-78-173-167.deploy.static.akamaitechnologies.com
  • DNS PTR 4.159.190.20.in-addr.arpa via 8.8.8.8:53 (US): no answer records
  • DNS A getsolara.dev via 1.1.1.1:53 (AU), issued by Bootstrapper.exe: 172.67.203.125, 104.21.93.27
  • GET (remote geolocated US)
    https://getsolara.dev/asset/discord.json
    Bootstrapper.exe
    Remote address:
    172.67.203.125:443
    Request
    GET /asset/discord.json HTTP/1.1
    Host: getsolara.dev
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Tue, 28 Jan 2025 16:16:15 GMT
    Content-Type: application/json
    Transfer-Encoding: chunked
    Connection: keep-alive
    Access-Control-Allow-Origin: *
    Cache-Control: public, max-age=0, must-revalidate
    ETag: W/"fc6947083d8e1302fbe09d3898ba6361"
    referrer-policy: strict-origin-when-cross-origin
    x-content-type-options: nosniff
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kLDQkDGaqht8%2FO%2BwvfRZKq6gpTUYirM6Fy89eIYDCRCEa0YiQADVtjmlbnodbNbJDvfzEvY%2BRsXX7BZlCNwOlgMrTV0yGaL7qkNdc4alcVP%2FtYNJ4cH2iFHOxU5NBNDg"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Vary: Accept-Encoding
    cf-cache-status: DYNAMIC
    Strict-Transport-Security: max-age=0
    Server: cloudflare
    CF-RAY: 909249302bb86525-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=28130&min_rtt=26573&rtt_var=7929&sent=6&recv=6&lost=0&retrans=0&sent_bytes=2975&recv_bytes=378&delivery_rate=137001&cwnd=253&unsent_bytes=0&cid=b0c7caced8f87651&ts=114&x=0"
  • GET (remote geolocated US)
    https://getsolara.dev/api/endpoint.json
    Bootstrapper.exe
    Remote address:
    172.67.203.125:443
    Request
    GET /api/endpoint.json HTTP/1.1
    Host: getsolara.dev
    Response
    HTTP/1.1 200 OK
    Date: Tue, 28 Jan 2025 16:16:17 GMT
    Content-Type: application/json
    Transfer-Encoding: chunked
    Connection: keep-alive
    Access-Control-Allow-Origin: *
    Cache-Control: public, max-age=0, must-revalidate
    ETag: W/"8c459db729c1035143f867d3805c8d99"
    referrer-policy: strict-origin-when-cross-origin
    x-content-type-options: nosniff
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8LIIpa%2FeRZ%2FPoNlkOUUxoK0yBM3Z1ThvrwzO9%2FjNRL8fypNstvYm%2FMs8KYC%2B1%2FSAGaIZdM3k4PhRaWB7L%2BrLYak%2FkgIiIE5HF5zISW1TIKAwZhKImxCL8GW660K4yLNs"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Vary: Accept-Encoding
    cf-cache-status: DYNAMIC
    Strict-Transport-Security: max-age=0
    Server: cloudflare
    CF-RAY: 9092493d7c1e6525-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=27939&min_rtt=26529&rtt_var=6328&sent=9&recv=8&lost=0&retrans=0&sent_bytes=4196&recv_bytes=463&delivery_rate=137001&cwnd=255&unsent_bytes=0&cid=b0c7caced8f87651&ts=2233&x=0"
  • DNS PTR 125.203.67.172.in-addr.arpa via 1.1.1.1:53 (AU): no answer records
  • DNS A b44d28a3.solaraweb-alj.pages.dev via 1.1.1.1:53 (AU), issued by Bootstrapper.exe: 172.66.47.197, 172.66.44.59
  • GET (remote geolocated US)
    https://b44d28a3.solaraweb-alj.pages.dev/download/static/files/BootstrapperNew.exe
    Bootstrapper.exe
    Remote address:
    172.66.47.197:443
    Request
    GET /download/static/files/BootstrapperNew.exe HTTP/1.1
    Host: b44d28a3.solaraweb-alj.pages.dev
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Tue, 28 Jan 2025 16:16:18 GMT
    Content-Type: application/octet-stream
    Content-Length: 3004416
    Connection: keep-alive
    Access-Control-Allow-Origin: *
    Cache-Control: public, max-age=0, must-revalidate
    ETag: "8e709e57be966fad0b70aa9dcf62441e"
    referrer-policy: strict-origin-when-cross-origin
    x-content-type-options: nosniff
    x-robots-tag: noindex
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=i9K5Ve%2F66osLXINC89MSCLAH%2B2qINbjmu4OyMJmGp8ejftB1Tk8Zx63eNkefo8Rk14ZG8y9ILN6LcJxUsuAmyt%2F9hwdoFAhyEqFHhJkr0YJtqz9CriT1OQO9EpxzuCVxYW6S87u8l%2FAjbFAVvZGkfLMMlA%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 90924942780e63e4-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=26913&min_rtt=26186&rtt_var=6440&sent=6&recv=6&lost=0&retrans=0&sent_bytes=3021&recv_bytes=439&delivery_rate=134926&cwnd=232&unsent_bytes=0&cid=2c057f3cd5a52254&ts=121&x=0"
  • DNS PTR 197.47.66.172.in-addr.arpa via 1.1.1.1:53 (AU): no answer records
  • DNS PTR 241.150.49.20.in-addr.arpa via 1.1.1.1:53 (AU): no answer records
  • DNS PTR 53.210.109.20.in-addr.arpa via 1.1.1.1:53 (AU): no answer records
  • DNS PTR 206.23.85.13.in-addr.arpa via 1.1.1.1:53 (AU): no answer records
  • DNS PTR 167.190.18.2.in-addr.arpa via 1.1.1.1:53 (AU): a2-18-190-167.deploy.static.akamaitechnologies.com
  • DNS PTR 21.49.80.91.in-addr.arpa via 1.1.1.1:53 (AU): no answer records
  • DNS PTR 172.210.232.199.in-addr.arpa via 1.1.1.1:53 (AU): no answer records
  Connections (remote endpoint | protocol | process | bytes out / bytes in | packets out / packets in):

  • 172.67.203.125:443 | tls, http | Bootstrapper.exe | 951 B / 6.6kB | 11 / 13
    GET https://getsolara.dev/asset/discord.json → 200
    GET https://getsolara.dev/api/endpoint.json → 200
  • 127.0.0.1:6463 | Bootstrapper.exe (loopback connection; no protocol or counters recorded)
  • 172.66.47.197:443 | tls, http | Bootstrapper.exe | 64.6kB / 3.1MB | 1304 / 2238
    GET https://b44d28a3.solaraweb-alj.pages.dev/download/static/files/BootstrapperNew.exe → 200
  • 8.8.8.8:53 | dns | 133.211.185.52.in-addr.arpa (PTR) | 73 B / 147 B | 1 / 1
  • 8.8.8.8:53 | dns | 8.8.8.8.in-addr.arpa (PTR) | 66 B / 90 B | 1 / 1
  • 8.8.8.8:53 | dns | 13.153.16.2.in-addr.arpa (PTR) | 70 B / 133 B | 1 / 1
  • 8.8.8.8:53 | dns | 167.173.78.104.in-addr.arpa (PTR) | 73 B / 139 B | 1 / 1
  • 8.8.8.8:53 | dns | 4.159.190.20.in-addr.arpa (PTR) | 71 B / 157 B | 1 / 1
  • 224.0.0.251:5353 | multicast DNS address/port | 158 B out in 2 packets, no reply recorded
  • 1.1.1.1:53 | dns | Bootstrapper.exe | getsolara.dev (A) → 172.67.203.125, 104.21.93.27 | 59 B / 91 B | 1 / 1
  • 1.1.1.1:53 | dns | 125.203.67.172.in-addr.arpa (PTR) | 73 B / 135 B | 1 / 1
  • 1.1.1.1:53 | dns | Bootstrapper.exe | b44d28a3.solaraweb-alj.pages.dev (A) → 172.66.47.197, 172.66.44.59 | 78 B / 110 B | 1 / 1
  • 1.1.1.1:53 | dns | 197.47.66.172.in-addr.arpa (PTR) | 72 B / 134 B | 1 / 1
  • 1.1.1.1:53 | dns | 241.150.49.20.in-addr.arpa (PTR) | 72 B / 158 B | 1 / 1
  • 1.1.1.1:53 | dns | 53.210.109.20.in-addr.arpa (PTR) | 72 B / 158 B | 1 / 1
  • 1.1.1.1:53 | dns | 206.23.85.13.in-addr.arpa (PTR) | 71 B / 145 B | 1 / 1
  • 1.1.1.1:53 | dns | 167.190.18.2.in-addr.arpa (PTR) | 71 B / 135 B | 1 / 1
  • 1.1.1.1:53 | dns | 21.49.80.91.in-addr.arpa (PTR) | 70 B / 145 B | 1 / 1
  • 1.1.1.1:53 | dns | 172.210.232.199.in-addr.arpa (PTR) | 74 B / 128 B | 1 / 1

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\BootstrapperV2.18.exe

    Filesize

    2.9MB

    MD5

    4d207914ab7b161d4a8e6bf45cd27de4

    SHA1

    accd340b49754a770fd8debc10a379fe587336f6

    SHA256

    3c4dcf944e748c91df983422349e3a10f8271d3ef77ceee73d071b3d5e764f1b

    SHA512

    7df470c7c3b1f695289202363826d86af5e878138aa7c50a5d678df1ee95c0e9e2e87dc913be007e212519b05ab56146766768fbe00c583f5b57b905fbbf3f19

  • memory/972-0-0x00007FFB29E63000-0x00007FFB29E65000-memory.dmp

    Filesize

    8KB

  • memory/972-1-0x00000201244D0000-0x000002012459E000-memory.dmp

    Filesize

    824KB

  • memory/972-2-0x00007FFB29E60000-0x00007FFB2A921000-memory.dmp

    Filesize

    10.8MB

  • memory/972-4-0x0000020126220000-0x0000020126242000-memory.dmp

    Filesize

    136KB

  • memory/972-17-0x00007FFB29E60000-0x00007FFB2A921000-memory.dmp

    Filesize

    10.8MB

  • memory/1780-20-0x00000202B8AF0000-0x00000202B8AF8000-memory.dmp

    Filesize

    32KB

  • memory/1780-19-0x000002029B800000-0x000002029B810000-memory.dmp

    Filesize

    64KB

  • memory/1780-18-0x0000020299870000-0x0000020299B52000-memory.dmp

    Filesize

    2.9MB

  • memory/1780-21-0x00000202B90C0000-0x00000202B90F8000-memory.dmp

    Filesize

    224KB

  • memory/1780-22-0x00000202B9090000-0x00000202B909E000-memory.dmp

    Filesize

    56KB

  • memory/1780-23-0x00000202B97C0000-0x00000202B98C0000-memory.dmp

    Filesize

    1024KB

  • memory/1780-24-0x00000202B90A0000-0x00000202B90AA000-memory.dmp

    Filesize

    40KB

  • memory/1780-25-0x00000202B9100000-0x00000202B9126000-memory.dmp

    Filesize

    152KB

  • memory/1780-26-0x00000202B9140000-0x00000202B9148000-memory.dmp

    Filesize

    32KB

  • memory/1780-27-0x00000202B9150000-0x00000202B9166000-memory.dmp

    Filesize

    88KB

  • memory/1780-28-0x00000202B9130000-0x00000202B913A000-memory.dmp

    Filesize

    40KB

  • memory/1780-29-0x00000202B90B0000-0x00000202B90BA000-memory.dmp

    Filesize

    40KB

  • memory/1780-30-0x00000202B98C0000-0x00000202B98C8000-memory.dmp

    Filesize

    32KB
