82077de6092ff44cd39b857ffc9ec49103049c47fa09528906aa8aa9ae38e0de

Analysis

max time kernel
6s
max time network
8s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29/01/2025, 19:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bootstrapper-x64.exe
Size

250.0MB
MD5

490f7ac842d93c49d9f3ef0addb67d08
SHA1

e244439508fb286ca63ff24f6a31f26bcc24734a
SHA256

82077de6092ff44cd39b857ffc9ec49103049c47fa09528906aa8aa9ae38e0de
SHA512

6b048f6dc4bbb8ed27a025e55a633c6dede685ea26cdd4ba70f9950232855a85bfd282ff93d571bdcd91bce7d6b9fbe6974555baec0774d6a46091490440c0aa
SSDEEP

24576:JHAOPpUAftuW4lsDhha5tAOojrQNPifqH6WDZaG8cjZjo:LpfFVPabAOYXfADZbjZjo

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Bootstrapper-x64.exe

Executes dropped EXE 1 IoCs

pid	Process
4972	Lid.com

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
3116	tasklist.exe
4984	tasklist.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\BedfordGambling	Bootstrapper-x64.exe
File opened for modification	C:\Windows\TonerAnalyzed	Bootstrapper-x64.exe
File opened for modification	C:\Windows\MalesMhz	Bootstrapper-x64.exe
File opened for modification	C:\Windows\StartupVirus	Bootstrapper-x64.exe
File opened for modification	C:\Windows\LoadCasting	Bootstrapper-x64.exe
File opened for modification	C:\Windows\QuantumAnthropology	Bootstrapper-x64.exe
File opened for modification	C:\Windows\ElLaunched	Bootstrapper-x64.exe
File opened for modification	C:\Windows\OutstandingAol	Bootstrapper-x64.exe
File opened for modification	C:\Windows\RevisedComp	Bootstrapper-x64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lid.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bootstrapper-x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4972	Lid.com
4972	Lid.com
4972	Lid.com
4972	Lid.com
4972	Lid.com
4972	Lid.com

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3116	tasklist.exe
Token: SeDebugPrivilege	4984	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4972	Lid.com
4972	Lid.com
4972	Lid.com

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4972	Lid.com
4972	Lid.com
4972	Lid.com

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 5116 wrote to memory of 3992	5116	Bootstrapper-x64.exe	82
PID 5116 wrote to memory of 3992	5116	Bootstrapper-x64.exe	82
PID 5116 wrote to memory of 3992	5116	Bootstrapper-x64.exe	82
PID 3992 wrote to memory of 3116	3992	cmd.exe	84
PID 3992 wrote to memory of 3116	3992	cmd.exe	84
PID 3992 wrote to memory of 3116	3992	cmd.exe	84
PID 3992 wrote to memory of 1896	3992	cmd.exe	85
PID 3992 wrote to memory of 1896	3992	cmd.exe	85
PID 3992 wrote to memory of 1896	3992	cmd.exe	85
PID 3992 wrote to memory of 4984	3992	cmd.exe	87
PID 3992 wrote to memory of 4984	3992	cmd.exe	87
PID 3992 wrote to memory of 4984	3992	cmd.exe	87
PID 3992 wrote to memory of 456	3992	cmd.exe	88
PID 3992 wrote to memory of 456	3992	cmd.exe	88
PID 3992 wrote to memory of 456	3992	cmd.exe	88
PID 3992 wrote to memory of 1588	3992	cmd.exe	89
PID 3992 wrote to memory of 1588	3992	cmd.exe	89
PID 3992 wrote to memory of 1588	3992	cmd.exe	89
PID 3992 wrote to memory of 2116	3992	cmd.exe	90
PID 3992 wrote to memory of 2116	3992	cmd.exe	90
PID 3992 wrote to memory of 2116	3992	cmd.exe	90
PID 3992 wrote to memory of 1832	3992	cmd.exe	91
PID 3992 wrote to memory of 1832	3992	cmd.exe	91
PID 3992 wrote to memory of 1832	3992	cmd.exe	91
PID 3992 wrote to memory of 5088	3992	cmd.exe	92
PID 3992 wrote to memory of 5088	3992	cmd.exe	92
PID 3992 wrote to memory of 5088	3992	cmd.exe	92
PID 3992 wrote to memory of 1480	3992	cmd.exe	93
PID 3992 wrote to memory of 1480	3992	cmd.exe	93
PID 3992 wrote to memory of 1480	3992	cmd.exe	93
PID 3992 wrote to memory of 4972	3992	cmd.exe	94
PID 3992 wrote to memory of 4972	3992	cmd.exe	94
PID 3992 wrote to memory of 4972	3992	cmd.exe	94
PID 3992 wrote to memory of 408	3992	cmd.exe	95
PID 3992 wrote to memory of 408	3992	cmd.exe	95
PID 3992 wrote to memory of 408	3992	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\Bootstrapper-x64.exe
"C:\Users\Admin\AppData\Local\Temp\Bootstrapper-x64.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5116
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy Newark Newark.cmd & Newark.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3992
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3116
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1896
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4984
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:456
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 745469
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1588
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Representative
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2116
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "Referring" Projectors
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1832
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 745469\Lid.com + Pty + Wp + Face + Filed + Fully + Terrible + Greeting + Build + Decades + Hometown 745469\Lid.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5088
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Graduation + ..\Fishing + ..\Spoken + ..\Fonts + ..\Homework + ..\Convert + ..\Streams l
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1480
- - C:\Users\Admin\AppData\Local\Temp\745469\Lid.com
    Lid.com l
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4972
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\745469\Lid.com

Filesize
875B

MD5
eb2cabaac7bed7d4bc3e2df167ca2da2

SHA1
49ea484032935ce74e248d21ed0c0d95ea66025f

SHA256
095c8e0e11802b7a61349542cd15e462aa0f9da8224fe19a4d533ef0e93d601f

SHA512
cdf847e3c819458f0edbdab56aefaab710c75a712ce61545c4a8695140ccbe695dfabf44f4dd0a0bafe1b8935760e319f468a05bdf70d6ad64da72e9e7f38f1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\745469\Lid.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Temp\745469\l

Filesize
466KB

MD5
29adf252936a7654fa048fa7c805a5f5

SHA1
2493613fc00fb6e494a7be96e83b25fa7c38f9d7

SHA256
1ec2e8aaa10fde7301eff0073ec99b61dd61fab3fd12b7aa93b73616a81360b6

SHA512
f0205445110fde25e013a5c5c8db8b1cb9448d7076880b9905c2e43ffe1e0dc4106fb93d7d0591ebd550d047ea1e8c8388c7b57b54d0f77fe19363c4f014e95c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Build

Filesize
89KB

MD5
74c326b3917c38b61adca95dc25e7e75

SHA1
19bee8ccc4d0c2868a885401704dda02209c442f

SHA256
9f5aa3676093ad7193caf71d0a11b6bf03c586e58f84f21ff79369182578db3e

SHA512
6a952d66bf1e13477afaf93462c7dd51c23399989187e642d6b1e06a087633ee8f2bd379ec06b1acc4915834db155ef58c9ab157cd2e88915d8e4c7e799e5464

Download Submit
C:\Users\Admin\AppData\Local\Temp\Convert

Filesize
55KB

MD5
4a7901fb5ebbfddb0a2c462e0cc3871a

SHA1
670cbda5bdfa8f24251fe660e8a263b716999006

SHA256
ae276cdb7a26cb85462285ca2ba7c4804521090d4dad4ddb9da9bb4e1d74151d

SHA512
264d1d3fbe18547f19abf36a60a637b8c97198bc4dfe26237ae76dc3bb640c9d204bdd062eda0371a5262a39628502f4995f4c6f01e84ecba759b95fd75c7f91

Download Submit
C:\Users\Admin\AppData\Local\Temp\Decades

Filesize
78KB

MD5
97fe1406dbcb4077166567d15faa9e56

SHA1
cdb05483776d9ef95d0183419b9483456f099156

SHA256
31a2355e93507394608cc4d61e7094387fc74d1eb0d53c5c005d5bfca0f9a670

SHA512
3f92f95d90aed533052426903a9fecb0be92e83f7a74402c3fa0018b13fcebfdf36da22980f25b783d2b5d1b4642570c16dc1aa8b9675cf99dfd2c67a1fad7d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Face

Filesize
137KB

MD5
48af1566f503feb0a36ee47d3136d152

SHA1
ec99515cadcbc8be92ba0177a377ed886de91caf

SHA256
09e4f679d3c59cf0ab6c5531e6f91edb34cb73d1ececaf48b31cde67d3833d35

SHA512
60ea4652545ade06fcf87ba868a0d295fef926b10285ecc22122d78a58fc166ff34b191b9411df07ac03add42ca3cd1cd8e5b4a34dcf8dd59352423981bd1408

Download Submit
C:\Users\Admin\AppData\Local\Temp\Filed

Filesize
91KB

MD5
26743e6535008569e011448e7cd5098d

SHA1
d3845e8288da3ab2ee6e74866ab63870d62ac21d

SHA256
4c35fd250632b5b6ecfada727e1bd3494441d359555da3667ad4730cafd402e1

SHA512
ea19c5606563ae4aec9b1c6c32c122889ec42fa057758d65c08ad27b7dfd61b940c3513805688b04669f6f704367cf665ef029efe5cfad1020ef2268b1325367

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fishing

Filesize
53KB

MD5
879a810abc7c8d6ebb929b0e3381eceb

SHA1
efb1f2985103693cdf19d9fe88f2c100eb9a4a3a

SHA256
62589211a20d43b3ee45683e07fadeb9cdcfdd2f5c25a1c54fe252a430ddba1c

SHA512
a90d43be0ced226cab4dd86d5cc3e260c48386e259595d4f6748f7384fc2623b4250ac26a4460e3fe2b1ef862c56f34291f9cf8825f65d59410fb61c5236b517

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fonts

Filesize
55KB

MD5
d805770ff8df42c7a3234f96a28be52e

SHA1
eaa68a63df4d10d3405545e00778ba6c3ba17c71

SHA256
95ae65856c734370d7852e853939b5e9d3476643477b3a375c2f5afe75a7c36a

SHA512
00132ebb1a250990002f6aad10149649dbeb633fe795c6511855746e2583cf8095efe1068fbec65fa29eee591f4e56f9e7794ac685d86d2003d37008aa4f3edc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fully

Filesize
115KB

MD5
81e4c6116222b5f064d52c826341e749

SHA1
922131a002cad2e0c88bd41c7cec051fe0618aad

SHA256
49ac85d6c96c5b4f410ef5491b4afdc84fd031c426fe8f22aa3767ae96c3ccb6

SHA512
4b040c24cac9d2dff95bb82ae3d284af18072031fbc01da7afb860dd0c46ece0dab8a0c27b693e0d6bc2c8d3ff671740253188627feb773c43b05202dc551713

Download Submit
C:\Users\Admin\AppData\Local\Temp\Graduation

Filesize
79KB

MD5
f22b1a2a2bb3352236d6964cd6ef887f

SHA1
13b180c1a7de7fa20b2431bfb1454b2dfc6fc97a

SHA256
05dc207280e0b710e6158fbd1843af73afaad044ea721e0527b281d157907ace

SHA512
28e21f1494a86d88847cb35aa9fff0c8ce35d13826ebd27c5d37052328488c63ddf6f90fca6cffc6501fe7d67c66212626168117101b03edf851731e3d42bc22

Download Submit
C:\Users\Admin\AppData\Local\Temp\Greeting

Filesize
53KB

MD5
e68c76645c912ca13ffecb33057ea364

SHA1
04ebac43b14189570ed7bd857536a2418f90ccdd

SHA256
db1a71261658e27a2a027a289fe2103c31446a3430e84cb180522873ec53208e

SHA512
822ba015b9ec96e2c5d4bfe9d4dfeb0098b117ee29df3d78149e13f29a21e92d754f29680e8245fee7496ec4dbaaf0b76bca5915e246c561ef639471be49985e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hometown

Filesize
33KB

MD5
107eb60edb850d5040a2df91cb372eb0

SHA1
b5b1152b35cd4b7294f39192e421037e6ec53513

SHA256
455607fa87c6cb09d04d0f59063f579f543bbc4887ce6c3954ceaecb276f8111

SHA512
c6754ff3cbade3a6501f9b72328874a384aeb032c66f431284b1ab964cf17e414c5e259a3fecce2ea752c9a6395719d1f2dee998f776d28cb162466fec95482b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Homework

Filesize
66KB

MD5
bb699176ed2b30de414fd23a1a397cba

SHA1
16a745a056b9d3e867fa6ff903d686510f64a98d

SHA256
6271b6d036bdf74dfac1ea15ad8f177a20b7fa6f50cd3f6d65eeb5eae2e158bc

SHA512
bf6c0a1dbcccdf26ceb1dba0c97da2fc29bf35e9d9f93643fbbf3065b4cf290a1e9a3e085d4c64347b5e9552ca7f58fc1767fbd039991e89d309255ff197e1c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Newark

Filesize
13KB

MD5
a509ab024a99067b15af445b74bf0640

SHA1
0366b19d13fe9802bfc7f5a4db396286a8c2506e

SHA256
03ece069907c6c99d4ec266bf77e3d17b9a9036fc176425de619b65d701fc0a8

SHA512
82ba5c9b4980cd300074acf02b63406e8747a600ec708d6fd6a5bf3bdb42f6de4a68a20cd19f007f6442906c2ea6a9dc43ef87cfc9b7b468bf18a291cf14f496

Download Submit
C:\Users\Admin\AppData\Local\Temp\Projectors

Filesize
884B

MD5
a9ebbabc02e091480c59d7e326859c4e

SHA1
db6586a4aad586d6668146fd8617e62c370b785b

SHA256
48b0a769f4614ad13624a3111b3e1a1fdee7946c857822764bf0da602e505359

SHA512
a6048296f61fc19f54eafccc1fb94d2aac49ebd47d91feefcc23803eae121316f4d4049c064643e8be87b753660b4b897154acf20471437bc50d323cc49f2084

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pty

Filesize
116KB

MD5
ea8e15765c2810b61265d8746477d2f2

SHA1
6bbf70cddd96f5b6a80a020d668595b83fb5fb76

SHA256
504b4ae73672d35c2fbeaf593f5b98bffceb539f26e90d02dbfc6289096afc3c

SHA512
22a820efb1d48dd6337ea34cebe6866e03e9708f703f3ccd39f2ab8ec696e62084f439434fed421a2637a46a5b8ac0277e8f29a20a8e9b785ee9494f50108060

Download Submit
C:\Users\Admin\AppData\Local\Temp\Representative

Filesize
477KB

MD5
2a47700c7fe98938a045ce59bc268adf

SHA1
29272daefaca78c9f4bc4dee6585e710ace1a0ed

SHA256
b166bc36b2c2fa0ea0a580516877524934dee52c92d86808abef536525864ff4

SHA512
bc03b1336c3f67c5acd69d2989ec3245ba33323c0b40f781f419dac4348f6c29a9b4103af41d0ea8dac3573c36086040fc113e74f05ff1509bc93be3435a2d22

Download Submit
C:\Users\Admin\AppData\Local\Temp\Spoken

Filesize
74KB

MD5
2819bd460015dbd520a00cfe399b80c6

SHA1
47ad6beb34c3661121aa4195ae879c51aeed991d

SHA256
27ae65745590a7bef60f79952e2f453963755c6795c8a7a7b4a6f18d9c00276a

SHA512
37ba8de873bf3659b26be778f15fdbd705b294fb8d4503926274021b8d5787af2b98c016a6929d02145987cf9bdb7fb7e5fc38f0eca380a06b33a4a1ee426189

Download Submit
C:\Users\Admin\AppData\Local\Temp\Streams

Filesize
84KB

MD5
e54a657a4fe88ba1460590bed3402f1c

SHA1
7409cf7619d43129459fe8d827737b11a7ae02f3

SHA256
b3c755ab4d09afd1f2970c561d079e48e03f5087b8984047197afc17a3ce658c

SHA512
af3aca7268be2e6e3c451e2371ddc30651733415414fff94bd4622745639e87102f7d20586a667a037e482eca8728d7fa127848989c189f8cdc841783dabbe33

Download Submit
C:\Users\Admin\AppData\Local\Temp\Terrible

Filesize
86KB

MD5
793e2837181c3f40761558bbaea1df6c

SHA1
483a1b0ff42b4891e35723ab20406886a22acca2

SHA256
7e502298d32525711aae4277d2c85d5451b870a7f4a7f9a686974e95ded47a9b

SHA512
90f143801e1250a5a037018c8a861542a093ca766c32ec53bd0a14dda67ca8bb4e224365fc06b42ac84d941b793e988e9ec9f9082eb868fc4d3225d8169f0796

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wp

Filesize
126KB

MD5
91f1aaad558606e3a62ef9dedb297d62

SHA1
c3e6dcd00d34ce9f9bf68365c2009e1ffb6be1c4

SHA256
68baafd69f0a9f1852b9aca125438383c9e3826fed8300f4ed7edbc39ad81acd

SHA512
89abf35e835fe55b7f49018f1313e2465e01f3adde4da32f728b9b5686e06d8aa23702a08373cc597576930af98be48e94fd1829eadf02dcfa3bfb3b333b778a

Download Submit