Overview

overview

10

Static

static

1

Bootstrapperx-64.exe

windows7-x64

10

Bootstrapperx-64.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    04-02-2025 13:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Bootstrapperx-64.exe

  • Size

    3.3MB

  • MD5

    38c66e9633c76cb1cf97f64b50c2a70f

  • SHA1

    11266ac4127867d1524186c54c64783d62ff1f5f

  • SHA256

    d4fdddf67ad137ecda25132a0c4e7eeeae875b6d549aad40193f8a05031c32a2

  • SHA512

    15509f36935bf30eb9a47a8fea2463228b8d783c29c408d4c1e3071c067e14a9f2ba5349e84e1e196adf1dc7ff3569bc9693dc4898c1cc7b1c794cca16be0604

  • SSDEEP

    49152:KSC9PLwyVeNnaJnue+3U9Saf22bHRkfC+fguSYh+BD3xz/9M5hrSkrX:ZCiN4uzU0afvbACQ3EVz9M5t

Score
10/10
rhadamanthysdiscoverystealer

Malware Config

Signatures

  • Detects Rhadamanthys payload 2 IoCs
  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    stealerrhadamanthys
  • Rhadamanthys family
    rhadamanthys
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 13 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates processes with tasklist 1 TTPs 6 IoCs
    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1204
      • C:\Users\Admin\AppData\Local\Temp\Bootstrapperx-64.exe
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapperx-64.exe"
        2⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2324
        • C:\Users\Admin\AppData\Local\Temp\is-MQQD0.tmp\Bootstrapperx-64.tmp
          "C:\Users\Admin\AppData\Local\Temp\is-MQQD0.tmp\Bootstrapperx-64.tmp" /SL5="$4001C,2160511,119296,C:\Users\Admin\AppData\Local\Temp\Bootstrapperx-64.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1324
          • C:\Users\Admin\AppData\Local\Temp\Bootstrapperx-64.exe
            "C:\Users\Admin\AppData\Local\Temp\Bootstrapperx-64.exe" /VERYSILENT
            4⤵
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1052
            • C:\Users\Admin\AppData\Local\Temp\is-LR7VV.tmp\Bootstrapperx-64.tmp
              "C:\Users\Admin\AppData\Local\Temp\is-LR7VV.tmp\Bootstrapperx-64.tmp" /SL5="$30132,2160511,119296,C:\Users\Admin\AppData\Local\Temp\Bootstrapperx-64.exe" /VERYSILENT
              5⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of WriteProcessMemory
              PID:1408
              • C:\Windows\SysWOW64\cmd.exe
                "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe"
                6⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:2592
                • C:\Windows\SysWOW64\tasklist.exe
                  tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
                  7⤵
                  • Enumerates processes with tasklist
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2812
                • C:\Windows\SysWOW64\find.exe
                  find /I "wrsa.exe"
                  7⤵
                  • System Location Discovery: System Language Discovery
                  PID:2456
              • C:\Windows\SysWOW64\cmd.exe
                "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe"
                6⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:2524
                • C:\Windows\SysWOW64\tasklist.exe
                  tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
                  7⤵
                  • Enumerates processes with tasklist
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2260
                • C:\Windows\SysWOW64\find.exe
                  find /I "opssvc.exe"
                  7⤵
                  • System Location Discovery: System Language Discovery
                  PID:2912
              • C:\Windows\SysWOW64\cmd.exe
                "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe"
                6⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:2920
                • C:\Windows\SysWOW64\tasklist.exe
                  tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
                  7⤵
                  • Enumerates processes with tasklist
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  PID:832
                • C:\Windows\SysWOW64\find.exe
                  find /I "avastui.exe"
                  7⤵
                  • System Location Discovery: System Language Discovery
                  PID:1824
              • C:\Windows\SysWOW64\cmd.exe
                "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe"
                6⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:1872
                • C:\Windows\SysWOW64\tasklist.exe
                  tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
                  7⤵
                  • Enumerates processes with tasklist
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2308
                • C:\Windows\SysWOW64\find.exe
                  find /I "avgui.exe"
                  7⤵
                  • System Location Discovery: System Language Discovery
                  PID:2316
              • C:\Windows\SysWOW64\cmd.exe
                "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe"
                6⤵
                • System Location Discovery: System Language Discovery
                PID:2288
                • C:\Windows\SysWOW64\tasklist.exe
                  tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
                  7⤵
                  • Enumerates processes with tasklist
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1680
                • C:\Windows\SysWOW64\find.exe
                  find /I "nswscsvc.exe"
                  7⤵
                  • System Location Discovery: System Language Discovery
                  PID:2296
              • C:\Windows\SysWOW64\cmd.exe
                "cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe"
                6⤵
                • System Location Discovery: System Language Discovery
                PID:1792
                • C:\Windows\SysWOW64\tasklist.exe
                  tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
                  7⤵
                  • Enumerates processes with tasklist
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  PID:796
                • C:\Windows\SysWOW64\find.exe
                  find /I "sophoshealth.exe"
                  7⤵
                  • System Location Discovery: System Language Discovery
                  PID:1960
              • C:\ProgramData\{2DF544D0-2B54-4551-8FF2-3501593E44C4}\AutoIt3.exe
                "C:\ProgramData\{2DF544D0-2B54-4551-8FF2-3501593E44C4}\AutoIt3.exe" preregulated.a3x
                6⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                PID:1528
                • C:\ProgramData\{2DF544D0-2B54-4551-8FF2-3501593E44C4}\AutoIt3.exe
                  "C:\ProgramData\{2DF544D0-2B54-4551-8FF2-3501593E44C4}\AutoIt3.exe"
                  7⤵
                  • Suspicious use of NtCreateUserProcessOtherParentProcess
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  PID:1628
      • C:\ProgramData\{2DF544D0-2B54-4551-8FF2-3501593E44C4}\AutoIt3.exe
        "C:\ProgramData\{2DF544D0-2B54-4551-8FF2-3501593E44C4}\AutoIt3.exe"
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2788

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\{2DF544D0-2B54-4551-8FF2-3501593E44C4}\preregulated.a3x
      Filesize

      1.1MB

      MD5

      a00d62c6933431bd2308175bf71cc1c9

      SHA1

      6c142eb1bc5d8aa4ff42c8707fb7fbc77683b908

      SHA256

      3e5cce91cb1cc1439bf99ebdb448cd62e7dffcfd58f4339c976b6af193c07f55

      SHA512

      47b6f0e475a10d0cc15d3a25b76f0e1352ca782d1a4a5eab5dc7e884da5c516d6d9c43223e1cb5aad3a3848796d7d520e48b4047633683af92a25eb4ee73e1a2

      Download Submit

    • C:\ProgramData\{2DF544D0-2B54-4551-8FF2-3501593E44C4}\preregulated.flv
      Filesize

      439KB

      MD5

      ac8beb8989fcb0a9058f337fd24d3a43

      SHA1

      5fadbe148b99764528b1d68a6d9c743437795994

      SHA256

      da4abd7c27852cdb41b50b19922e4724d7c8d7f6c863292bc10986026a8a4c13

      SHA512

      5d1b6165c887e1db9cadb9993007f39a9d0f9c7fed4398d41eb8457be551694dada73220b34356da85dd6d6e3670875246446380e354d904a418d670348035e4

      Download Submit

    • \ProgramData\{2DF544D0-2B54-4551-8FF2-3501593E44C4}\AutoIt3.exe
      Filesize

      921KB

      MD5

      3f58a517f1f4796225137e7659ad2adb

      SHA1

      e264ba0e9987b0ad0812e5dd4dd3075531cfe269

      SHA256

      1da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48

      SHA512

      acf740aafce390d06c6a76c84e7ae7c0f721731973aadbe3e57f2eb63241a01303cc6bf11a3f9a88f8be0237998b5772bdaf569137d63ba3d0f877e7d27fc634

      Download Submit

    • \Users\Admin\AppData\Local\Temp\is-CRS02.tmp\_isetup\_iscrypt.dll
      Filesize

      2KB

      MD5

      a69559718ab506675e907fe49deb71e9

      SHA1

      bc8f404ffdb1960b50c12ff9413c893b56f2e36f

      SHA256

      2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

      SHA512

      e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

      Download Submit

    • \Users\Admin\AppData\Local\Temp\is-CRS02.tmp\_isetup\_isdecmp.dll
      Filesize

      13KB

      MD5

      a813d18268affd4763dde940246dc7e5

      SHA1

      c7366e1fd925c17cc6068001bd38eaef5b42852f

      SHA256

      e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

      SHA512

      b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

      Download Submit

    • \Users\Admin\AppData\Local\Temp\is-CRS02.tmp\_isetup\_shfoldr.dll
      Filesize

      22KB

      MD5

      92dc6ef532fbb4a5c3201469a5b5eb63

      SHA1

      3e89ff837147c16b4e41c30d6c796374e0b8e62c

      SHA256

      9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

      SHA512

      9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

      Download Submit

    • \Users\Admin\AppData\Local\Temp\is-MQQD0.tmp\Bootstrapperx-64.tmp
      Filesize

      1.1MB

      MD5

      b1f9d665e52c29972b50d7145d88dce1

      SHA1

      df2c67a5c32a19bb110ec8372134522c0dab9ac2

      SHA256

      2ffabb0018d335267d2d0101a41cac7ac7d1aa80956fae91825e46aaa85c0787

      SHA512

      bcdce189402ffc1c17b9803ac4040bd1cb23e32ba2c1476cbcfae13438078e01f78ad3f76e1bf71a6ec204663aa5f5780990016fc074218763d63db1431f1e75

      Download Submit

    • memory/1052-25-0x0000000000400000-0x0000000000428000-memory.dmp

      Filesize

      160KB

      Download

    • memory/1052-32-0x0000000000400000-0x0000000000428000-memory.dmp

      Filesize

      160KB

      Download

    • memory/1052-51-0x0000000000400000-0x0000000000428000-memory.dmp

      Filesize

      160KB

      Download

    • memory/1052-72-0x0000000000400000-0x0000000000428000-memory.dmp

      Filesize

      160KB

      Download

    • memory/1324-8-0x0000000000400000-0x000000000052C000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/1324-28-0x0000000000400000-0x000000000052C000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/1408-70-0x0000000000400000-0x000000000052C000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/1408-50-0x0000000000400000-0x000000000052C000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/1628-83-0x0000000000AC0000-0x0000000000EC0000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/1628-85-0x00000000771F0000-0x0000000077399000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/1628-84-0x0000000000AC0000-0x0000000000EC0000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/1628-77-0x0000000000080000-0x0000000000101000-memory.dmp

      Filesize

      516KB

      Download

    • memory/1628-79-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1628-80-0x0000000000080000-0x0000000000101000-memory.dmp

      Filesize

      516KB

      Download

    • memory/1628-87-0x0000000075320000-0x0000000075367000-memory.dmp

      Filesize

      284KB

      Download

    • memory/1628-82-0x0000000000080000-0x0000000000101000-memory.dmp

      Filesize

      516KB

      Download

    • memory/2324-0-0x0000000000400000-0x0000000000428000-memory.dmp

      Filesize

      160KB

      Download

    • memory/2324-31-0x0000000000400000-0x0000000000428000-memory.dmp

      Filesize

      160KB

      Download

    • memory/2324-3-0x0000000000401000-0x0000000000412000-memory.dmp

      Filesize

      68KB

      Download

    • memory/2788-89-0x0000000000080000-0x000000000008A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2788-92-0x00000000025D0000-0x00000000029D0000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/2788-95-0x0000000075320000-0x0000000075367000-memory.dmp

      Filesize

      284KB

      Download

    • memory/2788-93-0x00000000771F0000-0x0000000077399000-memory.dmp

      Filesize

      1.7MB

      Download