Overview

overview

10

Static

static

3

BootstrapperNew.exe

windows7-x64

10

BootstrapperNew.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    132s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    02/03/2025, 01:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    BootstrapperNew.exe

  • Size

    3.2MB

  • MD5

    5d7608bf288d15a463991dd64a4a6833

  • SHA1

    568225dbe01f06297daedce0f7a161bc20c3f121

  • SHA256

    257f3886ec3712e93b4358a75a0bbedd236bae9d4f0ecb899664dd751de78f1b

  • SHA512

    af3c3b12066eedfdf7302ad1632d475c29cc74a7627584773e556a2ad7779102ae0f431192fb6404a7d191a7a38eda9e46d3d406f569de066a4d5a426f7218fb

  • SSDEEP

    98304:f0HJOQVG56a9CyT3hpbMhtYy/z+SSoYzYnix:wA2s6aUyT3hWr+FoUYn

Score
10/10
umbralxwormexecutionpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1345563600563081236/GZtFNjEkLtJVtAzkn2iuPtsNvHDVfN9T4KKvHQkKe2uwIcUso69vFJFK67xNihrhEyDY

Extracted

Family

xworm

C2

127.0.0.1:34930

minimum-ball.gl.at.ply.gg:34930
Attributes
  • Install_directory

    %AppData%

  • install_file

    SolaraX.exe

Signatures

  • Detect Umbral payload 2 IoCs
  • Detect Xworm Payload 4 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Umbral family
    umbral
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops file in Drivers directory 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 60 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
    "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2600
    • C:\Users\Admin\AppData\Local\Temp\BootstrapperNe.exe
      "C:\Users\Admin\AppData\Local\Temp\BootstrapperNe.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2156
      • C:\Users\Admin\AppData\Local\Temp\Solara.exe
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2828
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1892
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2568
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:608
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2416
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" os get Caption
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1456
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" computersystem get totalphysicalmemory
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2608
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" csproduct get uuid
          4⤵
            PID:3056
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            PID:1648
          • C:\Windows\System32\Wbem\wmic.exe
            "wmic" path win32_VideoController get name
            4⤵
            • Detects videocard installed
            PID:2136
        • C:\Users\Admin\AppData\Local\Temp\SolaraNew.exe
          "C:\Users\Admin\AppData\Local\Temp\SolaraNew.exe"
          3⤵
          • Executes dropped EXE
          PID:2948
        • C:\Users\Admin\AppData\Local\Temp\SolaraX.exe
          "C:\Users\Admin\AppData\Local\Temp\SolaraX.exe"
          3⤵
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2808
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\SolaraX.exe'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2852
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SolaraX.exe'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1680
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\SolaraX.exe'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1588
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SolaraX.exe'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3048
          • C:\Windows\System32\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SolaraX" /tr "C:\Users\Admin\AppData\Roaming\SolaraX.exe"
            4⤵
            • Scheduled Task/Job: Scheduled Task
            PID:1424
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {151BD2DB-334C-4572-A622-D2ED40AA873D} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1332
      • C:\Users\Admin\AppData\Roaming\SolaraX.exe
        C:\Users\Admin\AppData\Roaming\SolaraX.exe
        2⤵
        • Executes dropped EXE
        PID:2660
      • C:\Users\Admin\AppData\Roaming\SolaraX.exe
        C:\Users\Admin\AppData\Roaming\SolaraX.exe
        2⤵
        • Executes dropped EXE
        PID:1900

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Command and Scripting Interpreter

    1
    T1059

    PowerShell

    1
    T1059.001

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Credentials from Password Stores

    1
    T1555

    Credentials from Web Browsers

    1
    T1555.003

    Unsecured Credentials

    1
    T1552

    Credentials In Files

    1
    T1552.001

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Command and Control

    Web Service

    1
    T1102

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\BootstrapperNe.exe
      Filesize

      3.2MB

      MD5

      d88ee0d360d34eedfbc293290a73616a

      SHA1

      42e76126180ad0837cf5df031e1716081b091000

      SHA256

      6ade19e337fb670efee7a84e1ef68501c4dfcbfd10f57f8332539fbe1447ffb0

      SHA512

      1b4d40c733d65e7f42935a838a4922dc89ffd9bb35d4ccce8dce9b0825742a54e12f81bf84f698c4cf02b5b51d5f4f2e78922afc7949ebce8c481ab559c479c3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Solara.exe
      Filesize

      227KB

      MD5

      58e07162ded5e3a8a3ed89e3386d6d7d

      SHA1

      57bd70b8bc62e1715e4d67ebf7fd67c3d795712d

      SHA256

      acb94b9228a393f88637b7296b08ebc7c73b9d47162de6be7a15cdfa3d59a929

      SHA512

      0abfda8019dc37095db7f35ff4cdeb3256a0b469e8283fb16d2238e1454030435ef5ef4f5615bfb2243765eab0e21c33fc173ff01cb49ef6ff5b503146eeb137

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\SolaraX.exe
      Filesize

      74KB

      MD5

      aef41983064b12d1e648100e8141bf19

      SHA1

      b258d4a810e818e9c9dcaba62f75f34036b60fcd

      SHA256

      834bcea2665dc99b4c16fe87095f3e2b44e2e013ec1017407a061a1203c2f3cf

      SHA512

      2e4e3fdf7cd1892b73cf1989dfd82d91c677653a4501f44bb2d74b153b72982e069998b5bef097a7645970838c13ac86ec546173f6baf3afb7cbc26e6c9d5524

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      f9b2fe6b65445658485271aeb3916342

      SHA1

      a082645cf454611e58eeee30a56d23ded53a050f

      SHA256

      d72d9b46670e4730c0830f7607cdd2e195e709ff1d882b8bd4d266191ff1f3bc

      SHA512

      6caa292a990242f82d01b75bd326a7d1c804c1c76b2cbd22ccf2b41364432f7a563c2913cf14561c713ced62b0322cbeaf9a43fc264ec3a0c94eddc9f0c82719

      Download Submit

    • \Users\Admin\AppData\Local\Temp\SolaraNew.exe
      Filesize

      2.9MB

      MD5

      f227cdfd423b3cc03bb69c49babf4da3

      SHA1

      3db5a97d9b0f2545e7ba97026af6c28512200441

      SHA256

      cb5d6c1ca0aa6232a2d55e14b20ac4a9945a0bd063c57d60a5ed3ae94160e3e8

      SHA512

      b10afd03b02a928545c16fad39a6ae46b68b1e1a2477a6990803ce80008e7161fb2ebc9380ba15a1b074bb436aa34bcd6c94a922933d438b1c22489717e1e10e

      Download Submit

    • memory/1648-108-0x00000000022F0000-0x00000000022F8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1680-62-0x000000001B1A0000-0x000000001B482000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/1680-63-0x0000000002920000-0x0000000002928000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1900-119-0x0000000001130000-0x0000000001148000-memory.dmp

      Filesize

      96KB

      Download

    • memory/2156-7-0x00000000003A0000-0x00000000006D4000-memory.dmp

      Filesize

      3.2MB

      Download

    • memory/2156-27-0x000007FEF6250000-0x000007FEF6C3C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2600-0-0x000007FEF6253000-0x000007FEF6254000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2600-1-0x0000000000100000-0x0000000000438000-memory.dmp

      Filesize

      3.2MB

      Download

    • memory/2660-116-0x00000000009B0000-0x00000000009C8000-memory.dmp

      Filesize

      96KB

      Download

    • memory/2808-26-0x00000000012F0000-0x0000000001308000-memory.dmp

      Filesize

      96KB

      Download

    • memory/2828-13-0x00000000012D0000-0x0000000001310000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2852-45-0x000000001B2E0000-0x000000001B5C2000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2852-46-0x0000000002410000-0x0000000002418000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2948-25-0x0000000000C80000-0x0000000000F62000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2948-38-0x00000000023F0000-0x00000000023FA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2948-39-0x000000001AE50000-0x000000001AE58000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2948-37-0x00000000025E0000-0x00000000025EA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2948-36-0x000000001AE30000-0x000000001AE46000-memory.dmp

      Filesize

      88KB

      Download

    • memory/2948-35-0x00000000026A0000-0x00000000026A8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2948-34-0x0000000002670000-0x0000000002696000-memory.dmp

      Filesize

      152KB

      Download

    • memory/2948-33-0x0000000002400000-0x000000000240A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2948-32-0x000000001DE90000-0x000000001DF90000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2948-102-0x0000000000780000-0x000000000078A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2948-30-0x0000000000780000-0x0000000000790000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2948-29-0x0000000000780000-0x000000000078A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2948-28-0x0000000000780000-0x000000000078A000-memory.dmp

      Filesize

      40KB

      Download