| File name: | Bootstrapper.exe |
| Full analysis: | https://app.any.run/tasks/b38776f2-3238-42c3-b77b-9454447abe91 |
| Verdict: | Malicious activity |
| Threats: | Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. |
| Analysis date: | August 07, 2024, 02:44:28 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows |
| MD5: | 3AF8103C6E2BA160987B5B4E87B231D2 |
| SHA1: | B65C5F0351E1689B7D1E1E68E2E443176831378C |
| SHA256: | 66CD57C5830BB579D017A0A7B4924E03A4177BA40C82045100DA383EA2144946 |
| SSDEEP: | 12288:c/0fLyJk3xO7oGQihfUSyhZx73dbbfyge91:eyyJkB2oGQihfUSyhZx73dbbfygeD |
MALICIOUS
Drops the executable file immediately after the start
- Bootstrapper.exe (PID: 6888)
Actions looks like stealing of personal data
- Bootstrapper.exe (PID: 6888)
SUSPICIOUS
Executes application which crashes
- Bootstrapper.exe (PID: 6888)
INFO
Reads the computer name
- Bootstrapper.exe (PID: 6888)
Checks supported languages
- Bootstrapper.exe (PID: 6888)
Disables trace logs
- Bootstrapper.exe (PID: 6888)
Checks proxy server information
- Bootstrapper.exe (PID: 6888)
- WerFault.exe (PID: 7084)
Reads the machine GUID from the registry
- Bootstrapper.exe (PID: 6888)
Reads Environment values
- Bootstrapper.exe (PID: 6888)
Reads the software policy settings
- Bootstrapper.exe (PID: 6888)
- WerFault.exe (PID: 7084)
Creates files or folders in the user directory
- WerFault.exe (PID: 7084)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Generic CIL Executable (.NET, Mono, etc.) (63.1) |
|---|---|---|
| .exe | | | Win64 Executable (generic) (23.8) |
| .dll | | | Win32 Dynamic Link Library (generic) (5.6) |
| .exe | | | Win32 Executable (generic) (3.8) |
| .exe | | | Generic Win/DOS Executable (1.7) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2024:08:06 06:25:44+00:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 8 |
| CodeSize: | 812544 |
| InitializedDataSize: | 2048 |
| UninitializedDataSize: | - |
| EntryPoint: | 0xc845e |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows command line |
| FileVersionNumber: | 1.0.0.0 |
| ProductVersionNumber: | 1.0.0.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| Comments: | - |
| CompanyName: | - |
| FileDescription: | SolaraBootstrapper |
| FileVersion: | 1.0.0.0 |
| InternalName: | SolaraBootstrapper.exe |
| LegalCopyright: | Copyright © 2024 |
| LegalTrademarks: | - |
| OriginalFileName: | SolaraBootstrapper.exe |
| ProductName: | SolaraBootstrapper |
| ProductVersion: | 1.0.0.0 |
| AssemblyVersion: | 1.0.0.0 |
Total processes
116
Monitored processes
4
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 6764 | "C:\Users\admin\Desktop\Bootstrapper.exe" | C:\Users\admin\Desktop\Bootstrapper.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Description: SolaraBootstrapper Exit code: 3221226540 Version: 1.0.0.0 Modules
| |||||||||||||||
| 6888 | "C:\Users\admin\Desktop\Bootstrapper.exe" | C:\Users\admin\Desktop\Bootstrapper.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: HIGH Description: SolaraBootstrapper Exit code: 3762504530 Version: 1.0.0.0 Modules
| |||||||||||||||
| 6900 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | Bootstrapper.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7084 | C:\WINDOWS\SysWOW64\WerFault.exe -u -p 6888 -s 2080 | C:\Windows\SysWOW64\WerFault.exe | Bootstrapper.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Problem Reporting Exit code: 0 Version: 10.0.19041.3996 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
11 532
Read events
11 509
Write events
20
Delete events
3
Modification events
| (PID) Process: | (6888) Bootstrapper.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing |
| Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
| (PID) Process: | (6888) Bootstrapper.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Bootstrapper_RASAPI32 |
| Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
| (PID) Process: | (6888) Bootstrapper.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Bootstrapper_RASAPI32 |
| Operation: | write | Name: | EnableAutoFileTracing |
Value: 0 | |||
| (PID) Process: | (6888) Bootstrapper.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Bootstrapper_RASAPI32 |
| Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
| (PID) Process: | (6888) Bootstrapper.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Bootstrapper_RASAPI32 |
| Operation: | write | Name: | FileTracingMask |
Value: | |||
| (PID) Process: | (6888) Bootstrapper.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Bootstrapper_RASAPI32 |
| Operation: | write | Name: | ConsoleTracingMask |
Value: | |||
| (PID) Process: | (6888) Bootstrapper.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Bootstrapper_RASAPI32 |
| Operation: | write | Name: | MaxFileSize |
Value: 1048576 | |||
| (PID) Process: | (6888) Bootstrapper.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Bootstrapper_RASAPI32 |
| Operation: | write | Name: | FileDirectory |
Value: %windir%\tracing | |||
| (PID) Process: | (6888) Bootstrapper.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Bootstrapper_RASMANCS |
| Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
| (PID) Process: | (6888) Bootstrapper.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Bootstrapper_RASMANCS |
| Operation: | write | Name: | EnableAutoFileTracing |
Value: 0 | |||
Executable files
0
Suspicious files
0
Text files
2
Unknown types
2
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 7084 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Bootstrapper.exe_a99368c5ff5870c56e61264da9c67196b67a5ab_92d2c24c_50650e8d-ff08-41ee-8dcf-da875abef41d\Report.wer | — | |
MD5:— | SHA256:— | |||
| 7084 | WerFault.exe | C:\Users\admin\AppData\Local\CrashDumps\Bootstrapper.exe.6888.dmp | — | |
MD5:— | SHA256:— | |||
| 7084 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER9CB9.tmp.dmp | dmp | |
MD5:B4C71D24B93EDF3A83CE407BD4F683A2 | SHA256:FB81A1185508F4B0532CC067CF041DED7131D18732C4105DD41B98288E13ADB4 | |||
| 7084 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER9F1C.tmp.xml | xml | |
MD5:94EC475222EE4CCEC634E17E6AD1B4ED | SHA256:9E23AC743CBC638B93240860E4E9518A3684BCF017E680BA6F25553C15E855D8 | |||
| 7084 | WerFault.exe | C:\Windows\appcompat\Programs\Amcache.hve | hiv | |
MD5:1F141B05E6EFFE8792EE7AE47791A0B4 | SHA256:D6805725C247CEB4BD49D875E25DEB6426E032FEBAFDA17AC79D87E9583F826E | |||
| 7084 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER9EEC.tmp.WERInternalMetadata.xml | xml | |
MD5:831C95F77DD687A4D7F857A4C5EB43CE | SHA256:2E86689B1ED8E2977EFA892EC1796F38AA7CFBE89C18755111BCE9C6E0C5C0EA | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
16
DNS requests
5
Threats
2
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
— | — | GET | 200 | 76.76.21.164:443 | https://solaraweb.vercel.app/asset/discord.txt | unknown | binary | 98 b | — |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
— | — | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
3888 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
— | — | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
6888 | Bootstrapper.exe | 76.76.21.22:443 | solaraweb.vercel.app | AMAZON-02 | US | unknown |
7084 | WerFault.exe | 20.189.173.20:443 | watson.events.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
solaraweb.vercel.app |
| unknown |
watson.events.data.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2256 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Cloud infrastructure to build app (vercel .app) |
2256 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Canva designs and to share platform (static .canva .com) |