analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

https://k-storage.com/krnl_bootstrapper.exe

Full analysis: https://app.any.run/tasks/17eb0860-2bf6-4f89-b6f3-e71292d3a712
Verdict: Malicious activity
Analysis date: January 14, 2022, 21:00:21
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

BE8BDFD89816E3EFF894F6866DE85E17

SHA1:

FB450E1E156A32C2D01E3E4B8F71C5FBBFB0F1F3

SHA256:

6C86401F5FC675E2AA611F42C4051AAC6625A05DAB2E8FCF81F1A766A736934B

SSDEEP:

3:N8EsXA3OXL0qDXEw4A:2EsXDXxLEw4A

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • krnl_bootstrapper.exe (PID: 2712)

  • SUSPICIOUS

    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 964)

    • Executable content was dropped or overwritten

      • iexplore.exe (PID: 964)
      • iexplore.exe (PID: 612)

    • Drops a file with a compile date too recent

      • iexplore.exe (PID: 964)
      • iexplore.exe (PID: 612)

    • Drops a file that was compiled in debug mode

      • iexplore.exe (PID: 612)

    • Checks supported languages

      • krnl_bootstrapper.exe (PID: 2712)

    • Reads the computer name

      • krnl_bootstrapper.exe (PID: 2712)

    • Reads Environment values

      • krnl_bootstrapper.exe (PID: 2712)

  • INFO

    • Checks supported languages

      • iexplore.exe (PID: 964)
      • iexplore.exe (PID: 612)
      • WISPTIS.EXE (PID: 3576)

    • Reads the computer name

      • iexplore.exe (PID: 964)
      • iexplore.exe (PID: 612)
      • WISPTIS.EXE (PID: 3576)

    • Reads the date of Windows installation

      • iexplore.exe (PID: 612)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 964)
      • iexplore.exe (PID: 612)
      • krnl_bootstrapper.exe (PID: 2712)

    • Application launched itself

      • iexplore.exe (PID: 612)

    • Checks Windows Trust Settings

      • iexplore.exe (PID: 964)
      • iexplore.exe (PID: 612)

    • Changes internet zones settings

      • iexplore.exe (PID: 612)

    • Modifies the phishing filter of IE

      • iexplore.exe (PID: 612)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
47
Monitored processes
5
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe krnl_bootstrapper.exe wisptis.exe no specs wisptis.exe

Process information

PID
CMD
Path
Indicators
Parent process
612"C:\Program Files\Internet Explorer\iexplore.exe" "https://k-storage.com/krnl_bootstrapper.exe"C:\Program Files\Internet Explorer\iexplore.exe
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
964"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:612 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
2712"C:\Users\admin\Downloads\krnl_bootstrapper.exe" C:\Users\admin\Downloads\krnl_bootstrapper.exe
iexplore.exe
User:
admin
Integrity Level:
MEDIUM
Description:
krnl_bootstrapper
Exit code:
3489660927
Version:
1.0.0.0
Modules
Images
c:\users\admin\downloads\krnl_bootstrapper.exe
c:\windows\system32\mscoree.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\rpcrt4.dll
2808"C:\Windows\SYSTEM32\WISPTIS.EXE" /ManualLaunch;C:\Windows\SYSTEM32\WISPTIS.EXEkrnl_bootstrapper.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Pen and Touch Input Component
Exit code:
3221226540
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\wisptis.exe
c:\windows\system32\ntdll.dll
3576"C:\Windows\SYSTEM32\WISPTIS.EXE" /ManualLaunch;C:\Windows\SYSTEM32\WISPTIS.EXE
krnl_bootstrapper.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Pen and Touch Input Component
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\wisptis.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
Total events
15 190
Read events
15 026
Write events
163
Delete events
1

Modification events

(PID) Process:(612) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPDaysSinceLastAutoMigration
Value:
1
(PID) Process:(612) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPLastLaunchLowDateTime
Value:
(PID) Process:(612) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPLastLaunchHighDateTime
Value:
30935433
(PID) Process:(612) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:writeName:NextCheckForUpdateLowDateTime
Value:
(PID) Process:(612) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:writeName:NextCheckForUpdateHighDateTime
Value:
30935433
(PID) Process:(612) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(612) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(612) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(612) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:writeName:CompatibilityFlags
Value:
0
(PID) Process:(612) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
Executable files
2
Suspicious files
7
Text files
3
Unknown types
4

Dropped files

PID
Process
Filename
Type
964iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\krnl_bootstrapper[1].exeexecutable
MD5:5332998BD933A7999AD2B432A2737681
SHA256:AF6318EF27ADE1A41AAC89551316AF63728B7A2715EDC8B5F899D006EF9484ED
612iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776binary
MD5:F204430F6B8CF72CDDA5E851194EE8EB
SHA256:E4792FB6A0F1EA69761314CD8D0D22C6635826ED89FFC98FDB29B84E66F53C1A
612iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{FD646595-757C-11EC-A20C-12A9866C77DE}.datbinary
MD5:9AD1F8D0A35E4DE182370D4D61325733
SHA256:C2CA39A3379124DE7385BAF1FBAD3E882AABF773A2BD74806335C7349DCC5267
964iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27der
MD5:3A9132FB193502EF5E73B14A1CF53955
SHA256:D8960D8C731B72AC75CCB4E9680234A9A7B085AEC9B5F446478B62F0C2438456
612iexplore.exeC:\Users\admin\AppData\Local\Temp\~DFDFF363FD5917B859.TMPgmc
MD5:414E0145DC9DEFC79A3B249604BA233E
SHA256:EBB42F88F14ADB7D4DA0204E7C33A070502E6E06D4BB74DA8223642A45E30EDE
612iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{FD646597-757C-11EC-A20C-12A9866C77DE}.datbinary
MD5:711FD68BBAA0D6E33E90F2EC15C42E09
SHA256:1050D1F36BF3EB257F01B8279F7E2DEE0F0677F3E6F55F6BE0235E3FB86E4E0F
612iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776der
MD5:ACE427D9E2E5197DA2F600C887DCFCB1
SHA256:9D985EC5E3675B2C7DED4535F7DE2CBE39934D67046E25C3D0466220FAFE9651
964iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27binary
MD5:2B51CA3D953D24AFA03FC79EDCAEC30D
SHA256:C790996D85C40F1CE48506761FC43FD491B259A01BEF99EFF74D6565320CC197
964iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157binary
MD5:D0460912EFD29CCAD7A93B60EA5C0401
SHA256:DFFE3FAA3D69B5DC52B83EC45C534C2FA3D616B4326A10032637F4F9E9CF2C14
612iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF7D892E46931BD041.TMPgmc
MD5:A2EA9C12E03153F405EDFE423DA989EA
SHA256:27095EA5BA58C666D95D4885CB59C35A0F8E350357B88DAFD096CE7E0BFDCE00
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
17
DNS requests
7
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
964
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D
US
der
1.47 Kb
whitelisted
612
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
US
der
471 b
whitelisted
964
iexplore.exe
GET
200
13.107.4.50:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?d8ce35b610dd58be
US
compressed
4.70 Kb
whitelisted
964
iexplore.exe
GET
200
13.107.4.50:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?50539304c6442a1b
US
compressed
4.70 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.2:53
whitelisted
612
iexplore.exe
152.199.19.161:443
iecvlist.microsoft.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
964
iexplore.exe
104.21.59.160:443
k-storage.com
Cloudflare Inc
US
suspicious
2712
krnl_bootstrapper.exe
172.67.147.98:443
cdn.krnl.ca
US
malicious
2712
krnl_bootstrapper.exe
104.21.59.160:443
k-storage.com
Cloudflare Inc
US
suspicious
964
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
612
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
964
iexplore.exe
13.107.4.50:80
ctldl.windowsupdate.com
Microsoft Corporation
US
whitelisted

DNS requests

Domain
IP
Reputation
k-storage.com
  • 104.21.59.160
  • 172.67.180.232
malicious
ctldl.windowsupdate.com
  • 13.107.4.50
whitelisted
www.microsoft.com
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted
r20swj13mr.microsoft.com
  • 152.199.19.161
whitelisted
cdn.krnl.ca
  • 172.67.147.98
  • 104.21.39.171
malicious

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
https://k-storage.com/krnl_bootstrapper.exe