Overview

overview

7

Static

static

1

BuilderTri...21.exe

windows7-x64

7

BuilderTri...21.exe

windows10-2004-x64

7

Resubmissions

16/02/2023, 22:19

230216-18qm2aca41 7

16/02/2023, 21:01

230216-zt5b7sbf3y 7

Analysis

  • max time kernel
    29s
  • max time network
    35s
  • platform
    windows7_x64
  • resource
    win7-20221111-es
  • resource tags

    arch:x64arch:x86image:win7-20221111-eslocale:es-esos:windows7-x64systemwindows
  • submitted
    16/02/2023, 22:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    BuilderTrialSetup_v421.exe

  • Size

    14.0MB

  • MD5

    b47f848f5cea33277904f09b0c19a801

  • SHA1

    417612ba19caa0a85082a4c3453bc20c81822d0e

  • SHA256

    e8e4eda49700f8b5dac70bcaab5ac159b4d2460adbbc1eac6494598b4cb4bc64

  • SHA512

    9da2ad81a3ccb17b6b075073aa2be05d568ea9df655a2e4512e8fb102d785b6c7caf5fa3a98448652ee4d7a15c50eddcdc3dd22ea07e01a6fa1314d81a92f8b7

  • SSDEEP

    196608:jrtMyZPifnNbT/3vl9gncxEBxtRNwXOvX72h0WzfDeoqvw1YF8jD+EshvGf12+:3iwPifFn8xtRGXOvX7y0a6oC8v8r+

Score
7/10
discovery

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 63 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 20 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\BuilderTrialSetup_v421.exe
    "C:\Users\Admin\AppData\Local\Temp\BuilderTrialSetup_v421.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1124
    • C:\Users\Admin\AppData\Local\Temp\is-TAKIR.tmp\BuilderTrialSetup_v421.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-TAKIR.tmp\BuilderTrialSetup_v421.tmp" /SL5="$70132,14295506,228864,C:\Users\Admin\AppData\Local\Temp\BuilderTrialSetup_v421.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:532
      • C:\Users\Admin\AppData\Local\Temp\is-VH33E.tmp\_isetup\_setup64.tmp
        helper 105 0x1CC
        3⤵
        • Executes dropped EXE
        PID:672

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\is-TAKIR.tmp\BuilderTrialSetup_v421.tmp
    Filesize

    869KB

    MD5

    fb119f40853685d8c63258db515b5add

    SHA1

    182ea9074ca47070fd3f3db850038f1744df7797

    SHA256

    1654fd77b14dc5ace932add32ff59f0be3a0ac0cb2622c05ddd626812de48444

    SHA512

    5f89ac0193c908e790079e38f5ab36dc8299e03da699ff9f4bc914177642185f531de28a89c86d5b267f3f564ade334ee30ef868f50f81dda946009363b04c8d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-TAKIR.tmp\BuilderTrialSetup_v421.tmp
    Filesize

    869KB

    MD5

    fb119f40853685d8c63258db515b5add

    SHA1

    182ea9074ca47070fd3f3db850038f1744df7797

    SHA256

    1654fd77b14dc5ace932add32ff59f0be3a0ac0cb2622c05ddd626812de48444

    SHA512

    5f89ac0193c908e790079e38f5ab36dc8299e03da699ff9f4bc914177642185f531de28a89c86d5b267f3f564ade334ee30ef868f50f81dda946009363b04c8d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-VH33E.tmp\_isetup\_setup64.tmp
    Filesize

    6KB

    MD5

    e4211d6d009757c078a9fac7ff4f03d4

    SHA1

    019cd56ba687d39d12d4b13991c9a42ea6ba03da

    SHA256

    388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95

    SHA512

    17257f15d843e88bb78adcfb48184b8ce22109cc2c99e709432728a392afae7b808ed32289ba397207172de990a354f15c2459b6797317da8ea18b040c85787e

    Download Submit

  • \Program Files\Adaptrade Software\Adaptrade Builder 4.2.1\BuilderTrial.exe
    Filesize

    16.8MB

    MD5

    f4e9db8d6430f4f2be65266f5a25979b

    SHA1

    6e66e6fd0f9c13b2f8d8d570482f7ce03354fa01

    SHA256

    f09250345471a560d2debc92ce6e3becbfca67dd936ba6a8bdf3eaea86062b5c

    SHA512

    dde439a5135c9ff42ec63952be6b50234688918bf71e226b8875e800afc02b33ad3a4abf2b50d29e4101434fd563c5552fc8d7263ac2a6eacec932b7da278ad4

    Download Submit

  • \Users\Admin\AppData\Local\Temp\is-TAKIR.tmp\BuilderTrialSetup_v421.tmp
    Filesize

    869KB

    MD5

    fb119f40853685d8c63258db515b5add

    SHA1

    182ea9074ca47070fd3f3db850038f1744df7797

    SHA256

    1654fd77b14dc5ace932add32ff59f0be3a0ac0cb2622c05ddd626812de48444

    SHA512

    5f89ac0193c908e790079e38f5ab36dc8299e03da699ff9f4bc914177642185f531de28a89c86d5b267f3f564ade334ee30ef868f50f81dda946009363b04c8d

    Download Submit

  • \Users\Admin\AppData\Local\Temp\is-VH33E.tmp\_isetup\_setup64.tmp
    Filesize

    6KB

    MD5

    e4211d6d009757c078a9fac7ff4f03d4

    SHA1

    019cd56ba687d39d12d4b13991c9a42ea6ba03da

    SHA256

    388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95

    SHA512

    17257f15d843e88bb78adcfb48184b8ce22109cc2c99e709432728a392afae7b808ed32289ba397207172de990a354f15c2459b6797317da8ea18b040c85787e

    Download Submit

  • memory/532-66-0x0000000074A71000-0x0000000074A73000-memory.dmp

    Filesize

    8KB

    Download

  • memory/672-65-0x000007FEFBF11000-0x000007FEFBF13000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1124-61-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1124-54-0x0000000076331000-0x0000000076333000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1124-55-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

    Download