Analysis

  • max time kernel
    152s
  • max time network
    160s
  • platform
    windows10-1703_x64
  • resource
    win10-20231215-en
  • resource tags
    arch:x64 arch:x86 image:win10-20231215-en locale:en-us os:windows10-1703-x64 system
  • submitted
    01-02-2024 23:54

General

  • Target

    buil.exe

  • Size

    154.7MB

  • MD5

    eb4db120164dceb943d6a0dfa3334bbe

  • SHA1

    375e8322e5db1057ff59615e83ac6befa624307c

  • SHA256

    c36d9e9168d32ffc1517ae6404899f4372277bac2a48f2190fc04ac706ee1f76

  • SHA512

    a7f42c27d649441523513fd450592c9a2a7a5b8f015767d51ba8bfe9381ee7930428bbd25486c73fe36d83f36eae8be42142058ab965c69ce734f04c74cc33c9

  • SSDEEP

    1572864:OCquurbtqKajQe7vqrTU4PrCsdCXrBngPE1cG7VOWe2IkBmUgq3Fd6iU3x6VCdbm:0DAgZi

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs
  • An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\buil.exe
    "C:\Users\Admin\AppData\Local\Temp\buil.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4776
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1928
      • C:\Windows\system32\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:3496
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,55,213,127,179,217,50,135,73,161,47,158,187,232,16,175,48,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,155,143,185,165,169,13,167,161,224,25,145,155,23,157,194,128,183,40,108,145,255,68,207,119,255,113,95,107,47,25,40,220,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,10,153,216,39,183,151,38,44,15,232,88,79,203,158,225,106,186,42,125,129,148,130,50,229,23,213,236,26,92,18,11,133,48,0,0,0,208,224,85,52,250,179,179,137,172,76,37,163,137,35,111,63,153,32,163,98,16,221,64,70,125,181,13,203,227,42,3,218,116,169,103,78,0,23,193,113,61,73,102,108,68,228,147,13,64,0,0,0,176,119,235,239,1,23,125,232,199,79,39,226,166,113,225,148,190,225,253,224,153,129,150,179,177,142,161,191,22,136,0,88,232,47,90,80,119,153,166,55,141,168,186,42,254,179,29,23,203,13,254,255,171,115,150,112,195,200,76,29,94,20,159,157), $null, 'CurrentUser')"
      2⤵
      • An obfuscated cmd.exe command-line is typically used to evade detection.
      • Suspicious use of WriteProcessMemory
      PID:3380
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,55,213,127,179,217,50,135,73,161,47,158,187,232,16,175,48,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,155,143,185,165,169,13,167,161,224,25,145,155,23,157,194,128,183,40,108,145,255,68,207,119,255,113,95,107,47,25,40,220,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,10,153,216,39,183,151,38,44,15,232,88,79,203,158,225,106,186,42,125,129,148,130,50,229,23,213,236,26,92,18,11,133,48,0,0,0,208,224,85,52,250,179,179,137,172,76,37,163,137,35,111,63,153,32,163,98,16,221,64,70,125,181,13,203,227,42,3,218,116,169,103,78,0,23,193,113,61,73,102,108,68,228,147,13,64,0,0,0,176,119,235,239,1,23,125,232,199,79,39,226,166,113,225,148,190,225,253,224,153,129,150,179,177,142,161,191,22,136,0,88,232,47,90,80,119,153,166,55,141,168,186,42,254,179,29,23,203,13,254,255,171,115,150,112,195,200,76,29,94,20,159,157), $null, 'CurrentUser')
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5004
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3952
      • C:\Windows\system32\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:420
    • C:\Users\Admin\AppData\Local\Temp\buil.exe
      "C:\Users\Admin\AppData\Local\Temp\buil.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\buil" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1752 --field-trial-handle=1788,i,7201427309038693703,13920902660598697252,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      2⤵
      PID:2784
    • C:\Users\Admin\AppData\Local\Temp\buil.exe
      "C:\Users\Admin\AppData\Local\Temp\buil.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\buil" --mojo-platform-channel-handle=2056 --field-trial-handle=1788,i,7201427309038693703,13920902660598697252,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
      2⤵
      PID:2200
    • C:\Users\Admin\AppData\Local\Temp\buil.exe
      "C:\Users\Admin\AppData\Local\Temp\buil.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --user-data-dir="C:\Users\Admin\AppData\Roaming\buil" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1212 --field-trial-handle=1788,i,7201427309038693703,13920902660598697252,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4804

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jqyfkbfa.gwp.ps1
    Filesize
    1B
    MD5
    c4ca4238a0b923820dcc509a6f75849b
    SHA1
    356a192b7913b04c54574d18c28d46e6395428ab
    SHA256
    6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
    SHA512
    4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

  • \Users\Admin\AppData\Local\Temp\f5a1dad6-5c9a-4cc7-8f7e-51945d641c92.tmp.node
    Filesize
    1.8MB
    MD5
    3072b68e3c226aff39e6782d025f25a8
    SHA1
    cf559196d74fa490ac8ce192db222c9f5c5a006a
    SHA256
    7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01
    SHA512
    61ebc72c20195e99244d95af1ab44fa06201a1aee2b5da04490fdc4312e8324a40b0e15a7b42fab5179753d767c1d08ae1a7a56ac71a6e100e63f83db849ee61

  • memory/5004-14-0x000001E24F5A0000-0x000001E24F5C2000-memory.dmp
    Filesize
    136KB

  • memory/5004-16-0x00007FFF96360000-0x00007FFF96D4C000-memory.dmp
    Filesize
    9.9MB

  • memory/5004-19-0x000001E267B70000-0x000001E267B80000-memory.dmp
    Filesize
    64KB

  • memory/5004-17-0x000001E267B70000-0x000001E267B80000-memory.dmp
    Filesize
    64KB

  • memory/5004-20-0x000001E267C80000-0x000001E267CF6000-memory.dmp
    Filesize
    472KB

  • memory/5004-47-0x000001E267AD0000-0x000001E267B20000-memory.dmp
    Filesize
    320KB

  • memory/5004-77-0x00007FFF96360000-0x00007FFF96D4C000-memory.dmp
    Filesize
    9.9MB