Task scores (from the report tab list):
Overview: 10
Static: 3
ProjectMainGitHub.zip (windows7-x64): 1
ProjectMainGitHub.zip (windows10-2004-x64): 1
ProjectGit...ine.js (windows7-x64): 1
ProjectGit...ine.js (windows10-2004-x64): 1
ProjectGit...er.exe (windows7-x64): 7
ProjectGit...er.exe (windows10-2004-x64): 10
ProjectGit...on.dll (windows7-x64): 1
ProjectGit...on.dll (windows10-2004-x64): 1
ProjectGit...rB.exe (windows7-x64): 1
ProjectGit...rB.exe (windows10-2004-x64): 7
ProjectGit...rS.exe (windows7-x64): 1
ProjectGit...rS.exe (windows10-2004-x64): 7
ProjectGit...cv.jar (windows7-x64): 1
ProjectGit...cv.jar (windows10-2004-x64): 1
ProjectGit...32.dll (windows10-2004-x64): 1
ProjectGit..._datas (windows7-x64): 1
ProjectGit..._datas (windows10-2004-x64): 1
ProjectGit...prefix (windows7-x64): 1
ProjectGit...prefix (windows10-2004-x64): 1
ProjectGit...tingss (windows7-x64): 1
ProjectGit...tingss (windows10-2004-x64): 1
ProjectGit...ersion (windows7-x64): 1
ProjectGit...ersion (windows10-2004-x64): 1
ProjectGit...ersion (windows7-x64): 1
ProjectGit...ersion (windows10-2004-x64): 1
ProjectGit...et.dll (windows7-x64): 1
ProjectGit...et.dll (windows10-2004-x64): 1

Analysis
max time kernel: 44s
max time network: 52s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 28-03-2024 14:42
Static task
static1

Behavioral tasks (task: sample, resource)
behavioral1: ProjectMainGitHub.zip, win7-20240221-en
behavioral2: ProjectMainGitHub.zip, win10v2004-20240226-en
behavioral3: ProjectGitHubMain/Engine.js, win7-20231129-en
behavioral4: ProjectGitHubMain/Engine.js, win10v2004-20240226-en
behavioral5: ProjectGitHubMain/Loader.exe, win7-20240221-en
behavioral6: ProjectGitHubMain/Loader.exe, win10v2004-20240226-en
behavioral7: ProjectGitHubMain/Newtonsoft.Json.dll, win7-20240221-en
behavioral8: ProjectGitHubMain/Newtonsoft.Json.dll, win10v2004-20240226-en
behavioral9: ProjectGitHubMain/bin/UbuilderB.exe, win7-20240215-en
behavioral10: ProjectGitHubMain/bin/UbuilderB.exe, win10v2004-20240226-en
behavioral11: ProjectGitHubMain/bin/UbuilderS.exe, win7-20240221-en
behavioral12: ProjectGitHubMain/bin/UbuilderS.exe, win10v2004-20240226-en
behavioral13: ProjectGitHubMain/bin/scv.jar, win7-20240220-en
behavioral14: ProjectGitHubMain/bin/scv.jar, win10v2004-20231215-en
behavioral15: ProjectGitHubMain/opengl32.dll, win10v2004-20240226-en
behavioral16: ProjectGitHubMain/packages/key_datas, win7-20240221-en
behavioral17: ProjectGitHubMain/packages/key_datas, win10v2004-20240226-en
behavioral18: ProjectGitHubMain/packages/prefix, win7-20240221-en
behavioral19: ProjectGitHubMain/packages/prefix, win10v2004-20240226-en
behavioral20: ProjectGitHubMain/packages/settingss, win7-20240215-en
behavioral21: ProjectGitHubMain/packages/settingss, win10v2004-20240226-en
behavioral22: ProjectGitHubMain/user_data/cache/version, win7-20240220-en
behavioral23: ProjectGitHubMain/user_data/cache/version, win10v2004-20240226-en
behavioral24: ProjectGitHubMain/user_data/media_cache/version, win7-20231129-en
behavioral25: ProjectGitHubMain/user_data/media_cache/version, win10v2004-20240319-en
behavioral26: ProjectGitHubMain/xNet.dll, win7-20240221-en
behavioral27: ProjectGitHubMain/xNet.dll, win10v2004-20240226-en
General
Target: ProjectGitHubMain/Loader.exe
Size: 66.5MB
MD5: ab5dcb490674475c7d9937d8022fa500
SHA1: 8c85c43c9bb5f230362458a9b086cb0c6831fa57
SHA256: f34c10bcc40f46873231ea3b379a405a95a6dd152503adb5b764d22348a7bd23
SHA512: a52ab0a78ca0c62329d34ee1077d4a3e28b803ead82ed19fe5ea42b6b5517a8a754a1bbc23e5c9ebe7aacd542772f3d263ae5477e845794d43ab13655ae300d8
SSDEEP: 393216:mJov7+fr01+Mdu48o+UDWluZyiA5rptiv/slzx8uy60d+HEYXEyN:myvSzCkYJWl0arptin4xbyJdQZ/N
Malware Config
Signatures

Executes dropped EXE (1 IoC)
Processes (pid, process):
  2636  driver1.exe

Loads dropped DLL (1 IoC)
Processes (pid, process):
  1720  Loader.exe

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid, process):
  1612  schtasks.exe
  1964  schtasks.exe

GoLang User-Agent (2 IoCs)
Uses default user-agent string defined by GoLang HTTP packages.
Processes (description, flow, IoC):
  HTTP User-Agent header  5  Go-http-client/1.1
  HTTP User-Agent header  7  Go-http-client/1.1

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes (pid, process):
  2488  powershell.exe
  2544  powershell.exe

Suspicious use of AdjustPrivilegeToken (42 IoCs)
Processes (description, pid, process):
  Token: SeDebugPrivilege  2488  powershell.exe
  Token: SeDebugPrivilege  2544  powershell.exe
  Token: SeIncreaseQuotaPrivilege  2396  wmic.exe
  Token: SeSecurityPrivilege  2396  wmic.exe
  Token: SeTakeOwnershipPrivilege  2396  wmic.exe
  Token: SeLoadDriverPrivilege  2396  wmic.exe
  Token: SeSystemProfilePrivilege  2396  wmic.exe
  Token: SeSystemtimePrivilege  2396  wmic.exe
  Token: SeProfSingleProcessPrivilege  2396  wmic.exe
  Token: SeIncBasePriorityPrivilege  2396  wmic.exe
  Token: SeCreatePagefilePrivilege  2396  wmic.exe
  Token: SeBackupPrivilege  2396  wmic.exe
  Token: SeRestorePrivilege  2396  wmic.exe
  Token: SeShutdownPrivilege  2396  wmic.exe
  Token: SeDebugPrivilege  2396  wmic.exe
  Token: SeSystemEnvironmentPrivilege  2396  wmic.exe
  Token: SeRemoteShutdownPrivilege  2396  wmic.exe
  Token: SeUndockPrivilege  2396  wmic.exe
  Token: SeManageVolumePrivilege  2396  wmic.exe
  Token: 33  2396  wmic.exe
  Token: 34  2396  wmic.exe
  Token: 35  2396  wmic.exe
  Token: SeIncreaseQuotaPrivilege  2396  wmic.exe
  Token: SeSecurityPrivilege  2396  wmic.exe
  Token: SeTakeOwnershipPrivilege  2396  wmic.exe
  Token: SeLoadDriverPrivilege  2396  wmic.exe
  Token: SeSystemProfilePrivilege  2396  wmic.exe
  Token: SeSystemtimePrivilege  2396  wmic.exe
  Token: SeProfSingleProcessPrivilege  2396  wmic.exe
  Token: SeIncBasePriorityPrivilege  2396  wmic.exe
  Token: SeCreatePagefilePrivilege  2396  wmic.exe
  Token: SeBackupPrivilege  2396  wmic.exe
  Token: SeRestorePrivilege  2396  wmic.exe
  Token: SeShutdownPrivilege  2396  wmic.exe
  Token: SeDebugPrivilege  2396  wmic.exe
  Token: SeSystemEnvironmentPrivilege  2396  wmic.exe
  Token: SeRemoteShutdownPrivilege  2396  wmic.exe
  Token: SeUndockPrivilege  2396  wmic.exe
  Token: SeManageVolumePrivilege  2396  wmic.exe
  Token: 33  2396  wmic.exe
  Token: 34  2396  wmic.exe
  Token: 35  2396  wmic.exe

Suspicious use of WriteProcessMemory (18 IoCs)
Processes (description, pid, process, procid_target):
  PID 1720 wrote to memory of 2488  1720  Loader.exe  29
  PID 1720 wrote to memory of 2488  1720  Loader.exe  29
  PID 1720 wrote to memory of 2488  1720  Loader.exe  29
  PID 1720 wrote to memory of 2544  1720  Loader.exe  31
  PID 1720 wrote to memory of 2544  1720  Loader.exe  31
  PID 1720 wrote to memory of 2544  1720  Loader.exe  31
  PID 1720 wrote to memory of 2396  1720  Loader.exe  33
  PID 1720 wrote to memory of 2396  1720  Loader.exe  33
  PID 1720 wrote to memory of 2396  1720  Loader.exe  33
  PID 1720 wrote to memory of 2636  1720  Loader.exe  35
  PID 1720 wrote to memory of 2636  1720  Loader.exe  35
  PID 1720 wrote to memory of 2636  1720  Loader.exe  35
  PID 1720 wrote to memory of 1612  1720  Loader.exe  38
  PID 1720 wrote to memory of 1612  1720  Loader.exe  38
  PID 1720 wrote to memory of 1612  1720  Loader.exe  38
  PID 1720 wrote to memory of 1964  1720  Loader.exe  40
  PID 1720 wrote to memory of 1964  1720  Loader.exe  40
  PID 1720 wrote to memory of 1964  1720  Loader.exe  40

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (indentation shows parent/child depth; children are spawned by the level-1 process)

C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\Loader.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\Loader.exe"
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  PID: 1720

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath \"C:\ProgramData\Microsoft\\\""
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      PID: 2488

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath \"C:\ProgramData\""
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      PID: 2544

    C:\Windows\System32\Wbem\wmic.exe
      Command line: wmic csproduct get uuid
      Signatures: Suspicious use of AdjustPrivilegeToken
      PID: 2396

    C:\ProgramData\driver1.exe
      Command line: C:\ProgramData\driver1.exe
      Signatures: Executes dropped EXE
      PID: 2636

    C:\Windows\system32\schtasks.exe
      Command line: schtasks /create /tn WinDriver /tr C:\ProgramData\Microsoft\WinDriver.cmd /sc onstart /ru SYSTEM
      Signatures: Creates scheduled task(s)
      PID: 1612

    C:\Windows\system32\schtasks.exe
      Command line: schtasks /create /tn WinDriver /tr C:\ProgramData\Microsoft\WinDriver.cmd /sc onstart /ru SYSTEM
      Signatures: Creates scheduled task(s)
      PID: 1964
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 3.9MB
MD5: c9ba72dd40efccd9ea8b199984bfcea8
SHA1: 047bb1776528de85752efb7e5cd8505637db610f
SHA256: 1ee785bcc72ba77941a98128ee17cd5fa85e86c8056fc0ec607392075b16f481
SHA512: 2bba3781fab039f210c637b54c77be771733c2adf5a6e8064a6ec803b9d798d5ed820c950cf70501411a4ef4009640e8eb9e9a3fa7dd3b97ba2b8a181c5cdec8

Filesize: 68KB
MD5: 29f65ba8e88c063813cc50a4ea544e93
SHA1: 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256: 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512: e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Filesize: 177KB
MD5: 435a9ac180383f9fa094131b173a2f7b
SHA1: 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256: 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512: 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\F77MPMEYIAUPPSS7KL03.temp
Filesize: 7KB
MD5: 06057887ade6eb73cf58b921f039021c
SHA1: 38c3449442275fa9d0734cdc01f349e75654d680
SHA256: 7332c0511b7407e632c228283b758b69da001e3a4e0517cbd4efd0a569844d3a
SHA512: 523ee08c93a2d2fcd721239c6e95b3e3265860ff3ec386a6239be21c8f01e1774bf820980c4ade9be0e39ef49e7370f5bb9bf6252153292110864031987ddd86