Overview
Static (score 8)
MetaBuilder.zip (score 3), windows10-2004-x64
MetaBuilde...in.dll (score 1), windows10-2004-x64
MetaBuilde...er.exe (score 1), windows10-2004-x64
MetaBuilde...xe.xml (score 8), windows10-2004-x64
MetaBuilde...er.pdb (score 1), windows10-2004-x64
MetaBuilder/dnlib.dll (score 3), windows10-2004-x64
MetaBuilder/dnlib.xml (score 1), windows10-2004-x64
MetaBuilde...st.exe (score 1), windows10-2004-x64
Analysis (score 3)
max time kernel: 226s
max time network: 236s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-06-2024 19:06
Static task: static1
Behavioral task behavioral1: sample MetaBuilder.zip, resource win10v2004-20240611-en
Behavioral task behavioral2: sample MetaBuilder/MaterialSkin.dll, resource win10v2004-20240508-en
Behavioral task behavioral3: sample MetaBuilder/MetaBuilder.exe, resource win10v2004-20240611-en
Behavioral task behavioral4: sample MetaBuilder/MetaBuilder.exe.xml, resource win10v2004-20240611-en
Behavioral task behavioral5: sample MetaBuilder/MetaBuilder.pdb, resource win10v2004-20240508-en
Behavioral task behavioral6: sample MetaBuilder/dnlib.dll, resource win10v2004-20240611-en
Behavioral task behavioral7: sample MetaBuilder/dnlib.xml, resource win10v2004-20240611-en
Behavioral task behavioral8: sample MetaBuilder/localhost.exe, resource win10v2004-20240508-en
General
Target: MetaBuilder/localhost.exe
Size: 15KB
MD5: 370da482fb58f93035d09077248b9b5c
SHA1: 7ae2de3498675051b4510080fe0a6bc35ff994d7
SHA256: 0e74f8d729d60528def2b52cb20e45b60828d816dadfc6c3b2ec672e346ba659
SHA512: 8d41e28eef203b416ebeba8d8f6e2d5de32eac32ec40f5e9a0f43d82e919b5fd6a57a386058c4feaa65adba10e12de1fd7a7a80da430f51183c6a2ede927baa5
SSDEEP: 192:e57hld1ooEEt6dmi/yXYO9ghZcuyK+slH9gN8wYLgCQqF+h:g7LgREt6dmyyZ9ghCnKrH9DzLvQB
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Delays execution with timeout.exe (1 IoCs)
  Processes:
  pid  | Process
  3300 | timeout.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description              | pid  | Process
  Token: SeDebugPrivilege  | 1436 | localhost.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  description                          | pid  | Process       | procid_target
  PID 1436 wrote to memory of 4620     | 1436 | localhost.exe | 80
  PID 1436 wrote to memory of 4620     | 1436 | localhost.exe | 80
  PID 4620 wrote to memory of 3300     | 4620 | cmd.exe       | 82
  PID 4620 wrote to memory of 3300     | 4620 | cmd.exe       | 82
Processes
- C:\Users\Admin\AppData\Local\Temp\MetaBuilder\localhost.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\MetaBuilder\localhost.exe"
  PID: 1436
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\cmd.exe
    Command line: "cmd" /c timeout /t 1 && DEL /f localhost.exe
    PID: 4620
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\timeout.exe
      Command line: timeout /t 1
      PID: 3300
      - Delays execution with timeout.exe