Analysis

  • max time kernel
    834s
  • max time network
    871s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/07/2024, 12:05

General

  • Target

    builder.exe

  • Size

    1.9MB

  • MD5

    0f13b4c0708eed6b069980e54aadd23e

  • SHA1

    e6e527ceaefb3720315fdcf7d3d846af7a663c88

  • SHA256

    c0844a38173264b931e81c45724383ce6c5ec2080d8e3fdb55db219ac19e1d08

  • SHA512

    089009f40035255e2639237d0a9593dcd43419fbc9dfdd12d71cce8c02628a494ad833ad79f706099fbe0f72545ceb9c9062fa88d216e59a27ce8f70aa4d7159

  • SSDEEP

    24576:2TbBv5rUyXV4mEz82Z6d+aj9J2FxeZ3lN7pGg+5c9zC5idrUCLWlu+56iWQ:IBJ4n82UgF493lGF5UpyCLWYSf

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 37 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\builder.exe
    "C:\Users\Admin\AppData\Local\Temp\builder.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:540
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\containersaves\8uySZoy98fCiqtbcRIfNjg.vbe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:1496
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\containersaves\eWVyYUAXBt0pGoflKtBAovPk1T6a5FOOAXrP9rnub34L56gBaGIA2jLwGwBU.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3340
        • C:\containersaves\Agentreview.exe
          "C:\containersaves/Agentreview.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2492
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kG8uJzjuxE.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4428
            • C:\Windows\system32\chcp.com
              chcp 65001
              6⤵
                PID:4536
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                6⤵
                  PID:5048
                • C:\Users\Default User\cmd.exe
                  "C:\Users\Default User\cmd.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious behavior: GetForegroundWindowSpam
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1140
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://v9lu.gitbook.io/builder-za-usd15-kto-stoit-zakulisami-celestialrat/
                    7⤵
                      PID:2348
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4500,i,9746875443948590908,1444894342962555245,262144 --variations-seed-version --mojo-platform-channel-handle=4180 /prefetch:8
          1⤵
            PID:3632
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=3412,i,9746875443948590908,1444894342962555245,262144 --variations-seed-version --mojo-platform-channel-handle=3800 /prefetch:1
            1⤵
              PID:2532
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=1280,i,9746875443948590908,1444894342962555245,262144 --variations-seed-version --mojo-platform-channel-handle=1292 /prefetch:1
              1⤵
                PID:2892
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --field-trial-handle=4844,i,9746875443948590908,1444894342962555245,262144 --variations-seed-version --mojo-platform-channel-handle=5296 /prefetch:1
                1⤵
                  PID:4884
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=5432,i,9746875443948590908,1444894342962555245,262144 --variations-seed-version --mojo-platform-channel-handle=5440 /prefetch:8
                  1⤵
                    PID:1576
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5460,i,9746875443948590908,1444894342962555245,262144 --variations-seed-version --mojo-platform-channel-handle=5472 /prefetch:8
                    1⤵
                      PID:3564
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --field-trial-handle=5276,i,9746875443948590908,1444894342962555245,262144 --variations-seed-version --mojo-platform-channel-handle=6004 /prefetch:1
                      1⤵
                        PID:4988
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6000,i,9746875443948590908,1444894342962555245,262144 --variations-seed-version --mojo-platform-channel-handle=6148 /prefetch:8
                        1⤵
                          PID:4928
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --field-trial-handle=5736,i,9746875443948590908,1444894342962555245,262144 --variations-seed-version --mojo-platform-channel-handle=5488 /prefetch:8
                          1⤵
                            PID:3900
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=5448,i,9746875443948590908,1444894342962555245,262144 --variations-seed-version --mojo-platform-channel-handle=5484 /prefetch:8
                            1⤵
                              PID:3992

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\kG8uJzjuxE.bat
    Filesize: 205B
    MD5: d922c98357beead3cb1f4af7ba306b8c
    SHA1: 604fc0d270cd6122bb429b802dcba5668dba181e
    SHA256: 43a7f1b75441c4fad0c32e604f589dc5dd7ff73057dd103988d0f6ff3a9270b1
    SHA512: 383db1f6768ab4a2a4d14b987df90b702bbc2c136b42545f2c554f3d3d4dbb65558d02dacd52276ab2fd7314e36246e52485cba75c898192a22370e57b90a388

  • C:\containersaves\8uySZoy98fCiqtbcRIfNjg.vbe
    Filesize: 252B
    MD5: c2090f1d6715e0748933951e17fcecad
    SHA1: 6a07f3b90aa338b7c2f95a93bb2de5a0daf5aa7b
    SHA256: 60357f512a9f6b3b7c88e8902f11f2b294a5acacc277974d2b95e110fd6fa831
    SHA512: fd5d3479d24511035773b3e0b92aef580c42b7399373d713bb9e0fa415bc70824140288c8c77e62658d9cbe5358898449a10ba58e018f8a140d090216c78f4b6

  • C:\containersaves\Agentreview.exe
    Filesize: 1.6MB
    MD5: 1e6b3c0a7b128d05959b265c3e23704f
    SHA1: 102112823136d6ffed9abfdc0313fdcafb9f4870
    SHA256: 3b14895e2fd31f6632d51b61d93abac3549c88b0c208fe385282c23ea7b46d0d
    SHA512: 77096ae02cdbcf9978c2e05854d014f7baf43340d08a54c6481312e95e18cbec5c8f02435091e3a7899e8be6bbae68954aa53725e5be378c075850ee6bd49a62

  • C:\containersaves\eWVyYUAXBt0pGoflKtBAovPk1T6a5FOOAXrP9rnub34L56gBaGIA2jLwGwBU.bat
    Filesize: 78B
    MD5: 470ff6d6cb43db98d95687fab539386f
    SHA1: d991bf6bc20eaf162f3b0c568063fe1247e1a216
    SHA256: 506fa240ad01db0c86849be9c1da30b2754663b4a8f5bb76fec78e22dbf0ded9
    SHA512: e2fee7237493bdbf49be89d222f4ff37a3f5451e000eaef6ad49b85a9c7daebb24ad5d79789d11053dbfeea8e86b376c286918b861fe135674ca87b4c4c2c3a4

  • memory/1140-38-0x00000000023E0000-0x00000000023F0000-memory.dmp
    Filesize: 64KB

  • memory/2492-14-0x00007FFB401F3000-0x00007FFB401F5000-memory.dmp
    Filesize: 8KB

  • memory/2492-15-0x0000000000CD0000-0x0000000000E68000-memory.dmp
    Filesize: 1.6MB

  • memory/2492-32-0x000000001BC20000-0x000000001BDC9000-memory.dmp
    Filesize: 1.7MB