Analysis

  • max time kernel
    142s
  • max time network
    149s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    04-08-2024 00:53

General

  • Target

    brbbot.exe

  • Size

    74KB

  • MD5

    1c7243c8f3586b799a5f9a2e4200aa92

  • SHA1

    4db5a8e237937b6d7b435a8506b8584121a7e9e3

  • SHA256

    f47060d0f7de5ee651878eb18dd2d24b5003bdb03ef4f49879f448f05034a21e

  • SHA512

    56cdf52cfcc102d2c8cc90e5a298eeaefd44002061108b0d6b330bb93c3590b3f8b2c3c4e1fa208fafeefa7dafa092bd0f57d3cf905382f88b9f66a5d84357fd

  • SSDEEP

    1536:b6sMD3H8V3jsUnHLiREsTbDV/48OO4vh47483gLi9+LSG:b6srVzJiRrTHVORe75g4+LS

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in Windows directory 4 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 34 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
  • Suspicious use of FindShellTrayWindow 26 IoCs
  • Suspicious use of SendNotifyMessage 12 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\brbbot.exe
    "C:\Users\Admin\AppData\Local\Temp\brbbot.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    PID:328
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
    1⤵
      PID:4800
    • C:\Windows\System32\oobe\UserOOBEBroker.exe
      C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
      1⤵
      • Drops file in Windows directory
      PID:3764
    • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
      C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
      1⤵
      • System Location Discovery: System Language Discovery
      PID:3980
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\ClearUpdate.docx" /o ""
      1⤵
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:4168
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\WatchResize.svg
      1⤵
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2764
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff80b863cb8,0x7ff80b863cc8,0x7ff80b863cd8
        2⤵
          PID:3928
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1860,10007768421006911084,2235620729470394665,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2012 /prefetch:2
          2⤵
            PID:4076
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1860,10007768421006911084,2235620729470394665,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 /prefetch:3
            2⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:3728
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1860,10007768421006911084,2235620729470394665,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2548 /prefetch:8
            2⤵
              PID:3864
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,10007768421006911084,2235620729470394665,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
              2⤵
                PID:4588
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,10007768421006911084,2235620729470394665,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
                2⤵
                  PID:4352
              • C:\Windows\System32\CompPkgSrv.exe
                C:\Windows\System32\CompPkgSrv.exe -Embedding
                1⤵
                  PID:4600
                • C:\Windows\System32\CompPkgSrv.exe
                  C:\Windows\System32\CompPkgSrv.exe -Embedding
                  1⤵
                    PID:3092

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize: 152B
    MD5: b0177afa818e013394b36a04cb111278
    SHA1: dbc5c47e7a7df24259d67edf5fbbfa1b1fae3fe5
    SHA256: ffc2c53bfd37576b435309c750a5b81580a076c83019d34172f6635ff20c2a9d
    SHA512: d3b9e3a0a99f191edcf33f3658abd3c88afbb12d7b14d3b421b72b74d551b64d2a13d07db94c90b85606198ee6c9e52072e1017f8c8c6144c03acf509793a9db

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize: 152B
    MD5: 9af507866fb23dace6259791c377531f
    SHA1: 5a5914fc48341ac112bfcd71b946fc0b2619f933
    SHA256: 5fb3ec65ce1e6f47694e56a07c63e3b8af9876d80387a71f1917deae690d069f
    SHA512: c58c963ecd2c53f0c427f91dc41d9b2a9b766f2e04d7dae5236cb3c769d1f048e4a342ea75e4a690f3a207baa1d3add672160c1f317abfe703fd1d2216b1baf7

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 5KB
    MD5: 1f96587a15a42a61bb5f7a7ca4e34d78
    SHA1: 3fe8a4b933b45c6280eda8378d713a6947f3c899
    SHA256: 0a4e479349731e75a75ba1092e7f42384c067d7e657d2b7a368898b4d09d3056
    SHA512: b2b7a93e5fa4863863d9c2008f6bd708d11d3976d46ce4161076e5b708b05e555370a0eaaf3372c1f1e136c73cd1a2cf87c63035feed27a68da6c83ca7f867c5

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 5KB
    MD5: 9ed7c4b162614f168b4c3d89052ecad5
    SHA1: 697c9b7c7bb2b04224ef2d8bec998b2c69207842
    SHA256: 319eb28b4d68eb515e1d7ef77f1a45afcb4cc3fa5b61141994852f0a0dbecdaf
    SHA512: ac51d81ba9dd8446526185d23dba6a6dcededeadbb6d71c195372f06f852522a83ee5fbbedc299272301d301deaefdb22d70425590b5f08cc4388231d1026b2e

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
    Filesize: 10KB
    MD5: 1e52cea1d00250f6dc2a4c2f7da89876
    SHA1: 3caeb1fa79f0e1193731549ef214fbbb694faa9c
    SHA256: bf5873dfaf44d657b2f7a3f9a239a01ff20533e8ce38d916d76650a1070587f2
    SHA512: b6c0daf989ef411c9e55f070966ca8132e927e231f75582a743e58e4dd8604e8efe5b1eb138f41cb23058b345dd47df00c1b614b319e3d6f70c2027901f73fa5

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
    Filesize: 350B
    MD5: c473e0d52f987b7833f3f1d981081acd
    SHA1: 3211ed429005c825d5b1fc99b91d2675d1f2c82b
    SHA256: ab5627d07451c23a868216ac265328c92a0addf844a32c3660b9ca218852f311
    SHA512: e3d463644ee1a51c27822e629f525494f2d49774ef8cc12db8a5d78fa3dd94eb26baeffdbaf26a044aa61a066ce990c1c88efa4723fe3e0a2e189bd4295b200a

  • \??\pipe\LOCAL\crashpad_2764_LPDDTUXFDVJXDEYZ
    MD5: d41d8cd98f00b204e9800998ecf8427e
    SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
    SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • memory/4168-6-0x00007FF7EC370000-0x00007FF7EC380000-memory.dmp
    Filesize: 64KB

  • memory/4168-43-0x00007FF7EC370000-0x00007FF7EC380000-memory.dmp
    Filesize: 64KB

  • memory/4168-44-0x00007FF7EC370000-0x00007FF7EC380000-memory.dmp
    Filesize: 64KB

  • memory/4168-45-0x00007FF7EC370000-0x00007FF7EC380000-memory.dmp
    Filesize: 64KB

  • memory/4168-46-0x00007FF7EC370000-0x00007FF7EC380000-memory.dmp
    Filesize: 64KB

  • memory/4168-12-0x00007FF7EA030000-0x00007FF7EA040000-memory.dmp
    Filesize: 64KB

  • memory/4168-11-0x00007FF7EA030000-0x00007FF7EA040000-memory.dmp
    Filesize: 64KB

  • memory/4168-8-0x00007FF7EC370000-0x00007FF7EC380000-memory.dmp
    Filesize: 64KB

  • memory/4168-9-0x00007FF7EC370000-0x00007FF7EC380000-memory.dmp
    Filesize: 64KB

  • memory/4168-7-0x00007FF7EC370000-0x00007FF7EC380000-memory.dmp
    Filesize: 64KB

  • memory/4168-10-0x00007FF7EC370000-0x00007FF7EC380000-memory.dmp
    Filesize: 64KB