Overview

Static (score 7)

Score  Target                   Platform
7      droidkit-en-setup.exe    windows11-21h2-x64
4      $PLUGINSDI...er.dll      windows11-21h2-x64
3      $PLUGINSDI...Vs.dll      windows11-21h2-x64
3      $PLUGINSDI...ib.dll      windows11-21h2-x64
3      $PLUGINSDI...em.dll      windows11-21h2-x64
3      $PLUGINSDI...up.exe      windows11-21h2-x64
7      $PLUGINSDI...00.dll      windows11-21h2-x64
1      $PLUGINSDI...00.dll      windows11-21h2-x64
1      $PLUGINSDIR/nsDui.dll    windows11-21h2-x64
3      $PLUGINSDI...ec.dll      windows11-21h2-x64
3      $PLUGINSDI...ss.dll      windows11-21h2-x64
3      $PLUGINSDI...7z.dll      windows11-21h2-x64
3      $PLUGINSDI...ry.dll      windows11-21h2-x64
3      $PLUGINSDI...ll.exe      windows11-21h2-x64
4      $PLUGINSDI...er.dll      windows11-21h2-x64
3      $PLUGINSDI...ib.dll      windows11-21h2-x64
3      $PLUGINSDI...el.dll      windows11-21h2-x64
7      $PLUGINSDI...tn.dll      windows11-21h2-x64
3      $PLUGINSDI...em.dll      windows11-21h2-x64
3      $PLUGINSDI..._1.dll      windows11-21h2-x64
3      $PLUGINSDI..._1.dll      windows11-21h2-x64
3      $PLUGINSDI...gs.dll      windows11-21h2-x64
3      $PLUGINSDI...ss.dll      windows11-21h2-x64
3      $PLUGINSDI...ry.dll      windows11-21h2-x64
3      $PLUGINSDIR/un.exe       windows11-21h2-x64
Analysis (score 3)

- max time kernel: 147s
- max time network: 151s
- platform: windows11-21h2_x64
- resource: win11-20240802-en
- resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 10-08-2024 07:59
Behavioral tasks

Task          Sample                                  Resource
behavioral1   droidkit-en-setup.exe                   win11-20240802-en
behavioral2   $PLUGINSDIR/BgWorker.dll                win11-20240802-en
behavioral3   $PLUGINSDIR/CheckProVs.dll              win11-20240802-en
behavioral4   $PLUGINSDIR/GoogleTracingLib.dll        win11-20240802-en
behavioral5   $PLUGINSDIR/System.dll                  win11-20240802-en
behavioral6   $PLUGINSDIR/dotNetFx45_Full_setup.exe   win11-20240802-en
behavioral7   $PLUGINSDIR/msvcp100.dll                win11-20240802-en
behavioral8   $PLUGINSDIR/msvcr100.dll                win11-20240802-en
behavioral9   $PLUGINSDIR/nsDui.dll                   win11-20240802-en
behavioral10  $PLUGINSDIR/nsExec.dll                  win11-20240802-en
behavioral11  $PLUGINSDIR/nsProcess.dll               win11-20240802-en
behavioral12  $PLUGINSDIR/nsis7z.dll                  win11-20240802-en
behavioral13  $PLUGINSDIR/registry.dll                win11-20240802-en
behavioral14  $PLUGINSDIR/uninstall.exe               win11-20240802-en
behavioral15  $PLUGINSDIR/BgWorker.dll                win11-20240802-en
behavioral16  $PLUGINSDIR/GoogleTracingLib.dll        win11-20240802-en
behavioral17  $PLUGINSDIR/SelfDel.dll                 win11-20240802-en
behavioral18  $PLUGINSDIR/SkinBtn.dll                 win11-20240802-en
behavioral19  $PLUGINSDIR/System.dll                  win11-20240802-en
behavioral20  $PLUGINSDIR/libcrypto-1_1.dll           win11-20240802-en
behavioral21  $PLUGINSDIR/libssl-1_1.dll              win11-20240802-en
behavioral22  $PLUGINSDIR/nsDialogs.dll               win11-20240802-en
behavioral23  $PLUGINSDIR/nsProcess.dll               win11-20240802-en
behavioral24  $PLUGINSDIR/registry.dll                win11-20240802-en
behavioral25  $PLUGINSDIR/un.exe                      win11-20240802-en
General

- Target: $PLUGINSDIR/uninstall.exe
- Size: 8.1MB
- MD5: b73940b9b108c8196600617a7f734d64
- SHA1: f70aee50bcd93db0180ac0969126562882934bd4
- SHA256: 5bd33a6ba5e012c3e6f8ccc5ab322728d5df31e9e7b74daaf327aa54fc95028f
- SHA512: ebd98143c766b12e12198ce8b310423cd6e4e638fca809afb006ff5953f65ee820b7140264bc93cbfe2f6015d4e00f26b696e7773ee55ad6da67baf5d973cc02
- SSDEEP: 196608:+l18/QDobE0TSkJzTtpQF6ZBPTS8y5BFwGIR6ip2eyWzi+8LX+1ZxWj:+H8/1EglTvS+S897pgGiNLeZxG
Malware Config
Signatures

- Executes dropped EXE (1 IoCs)
  Processes:
  pid   process
  4760  uninstall.exe

- Loads dropped DLL (6 IoCs)
  Processes:
  pid   process
  2876  uninstall.exe
  2876  uninstall.exe
  2876  uninstall.exe
  2876  uninstall.exe
  2876  uninstall.exe
  2876  uninstall.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
  description  ioc                                                          process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  uninstall.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  uninstall.exe

- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes:
  pid   process
  2876  uninstall.exe
  2876  uninstall.exe
  2876  uninstall.exe
  2876  uninstall.exe
  2876  uninstall.exe
  2876  uninstall.exe
  2876  uninstall.exe
  2876  uninstall.exe

- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description               pid   process
  Token: SeDebugPrivilege   4760  uninstall.exe

- Suspicious use of FindShellTrayWindow (1 IoCs)
  Processes:
  pid   process
  2876  uninstall.exe

- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description                         pid   process        target process
  PID 2876 wrote to memory of 4760    2876  uninstall.exe  uninstall.exe
  PID 2876 wrote to memory of 4760    2876  uninstall.exe  uninstall.exe
  PID 2876 wrote to memory of 4760    2876  uninstall.exe  uninstall.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\uninstall.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\uninstall.exe"
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of WriteProcessMemory
   PID: 2876

   2. C:\Users\Admin\AppData\Local\Temp\uninstall.exe (child of process 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\uninstall.exe" "av:1.0.1" "gv:1.0.1.1" "gs:Official-com" "gi:UA-85655135-28" "an:DroidKit" "c:iMobie"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      PID: 4760
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 36KB
  MD5: d8fca35ff95fe00a7174177181f8bd13
  SHA1: fbafea4d2790dd2c0d022dfb08ded91de7f5265e
  SHA256: ad873f1e51e6d033e5507235ec735957256ebeeb0d3f22aa0b57bb4bd0846e4c
  SHA512: eb530b10f137cb0cdfdcd2c11fd9f50f774e0ce44e9d2da3e755f6a6df24fe6e7525c27b109e3e68e9d3e49a889937a22f4d9d78703b1055a83b8a58808a58ba

- Filesize: 4KB
  MD5: 29818862640ac659ce520c9c64e63e9e
  SHA1: 485e1e6cc552fa4f05fb767043b1e7c9eb80be64
  SHA256: e96afa894a995a6097a405df76155a7a39962ff6cae7a59d89a25e5a34ab9eeb
  SHA512: ebb94eb21e060fb90ec9c86787eada42c7c9e1e7628ea4b16d3c7b414f554a94d5e4f4abe0e4ee30fddf4f904fd3002770a9b967fbd0feeca353e21079777057

- Filesize: 11KB
  MD5: ca332bb753b0775d5e806e236ddcec55
  SHA1: f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f
  SHA256: df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d
  SHA512: 2de0956a1ad58ad7086e427e89b819089f2a7f1e4133ed2a0a736adc0614e8588ebe2d97f1b59ab8886d662aeb40e0b4838c6a65fbfc652253e3a45664a03a00

- Filesize: 4KB
  MD5: f0438a894f3a7e01a4aae8d1b5dd0289
  SHA1: b058e3fcfb7b550041da16bf10d8837024c38bf6
  SHA256: 30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11
  SHA512: f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

- Filesize: 7.4MB
  MD5: 839640ba4c87b4a0fbd4d81fc54f8f51
  SHA1: 0fdf3cf3685de715f8206400a232bf389ce319d6
  SHA256: 58b8642b2665efde3974c18c2613b6e27dcf31fbb4b048339f93b2019c26d6df
  SHA512: 14b97fd80c8b58422949b9d8db2660e93c6ee7c41873e8388cc9b62396e791f346346465527088a50a58d6d9a358e21a8652a0934149dd6ed3947841a7e59354