e8e2deb0a83aebb1e2cc14846bc71715343372103f279d2d1622e383fb26d6ef

Analysis

max time kernel
12s
max time network
12s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
03-09-2024 17:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

builder.exe
Size

470KB
MD5

8c689dc9e82c9356b990d2b67b4943e1
SHA1

6bdc415b9c356bbeaea75c7336cd72910b95a644
SHA256

e8e2deb0a83aebb1e2cc14846bc71715343372103f279d2d1622e383fb26d6ef
SHA512

fb38a79dbcebde149736d5e1ca37dc15d274838be304d3f86e992d610b50c31d7fe4c30f6697c890f3753443af16eab712aef3f8da88d76ed00790083deb51e4
SSDEEP

12288:7tDkI5O/1MHOvEIfRfaXNCTL98vy7anEvY86vM1kiY4XotXpEKAoiO5wBmrkAUfM:7tQcOdu4BcCTL98vy7anEvY86vM1kiYt

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133698578223492059"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3496	chrome.exe
3496	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3496	chrome.exe
Token: SeCreatePagefilePrivilege	3496	chrome.exe
Token: SeShutdownPrivilege	3496	chrome.exe
Token: SeCreatePagefilePrivilege	3496	chrome.exe
Token: SeShutdownPrivilege	3496	chrome.exe
Token: SeCreatePagefilePrivilege	3496	chrome.exe
Token: SeShutdownPrivilege	3496	chrome.exe
Token: SeCreatePagefilePrivilege	3496	chrome.exe
Token: SeShutdownPrivilege	3496	chrome.exe
Token: SeCreatePagefilePrivilege	3496	chrome.exe
Token: SeShutdownPrivilege	3496	chrome.exe
Token: SeCreatePagefilePrivilege	3496	chrome.exe
Token: SeShutdownPrivilege	3496	chrome.exe
Token: SeCreatePagefilePrivilege	3496	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3496 wrote to memory of 4592	3496	chrome.exe	81
PID 3496 wrote to memory of 4592	3496	chrome.exe	81
PID 3496 wrote to memory of 2000	3496	chrome.exe	82
PID 3496 wrote to memory of 2000	3496	chrome.exe	82
PID 3496 wrote to memory of 2000	3496	chrome.exe	82
PID 3496 wrote to memory of 2000	3496	chrome.exe	82
PID 3496 wrote to memory of 2000	3496	chrome.exe	82
PID 3496 wrote to memory of 2000	3496	chrome.exe	82
PID 3496 wrote to memory of 2000	3496	chrome.exe	82
PID 3496 wrote to memory of 2000	3496	chrome.exe	82
PID 3496 wrote to memory of 2000	3496	chrome.exe	82
PID 3496 wrote to memory of 2000	3496	chrome.exe	82
PID 3496 wrote to memory of 2000	3496	chrome.exe	82
PID 3496 wrote to memory of 2000	3496	chrome.exe	82
PID 3496 wrote to memory of 2000	3496	chrome.exe	82
PID 3496 wrote to memory of 2000	3496	chrome.exe	82
PID 3496 wrote to memory of 2000	3496	chrome.exe	82
PID 3496 wrote to memory of 2000	3496	chrome.exe	82
PID 3496 wrote to memory of 2000	3496	chrome.exe	82
PID 3496 wrote to memory of 2000	3496	chrome.exe	82
PID 3496 wrote to memory of 2000	3496	chrome.exe	82
PID 3496 wrote to memory of 2000	3496	chrome.exe	82
PID 3496 wrote to memory of 2000	3496	chrome.exe	82
PID 3496 wrote to memory of 2000	3496	chrome.exe	82
PID 3496 wrote to memory of 2000	3496	chrome.exe	82
PID 3496 wrote to memory of 2000	3496	chrome.exe	82
PID 3496 wrote to memory of 2000	3496	chrome.exe	82
PID 3496 wrote to memory of 2000	3496	chrome.exe	82
PID 3496 wrote to memory of 2000	3496	chrome.exe	82
PID 3496 wrote to memory of 2000	3496	chrome.exe	82
PID 3496 wrote to memory of 2000	3496	chrome.exe	82
PID 3496 wrote to memory of 2000	3496	chrome.exe	82
PID 3496 wrote to memory of 700	3496	chrome.exe	83
PID 3496 wrote to memory of 700	3496	chrome.exe	83
PID 3496 wrote to memory of 5000	3496	chrome.exe	84
PID 3496 wrote to memory of 5000	3496	chrome.exe	84
PID 3496 wrote to memory of 5000	3496	chrome.exe	84
PID 3496 wrote to memory of 5000	3496	chrome.exe	84
PID 3496 wrote to memory of 5000	3496	chrome.exe	84
PID 3496 wrote to memory of 5000	3496	chrome.exe	84
PID 3496 wrote to memory of 5000	3496	chrome.exe	84
PID 3496 wrote to memory of 5000	3496	chrome.exe	84
PID 3496 wrote to memory of 5000	3496	chrome.exe	84
PID 3496 wrote to memory of 5000	3496	chrome.exe	84
PID 3496 wrote to memory of 5000	3496	chrome.exe	84
PID 3496 wrote to memory of 5000	3496	chrome.exe	84
PID 3496 wrote to memory of 5000	3496	chrome.exe	84
PID 3496 wrote to memory of 5000	3496	chrome.exe	84
PID 3496 wrote to memory of 5000	3496	chrome.exe	84
PID 3496 wrote to memory of 5000	3496	chrome.exe	84
PID 3496 wrote to memory of 5000	3496	chrome.exe	84
PID 3496 wrote to memory of 5000	3496	chrome.exe	84
PID 3496 wrote to memory of 5000	3496	chrome.exe	84
PID 3496 wrote to memory of 5000	3496	chrome.exe	84
PID 3496 wrote to memory of 5000	3496	chrome.exe	84
PID 3496 wrote to memory of 5000	3496	chrome.exe	84
PID 3496 wrote to memory of 5000	3496	chrome.exe	84
PID 3496 wrote to memory of 5000	3496	chrome.exe	84
PID 3496 wrote to memory of 5000	3496	chrome.exe	84
PID 3496 wrote to memory of 5000	3496	chrome.exe	84
PID 3496 wrote to memory of 5000	3496	chrome.exe	84
PID 3496 wrote to memory of 5000	3496	chrome.exe	84
PID 3496 wrote to memory of 5000	3496	chrome.exe	84
PID 3496 wrote to memory of 5000	3496	chrome.exe	84

C:\Users\Admin\AppData\Local\Temp\builder.exe
"C:\Users\Admin\AppData\Local\Temp\builder.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0x80,0x108,0x7ffb482acc40,0x7ffb482acc4c,0x7ffb482acc58
  2⤵
  PID:4592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1792,i,913353878216666983,16180469088825201709,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1788 /prefetch:2
  2⤵
  PID:2000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2056,i,913353878216666983,16180469088825201709,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2120 /prefetch:3
  2⤵
  PID:700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2204,i,913353878216666983,16180469088825201709,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2160 /prefetch:8
  2⤵
  PID:5000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3100,i,913353878216666983,16180469088825201709,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3124 /prefetch:1
  2⤵
  PID:1872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3268,i,913353878216666983,16180469088825201709,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:1920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4448,i,913353878216666983,16180469088825201709,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4424 /prefetch:1
  2⤵
  PID:4384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4732,i,913353878216666983,16180469088825201709,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4748 /prefetch:8
  2⤵
  PID:4492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4784,i,913353878216666983,16180469088825201709,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4776 /prefetch:8
  2⤵
  PID:768

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
8e4821d08b38ac8f84597590371726ae

SHA1
f7b9eb4a12c88ca7a3671fdbe737500905fcd060

SHA256
9cfa1485f3b89dfa576d1c762ecda9742ac06ada7aa0b80e158bcf4b69af991c

SHA512
6c82715e79a235ba4809051bac03da1f0b1d8c632a1828e27ee92e09edefac54109719e5265b98300471281e74516c2b4b04cf220c329e37b147ce986b80d704

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit