826aff8ab1c2d827327b767b7a4b9fd1ded77cd2b754763cd85a74cf0fad7da1

Analysis

max time kernel
30s
max time network
32s
platform
windows10-2004_x64
resource
win10v2004-20240802-es
resource tags

arch:x64arch:x86image:win10v2004-20240802-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
23/09/2024, 04:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

droidkit-es-setup.exe
Size

19.5MB
MD5

62bb374cfdce0efcafcc2a7a00dd2592
SHA1

cfd63681034f94cfe7cf1443235182ad34dd4a15
SHA256

826aff8ab1c2d827327b767b7a4b9fd1ded77cd2b754763cd85a74cf0fad7da1
SHA512

c3a3dff8c5add31410f206fc97f28ef9f97ac056bd83efbfca9d7a2f79e31a27c3e901a22c261776ec277908ef133b44c0c5dce6f3c3084b96262bd565c0b028
SSDEEP

393216:20jWRGJpgTvSPhHSrK1noL7ohk2UIsBwc6XYbTkrXDTNiDRUGJwPAEWXk:25oJyOPhHCKq0zYUX3NiDRUGJ2YU

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	droidkit-es-setup.exe

Loads dropped DLL 16 IoCs

pid	Process
4924	droidkit-es-setup.exe
4924	droidkit-es-setup.exe
4924	droidkit-es-setup.exe
4924	droidkit-es-setup.exe
4924	droidkit-es-setup.exe
4924	droidkit-es-setup.exe
4924	droidkit-es-setup.exe
4924	droidkit-es-setup.exe
4924	droidkit-es-setup.exe
4924	droidkit-es-setup.exe
4924	droidkit-es-setup.exe
4924	droidkit-es-setup.exe
4924	droidkit-es-setup.exe
4924	droidkit-es-setup.exe
4924	droidkit-es-setup.exe
4924	droidkit-es-setup.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\iMobie\DroidKit\droidkit.7z	droidkit-es-setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	droidkit-es-setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	curl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	curl.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	droidkit-es-setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	droidkit-es-setup.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4924	droidkit-es-setup.exe
4924	droidkit-es-setup.exe
4924	droidkit-es-setup.exe
4924	droidkit-es-setup.exe
4924	droidkit-es-setup.exe
4924	droidkit-es-setup.exe
4924	droidkit-es-setup.exe
4924	droidkit-es-setup.exe
4924	droidkit-es-setup.exe
4924	droidkit-es-setup.exe
4924	droidkit-es-setup.exe
4924	droidkit-es-setup.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4924 wrote to memory of 4760	4924	droidkit-es-setup.exe	82
PID 4924 wrote to memory of 4760	4924	droidkit-es-setup.exe	82
PID 4924 wrote to memory of 4760	4924	droidkit-es-setup.exe	82
PID 4760 wrote to memory of 2948	4760	cmd.exe	84
PID 4760 wrote to memory of 2948	4760	cmd.exe	84
PID 4760 wrote to memory of 2948	4760	cmd.exe	84
PID 4924 wrote to memory of 2392	4924	droidkit-es-setup.exe	93
PID 4924 wrote to memory of 2392	4924	droidkit-es-setup.exe	93
PID 4924 wrote to memory of 2392	4924	droidkit-es-setup.exe	93
PID 2392 wrote to memory of 4404	2392	cmd.exe	95
PID 2392 wrote to memory of 4404	2392	cmd.exe	95
PID 2392 wrote to memory of 4404	2392	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\droidkit-es-setup.exe
"C:\Users\Admin\AppData\Local\Temp\droidkit-es-setup.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4924
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "curl -X POST -H "Content-Type: application/json" -d "{\"client_id\":\"dk-Windows\",\"user_id\":\"202BA931\",\"events\":[{\"name\":\"Install_SW\",\"params\":{\"engagement_time_msec\":\"1\",\"ea\":\"Launch App\",\"el\":\"1\",\"pv\":\"dk-win\",\"install_productversion\":\"Official-es\",\"install_trackversion\":\"1.0.1.2\",\"soft_os_version\":\"Windows_64\"}}]}" "https://www.google-analytics.com/mp/collect?measurement_id=G-VR4P911QVY&api_secret=RrQJtReGS520apjVhJz5xw""
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4760
- - C:\Windows\SysWOW64\curl.exe
    curl -X POST -H "Content-Type: application/json" -d "{\"client_id\":\"dk-Windows\",\"user_id\":\"202BA931\",\"events\":[{\"name\":\"Install_SW\",\"params\":{\"engagement_time_msec\":\"1\",\"ea\":\"Launch App\",\"el\":\"1\",\"pv\":\"dk-win\",\"install_productversion\":\"Official-es\",\"install_trackversion\":\"1.0.1.2\",\"soft_os_version\":\"Windows_64\"}}]}" "https://www.google-analytics.com/mp/collect?measurement_id=G-VR4P911QVY&api_secret=RrQJtReGS520apjVhJz5xw"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2948
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "curl -X POST -H "Content-Type: application/json" -d "{\"client_id\":\"dk-Windows\",\"user_id\":\"202BA931\",\"events\":[{\"name\":\"Install_SW\",\"params\":{\"engagement_time_msec\":\"1\",\"ea\":\"Start Download\",\"el\":\"1\",\"pv\":\"dk-win\",\"install_productversion\":\"Official-es\",\"install_trackversion\":\"1.0.1.2\",\"soft_os_version\":\"Windows_64\"}}]}" "https://www.google-analytics.com/mp/collect?measurement_id=G-VR4P911QVY&api_secret=RrQJtReGS520apjVhJz5xw""
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Windows\SysWOW64\curl.exe
    curl -X POST -H "Content-Type: application/json" -d "{\"client_id\":\"dk-Windows\",\"user_id\":\"202BA931\",\"events\":[{\"name\":\"Install_SW\",\"params\":{\"engagement_time_msec\":\"1\",\"ea\":\"Start Download\",\"el\":\"1\",\"pv\":\"dk-win\",\"install_productversion\":\"Official-es\",\"install_trackversion\":\"1.0.1.2\",\"soft_os_version\":\"Windows_64\"}}]}" "https://www.google-analytics.com/mp/collect?measurement_id=G-VR4P911QVY&api_secret=RrQJtReGS520apjVhJz5xw"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsjDC38.tmp\BgWorker.dll

Filesize
2KB

MD5
33ec04738007e665059cf40bc0f0c22b

SHA1
4196759a922e333d9b17bda5369f14c33cd5e3bc

SHA256
50f735ab8f3473423e6873d628150bbc0777be7b4f6405247cddf22bb00fb6be

SHA512
2318b01f0c2f2f021a618ca3e6e5c24a94df5d00154766b77160203b8b0a177c8581c7b688ffe69be93a69bc7fd06b8a589844d42447f5060fb4bcf94d8a9aef

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjDC38.tmp\CheckProVs.dll

Filesize
7KB

MD5
62e85098ce43cb3d5c422e49390b7071

SHA1
df6722f155ce2a1379eff53a9ad1611ddecbb3bf

SHA256
ee7e26894cbf89c93ae4df15bdb12cd9a21f5deacedfa99a01eefe8fa52daec2

SHA512
dfe7438c2b46f822e2a810bc355e5226043547608d19d1c70314e4325c06ad9ad63a797905e30d19f5d9a86ee1a6d9c28f525a298731e79dbf6f3d6441179a8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjDC38.tmp\GoogleTracingLib.dll

Filesize
36KB

MD5
d8fca35ff95fe00a7174177181f8bd13

SHA1
fbafea4d2790dd2c0d022dfb08ded91de7f5265e

SHA256
ad873f1e51e6d033e5507235ec735957256ebeeb0d3f22aa0b57bb4bd0846e4c

SHA512
eb530b10f137cb0cdfdcd2c11fd9f50f774e0ce44e9d2da3e755f6a6df24fe6e7525c27b109e3e68e9d3e49a889937a22f4d9d78703b1055a83b8a58808a58ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjDC38.tmp\System.dll

Filesize
11KB

MD5
ca332bb753b0775d5e806e236ddcec55

SHA1
f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f

SHA256
df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d

SHA512
2de0956a1ad58ad7086e427e89b819089f2a7f1e4133ed2a0a736adc0614e8588ebe2d97f1b59ab8886d662aeb40e0b4838c6a65fbfc652253e3a45664a03a00

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjDC38.tmp\msvcp100.dll

Filesize
593KB

MD5
d029339c0f59cf662094eddf8c42b2b5

SHA1
a0b6de44255ce7bfade9a5b559dd04f2972bfdc8

SHA256
934d882efd3c0f3f1efbc238ef87708f3879f5bb456d30af62f3368d58b6aa4c

SHA512
021d9af52e68cb7a3b0042d9ed6c9418552ee16df966f9ccedd458567c47d70471cb8851a69d3982d64571369664faeeae3be90e2e88a909005b9cdb73679c82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjDC38.tmp\msvcr100.dll

Filesize
809KB

MD5
366fd6f3a451351b5df2d7c4ecf4c73a

SHA1
50db750522b9630757f91b53df377fd4ed4e2d66

SHA256
ae3cb6c6afba9a4aa5c85f66023c35338ca579b30326dd02918f9d55259503d5

SHA512
2de764772b68a85204b7435c87e9409d753c2196cf5b2f46e7796c99a33943e167f62a92e8753eaa184cd81fb14361e83228eb1b474e0c3349ed387ec93e6130

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjDC38.tmp\nsDui.dll

Filesize
10.0MB

MD5
368841af8b0074e348418f106716e603

SHA1
75469510665b651b38e3b4fb7c4240722c756126

SHA256
3be54dea5aedc0d8d16d6c4bd4e046e2d93bfc550a1a035a94768c2d5901e327

SHA512
3804afa3930a90f258a2b4e7106e1d0211e5d4ca6a7f5ba23da11e3908b4e202295ddbcb1ecf1e15215bc9a0aece1a46efad07ad94feddd4f316b0de674c50d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjDC38.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\lang_info.xml

Filesize
3KB

MD5
b36489cb554c11a7bf85cd14c7c1cb84

SHA1
c7349c67c34aa9d536dba6c20e5aaa65095db710

SHA256
85ced2c6b72c435ca255179c6136c8b25061fe1a6981c9b7fdfd8c7d359955d2

SHA512
fd3adc41759e7f789110a8d13a60a5503ea45fccd3fe7d773ad44a284dc3eed89585c76422678051a390266711c11cc5a3bb9aff569f0ddced3bc359b3054922

Download Submit