Analysis
max time kernel: 122s
max time network: 132s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 25-09-2024 22:09
Behavioral tasks
behavioral1: Release/Discord rat.exe (resource win7-20240903-en)
behavioral2: Release/Discord rat.exe (resource win10v2004-20240910-en)
behavioral3: builder.exe (resource win7-20240903-en)
behavioral4: builder.exe (resource win10v2004-20240802-en)
behavioral5: dnlib.dll (resource win7-20240903-en)
behavioral6: dnlib.dll (resource win10v2004-20240802-en)
General
Target: builder.exe
Size: 10KB
MD5: 4f04f0e1ff050abf6f1696be1e8bb039
SHA1: bebf3088fff4595bfb53aea6af11741946bbd9ce
SHA256: ded51c306ee7e59fa15c42798c80f988f6310ea77ab77de3d12dc01233757cfa
SHA512: 94713824b81de323e368fde18679ef8b8f2883378bffd2b7bd2b4e4bd5d48b35c6e71c9f8e9b058ba497db1bd0781807e5b7cecfd540dad611da0986c72b9f12
SSDEEP: 96:IJXYAuB2glBLgyOk3LxdjP2rm549JSTuwUYXzP+B1izXTa/HFpff3LG+tzNt:IJXDk7LI4uwtDPC1ijCHffSs
Malware Config
Signatures
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | builder.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | POWERPNT.EXE
Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid | Process
  2396 | POWERPNT.EXE
Suspicious use of FindShellTrayWindow (3 IoCs)
  pid | Process
  2728 | builder.exe
  2728 | builder.exe
  2728 | builder.exe
Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  2396 | POWERPNT.EXE
Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 2396 wrote to memory of 2036 | 2396 | POWERPNT.EXE | 35
  PID 2396 wrote to memory of 2036 | 2396 | POWERPNT.EXE | 35
  PID 2396 wrote to memory of 2036 | 2396 | POWERPNT.EXE | 35
  PID 2396 wrote to memory of 2036 | 2396 | POWERPNT.EXE | 35
Processes
C:\Users\Admin\AppData\Local\Temp\builder.exe (PID 2728)
  command line: "C:\Users\Admin\AppData\Local\Temp\builder.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
C:\Windows\explorer.exe (PID 2652)
  command line: "C:\Windows\explorer.exe"
C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE (PID 2396)
  command line: "C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" /s "C:\Users\Admin\Downloads\BackupUnregister.ppsx"
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  child: C:\Windows\splwow64.exe (PID 2036)
    command line: C:\Windows\splwow64.exe 12288