4e7982c1a982141773e2a47f43d0212c6e966457a4f96f7d05f5476d3e18a9af

Analysis

max time kernel
121s
max time network
127s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10-11-2024 03:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

droidkit-en-setup.exe
Size

19.6MB
MD5

8635f94c18c6372a4df1001cac67e366
SHA1

c6b35959a3afe487581509ba1853ff93c8e4e5df
SHA256

4e7982c1a982141773e2a47f43d0212c6e966457a4f96f7d05f5476d3e18a9af
SHA512

f633b6c883909e9d56434020520a4a2def688e3b4f39be69279bf443822d331daf685c90308d0985454039e6af8d14d82bc6e00ba7ff0b053923dad35e0a5f6d
SSDEEP

393216:tQ5BRfYlfUtUVISRRAgnu+tqDgfUIsBws6XYbTkrXDTNiDRUGJwPAEWXOO:t4YlfUtUVIS8gnu+tlDYUX3NiDRUGJ24

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 8 IoCs

pid	Process
1704	droidkit-en-setup.exe
1704	droidkit-en-setup.exe
1704	droidkit-en-setup.exe
1704	droidkit-en-setup.exe
1704	droidkit-en-setup.exe
1704	droidkit-en-setup.exe
1704	droidkit-en-setup.exe
1704	droidkit-en-setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	droidkit-en-setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	droidkit-en-setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	droidkit-en-setup.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 2760	1704	droidkit-en-setup.exe	30
PID 1704 wrote to memory of 2760	1704	droidkit-en-setup.exe	30
PID 1704 wrote to memory of 2760	1704	droidkit-en-setup.exe	30
PID 1704 wrote to memory of 2760	1704	droidkit-en-setup.exe	30

C:\Users\Admin\AppData\Local\Temp\droidkit-en-setup.exe
"C:\Users\Admin\AppData\Local\Temp\droidkit-en-setup.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "curl -X POST -H "Content-Type: application/json" -d "{\"client_id\":\"dk-Windows\",\"user_id\":\"2F81C6AF\",\"events\":[{\"name\":\"Install_SW\",\"params\":{\"engagement_time_msec\":\"1\",\"ea\":\"Launch App\",\"el\":\"1\",\"pv\":\"dk-win\",\"install_productversion\":\"Official-com\",\"install_trackversion\":\"1.0.1.3\",\"soft_os_version\":\"Windows_64\"}}]}" "https://www.google-analytics.com/mp/collect?measurement_id=G-VR4P911QVY&api_secret=RrQJtReGS520apjVhJz5xw""
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsjBCAC.tmp\CheckProVs.dll

Filesize
18KB

MD5
5422e399fabd3a344e8dcc807a48637e

SHA1
59b0830698b15993671eb0dd43020041c351deb8

SHA256
64e6aad5d6628bc743196a42e28df3f8dc71cdf0d2ad4c250bab872d2a3991c7

SHA512
9d102954e0d7bb7e69219a14158e410c18adb85d1cca9e269f3955d3fc5e61b23872313b78d16cd6488eaac0f835b233356152575bf130f8ec91e0d481aa1493

Download Submit
\Users\Admin\AppData\Local\Temp\nsjBCAC.tmp\GoogleTracingLib.dll

Filesize
46KB

MD5
3a914fc853188765010b73ff99834383

SHA1
374b9c4bcc852e42e85aab7b142ecdd80f0c40a1

SHA256
5b8cadf540dd47d19b1020bf5c0aca1b6d14d9d875b0a5794b432401c60ee5c7

SHA512
1e1a26dcb480cae7dc0fb89c0e8b560206b23b85a6f56458e2019af9c67ca9f942e2c75e78052e4e0eebcfff5e7a3c5eafb5538ba776c0a40b39cafee0bce0e7

Download Submit
\Users\Admin\AppData\Local\Temp\nsjBCAC.tmp\System.dll

Filesize
22KB

MD5
86a488bf743dfab80ff142713adb5d48

SHA1
02e4b39f2fa40cd4edcc42cb524dc3ce911bfdac

SHA256
3924b57f8993a880d53e1e4e18eb6ba9b5dc610cbb00345c954c7e8a9078c309

SHA512
0ed09bcddd5bd13a91e7b99b78e37a01a36d62a29ad74acaacbe0da6446c8523e83ed2c089d2847e4d1ba467da93e2fd2de104feb51bcda445511b334bf932c8

Download Submit
\Users\Admin\AppData\Local\Temp\nsjBCAC.tmp\msvcp100.dll

Filesize
593KB

MD5
d029339c0f59cf662094eddf8c42b2b5

SHA1
a0b6de44255ce7bfade9a5b559dd04f2972bfdc8

SHA256
934d882efd3c0f3f1efbc238ef87708f3879f5bb456d30af62f3368d58b6aa4c

SHA512
021d9af52e68cb7a3b0042d9ed6c9418552ee16df966f9ccedd458567c47d70471cb8851a69d3982d64571369664faeeae3be90e2e88a909005b9cdb73679c82

Download Submit
\Users\Admin\AppData\Local\Temp\nsjBCAC.tmp\msvcr100.dll

Filesize
809KB

MD5
366fd6f3a451351b5df2d7c4ecf4c73a

SHA1
50db750522b9630757f91b53df377fd4ed4e2d66

SHA256
ae3cb6c6afba9a4aa5c85f66023c35338ca579b30326dd02918f9d55259503d5

SHA512
2de764772b68a85204b7435c87e9409d753c2196cf5b2f46e7796c99a33943e167f62a92e8753eaa184cd81fb14361e83228eb1b474e0c3349ed387ec93e6130

Download Submit
\Users\Admin\AppData\Local\Temp\nsjBCAC.tmp\nsDui.dll

Filesize
10.0MB

MD5
368841af8b0074e348418f106716e603

SHA1
75469510665b651b38e3b4fb7c4240722c756126

SHA256
3be54dea5aedc0d8d16d6c4bd4e046e2d93bfc550a1a035a94768c2d5901e327

SHA512
3804afa3930a90f258a2b4e7106e1d0211e5d4ca6a7f5ba23da11e3908b4e202295ddbcb1ecf1e15215bc9a0aece1a46efad07ad94feddd4f316b0de674c50d5

Download Submit