Overview

overview

10

Static

static

10

Release/Di...at.exe

windows10-ltsc 2021-x64

10

builder.exe

windows10-ltsc 2021-x64

3

dnlib.dll

windows10-ltsc 2021-x64

1

Analysis

  • max time kernel
    65s
  • max time network
    64s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    03-12-2024 10:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    builder.exe

  • Size

    10KB

  • MD5

    4f04f0e1ff050abf6f1696be1e8bb039

  • SHA1

    bebf3088fff4595bfb53aea6af11741946bbd9ce

  • SHA256

    ded51c306ee7e59fa15c42798c80f988f6310ea77ab77de3d12dc01233757cfa

  • SHA512

    94713824b81de323e368fde18679ef8b8f2883378bffd2b7bd2b4e4bd5d48b35c6e71c9f8e9b058ba497db1bd0781807e5b7cecfd540dad611da0986c72b9f12

  • SSDEEP

    96:IJXYAuB2glBLgyOk3LxdjP2rm549JSTuwUYXzP+B1izXTa/HFpff3LG+tzNt:IJXDk7LI4uwtDPC1ijCHffSs

Score
3/10
discovery

Malware Config

Signatures

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 12 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 21 IoCs
  • Suspicious use of SendNotifyMessage 20 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\builder.exe
    "C:\Users\Admin\AppData\Local\Temp\builder.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:4876
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2908
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3164
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2020 -parentBuildID 20240401114208 -prefsHandle 1948 -prefMapHandle 1940 -prefsLen 23681 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c486b76c-080e-467d-8bad-97991469f478} 3164 "\\.\pipe\gecko-crash-server-pipe.3164" gpu
        3⤵
          PID:2992
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2428 -parentBuildID 20240401114208 -prefsHandle 2404 -prefMapHandle 2400 -prefsLen 23717 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {425248cb-650a-4ce6-9c88-bce8eaafb585} 3164 "\\.\pipe\gecko-crash-server-pipe.3164" socket
          3⤵
          • Checks processor information in registry
          PID:2744
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3048 -childID 1 -isForBrowser -prefsHandle 3040 -prefMapHandle 2996 -prefsLen 23858 -prefMapSize 244658 -jsInitHandle 1224 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {904c41e2-01b1-4aba-9b7a-f2a2b09861b5} 3164 "\\.\pipe\gecko-crash-server-pipe.3164" tab
          3⤵
            PID:2752
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3724 -childID 2 -isForBrowser -prefsHandle 3720 -prefMapHandle 3716 -prefsLen 29091 -prefMapSize 244658 -jsInitHandle 1224 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {817bced5-fe9d-4645-b887-75c30a88db7a} 3164 "\\.\pipe\gecko-crash-server-pipe.3164" tab
            3⤵
              PID:4012
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4684 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4688 -prefMapHandle 2608 -prefsLen 29091 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a91096ca-20b8-455b-9693-bf523b89e2a5} 3164 "\\.\pipe\gecko-crash-server-pipe.3164" utility
              3⤵
              • Checks processor information in registry
              PID:2384
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5544 -childID 3 -isForBrowser -prefsHandle 5512 -prefMapHandle 5532 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1224 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ba4ae14f-2241-4ae3-adc6-59c530b82d58} 3164 "\\.\pipe\gecko-crash-server-pipe.3164" tab
              3⤵
                PID:4948
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5668 -childID 4 -isForBrowser -prefsHandle 5748 -prefMapHandle 5744 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1224 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {289c0e57-606e-42b1-a993-35df26a52f0d} 3164 "\\.\pipe\gecko-crash-server-pipe.3164" tab
                3⤵
                  PID:5056
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5888 -childID 5 -isForBrowser -prefsHandle 5432 -prefMapHandle 5448 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1224 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6b208c15-2542-4059-9e47-bca0ad5c3481} 3164 "\\.\pipe\gecko-crash-server-pipe.3164" tab
                  3⤵
                    PID:1556

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dom8snqr.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
                Filesize

                15KB

                MD5

                96c542dec016d9ec1ecc4dddfcbaac66

                SHA1

                6199f7648bb744efa58acf7b96fee85d938389e4

                SHA256

                7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

                SHA512

                cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\AlternateServices.bin
                Filesize

                6KB

                MD5

                53bb3439868b2bab58b9c5df8a1985e6

                SHA1

                b91429d7b4b49edcb7f6c1878e468f420c42da44

                SHA256

                63bd83ba3d6c177ef287f2b2b28116d4ddedd54a95f94f7b53b7932009bb49b7

                SHA512

                50b6ff6904bb83017d7ecc47f6281b401545cd6d4c125121c177902a51638822da5585897dc712e97bb2655494b9b8b08599268b35b96f78c938b84fef909eed

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\datareporting\glean\db\data.safe.tmp
                Filesize

                5KB

                MD5

                57d787d79c6ad37acd6fdc52db8d7af1

                SHA1

                5a291f9a208d0ab6c8743e60ce7c6914f7438df1

                SHA256

                296946a849ff19f77639be2931603210fc5d5260c976dd65cd5ce9428c5474bc

                SHA512

                7cbbe2b72296320b33c41dbc88fae64f6602733fdf73874db5fea535a8e0b650dd67e49509e500d84112d55c213c059c4d92fe0167dd61bcb187856e4660b70f

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\datareporting\glean\db\data.safe.tmp
                Filesize

                6KB

                MD5

                68ed9c6f0d61e266338b04953b2b0379

                SHA1

                e148f92e5b67516a5916e6ead5239905ccf5792b

                SHA256

                7827e2e101d2d93ef1d8aec05199d798fa99fe58e12f8408f9aa6873ceceb55b

                SHA512

                bdda3cad7c8b2617e9567c320b9a2f22bc04d7f18d3df4ac761b632179989a8a0236ba8fd1064d593ecb50ebd64863e4f749088a654f91cf336ead840a86d261

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\datareporting\glean\pending_pings\835b4c23-1127-419f-9d00-7ed70c725000
                Filesize

                671B

                MD5

                742f27cd9f4c9cf042c42a52973ab5c1

                SHA1

                a9f8822cd03702314ef6d5d833ea51dfbee96031

                SHA256

                782ef2ec5bc8be0b8f93d22edce86ddcfaf2269615d7b4fc39468efc28ad76e0

                SHA512

                f41c09db748f430398a6b0565cc8b09180ca8095f82d005795d2d3d221157b6867aaa1002e64364244e6c338cbb04614616cf3a10aea69481deadb8e4ac013e5

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\datareporting\glean\pending_pings\8c8ab3c3-1f85-46ac-bc90-41db0168eef7
                Filesize

                28KB

                MD5

                b6f4834a6c5711c3b0178e88714240db

                SHA1

                3a6d6278609e5b00a2e6471b41e8eabc4a065ad7

                SHA256

                3d987818186455622e13d39b8fcb2ed20761bfb1371b47b0c8c0a5c814c24472

                SHA512

                2acd193302e3168e1c33ea536580095b964e98363b9202bdcf515b0545b75abd90808d52179c7c175a3cdba6458246a4e08725795d53fb8721ef6831afdd480d

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\datareporting\glean\pending_pings\aedceda9-ad60-4fbb-b728-1c0a5bc8b5de
                Filesize

                982B

                MD5

                790e09f7cc7d0313abd5f72998ea127d

                SHA1

                c22bcb220cce212bda484c9ab72b4f844c221fb5

                SHA256

                95c220c5896049dc983dc1c8ae24a31bad0a47eb26c4fb277dd7b735f4a1cd73

                SHA512

                393f773ded80fba2858048e2b723e82ed1f5671062bfd5fa0cd793054ab546af2f21350ec69b5ac2633604457e820e9f10753d17b54f563114a2b5c336dc146e

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\prefs-1.js
                Filesize

                10KB

                MD5

                a5ad72750f34474a15a95b6e5807ceca

                SHA1

                bd658ba1240a0a5568fa855774c87d9907c6875e

                SHA256

                52b21e435d2b2d2026a6a80abb5f29b4b368e9bc561f5568766861f4ea06c6d0

                SHA512

                da1306e0a2c6694edac0aef69881e627be233c123dba7f74e8592e2d24b30d0e99d8c9498a75f78248971686072f277b6dc977423bc328d3c5346d143834be24

                Download Submit

              • memory/4876-4-0x0000000005860000-0x000000000586A000-memory.dmp

                Filesize

                40KB

                Download

              • memory/4876-8-0x00000000094B0000-0x00000000095D2000-memory.dmp

                Filesize

                1.1MB

                Download

              • memory/4876-7-0x00000000752D0000-0x0000000075A81000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/4876-6-0x00000000752DE000-0x00000000752DF000-memory.dmp

                Filesize

                4KB

                Download

              • memory/4876-5-0x00000000752D0000-0x0000000075A81000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/4876-0-0x00000000752DE000-0x00000000752DF000-memory.dmp

                Filesize

                4KB

                Download

              • memory/4876-3-0x00000000057C0000-0x0000000005852000-memory.dmp

                Filesize

                584KB

                Download

              • memory/4876-2-0x0000000005CD0000-0x0000000006276000-memory.dmp

                Filesize

                5.6MB

                Download

              • memory/4876-1-0x0000000000DC0000-0x0000000000DC8000-memory.dmp

                Filesize

                32KB

                Download