664ee273d850e82e2b13819c224a46e08f1740ded02deed3df51074788cfb3d2

Analysis

max time kernel
72s
max time network
73s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 15:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dead.builder.exe
Size

3.5MB
MD5

843cb08b973c9003b0fb086da217b63d
SHA1

0fd13e058ae7ffd15b8a303700710e879a5927f9
SHA256

664ee273d850e82e2b13819c224a46e08f1740ded02deed3df51074788cfb3d2
SHA512

f46cb8f145d26223d2f4b4d49462c9f06202cd2803f9760a76eb2a5bf2bd94b1ae6995b687c5f1e6e00c7a41037c9557d35285e4769ecbe39af5241dd6cfee02
SSDEEP

98304:FkjozJ9/im8XVBKl6tmJVP2sRx/E0T7zN3HtHMSGuA+i1i:5zJpjS346tmJ1ds+7ptHM9uAm

Score

7^/10

agilenet

Malware Config

Signatures

Obfuscated with Agile.Net obfuscator 8 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral2/memory/2988-3-0x00000275038F0000-0x0000027503910000-memory.dmp	agile_net
behavioral2/memory/2988-2-0x00000275038D0000-0x00000275038F0000-memory.dmp	agile_net
behavioral2/memory/2988-5-0x000002751C250000-0x000002751C2AA000-memory.dmp	agile_net
behavioral2/memory/2988-4-0x0000027503920000-0x000002750392E000-memory.dmp	agile_net
behavioral2/memory/2988-7-0x000002751C2B0000-0x000002751C31E000-memory.dmp	agile_net
behavioral2/memory/2988-6-0x0000027503930000-0x0000027503940000-memory.dmp	agile_net
behavioral2/memory/2988-8-0x0000027503950000-0x000002750396E000-memory.dmp	agile_net
behavioral2/memory/2988-10-0x000002751C450000-0x000002751C59A000-memory.dmp	agile_net

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

31 discord.com
32 discord.com
33 discord.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
31	discord.com
32	discord.com
33	discord.com

Modifies registry class 1 IoCs

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1181767204-2009306918-3718769404-1000\{A91B9D42-ADB8-4FE9-9D5E-793AC973EE7D}	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

dead.builder.exe

pid	process
2988	dead.builder.exe
2988	dead.builder.exe
2988	dead.builder.exe
2988	dead.builder.exe
2988	dead.builder.exe
2988	dead.builder.exe
2988	dead.builder.exe
2988	dead.builder.exe
2988	dead.builder.exe
2988	dead.builder.exe
2988	dead.builder.exe
2988	dead.builder.exe
2988	dead.builder.exe
2988	dead.builder.exe
2988	dead.builder.exe
2988	dead.builder.exe
2988	dead.builder.exe
2988	dead.builder.exe
2988	dead.builder.exe
2988	dead.builder.exe
2988	dead.builder.exe
2988	dead.builder.exe
2988	dead.builder.exe
2988	dead.builder.exe
2988	dead.builder.exe
2988	dead.builder.exe
2988	dead.builder.exe
2988	dead.builder.exe
2988	dead.builder.exe
2988	dead.builder.exe
2988	dead.builder.exe
2988	dead.builder.exe
2988	dead.builder.exe
2988	dead.builder.exe
2988	dead.builder.exe
2988	dead.builder.exe
2988	dead.builder.exe
2988	dead.builder.exe
2988	dead.builder.exe
2988	dead.builder.exe
2988	dead.builder.exe
2988	dead.builder.exe
2988	dead.builder.exe
2988	dead.builder.exe
2988	dead.builder.exe
2988	dead.builder.exe
2988	dead.builder.exe
2988	dead.builder.exe
2988	dead.builder.exe
2988	dead.builder.exe
2988	dead.builder.exe
2988	dead.builder.exe
2988	dead.builder.exe
2988	dead.builder.exe
2988	dead.builder.exe
2988	dead.builder.exe
2988	dead.builder.exe
2988	dead.builder.exe
2988	dead.builder.exe
2988	dead.builder.exe
2988	dead.builder.exe
2988	dead.builder.exe
2988	dead.builder.exe
2988	dead.builder.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

dead.builder.exe

description pid process

Token: SeDebugPrivilege 2988 dead.builder.exe
Suspicious use of WriteProcessMemory 2 IoCs

Processes:

dead.builder.exe

description pid process target process

PID 2988 wrote to memory of 3924 2988 dead.builder.exe msedge.exe
PID 2988 wrote to memory of 3924 2988 dead.builder.exe msedge.exe

description	pid	process
Token: SeDebugPrivilege	2988	dead.builder.exe

description	pid	process	target process
PID 2988 wrote to memory of 3924	2988	dead.builder.exe	msedge.exe
PID 2988 wrote to memory of 3924	2988	dead.builder.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\dead.builder.exe
"C:\Users\Admin\AppData\Local\Temp\dead.builder.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/VYsbQ7DEWk
2⤵
PID:3924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4184,i,9746875443948590908,1444894342962555245,262144 --variations-seed-version --mojo-platform-channel-handle=4232 /prefetch:8
1⤵
PID:4368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=1876,i,9746875443948590908,1444894342962555245,262144 --variations-seed-version --mojo-platform-channel-handle=4652 /prefetch:1
1⤵
PID:2304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=4592,i,9746875443948590908,1444894342962555245,262144 --variations-seed-version --mojo-platform-channel-handle=4792 /prefetch:1
1⤵
PID:2876

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --field-trial-handle=5444,i,9746875443948590908,1444894342962555245,262144 --variations-seed-version --mojo-platform-channel-handle=5456 /prefetch:1
1⤵
PID:2276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5604,i,9746875443948590908,1444894342962555245,262144 --variations-seed-version --mojo-platform-channel-handle=5620 /prefetch:8
1⤵
PID:2168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --field-trial-handle=5928,i,9746875443948590908,1444894342962555245,262144 --variations-seed-version --mojo-platform-channel-handle=5936 /prefetch:1
1⤵
PID:3740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --field-trial-handle=5192,i,9746875443948590908,1444894342962555245,262144 --variations-seed-version --mojo-platform-channel-handle=5148 /prefetch:1
1⤵
PID:2688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=4768,i,9746875443948590908,1444894342962555245,262144 --variations-seed-version --mojo-platform-channel-handle=4608 /prefetch:8
1⤵
PID:3420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4844,i,9746875443948590908,1444894342962555245,262144 --variations-seed-version --mojo-platform-channel-handle=6140 /prefetch:8
1⤵
- Modifies registry class
PID:3492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6360,i,9746875443948590908,1444894342962555245,262144 --variations-seed-version --mojo-platform-channel-handle=6408 /prefetch:8
1⤵
PID:4968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4360,i,9746875443948590908,1444894342962555245,262144 --variations-seed-version --mojo-platform-channel-handle=3532 /prefetch:8
1⤵
PID:4312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --field-trial-handle=5764,i,9746875443948590908,1444894342962555245,262144 --variations-seed-version --mojo-platform-channel-handle=5660 /prefetch:8
1⤵
PID:1088

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2988-0-0x00007FFB408D3000-0x00007FFB408D5000-memory.dmp

Filesize
8KB

Download
memory/2988-1-0x0000027501900000-0x0000027501C82000-memory.dmp

Filesize
3.5MB

Download
memory/2988-3-0x00000275038F0000-0x0000027503910000-memory.dmp

Filesize
128KB

Download
memory/2988-2-0x00000275038D0000-0x00000275038F0000-memory.dmp

Filesize
128KB

Download
memory/2988-5-0x000002751C250000-0x000002751C2AA000-memory.dmp

Filesize
360KB

Download
memory/2988-4-0x0000027503920000-0x000002750392E000-memory.dmp

Filesize
56KB

Download
memory/2988-7-0x000002751C2B0000-0x000002751C31E000-memory.dmp

Filesize
440KB

Download
memory/2988-6-0x0000027503930000-0x0000027503940000-memory.dmp

Filesize
64KB

Download
memory/2988-8-0x0000027503950000-0x000002750396E000-memory.dmp

Filesize
120KB

Download
memory/2988-9-0x00007FFB408D0000-0x00007FFB41391000-memory.dmp

Filesize
10.8MB

Download
memory/2988-10-0x000002751C450000-0x000002751C59A000-memory.dmp

Filesize
1.3MB

Download
memory/2988-11-0x000002751C5A0000-0x000002751C6B6000-memory.dmp

Filesize
1.1MB

Download
memory/2988-12-0x000002751C6C0000-0x000002751C6F0000-memory.dmp

Filesize
192KB

Download
memory/2988-13-0x00007FFB408D0000-0x00007FFB41391000-memory.dmp

Filesize
10.8MB

Download
memory/2988-14-0x00007FFB408D0000-0x00007FFB41391000-memory.dmp

Filesize
10.8MB

Download
memory/2988-15-0x000002751C6F0000-0x000002751C899000-memory.dmp

Filesize
1.7MB

Download
memory/2988-17-0x00007FFB408D3000-0x00007FFB408D5000-memory.dmp

Filesize
8KB

Download
memory/2988-16-0x000002751C6F0000-0x000002751C899000-memory.dmp

Filesize
1.7MB

Download
memory/2988-18-0x00007FFB408D0000-0x00007FFB41391000-memory.dmp

Filesize
10.8MB

Download
memory/2988-19-0x00007FFB408D0000-0x00007FFB41391000-memory.dmp

Filesize
10.8MB

Download
memory/2988-21-0x00007FFB408D0000-0x00007FFB41391000-memory.dmp

Filesize
10.8MB

Download
memory/2988-25-0x000002751C6F0000-0x000002751C899000-memory.dmp

Filesize
1.7MB

Download
memory/2988-27-0x000002751C6F0000-0x000002751C899000-memory.dmp

Filesize
1.7MB

Download
memory/2988-28-0x00007FFB408D0000-0x00007FFB41391000-memory.dmp

Filesize
10.8MB

Download