101bf531989118896084c365e004f70126cf7e71856e94bbbf0819dcb695e7f0

Analysis

max time kernel
227s
max time network
224s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 20:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

101bf531989118896084c365e004f70126cf7e71856e94bbbf0819dcb695e7f0.exe
Size

98KB
MD5

faf329147129be7355d83a4675cae571
SHA1

d4fdc4ee314cb358a61a5dfd6b14b3f4685ae600
SHA256

101bf531989118896084c365e004f70126cf7e71856e94bbbf0819dcb695e7f0
SHA512

4218ec704bcc9a3c9de97c00174aa4e48ee59f114034d7f86ff1c08e174a66c47b3eea41d2c8eedc49cad9add1193db4982b29c2bbdc1c0f87579a2d8cd9e048
SSDEEP

3072:Hnj9jtfU+INndIc0Jo5iNgiUelAXQmk0y:HjbeiTgLNgx

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

STUBCR~1.EXESTUBCR~1.exef2r0d3r1.exef2r0d3r1.exe

pid process

1340 STUBCR~1.EXE
1840 STUBCR~1.exe
884 f2r0d3r1.exe
928 f2r0d3r1.exe

pid	process
1340	STUBCR~1.EXE
1840	STUBCR~1.exe
884	f2r0d3r1.exe
928	f2r0d3r1.exe

Loads dropped DLL 5 IoCs

Processes:

101bf531989118896084c365e004f70126cf7e71856e94bbbf0819dcb695e7f0.exeSTUBCR~1.EXESTUBCR~1.exe

pid	process
888	101bf531989118896084c365e004f70126cf7e71856e94bbbf0819dcb695e7f0.exe
888	101bf531989118896084c365e004f70126cf7e71856e94bbbf0819dcb695e7f0.exe
1340	STUBCR~1.EXE
1340	STUBCR~1.EXE
1840	STUBCR~1.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

STUBCR~1.exe101bf531989118896084c365e004f70126cf7e71856e94bbbf0819dcb695e7f0.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\windows Live Messenger = "f2r0d3r1.exe"	STUBCR~1.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	101bf531989118896084c365e004f70126cf7e71856e94bbbf0819dcb695e7f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	101bf531989118896084c365e004f70126cf7e71856e94bbbf0819dcb695e7f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	STUBCR~1.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

STUBCR~1.EXEf2r0d3r1.exe

description	pid	process	target process
PID 1340 set thread context of 1840	1340	STUBCR~1.EXE	STUBCR~1.exe
PID 884 set thread context of 928	884	f2r0d3r1.exe	f2r0d3r1.exe

Drops file in Windows directory 3 IoCs

Processes:

STUBCR~1.exef2r0d3r1.exe

description	ioc	process
File created	C:\Windows\f2r0d3r1.exe	STUBCR~1.exe
File opened for modification	C:\Windows\f2r0d3r1.exe	STUBCR~1.exe
File opened for modification	C:\Windows\f2r0d3r1.exe	f2r0d3r1.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

STUBCR~1.EXEf2r0d3r1.exe

pid process

1340 STUBCR~1.EXE
884 f2r0d3r1.exe

pid	process
1340	STUBCR~1.EXE
884	f2r0d3r1.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

101bf531989118896084c365e004f70126cf7e71856e94bbbf0819dcb695e7f0.exeSTUBCR~1.EXESTUBCR~1.exef2r0d3r1.exe

description	pid	process	target process
PID 888 wrote to memory of 1340	888	101bf531989118896084c365e004f70126cf7e71856e94bbbf0819dcb695e7f0.exe	STUBCR~1.EXE
PID 888 wrote to memory of 1340	888	101bf531989118896084c365e004f70126cf7e71856e94bbbf0819dcb695e7f0.exe	STUBCR~1.EXE
PID 888 wrote to memory of 1340	888	101bf531989118896084c365e004f70126cf7e71856e94bbbf0819dcb695e7f0.exe	STUBCR~1.EXE
PID 888 wrote to memory of 1340	888	101bf531989118896084c365e004f70126cf7e71856e94bbbf0819dcb695e7f0.exe	STUBCR~1.EXE
PID 888 wrote to memory of 1340	888	101bf531989118896084c365e004f70126cf7e71856e94bbbf0819dcb695e7f0.exe	STUBCR~1.EXE
PID 888 wrote to memory of 1340	888	101bf531989118896084c365e004f70126cf7e71856e94bbbf0819dcb695e7f0.exe	STUBCR~1.EXE
PID 888 wrote to memory of 1340	888	101bf531989118896084c365e004f70126cf7e71856e94bbbf0819dcb695e7f0.exe	STUBCR~1.EXE
PID 1340 wrote to memory of 1840	1340	STUBCR~1.EXE	STUBCR~1.exe
PID 1340 wrote to memory of 1840	1340	STUBCR~1.EXE	STUBCR~1.exe
PID 1340 wrote to memory of 1840	1340	STUBCR~1.EXE	STUBCR~1.exe
PID 1340 wrote to memory of 1840	1340	STUBCR~1.EXE	STUBCR~1.exe
PID 1340 wrote to memory of 1840	1340	STUBCR~1.EXE	STUBCR~1.exe
PID 1340 wrote to memory of 1840	1340	STUBCR~1.EXE	STUBCR~1.exe
PID 1340 wrote to memory of 1840	1340	STUBCR~1.EXE	STUBCR~1.exe
PID 1340 wrote to memory of 1840	1340	STUBCR~1.EXE	STUBCR~1.exe
PID 1340 wrote to memory of 1840	1340	STUBCR~1.EXE	STUBCR~1.exe
PID 1340 wrote to memory of 1840	1340	STUBCR~1.EXE	STUBCR~1.exe
PID 1340 wrote to memory of 1840	1340	STUBCR~1.EXE	STUBCR~1.exe
PID 1340 wrote to memory of 1840	1340	STUBCR~1.EXE	STUBCR~1.exe
PID 1840 wrote to memory of 884	1840	STUBCR~1.exe	f2r0d3r1.exe
PID 1840 wrote to memory of 884	1840	STUBCR~1.exe	f2r0d3r1.exe
PID 1840 wrote to memory of 884	1840	STUBCR~1.exe	f2r0d3r1.exe
PID 1840 wrote to memory of 884	1840	STUBCR~1.exe	f2r0d3r1.exe
PID 1840 wrote to memory of 884	1840	STUBCR~1.exe	f2r0d3r1.exe
PID 1840 wrote to memory of 884	1840	STUBCR~1.exe	f2r0d3r1.exe
PID 1840 wrote to memory of 884	1840	STUBCR~1.exe	f2r0d3r1.exe
PID 884 wrote to memory of 928	884	f2r0d3r1.exe	f2r0d3r1.exe
PID 884 wrote to memory of 928	884	f2r0d3r1.exe	f2r0d3r1.exe
PID 884 wrote to memory of 928	884	f2r0d3r1.exe	f2r0d3r1.exe
PID 884 wrote to memory of 928	884	f2r0d3r1.exe	f2r0d3r1.exe
PID 884 wrote to memory of 928	884	f2r0d3r1.exe	f2r0d3r1.exe
PID 884 wrote to memory of 928	884	f2r0d3r1.exe	f2r0d3r1.exe
PID 884 wrote to memory of 928	884	f2r0d3r1.exe	f2r0d3r1.exe
PID 884 wrote to memory of 928	884	f2r0d3r1.exe	f2r0d3r1.exe
PID 884 wrote to memory of 928	884	f2r0d3r1.exe	f2r0d3r1.exe

C:\Users\Admin\AppData\Local\Temp\101bf531989118896084c365e004f70126cf7e71856e94bbbf0819dcb695e7f0.exe
"C:\Users\Admin\AppData\Local\Temp\101bf531989118896084c365e004f70126cf7e71856e94bbbf0819dcb695e7f0.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:888
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\STUBCR~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\STUBCR~1.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1340
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\STUBCR~1.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\STUBCR~1.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:1840
  - - C:\Windows\f2r0d3r1.exe
      "C:\Windows\f2r0d3r1.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:884
    - - C:\Windows\f2r0d3r1.exe
        
        C:\Windows\f2r0d3r1.exe
        5⤵
        Executes dropped EXE
        
        PID:928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\STUBCR~1.EXE

Filesize
75KB

MD5
f68788c526f7e7473b518b6d37f34c79

SHA1
505192ec29160903cc35c845559457d977c25415

SHA256
11520c06f4784a80ac7df99c9baf20562c168a35c64e12a629c229748001b93b

SHA512
4507daf88966b9c61c1c15eba70b2e290c63b78e99d9a7cfbd8aaab5434b0f2d5d99a1641558d961850e579b76f3392c0987c3e27a8fbe23db67c4a4c382fe22

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\STUBCR~1.EXE

Filesize
75KB

MD5
f68788c526f7e7473b518b6d37f34c79

SHA1
505192ec29160903cc35c845559457d977c25415

SHA256
11520c06f4784a80ac7df99c9baf20562c168a35c64e12a629c229748001b93b

SHA512
4507daf88966b9c61c1c15eba70b2e290c63b78e99d9a7cfbd8aaab5434b0f2d5d99a1641558d961850e579b76f3392c0987c3e27a8fbe23db67c4a4c382fe22

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\STUBCR~1.EXE

Filesize
75KB

MD5
f68788c526f7e7473b518b6d37f34c79

SHA1
505192ec29160903cc35c845559457d977c25415

SHA256
11520c06f4784a80ac7df99c9baf20562c168a35c64e12a629c229748001b93b

SHA512
4507daf88966b9c61c1c15eba70b2e290c63b78e99d9a7cfbd8aaab5434b0f2d5d99a1641558d961850e579b76f3392c0987c3e27a8fbe23db67c4a4c382fe22

Download Submit
C:\Windows\f2r0d3r1.exe

Filesize
75KB

MD5
f68788c526f7e7473b518b6d37f34c79

SHA1
505192ec29160903cc35c845559457d977c25415

SHA256
11520c06f4784a80ac7df99c9baf20562c168a35c64e12a629c229748001b93b

SHA512
4507daf88966b9c61c1c15eba70b2e290c63b78e99d9a7cfbd8aaab5434b0f2d5d99a1641558d961850e579b76f3392c0987c3e27a8fbe23db67c4a4c382fe22

Download Submit
C:\Windows\f2r0d3r1.exe

Filesize
75KB

MD5
f68788c526f7e7473b518b6d37f34c79

SHA1
505192ec29160903cc35c845559457d977c25415

SHA256
11520c06f4784a80ac7df99c9baf20562c168a35c64e12a629c229748001b93b

SHA512
4507daf88966b9c61c1c15eba70b2e290c63b78e99d9a7cfbd8aaab5434b0f2d5d99a1641558d961850e579b76f3392c0987c3e27a8fbe23db67c4a4c382fe22

Download Submit
C:\Windows\f2r0d3r1.exe

Filesize
75KB

MD5
f68788c526f7e7473b518b6d37f34c79

SHA1
505192ec29160903cc35c845559457d977c25415

SHA256
11520c06f4784a80ac7df99c9baf20562c168a35c64e12a629c229748001b93b

SHA512
4507daf88966b9c61c1c15eba70b2e290c63b78e99d9a7cfbd8aaab5434b0f2d5d99a1641558d961850e579b76f3392c0987c3e27a8fbe23db67c4a4c382fe22

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\STUBCR~1.EXE

Filesize
75KB

MD5
f68788c526f7e7473b518b6d37f34c79

SHA1
505192ec29160903cc35c845559457d977c25415

SHA256
11520c06f4784a80ac7df99c9baf20562c168a35c64e12a629c229748001b93b

SHA512
4507daf88966b9c61c1c15eba70b2e290c63b78e99d9a7cfbd8aaab5434b0f2d5d99a1641558d961850e579b76f3392c0987c3e27a8fbe23db67c4a4c382fe22

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\STUBCR~1.EXE

Filesize
75KB

MD5
f68788c526f7e7473b518b6d37f34c79

SHA1
505192ec29160903cc35c845559457d977c25415

SHA256
11520c06f4784a80ac7df99c9baf20562c168a35c64e12a629c229748001b93b

SHA512
4507daf88966b9c61c1c15eba70b2e290c63b78e99d9a7cfbd8aaab5434b0f2d5d99a1641558d961850e579b76f3392c0987c3e27a8fbe23db67c4a4c382fe22

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\STUBCR~1.EXE

Filesize
75KB

MD5
f68788c526f7e7473b518b6d37f34c79

SHA1
505192ec29160903cc35c845559457d977c25415

SHA256
11520c06f4784a80ac7df99c9baf20562c168a35c64e12a629c229748001b93b

SHA512
4507daf88966b9c61c1c15eba70b2e290c63b78e99d9a7cfbd8aaab5434b0f2d5d99a1641558d961850e579b76f3392c0987c3e27a8fbe23db67c4a4c382fe22

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\STUBCR~1.EXE

Filesize
75KB

MD5
f68788c526f7e7473b518b6d37f34c79

SHA1
505192ec29160903cc35c845559457d977c25415

SHA256
11520c06f4784a80ac7df99c9baf20562c168a35c64e12a629c229748001b93b

SHA512
4507daf88966b9c61c1c15eba70b2e290c63b78e99d9a7cfbd8aaab5434b0f2d5d99a1641558d961850e579b76f3392c0987c3e27a8fbe23db67c4a4c382fe22

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\STUBCR~1.EXE

Filesize
75KB

MD5
f68788c526f7e7473b518b6d37f34c79

SHA1
505192ec29160903cc35c845559457d977c25415

SHA256
11520c06f4784a80ac7df99c9baf20562c168a35c64e12a629c229748001b93b

SHA512
4507daf88966b9c61c1c15eba70b2e290c63b78e99d9a7cfbd8aaab5434b0f2d5d99a1641558d961850e579b76f3392c0987c3e27a8fbe23db67c4a4c382fe22

Download Submit
memory/884-80-0x0000000000000000-mapping.dmp

Download
memory/888-54-0x00000000753F1000-0x00000000753F3000-memory.dmp

Filesize
8KB

Download
memory/928-98-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/928-92-0x0000000000405222-mapping.dmp

Download
memory/1340-57-0x0000000000000000-mapping.dmp

Download
memory/1840-69-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1840-79-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1840-75-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1840-66-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1840-65-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1840-71-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1840-72-0x0000000000405222-mapping.dmp

Download
memory/1840-97-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1840-68-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download