101bf531989118896084c365e004f70126cf7e71856e94bbbf0819dcb695e7f0

General

Target

101bf531989118896084c365e004f70126cf7e71856e94bbbf0819dcb695e7f0.exe
Size

98KB
MD5

faf329147129be7355d83a4675cae571
SHA1

d4fdc4ee314cb358a61a5dfd6b14b3f4685ae600
SHA256

101bf531989118896084c365e004f70126cf7e71856e94bbbf0819dcb695e7f0
SHA512

4218ec704bcc9a3c9de97c00174aa4e48ee59f114034d7f86ff1c08e174a66c47b3eea41d2c8eedc49cad9add1193db4982b29c2bbdc1c0f87579a2d8cd9e048
SSDEEP

3072:Hnj9jtfU+INndIc0Jo5iNgiUelAXQmk0y:HjbeiTgLNgx

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

STUBCR~1.EXESTUBCR~1.exef2r0d3r1.exef2r0d3r1.exe

pid process

228 STUBCR~1.EXE
4268 STUBCR~1.exe
792 f2r0d3r1.exe
3472 f2r0d3r1.exe

pid	process
228	STUBCR~1.EXE
4268	STUBCR~1.exe
792	f2r0d3r1.exe
3472	f2r0d3r1.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

101bf531989118896084c365e004f70126cf7e71856e94bbbf0819dcb695e7f0.exeSTUBCR~1.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	101bf531989118896084c365e004f70126cf7e71856e94bbbf0819dcb695e7f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	101bf531989118896084c365e004f70126cf7e71856e94bbbf0819dcb695e7f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	STUBCR~1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\windows Live Messenger = "f2r0d3r1.exe"	STUBCR~1.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

STUBCR~1.EXEf2r0d3r1.exe

description	pid	process	target process
PID 228 set thread context of 4268	228	STUBCR~1.EXE	STUBCR~1.exe
PID 792 set thread context of 3472	792	f2r0d3r1.exe	f2r0d3r1.exe

Drops file in Windows directory 3 IoCs

Processes:

STUBCR~1.exef2r0d3r1.exe

description	ioc	process
File created	C:\Windows\f2r0d3r1.exe	STUBCR~1.exe
File opened for modification	C:\Windows\f2r0d3r1.exe	STUBCR~1.exe
File opened for modification	C:\Windows\f2r0d3r1.exe	f2r0d3r1.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

STUBCR~1.EXEf2r0d3r1.exe

pid process

228 STUBCR~1.EXE
792 f2r0d3r1.exe

pid	process
228	STUBCR~1.EXE
792	f2r0d3r1.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

101bf531989118896084c365e004f70126cf7e71856e94bbbf0819dcb695e7f0.exeSTUBCR~1.EXESTUBCR~1.exef2r0d3r1.exe

description	pid	process	target process
PID 2696 wrote to memory of 228	2696	101bf531989118896084c365e004f70126cf7e71856e94bbbf0819dcb695e7f0.exe	STUBCR~1.EXE
PID 2696 wrote to memory of 228	2696	101bf531989118896084c365e004f70126cf7e71856e94bbbf0819dcb695e7f0.exe	STUBCR~1.EXE
PID 2696 wrote to memory of 228	2696	101bf531989118896084c365e004f70126cf7e71856e94bbbf0819dcb695e7f0.exe	STUBCR~1.EXE
PID 228 wrote to memory of 4268	228	STUBCR~1.EXE	STUBCR~1.exe
PID 228 wrote to memory of 4268	228	STUBCR~1.EXE	STUBCR~1.exe
PID 228 wrote to memory of 4268	228	STUBCR~1.EXE	STUBCR~1.exe
PID 228 wrote to memory of 4268	228	STUBCR~1.EXE	STUBCR~1.exe
PID 228 wrote to memory of 4268	228	STUBCR~1.EXE	STUBCR~1.exe
PID 228 wrote to memory of 4268	228	STUBCR~1.EXE	STUBCR~1.exe
PID 228 wrote to memory of 4268	228	STUBCR~1.EXE	STUBCR~1.exe
PID 228 wrote to memory of 4268	228	STUBCR~1.EXE	STUBCR~1.exe
PID 4268 wrote to memory of 792	4268	STUBCR~1.exe	f2r0d3r1.exe
PID 4268 wrote to memory of 792	4268	STUBCR~1.exe	f2r0d3r1.exe
PID 4268 wrote to memory of 792	4268	STUBCR~1.exe	f2r0d3r1.exe
PID 792 wrote to memory of 3472	792	f2r0d3r1.exe	f2r0d3r1.exe
PID 792 wrote to memory of 3472	792	f2r0d3r1.exe	f2r0d3r1.exe
PID 792 wrote to memory of 3472	792	f2r0d3r1.exe	f2r0d3r1.exe
PID 792 wrote to memory of 3472	792	f2r0d3r1.exe	f2r0d3r1.exe
PID 792 wrote to memory of 3472	792	f2r0d3r1.exe	f2r0d3r1.exe
PID 792 wrote to memory of 3472	792	f2r0d3r1.exe	f2r0d3r1.exe
PID 792 wrote to memory of 3472	792	f2r0d3r1.exe	f2r0d3r1.exe
PID 792 wrote to memory of 3472	792	f2r0d3r1.exe	f2r0d3r1.exe

C:\Users\Admin\AppData\Local\Temp\101bf531989118896084c365e004f70126cf7e71856e94bbbf0819dcb695e7f0.exe
"C:\Users\Admin\AppData\Local\Temp\101bf531989118896084c365e004f70126cf7e71856e94bbbf0819dcb695e7f0.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\STUBCR~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\STUBCR~1.EXE
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:228
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\STUBCR~1.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\STUBCR~1.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:4268
  - - C:\Windows\f2r0d3r1.exe
      "C:\Windows\f2r0d3r1.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:792
    - - C:\Windows\f2r0d3r1.exe
        
        C:\Windows\f2r0d3r1.exe
        5⤵
        Executes dropped EXE
        
        PID:3472

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\STUBCR~1.EXE

Filesize
75KB

MD5
f68788c526f7e7473b518b6d37f34c79

SHA1
505192ec29160903cc35c845559457d977c25415

SHA256
11520c06f4784a80ac7df99c9baf20562c168a35c64e12a629c229748001b93b

SHA512
4507daf88966b9c61c1c15eba70b2e290c63b78e99d9a7cfbd8aaab5434b0f2d5d99a1641558d961850e579b76f3392c0987c3e27a8fbe23db67c4a4c382fe22

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\STUBCR~1.EXE

Filesize
75KB

MD5
f68788c526f7e7473b518b6d37f34c79

SHA1
505192ec29160903cc35c845559457d977c25415

SHA256
11520c06f4784a80ac7df99c9baf20562c168a35c64e12a629c229748001b93b

SHA512
4507daf88966b9c61c1c15eba70b2e290c63b78e99d9a7cfbd8aaab5434b0f2d5d99a1641558d961850e579b76f3392c0987c3e27a8fbe23db67c4a4c382fe22

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\STUBCR~1.EXE

Filesize
75KB

MD5
f68788c526f7e7473b518b6d37f34c79

SHA1
505192ec29160903cc35c845559457d977c25415

SHA256
11520c06f4784a80ac7df99c9baf20562c168a35c64e12a629c229748001b93b

SHA512
4507daf88966b9c61c1c15eba70b2e290c63b78e99d9a7cfbd8aaab5434b0f2d5d99a1641558d961850e579b76f3392c0987c3e27a8fbe23db67c4a4c382fe22

Download Submit
C:\Windows\f2r0d3r1.exe

Filesize
75KB

MD5
f68788c526f7e7473b518b6d37f34c79

SHA1
505192ec29160903cc35c845559457d977c25415

SHA256
11520c06f4784a80ac7df99c9baf20562c168a35c64e12a629c229748001b93b

SHA512
4507daf88966b9c61c1c15eba70b2e290c63b78e99d9a7cfbd8aaab5434b0f2d5d99a1641558d961850e579b76f3392c0987c3e27a8fbe23db67c4a4c382fe22

Download Submit
C:\Windows\f2r0d3r1.exe

Filesize
75KB

MD5
f68788c526f7e7473b518b6d37f34c79

SHA1
505192ec29160903cc35c845559457d977c25415

SHA256
11520c06f4784a80ac7df99c9baf20562c168a35c64e12a629c229748001b93b

SHA512
4507daf88966b9c61c1c15eba70b2e290c63b78e99d9a7cfbd8aaab5434b0f2d5d99a1641558d961850e579b76f3392c0987c3e27a8fbe23db67c4a4c382fe22

Download Submit
C:\Windows\f2r0d3r1.exe

Filesize
75KB

MD5
f68788c526f7e7473b518b6d37f34c79

SHA1
505192ec29160903cc35c845559457d977c25415

SHA256
11520c06f4784a80ac7df99c9baf20562c168a35c64e12a629c229748001b93b

SHA512
4507daf88966b9c61c1c15eba70b2e290c63b78e99d9a7cfbd8aaab5434b0f2d5d99a1641558d961850e579b76f3392c0987c3e27a8fbe23db67c4a4c382fe22

Download Submit
memory/228-132-0x0000000000000000-mapping.dmp

Download
memory/792-143-0x0000000000000000-mapping.dmp

Download
memory/3472-148-0x0000000000000000-mapping.dmp

Download
memory/4268-137-0x0000000000000000-mapping.dmp

Download
memory/4268-138-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4268-141-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads