Analysis
-
max time kernel: 206s
max time network: 167s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 05/12/2022, 09:13
-
Static task: static1
-
Behavioral task: behavioral1
  Sample: fe4d37b2cb758773830a785ed89020e7d31a58a03397221cd93ce0cacb87b7d7.exe
  Resource: win7-20221111-en
-
Behavioral task: behavioral2
  Sample: fe4d37b2cb758773830a785ed89020e7d31a58a03397221cd93ce0cacb87b7d7.exe
  Resource: win10v2004-20220812-en
General
-
Target: fe4d37b2cb758773830a785ed89020e7d31a58a03397221cd93ce0cacb87b7d7.exe
Size: 76KB
MD5: 980c2a5956ee18cfd60d17f899ee3115
SHA1: 3d146224490bd8473565a994af03559eb3d335c6
SHA256: fe4d37b2cb758773830a785ed89020e7d31a58a03397221cd93ce0cacb87b7d7
SHA512: c0a11a748da1d2692a934a6052b32b23b7a9f47dc56d3ae8fd88779a2089a19caa370042010ed5c313aebe45149a6a8d07b294a4394a71978d2d89ffcaed3712
SSDEEP: 1536:xDxbxMhRI3Jihyd3js7A6s74tBTF3s0loJTljub8:xDxbxMhRI3IhKjR7iH3VoTl1
Malware Config
Signatures
-
Executes dropped EXE (2 IoCs)
pid | Process
628 | WINDVBR.EXE
1772 | WINDVBR.EXE
-
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ | fe4d37b2cb758773830a785ed89020e7d31a58a03397221cd93ce0cacb87b7d7.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winservice = "WINDVBR.EXE" | fe4d37b2cb758773830a785ed89020e7d31a58a03397221cd93ce0cacb87b7d7.exe
-
Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 1192 set thread context of 1020 | 1192 | fe4d37b2cb758773830a785ed89020e7d31a58a03397221cd93ce0cacb87b7d7.exe | 28
PID 628 set thread context of 1772 | 628 | WINDVBR.EXE | 30
-
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File created | C:\Program Files (x86)\emule\incoming\Counter-Strike KeyGen.exe | WINDVBR.EXE
File created | C:\Program Files (x86)\emule\incoming\Windows XP Keygen | WINDVBR.EXE
File created | C:\Program Files (x86)\tesla\files\Myspace Bruteforce.exe | WINDVBR.EXE
File created | C:\Program Files (x86)\edonkey2000\incoming\Myspace Bruteforce.exe | WINDVBR.EXE
File created | C:\Program Files (x86)\limewire\shared\Adobe Keygen.exe | WINDVBR.EXE
File created | C:\Program Files (x86)\kazaa lite k++\my shared folder\Myspace Attack.exe | WINDVBR.EXE
File created | C:\Program Files (x86)\icq\shared folder\PhotoShop Keygen.exe | WINDVBR.EXE
File created | C:\Program Files (x86)\edonkey2000\incoming\Kaspersky Crck.exe | WINDVBR.EXE
File created | C:\Program Files (x86)\tesla\files\Windows XP Keygen | WINDVBR.EXE
File created | C:\Program Files (x86)\winmx\shared\Microsoft Visual C++ 2009 KeyGen.exe | WINDVBR.EXE
File created | C:\Program Files (x86)\kazaa lite k++\my shared folder\Microsoft Visual Studio 6 KeyGen.exe | WINDVBR.EXE
File created | C:\Program Files (x86)\bearshare\shared\Limewire Pro Downloader.exe | WINDVBR.EXE
File created | C:\Program Files (x86)\edonkey2000\incoming\Myspace Attack.exe | WINDVBR.EXE
File created | C:\Program Files (x86)\morpheus\my shared folder\Kaspersky Crck.exe | WINDVBR.EXE
File created | C:\Program Files (x86)\kazaa lite\my shared folder\Steam Account Stealer.exe | WINDVBR.EXE
File created | C:\Program Files (x86)\grokster\my grokster\Adobe Photoshop Keygen.exe | WINDVBR.EXE
File created | C:\Program Files (x86)\edonkey2000\incoming\RuneScape Gold Exploit.exe | WINDVBR.EXE
File created | C:\Program Files (x86)\emule\incoming\AOL Triton Cracker.exe | WINDVBR.EXE
File created | C:\Program Files (x86)\limewire\shared\Half-Life 2 WORKS-ON-STEAM.exe | WINDVBR.EXE
File created | C:\Program Files (x86)\tesla\files\Counter-Strike Source KeyGen.exe | WINDVBR.EXE
File created | C:\Program Files (x86)\kazaa\my shared folder\DeadSpace KeyGen.exe | WINDVBR.EXE
File created | C:\Program Files (x86)\kazaa\my shared folder\Hotmail Cracker.exe | WINDVBR.EXE
File created | C:\Program Files (x86)\edonkey2000\incoming\ICQ Account Cracker.exe | WINDVBR.EXE
File created | C:\Program Files (x86)\emule\incoming\Virus Generator.exe | WINDVBR.EXE
File created | C:\Program Files (x86)\morpheus\my shared folder\Myspace Bruteforce.exe | WINDVBR.EXE
File created | C:\Program Files (x86)\limewire\shared\Adobe Photoshop Keygen.exe | WINDVBR.EXE
File created | C:\Program Files (x86)\winmx\shared\Windows XP Keygen | WINDVBR.EXE
File created | C:\Program Files (x86)\winmx\shared\Nod32 Crack.exe | WINDVBR.EXE
File created | C:\Program Files (x86)\kazaa lite k++\my shared folder\RuneScape 2008 - Newest Exploits.exe | WINDVBR.EXE
File created | C:\Program Files (x86)\edonkey2000\incoming\Adobe Photoshop Keygen.exe | WINDVBR.EXE
File created | C:\Program Files (x86)\emule\incoming\Kaspersky Crck.exe | WINDVBR.EXE
File created | C:\Program Files (x86)\grokster\my grokster\FTP Cracker.exe | WINDVBR.EXE
File created | C:\Program Files (x86)\limewire\shared\Hotmail Hacker.exe | WINDVBR.EXE
File created | C:\Program Files (x86)\morpheus\my shared folder\Limewire Speed Patch | WINDVBR.EXE
File created | C:\Program Files (x86)\limewire\shared\Kaspersky Keygen.exe | WINDVBR.EXE
File created | C:\Program Files (x86)\kazaa lite k++\my shared folder\Microsoft Visual Basic 6 KeyGen.exe | WINDVBR.EXE
File created | C:\Program Files (x86)\icq\shared folder\AOL Triton Cracker.exe | WINDVBR.EXE
File created | C:\Program Files (x86)\emule\incoming\Myspace Cracker.exe | WINDVBR.EXE
File created | C:\Program Files (x86)\tesla\files\RuneScape 2008 - Newest Exploits.exe | WINDVBR.EXE
File created | C:\Program Files (x86)\kazaa lite\my shared folder\Kaspersky 2009 Full Suite Crack.exe | WINDVBR.EXE
File created | C:\Program Files (x86)\kazaa lite k++\my shared folder\Kaspersky Keygen.exe | WINDVBR.EXE
File created | C:\Program Files (x86)\icq\shared folder\Counter-Strike KeyGen.exe | WINDVBR.EXE
File created | C:\Program Files (x86)\emule\incoming\Adobe Photoshop Keygen.exe | WINDVBR.EXE
File created | C:\Program Files (x86)\morpheus\my shared folder\Microsoft Visual C++ 2009 KeyGen.exe | WINDVBR.EXE
File created | C:\Program Files (x86)\limewire\shared\Microsoft Visual Studio 2009 KeyGen.exe | WINDVBR.EXE
File created | C:\Program Files (x86)\limewire\shared\PhotoShop Keygen.exe | WINDVBR.EXE
File created | C:\Program Files (x86)\winmx\shared\Project 7 Private 4.8.exe | WINDVBR.EXE
File created | C:\Program Files (x86)\kazaa lite\my shared folder\PhotoShop Keygen.exe | WINDVBR.EXE
File created | C:\Program Files (x86)\grokster\my grokster\Microsoft Visual Basic 6 KeyGen.exe | WINDVBR.EXE
File created | C:\Program Files (x86)\emule\incoming\Windows Vista Keygen | WINDVBR.EXE
File created | C:\Program Files (x86)\kazaa lite\my shared folder\Nod32 Crack.exe | WINDVBR.EXE
File created | C:\Program Files (x86)\bearshare\shared\AOL Instant Messenger (AIM) Cracker.exe | WINDVBR.EXE
File created | C:\Program Files (x86)\winmx\shared\Limewire Speed Patch | WINDVBR.EXE
File created | C:\Program Files (x86)\edonkey2000\incoming\RuneScape Cracker.exe | WINDVBR.EXE
File created | C:\Program Files (x86)\edonkey2000\incoming\RuneScape 2008 - Newest Exploits.exe | WINDVBR.EXE
File created | C:\Program Files (x86)\emule\incoming\AOL Password Cracker.exe | WINDVBR.EXE
File created | C:\Program Files (x86)\tesla\files\Windows 2009 Server KeyGen.exe | WINDVBR.EXE
File created | C:\Program Files (x86)\tesla\files\Windows XP Crack.exe | WINDVBR.EXE
File created | C:\Program Files (x86)\kazaa lite\my shared folder\YIM HAcker 2010.exe | WINDVBR.EXE
File created | C:\Program Files (x86)\grokster\my grokster\Tcpip Patch.exe | WINDVBR.EXE
File created | C:\Program Files (x86)\bearshare\shared\Myspace Cracker.exe | WINDVBR.EXE
File created | C:\Program Files (x86)\bearshare\shared\FTP Cracker.exe | WINDVBR.EXE
File created | C:\Program Files (x86)\grokster\my grokster\RuneScape 2008 - Newest Exploits.exe | WINDVBR.EXE
File created | C:\Program Files (x86)\bearshare\shared\AOL Hacker 2010.exe | WINDVBR.EXE
-
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\WINDVBR.EXE | fe4d37b2cb758773830a785ed89020e7d31a58a03397221cd93ce0cacb87b7d7.exe
File opened for modification | C:\Windows\WINDVBR.EXE | fe4d37b2cb758773830a785ed89020e7d31a58a03397221cd93ce0cacb87b7d7.exe
File opened for modification | C:\Windows\WINDVBR.exe | WINDVBR.EXE
-
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
1192 | fe4d37b2cb758773830a785ed89020e7d31a58a03397221cd93ce0cacb87b7d7.exe
628 | WINDVBR.EXE
-
Suspicious use of WriteProcessMemory (22 IoCs)
description | pid | Process | procid_target
PID 1192 wrote to memory of 1020 | 1192 | fe4d37b2cb758773830a785ed89020e7d31a58a03397221cd93ce0cacb87b7d7.exe | 28
PID 1192 wrote to memory of 1020 | 1192 | fe4d37b2cb758773830a785ed89020e7d31a58a03397221cd93ce0cacb87b7d7.exe | 28
PID 1192 wrote to memory of 1020 | 1192 | fe4d37b2cb758773830a785ed89020e7d31a58a03397221cd93ce0cacb87b7d7.exe | 28
PID 1192 wrote to memory of 1020 | 1192 | fe4d37b2cb758773830a785ed89020e7d31a58a03397221cd93ce0cacb87b7d7.exe | 28
PID 1192 wrote to memory of 1020 | 1192 | fe4d37b2cb758773830a785ed89020e7d31a58a03397221cd93ce0cacb87b7d7.exe | 28
PID 1192 wrote to memory of 1020 | 1192 | fe4d37b2cb758773830a785ed89020e7d31a58a03397221cd93ce0cacb87b7d7.exe | 28
PID 1192 wrote to memory of 1020 | 1192 | fe4d37b2cb758773830a785ed89020e7d31a58a03397221cd93ce0cacb87b7d7.exe | 28
PID 1192 wrote to memory of 1020 | 1192 | fe4d37b2cb758773830a785ed89020e7d31a58a03397221cd93ce0cacb87b7d7.exe | 28
PID 1192 wrote to memory of 1020 | 1192 | fe4d37b2cb758773830a785ed89020e7d31a58a03397221cd93ce0cacb87b7d7.exe | 28
PID 1020 wrote to memory of 628 | 1020 | fe4d37b2cb758773830a785ed89020e7d31a58a03397221cd93ce0cacb87b7d7.exe | 29
PID 1020 wrote to memory of 628 | 1020 | fe4d37b2cb758773830a785ed89020e7d31a58a03397221cd93ce0cacb87b7d7.exe | 29
PID 1020 wrote to memory of 628 | 1020 | fe4d37b2cb758773830a785ed89020e7d31a58a03397221cd93ce0cacb87b7d7.exe | 29
PID 1020 wrote to memory of 628 | 1020 | fe4d37b2cb758773830a785ed89020e7d31a58a03397221cd93ce0cacb87b7d7.exe | 29
PID 628 wrote to memory of 1772 | 628 | WINDVBR.EXE | 30
PID 628 wrote to memory of 1772 | 628 | WINDVBR.EXE | 30
PID 628 wrote to memory of 1772 | 628 | WINDVBR.EXE | 30
PID 628 wrote to memory of 1772 | 628 | WINDVBR.EXE | 30
PID 628 wrote to memory of 1772 | 628 | WINDVBR.EXE | 30
PID 628 wrote to memory of 1772 | 628 | WINDVBR.EXE | 30
PID 628 wrote to memory of 1772 | 628 | WINDVBR.EXE | 30
PID 628 wrote to memory of 1772 | 628 | WINDVBR.EXE | 30
PID 628 wrote to memory of 1772 | 628 | WINDVBR.EXE | 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\fe4d37b2cb758773830a785ed89020e7d31a58a03397221cd93ce0cacb87b7d7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fe4d37b2cb758773830a785ed89020e7d31a58a03397221cd93ce0cacb87b7d7.exe"
  Level: 1
  PID: 1192
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  -
  C:\Users\Admin\AppData\Local\Temp\fe4d37b2cb758773830a785ed89020e7d31a58a03397221cd93ce0cacb87b7d7.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\fe4d37b2cb758773830a785ed89020e7d31a58a03397221cd93ce0cacb87b7d7.exe
    Level: 2
    PID: 1020
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\WINDVBR.EXE
      Command line: "C:\Windows\WINDVBR.EXE"
      Level: 3
      PID: 628
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      -
      C:\Windows\WINDVBR.EXE
        Command line: C:\Windows\WINDVBR.EXE
        Level: 4
        PID: 1772
        - Executes dropped EXE
        - Drops file in Program Files directory
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1214520366-621468234-4062160515-1000\699c4b9cdebca7aaea5193cae8a50098_48ba80a0-b4f2-4449-9b22-a470b66c8a87
Filesize: 50B
MD5: 5b63d4dd8c04c88c0e30e494ec6a609a
SHA1: 884d5a8bdc25fe794dc22ef9518009dcf0069d09
SHA256: 4d93c22555b3169e5c13716ca59b8b22892c69b3025aea841afe5259698102fd
SHA512: 15ff8551ac6b9de978050569bcdc26f44dfc06a0eaf445ac70fd45453a21bdafa3e4c8b4857d6a1c3226f4102a639682bdfb71d7b255062fb81a51c9126896cb
-
Filesize: 76KB
MD5: 980c2a5956ee18cfd60d17f899ee3115
SHA1: 3d146224490bd8473565a994af03559eb3d335c6
SHA256: fe4d37b2cb758773830a785ed89020e7d31a58a03397221cd93ce0cacb87b7d7
SHA512: c0a11a748da1d2692a934a6052b32b23b7a9f47dc56d3ae8fd88779a2089a19caa370042010ed5c313aebe45149a6a8d07b294a4394a71978d2d89ffcaed3712
-
Filesize: 76KB
MD5: 980c2a5956ee18cfd60d17f899ee3115
SHA1: 3d146224490bd8473565a994af03559eb3d335c6
SHA256: fe4d37b2cb758773830a785ed89020e7d31a58a03397221cd93ce0cacb87b7d7
SHA512: c0a11a748da1d2692a934a6052b32b23b7a9f47dc56d3ae8fd88779a2089a19caa370042010ed5c313aebe45149a6a8d07b294a4394a71978d2d89ffcaed3712
-
Filesize: 76KB
MD5: 980c2a5956ee18cfd60d17f899ee3115
SHA1: 3d146224490bd8473565a994af03559eb3d335c6
SHA256: fe4d37b2cb758773830a785ed89020e7d31a58a03397221cd93ce0cacb87b7d7
SHA512: c0a11a748da1d2692a934a6052b32b23b7a9f47dc56d3ae8fd88779a2089a19caa370042010ed5c313aebe45149a6a8d07b294a4394a71978d2d89ffcaed3712