b034fdecb5124dd4f5621451d1f0525cef407a2696a2f2bb97b74730ce6864cf

Analysis

max time kernel
44s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 21:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b034fdecb5124dd4f5621451d1f0525cef407a2696a2f2bb97b74730ce6864cf.exe
Size

440KB
MD5

71afe1b865d2d93eccaee3db24e4c9c1
SHA1

1024877d912d0c92e7145ac3fb4fb55682770504
SHA256

b034fdecb5124dd4f5621451d1f0525cef407a2696a2f2bb97b74730ce6864cf
SHA512

bc164baf1863d76224b34af77e3bc11c4941d0e0ed94f36d96135a69e4dccbed7cef50a76bd3ef80d3fdb706945c2d19fc5b8c67afa721d1f78ea86b9f61a2ff
SSDEEP

6144:s8sHTS1+HMO1+eofVMSQUV1uC0D1Al47nhTISe3/:sBHTVsuoNqUzuC0D1k+nZev

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
620	Stub.exe
1100	Stub.exe

Loads dropped DLL 9 IoCs

pid	Process
1464	b034fdecb5124dd4f5621451d1f0525cef407a2696a2f2bb97b74730ce6864cf.exe
1464	b034fdecb5124dd4f5621451d1f0525cef407a2696a2f2bb97b74730ce6864cf.exe
620	Stub.exe
620	Stub.exe
620	Stub.exe
620	Stub.exe
1100	Stub.exe
1100	Stub.exe
1100	Stub.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	b034fdecb5124dd4f5621451d1f0525cef407a2696a2f2bb97b74730ce6864cf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b034fdecb5124dd4f5621451d1f0525cef407a2696a2f2bb97b74730ce6864cf.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 620 set thread context of 1100	620	Stub.exe	28

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1100	Stub.exe
1100	Stub.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
620	Stub.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1464 wrote to memory of 620	1464	b034fdecb5124dd4f5621451d1f0525cef407a2696a2f2bb97b74730ce6864cf.exe	27
PID 1464 wrote to memory of 620	1464	b034fdecb5124dd4f5621451d1f0525cef407a2696a2f2bb97b74730ce6864cf.exe	27
PID 1464 wrote to memory of 620	1464	b034fdecb5124dd4f5621451d1f0525cef407a2696a2f2bb97b74730ce6864cf.exe	27
PID 1464 wrote to memory of 620	1464	b034fdecb5124dd4f5621451d1f0525cef407a2696a2f2bb97b74730ce6864cf.exe	27
PID 1464 wrote to memory of 620	1464	b034fdecb5124dd4f5621451d1f0525cef407a2696a2f2bb97b74730ce6864cf.exe	27
PID 1464 wrote to memory of 620	1464	b034fdecb5124dd4f5621451d1f0525cef407a2696a2f2bb97b74730ce6864cf.exe	27
PID 1464 wrote to memory of 620	1464	b034fdecb5124dd4f5621451d1f0525cef407a2696a2f2bb97b74730ce6864cf.exe	27
PID 620 wrote to memory of 1100	620	Stub.exe	28
PID 620 wrote to memory of 1100	620	Stub.exe	28
PID 620 wrote to memory of 1100	620	Stub.exe	28
PID 620 wrote to memory of 1100	620	Stub.exe	28
PID 620 wrote to memory of 1100	620	Stub.exe	28
PID 620 wrote to memory of 1100	620	Stub.exe	28
PID 620 wrote to memory of 1100	620	Stub.exe	28
PID 620 wrote to memory of 1100	620	Stub.exe	28
PID 620 wrote to memory of 1100	620	Stub.exe	28
PID 620 wrote to memory of 1100	620	Stub.exe	28
PID 620 wrote to memory of 1100	620	Stub.exe	28
PID 1100 wrote to memory of 1392	1100	Stub.exe	10
PID 1100 wrote to memory of 1392	1100	Stub.exe	10
PID 1100 wrote to memory of 1392	1100	Stub.exe	10
PID 1100 wrote to memory of 1392	1100	Stub.exe	10

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1392
- C:\Users\Admin\AppData\Local\Temp\b034fdecb5124dd4f5621451d1f0525cef407a2696a2f2bb97b74730ce6864cf.exe
  "C:\Users\Admin\AppData\Local\Temp\b034fdecb5124dd4f5621451d1f0525cef407a2696a2f2bb97b74730ce6864cf.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1464
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Stub.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Stub.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:620
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Stub.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Stub.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1100

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Stub.exe

Filesize
288KB

MD5
bc860912f5b3eebee11e1e946ed6156a

SHA1
2973f0b2dfb7bce959fd26f45e2fe789428d3ced

SHA256
65ed058a95e9f027263372a0fb41fe4b1a69ea41ea99c216c28db7a57cc470a7

SHA512
78d9d0374494bbafbe24c2fdaddbc6f2c263ed848977150972fd134b8d8d8d4e351c1ed4942c6bf2c41ec338f48604ae60824976782361e9bfdd3d53b8d77346

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Stub.exe

Filesize
288KB

MD5
bc860912f5b3eebee11e1e946ed6156a

SHA1
2973f0b2dfb7bce959fd26f45e2fe789428d3ced

SHA256
65ed058a95e9f027263372a0fb41fe4b1a69ea41ea99c216c28db7a57cc470a7

SHA512
78d9d0374494bbafbe24c2fdaddbc6f2c263ed848977150972fd134b8d8d8d4e351c1ed4942c6bf2c41ec338f48604ae60824976782361e9bfdd3d53b8d77346

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Stub.exe

Filesize
288KB

MD5
bc860912f5b3eebee11e1e946ed6156a

SHA1
2973f0b2dfb7bce959fd26f45e2fe789428d3ced

SHA256
65ed058a95e9f027263372a0fb41fe4b1a69ea41ea99c216c28db7a57cc470a7

SHA512
78d9d0374494bbafbe24c2fdaddbc6f2c263ed848977150972fd134b8d8d8d4e351c1ed4942c6bf2c41ec338f48604ae60824976782361e9bfdd3d53b8d77346

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Stub.exe

Filesize
288KB

MD5
bc860912f5b3eebee11e1e946ed6156a

SHA1
2973f0b2dfb7bce959fd26f45e2fe789428d3ced

SHA256
65ed058a95e9f027263372a0fb41fe4b1a69ea41ea99c216c28db7a57cc470a7

SHA512
78d9d0374494bbafbe24c2fdaddbc6f2c263ed848977150972fd134b8d8d8d4e351c1ed4942c6bf2c41ec338f48604ae60824976782361e9bfdd3d53b8d77346

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Stub.exe

Filesize
288KB

MD5
bc860912f5b3eebee11e1e946ed6156a

SHA1
2973f0b2dfb7bce959fd26f45e2fe789428d3ced

SHA256
65ed058a95e9f027263372a0fb41fe4b1a69ea41ea99c216c28db7a57cc470a7

SHA512
78d9d0374494bbafbe24c2fdaddbc6f2c263ed848977150972fd134b8d8d8d4e351c1ed4942c6bf2c41ec338f48604ae60824976782361e9bfdd3d53b8d77346

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Stub.exe

Filesize
288KB

MD5
bc860912f5b3eebee11e1e946ed6156a

SHA1
2973f0b2dfb7bce959fd26f45e2fe789428d3ced

SHA256
65ed058a95e9f027263372a0fb41fe4b1a69ea41ea99c216c28db7a57cc470a7

SHA512
78d9d0374494bbafbe24c2fdaddbc6f2c263ed848977150972fd134b8d8d8d4e351c1ed4942c6bf2c41ec338f48604ae60824976782361e9bfdd3d53b8d77346

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Stub.exe

Filesize
288KB

MD5
bc860912f5b3eebee11e1e946ed6156a

SHA1
2973f0b2dfb7bce959fd26f45e2fe789428d3ced

SHA256
65ed058a95e9f027263372a0fb41fe4b1a69ea41ea99c216c28db7a57cc470a7

SHA512
78d9d0374494bbafbe24c2fdaddbc6f2c263ed848977150972fd134b8d8d8d4e351c1ed4942c6bf2c41ec338f48604ae60824976782361e9bfdd3d53b8d77346

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Stub.exe

Filesize
288KB

MD5
bc860912f5b3eebee11e1e946ed6156a

SHA1
2973f0b2dfb7bce959fd26f45e2fe789428d3ced

SHA256
65ed058a95e9f027263372a0fb41fe4b1a69ea41ea99c216c28db7a57cc470a7

SHA512
78d9d0374494bbafbe24c2fdaddbc6f2c263ed848977150972fd134b8d8d8d4e351c1ed4942c6bf2c41ec338f48604ae60824976782361e9bfdd3d53b8d77346

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Stub.exe

Filesize
288KB

MD5
bc860912f5b3eebee11e1e946ed6156a

SHA1
2973f0b2dfb7bce959fd26f45e2fe789428d3ced

SHA256
65ed058a95e9f027263372a0fb41fe4b1a69ea41ea99c216c28db7a57cc470a7

SHA512
78d9d0374494bbafbe24c2fdaddbc6f2c263ed848977150972fd134b8d8d8d4e351c1ed4942c6bf2c41ec338f48604ae60824976782361e9bfdd3d53b8d77346

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Stub.exe

Filesize
288KB

MD5
bc860912f5b3eebee11e1e946ed6156a

SHA1
2973f0b2dfb7bce959fd26f45e2fe789428d3ced

SHA256
65ed058a95e9f027263372a0fb41fe4b1a69ea41ea99c216c28db7a57cc470a7

SHA512
78d9d0374494bbafbe24c2fdaddbc6f2c263ed848977150972fd134b8d8d8d4e351c1ed4942c6bf2c41ec338f48604ae60824976782361e9bfdd3d53b8d77346

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Stub.exe

Filesize
288KB

MD5
bc860912f5b3eebee11e1e946ed6156a

SHA1
2973f0b2dfb7bce959fd26f45e2fe789428d3ced

SHA256
65ed058a95e9f027263372a0fb41fe4b1a69ea41ea99c216c28db7a57cc470a7

SHA512
78d9d0374494bbafbe24c2fdaddbc6f2c263ed848977150972fd134b8d8d8d4e351c1ed4942c6bf2c41ec338f48604ae60824976782361e9bfdd3d53b8d77346

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Stub.exe

Filesize
288KB

MD5
bc860912f5b3eebee11e1e946ed6156a

SHA1
2973f0b2dfb7bce959fd26f45e2fe789428d3ced

SHA256
65ed058a95e9f027263372a0fb41fe4b1a69ea41ea99c216c28db7a57cc470a7

SHA512
78d9d0374494bbafbe24c2fdaddbc6f2c263ed848977150972fd134b8d8d8d4e351c1ed4942c6bf2c41ec338f48604ae60824976782361e9bfdd3d53b8d77346

Download Submit
memory/1100-69-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1100-78-0x0000000000400000-0x0000000000408960-memory.dmp

Filesize
34KB

Download
memory/1100-82-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1392-79-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/1464-66-0x00000000001A0000-0x000000000020E000-memory.dmp

Filesize
440KB

Download
memory/1464-65-0x0000000001000000-0x000000000106E000-memory.dmp

Filesize
440KB

Download
memory/1464-54-0x00000000758B1000-0x00000000758B3000-memory.dmp

Filesize
8KB

Download
memory/1464-77-0x0000000001000000-0x000000000106E000-memory.dmp

Filesize
440KB

Download