561933ad96269891ec98e18db02322c6c697e121c193370a65509a8f34e7bc24

Analysis

max time kernel
90s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
11-04-2023 15:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

3.0MB
MD5

6065621288b2b1731fcd771d0ba5f537
SHA1

01625a415d6a8c0a20413bf389a8dce5390f9545
SHA256

561933ad96269891ec98e18db02322c6c697e121c193370a65509a8f34e7bc24
SHA512

cfdebfcec671e074690bcf74d4d9c138dfa7ba509dd20e3f3b6ca7f356e2e09aab5f329bf5851c63a4556efee3048117b8d4441a964159e3af777eca46ee29d7
SSDEEP

49152:q3a9626oGnkcmLbjfM4DlusnQ7N09OJ1/3uBka4v62hdbgZocilkfknJ1g17+SLf:f426oGmLbTM4tuNZv6SFbgZocilgknJQ

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Stub.exe

pid process

3260 Stub.exe
Loads dropped DLL 4 IoCs

Processes:

Stub.exe

pid process

3260 Stub.exe
3260 Stub.exe
3260 Stub.exe
3260 Stub.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Stub.exe

pid process

3260 Stub.exe
3260 Stub.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Stub.exe

description pid process

Token: SeDebugPrivilege 3260 Stub.exe

pid	process
3260	Stub.exe

pid	process
3260	Stub.exe
3260	Stub.exe
3260	Stub.exe
3260	Stub.exe

pid	process
3260	Stub.exe
3260	Stub.exe

description	pid	process
Token: SeDebugPrivilege	3260	Stub.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

tmp.exe

description	pid	process	target process
PID 1020 wrote to memory of 3260	1020	tmp.exe	Stub.exe
PID 1020 wrote to memory of 3260	1020	tmp.exe	Stub.exe
PID 1020 wrote to memory of 3260	1020	tmp.exe	Stub.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1020

C:\Users\Admin\AppData\Local\Temp\7zSCF302336\Stub.exe
".\Stub.exe" /c "193309" /u "http://acs.pandasoftware.com/Panda/FREEAV/193309/FREEAV.exe" /a "FRAVBRZPIL0322" /p "4252"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3260

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Panda Security\PSLogs\Stub_exe.log

Filesize
2KB

MD5
afd82ee215ca16a82e5cb0b24c282497

SHA1
2b0939a27f0ef0ac92d753e7c4c7d9e5f99d3e57

SHA256
210ede358a158d5e15837123935286453f8caf87c595a70683c2f4a897993db0

SHA512
84d9fb435a33fa4a94f50ac9f72bb50d7f419956de9d5b1b11504a8170dd669d2d7f115ae572aa8d9775a3343897eb8d90555a0807e02e89a75cad7e9fab6e0b

Download Submit
C:\ProgramData\Panda Security\PSLogs\Stub_exe.log

Filesize
2KB

MD5
afd82ee215ca16a82e5cb0b24c282497

SHA1
2b0939a27f0ef0ac92d753e7c4c7d9e5f99d3e57

SHA256
210ede358a158d5e15837123935286453f8caf87c595a70683c2f4a897993db0

SHA512
84d9fb435a33fa4a94f50ac9f72bb50d7f419956de9d5b1b11504a8170dd669d2d7f115ae572aa8d9775a3343897eb8d90555a0807e02e89a75cad7e9fab6e0b

Download Submit
C:\ProgramData\Panda Security\PSLogs\Stub_exe.log

Filesize
2KB

MD5
2ea985c5a5a085067c0ef1fae156eb6e

SHA1
c7463bb9183c3d0807230d9949e5b3f564ebb791

SHA256
ba963d11898c4f8e180f0864c5088eaef1aaa981c12572f51f964bd5ed34e7dc

SHA512
dd207a2fe6f90cd8e0223a7d86530efafcebe870c695654b9c5ec9135862b1713989ac68f9b5f82e9867dac39ed52b3d346458d002abeff0a98fb3b5622a8902

Download Submit
C:\ProgramData\Panda Security\PSLogs\Stub_exe.log

Filesize
3KB

MD5
8b30359c16fc5ec02762fb98e196edef

SHA1
67df72a46ab6e59adc4ad11c99475c8e4194044b

SHA256
895da8f6766901591c6ca66156adacb3d0dfbffc096cdea5dd7468370b73b48a

SHA512
52c81971bb5093f5140c130c9ec853de898a609f9dee7c841bf08a63bec76eaf0d3f67004a7e8fe2c803d8c8bb9ae575758fd9b6400d6ab23ff94084f6b66af1

Download Submit
C:\ProgramData\Panda Security\PSLogs\Stub_exe.log

Filesize
4KB

MD5
4a638ff5e27fa2176f23fb4cf33c6158

SHA1
65361afc373b3505bb8677a44b8d7d2d2e67bf55

SHA256
e031e6df51923c542884e39b136d2fec82df9765733ba3fe4cd87184812e1f7d

SHA512
368f8ee4e7eb3000ad19086d82fb2ec10ed06b04d4608b6edc99563740a24b154ee1d9d90c34f90631ea8cac279c3330046746679ea1ec75799adea715a6de30

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCF302336\AvDetect.dat

Filesize
23KB

MD5
9a17b5ac44705cc4bc3608c6232e1f16

SHA1
4a5f78bc37a704d5181f51aa32cefcb51c66d3cf

SHA256
4ad849f737b18084b060828c7cca48bcf512cc2ada2a937f5cfbab79f1b29677

SHA512
79db7e450faa9e81f27789f328a58860438713e58aef7ddd37661f1c62ed4cafc437cb7499273e7f36e805edbd93405153f66f6dc37cdd09fd0aea611ca91ce2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCF302336\CommsWrapper.dll

Filesize
82KB

MD5
de835b63304969aab279fd08ff927a8d

SHA1
ffa8608c831d0fd782265dff342eed71d53bfcdd

SHA256
a474a520c9dac0e66678a967e9b94923fcbd084e449403399f96b1f0879cf0e6

SHA512
31ab5e134da5b55cc28d0478e8b55016449a9753c81e92f0c37f8803cf621d52ecaaf11cea4fa6dcf038ae0562d7faca6e6e58cfa45c4189dc359beea90b2002

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCF302336\CommsWrapper.dll

Filesize
82KB

MD5
de835b63304969aab279fd08ff927a8d

SHA1
ffa8608c831d0fd782265dff342eed71d53bfcdd

SHA256
a474a520c9dac0e66678a967e9b94923fcbd084e449403399f96b1f0879cf0e6

SHA512
31ab5e134da5b55cc28d0478e8b55016449a9753c81e92f0c37f8803cf621d52ecaaf11cea4fa6dcf038ae0562d7faca6e6e58cfa45c4189dc359beea90b2002

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCF302336\InstallRes.dll

Filesize
1.2MB

MD5
acf7d45e9b3e5be0fb4c1a2c38a6000b

SHA1
c737b90454f6f308eafc5d042e7ac570756b8eeb

SHA256
d5a071d71a25eadfe9782a53aea53dfa807992e9c3f2d0eefb8c6c1a67865a0a

SHA512
7ddf01c454ea7119da9612afd229d2e7cd61ab30460191fafb244aed7ff4af202bef5b378a76ca4d2d80141babc56b7b8b4c11fad9cd9d119234f54bd30b8549

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCF302336\MSVCP100.dll

Filesize
411KB

MD5
e3c817f7fe44cc870ecdbcbc3ea36132

SHA1
2ada702a0c143a7ae39b7de16a4b5cc994d2548b

SHA256
d769fafa2b3232de9fa7153212ba287f68e745257f1c00fafb511e7a02de7adf

SHA512
4fcf3fcdd27c97a714e173aa221f53df6c152636d77dea49e256a9788f2d3f2c2d7315dd0b4d72ecefc553082f9149b8580779abb39891a88907f16ec9e13cbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCF302336\MSVCR100.dll

Filesize
755KB

MD5
bf38660a9125935658cfa3e53fdc7d65

SHA1
0b51fb415ec89848f339f8989d323bea722bfd70

SHA256
60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa

SHA512
25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCF302336\Splash.dll

Filesize
96KB

MD5
cae3bdf938e570dc1d06d9b669de35f3

SHA1
50c190667b3d6c0fbf4a181136951fb1bc2111f9

SHA256
daddee5633db37c0968befd9339dac7e202b9265bdeef364341e8287ba38b85a

SHA512
4d3f84a68790649e075e6f51bd20d42fa10d5699ccca7ac4c609d9d6d57df323387cd0ef114f153f1f1ac89b71719ff27ced30f2723421b72368590066112f1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCF302336\Stub.exe

Filesize
1.2MB

MD5
4ce3dad5815ba7ab73a16998d07e394c

SHA1
d8093d93511c87499e7179384c80dc615e8e4ce2

SHA256
52ecc36c7e6e2d0a694227f35158d23d78592887e688291e7fd3c79e45f47bf1

SHA512
6ab9854eeb5a76c2bcf64f858218605b54ec64e2c569dc42f2a42097600181b875cfab7d36b214941e33dea6b8e6dc0e5fdc5428a5809856984ddb7ca9cf113c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCF302336\StubInstaller.dat

Filesize
5KB

MD5
238dcab1cb4709a2cb212a4acf1944d2

SHA1
5693a7ac7bc35da7e3b8ff3a74c6832c1ff41376

SHA256
17b5f3d0697f2b41cf09d65f595e030b90de23b2afcdfb85be1969b57c9a4b72

SHA512
0bba56bccbeca5b98790ddb09311a375426d55dd6415891b00b5749d50cd143c0327d4ae54fcccbe12644b19e671bdaf5627dd1770c20b55624a64ada17cbaac

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCF302336\msvcp100.dll

Filesize
411KB

MD5
e3c817f7fe44cc870ecdbcbc3ea36132

SHA1
2ada702a0c143a7ae39b7de16a4b5cc994d2548b

SHA256
d769fafa2b3232de9fa7153212ba287f68e745257f1c00fafb511e7a02de7adf

SHA512
4fcf3fcdd27c97a714e173aa221f53df6c152636d77dea49e256a9788f2d3f2c2d7315dd0b4d72ecefc553082f9149b8580779abb39891a88907f16ec9e13cbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCF302336\msvcr100.dll

Filesize
755KB

MD5
bf38660a9125935658cfa3e53fdc7d65

SHA1
0b51fb415ec89848f339f8989d323bea722bfd70

SHA256
60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa

SHA512
25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCF302336\res\StubInstaller.ico

Filesize
361KB

MD5
b1c57c999f8a3bdec9529abe456eed97

SHA1
58a29bdde7d7834aebb4381a8df5f58458d53263

SHA256
e64df356b9e79a982daa7c3d35db3bf85a800d4d7f870a64c666216bde731657

SHA512
ebe6062d3abdd5df7c89bd5aee7254f1f1e19fc2c452015bcdd8ce7438ccf0f3fed8036259ab02a0cb9bab3888a1f85528e8dad561aea34016a722df3a7fdf06

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCF302336\res\background.png

Filesize
163KB

MD5
66f91f2b36927e1b51344bda4b373b04

SHA1
3f316487c2116c0dd4eb6ca709ebee0d18fb2df1

SHA256
dae5e3f303d3cab68a7d920f081923bf89dd8fd1c58621c6bc3cad8b880f1494

SHA512
029238de264b3450c64da59757ff98c2bb8fc68e7234243ed9f36b99ab27d9fc15d2a1a83274dece6a8fd993709de366be2436b376f54498419b109b37331fa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCF302336\res\img_product2.png

Filesize
4KB

MD5
fd92546fc781efef844196c15e45f570

SHA1
318ae93b9f903d21bc66751ad8d8a17215cafb35

SHA256
99466f827368ef2fe2783e0112b683fdb29973055bea1d88b30462918d776993

SHA512
ac68648ad49c468b478dce94bd070bf59e91bd2d57bf656690ec90d164adff8221cf01d7dd33df541c475ca060669fe7b5b00f7f6689828dd5360fff63078b87

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCF302336\splash.dll

Filesize
96KB

MD5
cae3bdf938e570dc1d06d9b669de35f3

SHA1
50c190667b3d6c0fbf4a181136951fb1bc2111f9

SHA256
daddee5633db37c0968befd9339dac7e202b9265bdeef364341e8287ba38b85a

SHA512
4d3f84a68790649e075e6f51bd20d42fa10d5699ccca7ac4c609d9d6d57df323387cd0ef114f153f1f1ac89b71719ff27ced30f2723421b72368590066112f1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCF302336\stubinstaller.ini

Filesize
3KB

MD5
89ebf03f1e8e8b68df2a9dec9f2f7e15

SHA1
926e242b47b2f63585fc7b8a22d94824e4f8ceb8

SHA256
d09a785e773a17b349098278631918e7ebebe31b86d207fa7729b333fb904811

SHA512
7d0dc7c614a5b36f2619cdc1114f786d4070702bd5c317c7340ede292fe0c7d1da6eb277cc260879aef1f9504bfc5bfbef2a0c5b43c92788a3fe39f4879c6213

Download Submit
memory/3260-327-0x0000000002F90000-0x0000000002F91000-memory.dmp

Filesize
4KB

Download