Overview
Analysis
- max time kernel: 106s
- max time network: 145s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 31-05-2023 18:32
Behavioral tasks
- behavioral1: Sample Builder.exe, Resource win7-20230220-en
- behavioral2: Sample Builder.exe, Resource win10v2004-20230220-en
- behavioral3: Sample Builder.exe, Resource win7-20230220-en
- behavioral4: Sample Builder.exe, Resource win10v2004-20230220-en
- behavioral5: Sample Mono.Cecil.Mdb.dll, Resource win7-20230220-en
- behavioral6: Sample Mono.Cecil.Mdb.dll, Resource win10v2004-20230220-en
- behavioral7: Sample Mono.Cecil.Pdb.dll, Resource win7-20230220-en
- behavioral8: Sample Mono.Cecil.Pdb.dll, Resource win10v2004-20230220-en
- behavioral9: Sample Mono.Cecil.Rocks.dll, Resource win7-20230220-en
- behavioral10: Sample Mono.Cecil.Rocks.dll, Resource win10v2004-20230220-en
- behavioral11: Sample Mono.Cecil.dll, Resource win7-20230220-en
- behavioral12: Sample Mono.Cecil.dll, Resource win10v2004-20230220-en
- behavioral13: Sample SixLabors.ImageSharp.dll, Resource win7-20230220-en
- behavioral14: Sample SixLabors.ImageSharp.dll, Resource win10v2004-20230220-en
- behavioral15: Sample Spectre.Console.ImageSharp.dll, Resource win7-20230220-en
- behavioral16: Sample Spectre.Console.ImageSharp.dll, Resource win10v2004-20230220-en
- behavioral17: Sample Spectre.Console.dll, Resource win7-20230220-en
- behavioral18: Sample Spectre.Console.dll, Resource win10v2004-20230220-en
- behavioral19: Sample Stub/stub.exe, Resource win7-20230220-en
- behavioral20: Sample Stub/stub.exe, Resource win10v2004-20230220-en
General
- Target: Stub/stub.exe
- Size: 1.6MB
- MD5: 0bbe9bc948d0154a739c23b4b0521ea1
- SHA1: 74a5c37500bfec5286ec4f0e56663eafb536b9f3
- SHA256: 8a37cfdf9c3d4beca639ead3b11688360333a550aedb60d4dbff82140b9b417e
- SHA512: 78eac69129b53416221fd6663158db0b6d528ad070b8c9887293212639a2c28c20eddbf148c024bd84ea8386992dcb989ded93727d747a46c97ee751f96e92da
- SSDEEP: 24576:i3i2Q9NXw2/wPOjdGxY2rqkqjVnlqud+/2P+A+ZecdyFoBkkAnexMrdgL4:nTq24GjdGSiqkqXfd+/9AqYanieKd
Malware Config
Signatures
Modifies Internet Explorer settings
Processes: iexplore.exe, IEXPLORE.EXE
All registry paths below are relative to \REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer; the process that performed each operation is given in parentheses.
- Key created: InternetRegistry (iexplore.exe)
- Key created: LowRegistry (iexplore.exe)
- Key created: Zoom (iexplore.exe)
- Key created: Recovery\PendingRecovery (iexplore.exe)
- Key created: Main (iexplore.exe)
- Key created: TabbedBrowsing (iexplore.exe)
- Set value (int): DomainSuggestion\NextUpdateDate = "392330222" (iexplore.exe)
- Set value (int): Recovery\PendingRecovery\AdminActive = "0" (iexplore.exe)
- Set value (data): TabbedBrowsing\NewTabPage\MFV = [binary value not preserved in this copy of the report] (iexplore.exe)
- Set value (int): SearchScopes\DownloadRetries = "2" (iexplore.exe)
- Key created: DomainSuggestion\FileNames (iexplore.exe)
- Set value (int): Recovery\AdminActive\{7DBF31A1-FFF2-11ED-9E96-7621D5A708C1} = "0" (iexplore.exe)
- Key created: IETld\LowMic (iexplore.exe)
- Key created: PageSetup (iexplore.exe)
- Key created: DomainSuggestion\FileNames\ (iexplore.exe)
- Key created: DomainSuggestion (iexplore.exe)
- Key created: BrowserEmulation\LowMic (iexplore.exe)
- Key created: Recovery\AdminActive (iexplore.exe)
- Set value (str): Main\WindowsSearch\Version = "WS not running" (iexplore.exe)
- Set value (str): Main\FullScreen = "no" (iexplore.exe)
- Set value (data): Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 (iexplore.exe)
- Key created: TabbedBrowsing\NewTabPage (iexplore.exe)
- Set value (data): TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f3e392a24bb20646b8f832a33b7e91bf00000000020000000000106600000001000020000000a467d528bf74bfbf8733b301e8d086420901ca2198136cb8016519691902d056000000000e8000000002000020000000dd780aac15501f0827c900d15cfe88ffb0927cfe1d8959278a596f66e7eba1fb20000000759aa0054c78ce0fba285af6f707a8e020ecb0de1ae6cd6dff89d116b8a50210400000006c6ebd7e4aa849ec30cf7c706455c290ff9f7742c3447d7f34a380da85325093221f69c0116bd946d2bf2d6cdd3ca29982fee55ed7f1998a1a3811e34fbfdb7a (iexplore.exe)
- Key created: LowRegistry\DOMStorage (iexplore.exe)
- Set value (int): TabbedBrowsing\NTPFirstRun = "1" (iexplore.exe)
- Set value (data): TabbedBrowsing\NewTabPage\LastProcessed = c0ecff5cff93d901 (iexplore.exe)
- Key created: IntelliForms (iexplore.exe)
- Key created: LowRegistry\DontShowMeThisDialogAgain (iexplore.exe)
- Key created: Toolbar (iexplore.exe)
- Key created: Main (IEXPLORE.EXE)
- Key created: GPU (iexplore.exe)
- Set value (int): Main\CompatibilityFlags = "0" (iexplore.exe)
- Key created: Main\WindowsSearch (iexplore.exe)
- Key created: SearchScopes (iexplore.exe)
- Set value (str): DomainSuggestion\FileNames\en-US = "en-US.1" (iexplore.exe)
- Key created: Toolbar\WebBrowser (iexplore.exe)
Suspicious use of FindShellTrayWindow (1 IoC)
Processes: iexplore.exe
- PID 1224 iexplore.exe

Suspicious use of SetWindowsHookEx (6 IoCs)
Processes: iexplore.exe, IEXPLORE.EXE
- PID 1224 iexplore.exe
- PID 1224 iexplore.exe
- PID 1468 IEXPLORE.EXE
- PID 1468 IEXPLORE.EXE
- PID 1468 IEXPLORE.EXE
- PID 1468 IEXPLORE.EXE

Suspicious use of WriteProcessMemory (8 IoCs)
Processes: stub.exe, iexplore.exe
- PID 1220 stub.exe wrote to memory of PID 1224 iexplore.exe
- PID 1220 stub.exe wrote to memory of PID 1224 iexplore.exe
- PID 1220 stub.exe wrote to memory of PID 1224 iexplore.exe
- PID 1220 stub.exe wrote to memory of PID 1224 iexplore.exe
- PID 1224 iexplore.exe wrote to memory of PID 1468 IEXPLORE.EXE
- PID 1224 iexplore.exe wrote to memory of PID 1468 IEXPLORE.EXE
- PID 1224 iexplore.exe wrote to memory of PID 1468 IEXPLORE.EXE
- PID 1224 iexplore.exe wrote to memory of PID 1468 IEXPLORE.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\Stub\stub.exe (PID 1220)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Stub\stub.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Program Files\Internet Explorer\iexplore.exe (PID 1224), child of stub.exe
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch&plcid=0x409&o1=.NETFramework,Version=v4.8&processName=stub.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
    Signatures: Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 1468), child of iexplore.exe
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1224 CREDAT:275457 /prefetch:2
      Signatures: Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
Downloads
- (no path recorded)
  Filesize: 62KB
  MD5: 3ac860860707baaf32469fa7cc7c0192
  SHA1: c33c2acdaba0e6fa41fd2f00f186804722477639
  SHA256: d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
  SHA512: d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c
- (no path recorded)
  Filesize: 62KB
  MD5: 3ac860860707baaf32469fa7cc7c0192
  SHA1: c33c2acdaba0e6fa41fd2f00f186804722477639
  SHA256: d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
  SHA512: d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: fd9ea2041f16c1106ee20262b6a82209
  SHA1: 25baed1e8a36021a0a98c428793ddb6da5cecc53
  SHA256: 38662a1d672d650bce13c499c78465b8525141b222eb524703c8baad08e518fb
  SHA512: 3caa40816aaf9be5d88d8f95d3d7043d4c245542cb0878a81d4a02c24aa01020f0946ba48f82df3e5d98de183a3695f75d7ef3a1d05ac2601fbee951ea6d38bd
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 1f0a5c8f142fa738e93648c14c504d13
  SHA1: f65cea0e3843f0ad8aa20bd6b7b3e2ffcea987b8
  SHA256: 99f6c98f032ed221d7ab59d84cf6b445a1210238da357830ae5f5cbe6eed38a6
  SHA512: 58b98855b2d9a137b847ccca33c2a26a3387005b09742619478e04467a2c963c1a0f266543fd8ffe71a7626a2b603825533da777e0f8a66a76e296972156c0fd
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: bcbb89c3e9735ef2517e7e83cde02f64
  SHA1: 57b47f423d60452bdea35e43cd26aa1ffd54a7e3
  SHA256: b8879628e7580823536946b10148bba523e621ae220edc0c85482c02d19dc16d
  SHA512: a06c5f28c34411bfe720eb05838f5d68de45bee0eb169d62adfbbe6c4342b370f8cd7e278f9e82c6a3ee9e020577a57b4863537c25a86375302c112cf9b91153
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 1ddb00141bb2f1b70112045b597d6595
  SHA1: c659c132cbdeb57533d8b80be4cc5764afd76e4d
  SHA256: 653360fd359baf5d9aecd133a894e811ce55960d53ae279b3ff885a838cb48b7
  SHA512: 94ed5d6bf787df393c3875859cd74e1424dac77de29a66dc6b28ddf8a2d9b8dcca60b4a919a65c448ceb7283015ccbf6e3594e7d970e8b7446bc4efb82ccb2e3
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 1d79322c1e3cd905a05c1cbdc8bedb5b
  SHA1: 73c93d6165d3a752e228c0b4381645376326fc9c
  SHA256: 9eff1d106285cdf9de6aec4980abd9f979098551a9435fff85cb8c7939a87bb5
  SHA512: 81f7879955496c157a713c784cfed490848998b36f59f245ac5ed81b1b697ce71097e9e83d0b8c613f2cf2975d711e2f5d615921b0546f620af75d433f1e8dcb
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 907a9776d7c2f421d0258120bd18ecee
  SHA1: 6b7a732d5486d98bd3aa3037845560b7bd287478
  SHA256: e4287f7de586aff37c968c21b02e56a3285633d3820c6a86f61a0551df012683
  SHA512: 4686579c317e8088afb10a0b35fffdb4e866a1b708005eb084fae830ebcbd6b19987f5c8e08c963d920db991c7a539aac54ceada82245bf60fc2ab595dc75f38
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: e5fbd56e2b65c3a0ea31597741936a2b
  SHA1: 0e9d598f5141e163779a6bd580dfccc14850032c
  SHA256: b06a4b24d6d7e787fe763302c82fc23c66e9de97d9e7c757f53c49ef21f2f988
  SHA512: ffe2794d28145a6b9be7ef1a668850642a4091fa942b191e90b47b7e6561beb7bf4e8c61e6e1d447d173808c223a29828733d43e316cc7be09e46faec4fc03b6
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: f10aa065bb228b5226ae80776ef23518
  SHA1: b381af1bb30ad0eca0ad176f2f993231f7f4462b
  SHA256: ca4d16704c6604936fc1e209259c153e17035c5144100f5993fa1f3c72ae94a0
  SHA512: 400fde5b512760c263cf9aff87c3de687a1b7989470d48729f2e3dfa98e390115f6f8e3ca05689f5ab691fe072e7f793e999f9c084ab4134339384bca9707baf
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 2b93f347419eb7f87464f446d5501ae9
  SHA1: bb89df49afa8561861dba2ff299d464694e1bcf6
  SHA256: a4f49e7c37eadd7c3a8ff854f58174bd566b39967a44633bbb09b78fcab4756b
  SHA512: b11a95b5ca7fb570771c4eba0a15d0c7e6170acad393bbe08ec3ce0070e654efcffd300fbe7cde401e8f6b1b9b66c09e2abb110594cf169e0563512e3712d8c5
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TEOMB6VC\suggestions[1].en-US
  Filesize: 17KB
  MD5: 5a34cb996293fde2cb7a4ac89587393a
  SHA1: 3c96c993500690d1a77873cd62bc639b3a10653f
  SHA256: c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
  SHA512: e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
- (no path recorded)
  Filesize: 164KB
  MD5: 4ff65ad929cd9a367680e0e5b1c08166
  SHA1: c0af0d4396bd1f15c45f39d3b849ba444233b3a2
  SHA256: c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6
  SHA512: f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27
- (no path recorded)
  Filesize: 607B
  MD5: ac1b402a3a3b3d77d33d1017772a1a34
  SHA1: 3dec87f518583cc5dd003733415a675cef2c3aa4
  SHA256: 0849e41fe1bd2d8906c56837fb89b6ab34cd2cda54846b8dd3e1eb659b77681e
  SHA512: fa3208e3fb575e24777444ddb25f8974e4baf8421cd90189c2c79c6d58a7a22fb0f24b5951819053a648e00dec547702c879c38560e78856b87b7d98f3369de7