cfd6db8c8772825444dfe37e4855f16beb708bfa73199c2e19ff8f04397ce8d7

Analysis

max time kernel
271s
max time network
35s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
09/06/2023, 05:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

FabFilter - Total Bundle/R2R/FabFilter_KeyGen.exe
Size

860KB
MD5

72be38542e02fee398987398f1f93fba
SHA1

376db72305a2b5623e1d548fc4b7853e53329559
SHA256

1ff6fce352e865268407d54fdcb1c739b744f6a0dc81e29ff497ae8b7ea2cc4f
SHA512

94e81b69bb8ac69eec50c4d6ab768fdba99e07cac4a68910ac35d00d62e2178325ca6761591669891b436c029a2fcb261807db733882f3be490e3576d8893a21
SSDEEP

12288:Wo6c9t2SllyLELib6VmssxSsG0S2WSPOr3KNklwPQ9Ujka0KMeCt5GU/xupxBCYI:Wo6cLU8Psx1xISaKNklwPBb0KcJup6

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1336	keygen.exe

Loads dropped DLL 4 IoCs

pid	Process
1520	FabFilter_KeyGen.exe
1520	FabFilter_KeyGen.exe
1336	keygen.exe
1336	keygen.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1336	keygen.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	1476	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1476	AUDIODG.EXE
Token: 33	1476	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1476	AUDIODG.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 1336	1520	FabFilter_KeyGen.exe	28
PID 1520 wrote to memory of 1336	1520	FabFilter_KeyGen.exe	28
PID 1520 wrote to memory of 1336	1520	FabFilter_KeyGen.exe	28
PID 1520 wrote to memory of 1336	1520	FabFilter_KeyGen.exe	28

C:\Users\Admin\AppData\Local\Temp\FabFilter - Total Bundle\R2R\FabFilter_KeyGen.exe
"C:\Users\Admin\AppData\Local\Temp\FabFilter - Total Bundle\R2R\FabFilter_KeyGen.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Users\Admin\AppData\Local\Temp\keygen.exe
  C:\Users\Admin\AppData\Local\Temp\keygen.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:1336

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1476

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BASSMOD.DLL

Filesize
33KB

MD5
e4ec57e8508c5c4040383ebe6d367928

SHA1
b22bcce36d9fdeae8ab7a7ecc0b01c8176648d06

SHA256
8ad9e47693e292f381da42ddc13724a3063040e51c26f4ca8e1f8e2f1ddd547f

SHA512
77d5cf66caf06e192e668fae2b2594e60a498e8e0ccef5b09b9710721a4cdb0c852d00c446fd32c5b5c85e739de2e73cb1f1f6044879fe7d237341bbb6f27822

Download Submit
C:\Users\Admin\AppData\Local\Temp\R2RFBFKG.dll

Filesize
233KB

MD5
098c88aa084267d7e53b3fa4093e20cb

SHA1
ef0e6f63c79da0f144431deb972068fbe0e223e7

SHA256
638193931a8e47a7a3e595efd25e410aca85de03ebf38b0cd730bcba7e6ee78d

SHA512
64512a98987d4a942979c1686ccfd537e1130d656779dba1fd432e55c1e9ec49d811b958f47bd347e9f01b030c87c91b70de3a8124ead3b87598ec2b49451731

Download Submit
C:\Users\Admin\AppData\Local\Temp\bgm.it

Filesize
80KB

MD5
5e3c083251880c635f5ea6a0a6ed8e76

SHA1
e7fb44133e223140057243493159bdce01c5f080

SHA256
9d460a48d7f7f461967c9065182456871606eef1c27f21767335b7d81384e141

SHA512
b4a6a5ad71a13f51989e1fccedb542ab528f6ab9bc3d60a4c93c59e544b8eaa06ca7b9fe79c1d9a5c92b61345c18e38736561cd21426bc9e43ae3a4c59424284

Download Submit
C:\Users\Admin\AppData\Local\Temp\keygen.exe

Filesize
512KB

MD5
84dedafe1278c895381af0f26e170a7d

SHA1
d6ea7cb2881b72d7d4b898fe0fce47d987456f25

SHA256
673bd99022a16a8fa1d7bccc89fe13946c90c0c85b20da4b0808d9194ce26016

SHA512
030ab2524c971922805335dca97a75cc70e54fa12ffacc395bbe9077f7289411f4bfbd22c3b7111cc19112334cb3cc1827eb80098c3a690e8e320acc9a6898e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\keygen.exe

Filesize
512KB

MD5
84dedafe1278c895381af0f26e170a7d

SHA1
d6ea7cb2881b72d7d4b898fe0fce47d987456f25

SHA256
673bd99022a16a8fa1d7bccc89fe13946c90c0c85b20da4b0808d9194ce26016

SHA512
030ab2524c971922805335dca97a75cc70e54fa12ffacc395bbe9077f7289411f4bfbd22c3b7111cc19112334cb3cc1827eb80098c3a690e8e320acc9a6898e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\keygen.exe

Filesize
512KB

MD5
84dedafe1278c895381af0f26e170a7d

SHA1
d6ea7cb2881b72d7d4b898fe0fce47d987456f25

SHA256
673bd99022a16a8fa1d7bccc89fe13946c90c0c85b20da4b0808d9194ce26016

SHA512
030ab2524c971922805335dca97a75cc70e54fa12ffacc395bbe9077f7289411f4bfbd22c3b7111cc19112334cb3cc1827eb80098c3a690e8e320acc9a6898e4

Download Submit
\Users\Admin\AppData\Local\Temp\BASSMOD.dll

Filesize
33KB

MD5
e4ec57e8508c5c4040383ebe6d367928

SHA1
b22bcce36d9fdeae8ab7a7ecc0b01c8176648d06

SHA256
8ad9e47693e292f381da42ddc13724a3063040e51c26f4ca8e1f8e2f1ddd547f

SHA512
77d5cf66caf06e192e668fae2b2594e60a498e8e0ccef5b09b9710721a4cdb0c852d00c446fd32c5b5c85e739de2e73cb1f1f6044879fe7d237341bbb6f27822

Download Submit
\Users\Admin\AppData\Local\Temp\R2RFBFKG.dll

Filesize
233KB

MD5
098c88aa084267d7e53b3fa4093e20cb

SHA1
ef0e6f63c79da0f144431deb972068fbe0e223e7

SHA256
638193931a8e47a7a3e595efd25e410aca85de03ebf38b0cd730bcba7e6ee78d

SHA512
64512a98987d4a942979c1686ccfd537e1130d656779dba1fd432e55c1e9ec49d811b958f47bd347e9f01b030c87c91b70de3a8124ead3b87598ec2b49451731

Download Submit
\Users\Admin\AppData\Local\Temp\keygen.exe

Filesize
512KB

MD5
84dedafe1278c895381af0f26e170a7d

SHA1
d6ea7cb2881b72d7d4b898fe0fce47d987456f25

SHA256
673bd99022a16a8fa1d7bccc89fe13946c90c0c85b20da4b0808d9194ce26016

SHA512
030ab2524c971922805335dca97a75cc70e54fa12ffacc395bbe9077f7289411f4bfbd22c3b7111cc19112334cb3cc1827eb80098c3a690e8e320acc9a6898e4

Download Submit
\Users\Admin\AppData\Local\Temp\keygen.exe

Filesize
512KB

MD5
84dedafe1278c895381af0f26e170a7d

SHA1
d6ea7cb2881b72d7d4b898fe0fce47d987456f25

SHA256
673bd99022a16a8fa1d7bccc89fe13946c90c0c85b20da4b0808d9194ce26016

SHA512
030ab2524c971922805335dca97a75cc70e54fa12ffacc395bbe9077f7289411f4bfbd22c3b7111cc19112334cb3cc1827eb80098c3a690e8e320acc9a6898e4

Download Submit
memory/1336-90-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1336-98-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1336-73-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1336-75-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1336-76-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1336-78-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1336-81-0x0000000001F00000-0x0000000001F9D000-memory.dmp

Filesize
628KB

Download
memory/1336-80-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1336-82-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1336-84-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1336-86-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1336-88-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1336-71-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1336-92-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1336-93-0x0000000001F00000-0x0000000001F9D000-memory.dmp

Filesize
628KB

Download
memory/1336-94-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1336-96-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1336-72-0x0000000001F00000-0x0000000001F9D000-memory.dmp

Filesize
628KB

Download
memory/1336-100-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1336-102-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1336-104-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1336-106-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1336-108-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1336-110-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1336-112-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1336-114-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1336-116-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1336-118-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1336-119-0x0000000001F00000-0x0000000001F9D000-memory.dmp

Filesize
628KB

Download
memory/1336-120-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1336-121-0x0000000001F00000-0x0000000001F9D000-memory.dmp

Filesize
628KB

Download
memory/1336-122-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1336-126-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1336-127-0x0000000001F00000-0x0000000001F9D000-memory.dmp

Filesize
628KB

Download
memory/1336-128-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download