90a0f491e64700ffe523857b5e4c920e6483b81416d8c8b68c6f3113d7f235d2

Analysis

max time kernel
122s
max time network
127s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
20/07/2023, 11:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

stubclean.exe
Size

5.1MB
MD5

6e49292c03ecfa4534aafc7e8bc8af83
SHA1

68d86b78857e688e08ec6db7e000cfe2fdae2b3e
SHA256

90a0f491e64700ffe523857b5e4c920e6483b81416d8c8b68c6f3113d7f235d2
SHA512

b52de6b1bf6f41579aa3e720ad53c4519224676fb1745c9853ff7c1da0ae7a98a800114486460aa107f9bff5b38e98500fbf0b70cdb154c42b4cfae85b1cb8e9
SSDEEP

49152:z8Op2rDgjNiS6Q80QNuo0rLAxR6iA64g1/zz/yRM0jZvf/SAdWdcexigVNWzYMb/:zPdcuoSt6r1/zzifVHtEwMAwq

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rust = "C:/ProgramData x86/stubclean.exe"	stubclean.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2596 wrote to memory of 1636	2596	stubclean.exe	29
PID 2596 wrote to memory of 1636	2596	stubclean.exe	29
PID 2596 wrote to memory of 1636	2596	stubclean.exe	29
PID 2596 wrote to memory of 1840	2596	stubclean.exe	30
PID 2596 wrote to memory of 1840	2596	stubclean.exe	30
PID 2596 wrote to memory of 1840	2596	stubclean.exe	30

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1636	attrib.exe
1840	attrib.exe

C:\Users\Admin\AppData\Local\Temp\stubclean.exe
"C:\Users\Admin\AppData\Local\Temp\stubclean.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Windows\system32\attrib.exe
  "attrib" +h "C:/ProgramData x86"
  2⤵
  - Views/modifies file attributes
  PID:1636
- C:\Windows\system32\attrib.exe
  "attrib" +h "C:/ProgramData x86\stubclean.exe"
  2⤵
  - Views/modifies file attributes
  PID:1840

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData x86\stubclean.exe

Filesize
5.1MB

MD5
6e49292c03ecfa4534aafc7e8bc8af83

SHA1
68d86b78857e688e08ec6db7e000cfe2fdae2b3e

SHA256
90a0f491e64700ffe523857b5e4c920e6483b81416d8c8b68c6f3113d7f235d2

SHA512
b52de6b1bf6f41579aa3e720ad53c4519224676fb1745c9853ff7c1da0ae7a98a800114486460aa107f9bff5b38e98500fbf0b70cdb154c42b4cfae85b1cb8e9

Download Submit
memory/2596-56-0x000000013F3A0000-0x000000013F859000-memory.dmp

Filesize
4.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads