b3fa5fad4215614071651b47ed6376ae2b387cb5bd9448d88a0bf8c522725915

Analysis

max time kernel
117s
max time network
122s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
01/09/2024, 14:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

PANDAVPN.exe
Size

3.0MB
MD5

29ac3c117bd5fd360d4fa43666554464
SHA1

c2ef2e5b1673769335c26addd8ea9c1adc2cebd0
SHA256

b3fa5fad4215614071651b47ed6376ae2b387cb5bd9448d88a0bf8c522725915
SHA512

4ae64123d0ddd601459d5bbb7026128204577813c1320f879722309a8a5a2fd8ea6652c5e3b972cd9417065319a65aea13c1739e9aa052935745e0b80709a39f
SSDEEP

98304:AWxnQjLvTM4tuNZv6SFbgZoc2lgknJ1g9+8LMRuKk:AWe/8TT9SMk

Score

4^/10

discovery

Malware Config

Signatures

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Executes dropped EXE 1 IoCs

pid	Process
2676	Stub.exe

Loads dropped DLL 5 IoCs

pid	Process
2552	PANDAVPN.exe
2676	Stub.exe
2676	Stub.exe
2676	Stub.exe
2676	Stub.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PANDAVPN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Stub.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2676	Stub.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2676	Stub.exe
Token: SeDebugPrivilege	2676	Stub.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 2676	2552	PANDAVPN.exe	30
PID 2552 wrote to memory of 2676	2552	PANDAVPN.exe	30
PID 2552 wrote to memory of 2676	2552	PANDAVPN.exe	30
PID 2552 wrote to memory of 2676	2552	PANDAVPN.exe	30
PID 2552 wrote to memory of 2676	2552	PANDAVPN.exe	30
PID 2552 wrote to memory of 2676	2552	PANDAVPN.exe	30
PID 2552 wrote to memory of 2676	2552	PANDAVPN.exe	30

C:\Users\Admin\AppData\Local\Temp\PANDAVPN.exe
"C:\Users\Admin\AppData\Local\Temp\PANDAVPN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Users\Admin\AppData\Local\Temp\7zS8F9CCF96\Stub.exe
  ".\Stub.exe" /c "190613" /u "http://acs.pandasoftware.com/Panda/FREEAV/190613/FREEAV.exe" /a "VPNFWBFRPR1017" /p "4252"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Panda Security\PSLogs\Stub_exe.log

Filesize
1KB

MD5
fe875c8b874495e61f03988d6409c727

SHA1
7e8b904a52f90a4eea16b1aaeb92dbd088f6ce5c

SHA256
e04065d45d24ebdaa9e34fbeb74eba92a21c8ba1ae315c6a55a8753939b282c1

SHA512
f881691a280ec1ca5fa11bc8a4bff2017b4b929b8769f3c3e99d2232cd7477873ca02a1f59e5c95bbec6891ec8ea29ccf5d7d6531cb72e86b248c4f6d1ccf187

Download Submit
C:\ProgramData\Panda Security\PSLogs\Stub_exe.log

Filesize
2KB

MD5
9dab44c35812f73a969e607a5d36371f

SHA1
15223f4bdd6538808d61b9c805c85653e8ff7eaf

SHA256
8cdf5fdeee40ec9746e18dddc5b783d4c44c63c4477d1b2fa0e6549df346c0bf

SHA512
615c166a4e5d23d22f10b8e89ae8a768148c4348760e6d991f1acf811cb7aed3bab83bd078aca9c94fa4263026eeb69a6044ba4d3d2b5ac1f8c5c06162b9d3b4

Download Submit
C:\ProgramData\Panda Security\PSLogs\Stub_exe.log

Filesize
3KB

MD5
6665f8591cf5a04ca7cb7aa6f47c5361

SHA1
35a723a809f1709bcc02141b1d3ddb9ba7ba641f

SHA256
5d1c60d15ca4ed8537cbbc027355056e7b8385d2872987f5398ef03308c40e61

SHA512
6335a074f496780017caf186e13c515d2fbf2f7ac82dfed3ad5bc49eb234a34f5954301b801ebbab9e08f5072d1adaa66f601e0c78168902541a863d946653e8

Download Submit
C:\ProgramData\Panda Security\PSLogs\Stub_exe.log

Filesize
4KB

MD5
194d02dbdc40f617b836def47fad80f2

SHA1
a9fb4ad07dbdb680ce7f29515efa54a4a63fb0e2

SHA256
e07ce8d4fb45fba5f0d79ce73717dc9dc2c38d85e54150076066781909a7943a

SHA512
6c3dc7a1ccdfcb2e10a4d3710d7034b29fec69046b52319dab5965e5215c7e598209e9a25b5c913b58b10e47128e6336a2f0745fea5746bf193945e80ed3da4a

Download Submit
C:\ProgramData\Panda Security\PSLogs\Stub_exe.log

Filesize
621B

MD5
d5adeee2c25f2bbc449cd3a5928dfeb6

SHA1
decad6c93ba348fa5c8c593057dc2c7dfffb09f5

SHA256
ca4c9a86f17f446628ae6fc76bce1c631a36d16f118d566d6ace83f24204f77c

SHA512
71ece378f6fb969b2f77f9937a71b3248823399ac32fbeb8578b06f04b44d9f0cd99edd81057862420bb35fe3bf8960434334eb5c8baf131049d8e261a512869

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F9CCF96\AvDetect.dat

Filesize
23KB

MD5
9a17b5ac44705cc4bc3608c6232e1f16

SHA1
4a5f78bc37a704d5181f51aa32cefcb51c66d3cf

SHA256
4ad849f737b18084b060828c7cca48bcf512cc2ada2a937f5cfbab79f1b29677

SHA512
79db7e450faa9e81f27789f328a58860438713e58aef7ddd37661f1c62ed4cafc437cb7499273e7f36e805edbd93405153f66f6dc37cdd09fd0aea611ca91ce2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F9CCF96\CommsWrapper.dll

Filesize
82KB

MD5
de835b63304969aab279fd08ff927a8d

SHA1
ffa8608c831d0fd782265dff342eed71d53bfcdd

SHA256
a474a520c9dac0e66678a967e9b94923fcbd084e449403399f96b1f0879cf0e6

SHA512
31ab5e134da5b55cc28d0478e8b55016449a9753c81e92f0c37f8803cf621d52ecaaf11cea4fa6dcf038ae0562d7faca6e6e58cfa45c4189dc359beea90b2002

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F9CCF96\InstallRes.dll

Filesize
1.2MB

MD5
acf7d45e9b3e5be0fb4c1a2c38a6000b

SHA1
c737b90454f6f308eafc5d042e7ac570756b8eeb

SHA256
d5a071d71a25eadfe9782a53aea53dfa807992e9c3f2d0eefb8c6c1a67865a0a

SHA512
7ddf01c454ea7119da9612afd229d2e7cd61ab30460191fafb244aed7ff4af202bef5b378a76ca4d2d80141babc56b7b8b4c11fad9cd9d119234f54bd30b8549

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F9CCF96\MSVCP100.dll

Filesize
411KB

MD5
e3c817f7fe44cc870ecdbcbc3ea36132

SHA1
2ada702a0c143a7ae39b7de16a4b5cc994d2548b

SHA256
d769fafa2b3232de9fa7153212ba287f68e745257f1c00fafb511e7a02de7adf

SHA512
4fcf3fcdd27c97a714e173aa221f53df6c152636d77dea49e256a9788f2d3f2c2d7315dd0b4d72ecefc553082f9149b8580779abb39891a88907f16ec9e13cbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F9CCF96\MSVCR100.dll

Filesize
755KB

MD5
bf38660a9125935658cfa3e53fdc7d65

SHA1
0b51fb415ec89848f339f8989d323bea722bfd70

SHA256
60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa

SHA512
25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F9CCF96\StubInstaller.dat

Filesize
5KB

MD5
238dcab1cb4709a2cb212a4acf1944d2

SHA1
5693a7ac7bc35da7e3b8ff3a74c6832c1ff41376

SHA256
17b5f3d0697f2b41cf09d65f595e030b90de23b2afcdfb85be1969b57c9a4b72

SHA512
0bba56bccbeca5b98790ddb09311a375426d55dd6415891b00b5749d50cd143c0327d4ae54fcccbe12644b19e671bdaf5627dd1770c20b55624a64ada17cbaac

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F9CCF96\res\StubInstaller.ico

Filesize
361KB

MD5
b1c57c999f8a3bdec9529abe456eed97

SHA1
58a29bdde7d7834aebb4381a8df5f58458d53263

SHA256
e64df356b9e79a982daa7c3d35db3bf85a800d4d7f870a64c666216bde731657

SHA512
ebe6062d3abdd5df7c89bd5aee7254f1f1e19fc2c452015bcdd8ce7438ccf0f3fed8036259ab02a0cb9bab3888a1f85528e8dad561aea34016a722df3a7fdf06

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F9CCF96\res\background.png

Filesize
163KB

MD5
66f91f2b36927e1b51344bda4b373b04

SHA1
3f316487c2116c0dd4eb6ca709ebee0d18fb2df1

SHA256
dae5e3f303d3cab68a7d920f081923bf89dd8fd1c58621c6bc3cad8b880f1494

SHA512
029238de264b3450c64da59757ff98c2bb8fc68e7234243ed9f36b99ab27d9fc15d2a1a83274dece6a8fd993709de366be2436b376f54498419b109b37331fa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F9CCF96\res\img_product2.png

Filesize
4KB

MD5
fd92546fc781efef844196c15e45f570

SHA1
318ae93b9f903d21bc66751ad8d8a17215cafb35

SHA256
99466f827368ef2fe2783e0112b683fdb29973055bea1d88b30462918d776993

SHA512
ac68648ad49c468b478dce94bd070bf59e91bd2d57bf656690ec90d164adff8221cf01d7dd33df541c475ca060669fe7b5b00f7f6689828dd5360fff63078b87

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F9CCF96\splash.dll

Filesize
96KB

MD5
cae3bdf938e570dc1d06d9b669de35f3

SHA1
50c190667b3d6c0fbf4a181136951fb1bc2111f9

SHA256
daddee5633db37c0968befd9339dac7e202b9265bdeef364341e8287ba38b85a

SHA512
4d3f84a68790649e075e6f51bd20d42fa10d5699ccca7ac4c609d9d6d57df323387cd0ef114f153f1f1ac89b71719ff27ced30f2723421b72368590066112f1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F9CCF96\stubinstaller.ini

Filesize
3KB

MD5
74954d67008299690e8a41686c07e19f

SHA1
6b84e1fe07b463873d293caa84bf0fb1966a6f0e

SHA256
9a83289d090147c0111f48bbb3fc2a218f8dc139a41371e8065cbb5cee709883

SHA512
9775eb8977dc8fe8bdea836fabe2b8c96dd0c1b115ea83a46bdc302ace49c0cfa312dba9cc00b19173d9239dedeec19b39f1441ba4ecfd36d9c37aca56b704cd

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8F9CCF96\Stub.exe

Filesize
1.4MB

MD5
157cab848548168938c890a4b95048c0

SHA1
dcac73b5babbb18ce88e9134a8fc95cc9782a269

SHA256
3294d06e3b0e6b42c12e1ecf2de8097a687e143e3bea9beb9d0845b4fcb561d0

SHA512
28cb7fabf2f1759e0a5e2ce42aeb92a0d0131d73a1bb85b5e7dfc211eb0db4bfb69d3acf3254ec7581171935380dbedad4f0edf150c99a3c4a9aac2d554b4222

Download Submit
memory/2676-193-0x0000000002EC0000-0x0000000002EC1000-memory.dmp

Filesize
4KB

Download
memory/2676-201-0x0000000002EC0000-0x0000000002EC1000-memory.dmp

Filesize
4KB

Download