b3fa5fad4215614071651b47ed6376ae2b387cb5bd9448d88a0bf8c522725915

Analysis

max time kernel
93s
max time network
112s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/09/2024, 14:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PANDAVPN.exe
Size

3.0MB
MD5

29ac3c117bd5fd360d4fa43666554464
SHA1

c2ef2e5b1673769335c26addd8ea9c1adc2cebd0
SHA256

b3fa5fad4215614071651b47ed6376ae2b387cb5bd9448d88a0bf8c522725915
SHA512

4ae64123d0ddd601459d5bbb7026128204577813c1320f879722309a8a5a2fd8ea6652c5e3b972cd9417065319a65aea13c1739e9aa052935745e0b80709a39f
SSDEEP

98304:AWxnQjLvTM4tuNZv6SFbgZoc2lgknJ1g9+8LMRuKk:AWe/8TT9SMk

Score

4^/10

discovery

Malware Config

Signatures

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Executes dropped EXE 1 IoCs

pid	Process
3628	Stub.exe

Loads dropped DLL 4 IoCs

pid	Process
3628	Stub.exe
3628	Stub.exe
3628	Stub.exe
3628	Stub.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PANDAVPN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Stub.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3628	Stub.exe
3628	Stub.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3628	Stub.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 724 wrote to memory of 3628	724	PANDAVPN.exe	85
PID 724 wrote to memory of 3628	724	PANDAVPN.exe	85
PID 724 wrote to memory of 3628	724	PANDAVPN.exe	85

C:\Users\Admin\AppData\Local\Temp\PANDAVPN.exe
"C:\Users\Admin\AppData\Local\Temp\PANDAVPN.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:724
- C:\Users\Admin\AppData\Local\Temp\7zS4D240557\Stub.exe
  ".\Stub.exe" /c "190613" /u "http://acs.pandasoftware.com/Panda/FREEAV/190613/FREEAV.exe" /a "VPNFWBFRPR1017" /p "4252"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Panda Security\PSLogs\Stub_exe.log

Filesize
2KB

MD5
80ad7a4cf898af00be7df4173ed5f887

SHA1
bc390fa32a9b2b22accfe7b56264190f5c815224

SHA256
b653ea080bb0745d1dcb1d7b13fac5ad8bd2ac38c3641cdb6adb2cf4cb6d02bb

SHA512
5108f249dbd6f13c0092e6773326d9c2d27ac0d83ee51cdf8d4780c7be207a6f929bea1ce9c2ace7deac3b9e3ad0e0b56532a66600e66bf1ec7841c2f995ffb4

Download Submit
C:\ProgramData\Panda Security\PSLogs\Stub_exe.log

Filesize
4KB

MD5
7f1291f174f6eda9fd0655a8ba652849

SHA1
acc45dcb2ee793fa94771171c2b5dd82cc38c91b

SHA256
78e2c7477e402fe89dd95542f12f51a565cf5041d253549e5d666ac9352015e7

SHA512
0d4713ba5551c1fff04206ba02b320b90997fcd745cff024e698a14550f8074776630d2cc407418546123e883a5454f9024fba6e7fb93a60acb56df79cafa976

Download Submit
C:\ProgramData\Panda Security\PSLogs\Stub_exe.log

Filesize
4KB

MD5
73d6055a47e39c01d999e6027078ebd1

SHA1
2f5bf5a931234eb54f1a3c2bd37bbcb8302c98e1

SHA256
0c5fb717aab1807edf8b18a626a852b07aef878e84d52ad506efdc822f09b96d

SHA512
528f4ed428cbf50ebc1e19a116f9d6f6ece3ed78b6aac16993c6aafe8da15b4aaefda8b73087274edf9f2e1a9a73992cd841ba5fb107fc794602f551bed5c737

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4D240557\AvDetect.dat

Filesize
23KB

MD5
9a17b5ac44705cc4bc3608c6232e1f16

SHA1
4a5f78bc37a704d5181f51aa32cefcb51c66d3cf

SHA256
4ad849f737b18084b060828c7cca48bcf512cc2ada2a937f5cfbab79f1b29677

SHA512
79db7e450faa9e81f27789f328a58860438713e58aef7ddd37661f1c62ed4cafc437cb7499273e7f36e805edbd93405153f66f6dc37cdd09fd0aea611ca91ce2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4D240557\CommsWrapper.dll

Filesize
82KB

MD5
de835b63304969aab279fd08ff927a8d

SHA1
ffa8608c831d0fd782265dff342eed71d53bfcdd

SHA256
a474a520c9dac0e66678a967e9b94923fcbd084e449403399f96b1f0879cf0e6

SHA512
31ab5e134da5b55cc28d0478e8b55016449a9753c81e92f0c37f8803cf621d52ecaaf11cea4fa6dcf038ae0562d7faca6e6e58cfa45c4189dc359beea90b2002

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4D240557\InstallRes.dll

Filesize
1.2MB

MD5
acf7d45e9b3e5be0fb4c1a2c38a6000b

SHA1
c737b90454f6f308eafc5d042e7ac570756b8eeb

SHA256
d5a071d71a25eadfe9782a53aea53dfa807992e9c3f2d0eefb8c6c1a67865a0a

SHA512
7ddf01c454ea7119da9612afd229d2e7cd61ab30460191fafb244aed7ff4af202bef5b378a76ca4d2d80141babc56b7b8b4c11fad9cd9d119234f54bd30b8549

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4D240557\MSVCP100.dll

Filesize
411KB

MD5
e3c817f7fe44cc870ecdbcbc3ea36132

SHA1
2ada702a0c143a7ae39b7de16a4b5cc994d2548b

SHA256
d769fafa2b3232de9fa7153212ba287f68e745257f1c00fafb511e7a02de7adf

SHA512
4fcf3fcdd27c97a714e173aa221f53df6c152636d77dea49e256a9788f2d3f2c2d7315dd0b4d72ecefc553082f9149b8580779abb39891a88907f16ec9e13cbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4D240557\MSVCR100.dll

Filesize
755KB

MD5
bf38660a9125935658cfa3e53fdc7d65

SHA1
0b51fb415ec89848f339f8989d323bea722bfd70

SHA256
60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa

SHA512
25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4D240557\Stub.exe

Filesize
1.4MB

MD5
157cab848548168938c890a4b95048c0

SHA1
dcac73b5babbb18ce88e9134a8fc95cc9782a269

SHA256
3294d06e3b0e6b42c12e1ecf2de8097a687e143e3bea9beb9d0845b4fcb561d0

SHA512
28cb7fabf2f1759e0a5e2ce42aeb92a0d0131d73a1bb85b5e7dfc211eb0db4bfb69d3acf3254ec7581171935380dbedad4f0edf150c99a3c4a9aac2d554b4222

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4D240557\StubInstaller.dat

Filesize
5KB

MD5
238dcab1cb4709a2cb212a4acf1944d2

SHA1
5693a7ac7bc35da7e3b8ff3a74c6832c1ff41376

SHA256
17b5f3d0697f2b41cf09d65f595e030b90de23b2afcdfb85be1969b57c9a4b72

SHA512
0bba56bccbeca5b98790ddb09311a375426d55dd6415891b00b5749d50cd143c0327d4ae54fcccbe12644b19e671bdaf5627dd1770c20b55624a64ada17cbaac

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4D240557\res\StubInstaller.ico

Filesize
361KB

MD5
b1c57c999f8a3bdec9529abe456eed97

SHA1
58a29bdde7d7834aebb4381a8df5f58458d53263

SHA256
e64df356b9e79a982daa7c3d35db3bf85a800d4d7f870a64c666216bde731657

SHA512
ebe6062d3abdd5df7c89bd5aee7254f1f1e19fc2c452015bcdd8ce7438ccf0f3fed8036259ab02a0cb9bab3888a1f85528e8dad561aea34016a722df3a7fdf06

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4D240557\res\background.png

Filesize
163KB

MD5
66f91f2b36927e1b51344bda4b373b04

SHA1
3f316487c2116c0dd4eb6ca709ebee0d18fb2df1

SHA256
dae5e3f303d3cab68a7d920f081923bf89dd8fd1c58621c6bc3cad8b880f1494

SHA512
029238de264b3450c64da59757ff98c2bb8fc68e7234243ed9f36b99ab27d9fc15d2a1a83274dece6a8fd993709de366be2436b376f54498419b109b37331fa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4D240557\res\img_product2.png

Filesize
4KB

MD5
fd92546fc781efef844196c15e45f570

SHA1
318ae93b9f903d21bc66751ad8d8a17215cafb35

SHA256
99466f827368ef2fe2783e0112b683fdb29973055bea1d88b30462918d776993

SHA512
ac68648ad49c468b478dce94bd070bf59e91bd2d57bf656690ec90d164adff8221cf01d7dd33df541c475ca060669fe7b5b00f7f6689828dd5360fff63078b87

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4D240557\splash.dll

Filesize
96KB

MD5
cae3bdf938e570dc1d06d9b669de35f3

SHA1
50c190667b3d6c0fbf4a181136951fb1bc2111f9

SHA256
daddee5633db37c0968befd9339dac7e202b9265bdeef364341e8287ba38b85a

SHA512
4d3f84a68790649e075e6f51bd20d42fa10d5699ccca7ac4c609d9d6d57df323387cd0ef114f153f1f1ac89b71719ff27ced30f2723421b72368590066112f1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4D240557\stubinstaller.ini

Filesize
3KB

MD5
74954d67008299690e8a41686c07e19f

SHA1
6b84e1fe07b463873d293caa84bf0fb1966a6f0e

SHA256
9a83289d090147c0111f48bbb3fc2a218f8dc139a41371e8065cbb5cee709883

SHA512
9775eb8977dc8fe8bdea836fabe2b8c96dd0c1b115ea83a46bdc302ace49c0cfa312dba9cc00b19173d9239dedeec19b39f1441ba4ecfd36d9c37aca56b704cd

Download Submit
memory/3628-194-0x0000000003010000-0x0000000003011000-memory.dmp

Filesize
4KB

Download
memory/3628-202-0x0000000003010000-0x0000000003011000-memory.dmp

Filesize
4KB

Download