Analysis
- max time kernel: 149s
- max time network: 149s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 09-11-2020 20:57
Static task: static1
Behavioral task: behavioral1
- Sample: gbs.dll
- Resource: win7v20201028 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: gbs.dll
- Resource: win10v20201028 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: gbs.dll
- Size: 490KB
- MD5: 7e6b567873d7922bb8e168e56fdc8f17
- SHA1: e5204f9a8a106b8e1c931c32226d1904dd0b4fda
- SHA256: f9604372c577e72a1560e02bede724a35e0f011406fe19f409083a59867850ac
- SHA512: 635fa8c1e723b6fa0adb0043e9d0949990801e6f839ba740fa074db534a5c04cf484eeacf4dc4caa7df01232dcece7cf46e780332e91b2bf126f37f3c0cda3ed
- Score: 10/10
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: msiexec.exe
  - Key created: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run (process: msiexec.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nozyvoe = "regsvr32.exe /s C:\\Users\\Admin\\AppData\\Roaming\\Tukeel\\afez.dll" (process: msiexec.exe)
- Suspicious use of SetThreadContext (1 IoC)
  Processes: rundll32.exe
  - PID 1268 set thread context of PID 2688 (rundll32.exe -> msiexec.exe)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: msiexec.exe
  - Token: SeSecurityPrivilege, PID 2688 (msiexec.exe)
  - Token: SeSecurityPrivilege, PID 2688 (msiexec.exe)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: rundll32.exe, rundll32.exe
  - PID 1160 wrote to memory of PID 1268 (rundll32.exe -> rundll32.exe), 3 events
  - PID 1268 wrote to memory of PID 2688 (rundll32.exe -> msiexec.exe), 5 events
Processes
- C:\Windows\system32\rundll32.exe (depth 1)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\gbs.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (depth 2)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\gbs.dll,#1
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\msiexec.exe (depth 3)
      command line: msiexec.exe
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken