3d24275f33cfb0d01a1541f3aed83ed6ec22e90acc6df0deca325d658c1f1e58

Analysis

max time kernel
50s
max time network
111s
platform
windows10_x64
resource
win10v20201028
submitted
09-11-2020 03:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GBColorPickerSetup_226_6ut9g9biPckZb0_blomb.exe
Size

2.7MB
MD5

30a1ebe4f8232629bbded7ffea78db5e
SHA1

5c7d07d8c8e47f590f7389c309ae3d63c031f1a6
SHA256

965e71a220a0b6a3b8071d53146ec11f740bac24977b7df49d00c0c619f3ed6d
SHA512

4c70e2d00058b60095f573bd37f0e58344b75869d26ff7aae6f5894ffba76798807a1ab530d2827e50302873684a491b7faf9dfdc46e185a9c349fc9f1a67b0e

Score

10^/10

discovery persistence

Malware Config

Signatures

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Executes dropped EXE 2 IoCs

Processes:

GBColorPickerSetup_226_6ut9g9biPckZb0_blomb.tmpGBColorPicker.exe

pid process

2740 GBColorPickerSetup_226_6ut9g9biPckZb0_blomb.tmp
3356 GBColorPicker.exe
Loads dropped DLL 4 IoCs

Processes:

GBColorPicker.exerundll32.exerundll32.exeDllHost.exe

pid process

3356 GBColorPicker.exe
1076 rundll32.exe
1928 rundll32.exe
1356 DllHost.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
2740	GBColorPickerSetup_226_6ut9g9biPckZb0_blomb.tmp
3356	GBColorPicker.exe

pid	process
3356	GBColorPicker.exe
1076	rundll32.exe
1928	rundll32.exe
1356	DllHost.exe

JavaScript code in executable 3 IoCs

Processes:

resource	yara_rule
C:\Program Files (x86)\GBColorPicker\GBColorPickerTask.dll	js
\Program Files (x86)\GBColorPicker\GBColorPickerTask.dll	js
\Program Files (x86)\GBColorPicker\GBColorPickerTask.dll	js

Drops file in Program Files directory 10 IoCs

Processes:

GBColorPickerSetup_226_6ut9g9biPckZb0_blomb.tmp

description	ioc	process
File created	C:\Program Files (x86)\GBColorPicker\is-3C997.tmp	GBColorPickerSetup_226_6ut9g9biPckZb0_blomb.tmp
File created	C:\Program Files (x86)\GBColorPicker\is-DO6RQ.tmp	GBColorPickerSetup_226_6ut9g9biPckZb0_blomb.tmp
File created	C:\Program Files (x86)\GBColorPicker\is-O4OO0.tmp	GBColorPickerSetup_226_6ut9g9biPckZb0_blomb.tmp
File created	C:\Program Files (x86)\GBColorPicker\is-DVG14.tmp	GBColorPickerSetup_226_6ut9g9biPckZb0_blomb.tmp
File opened for modification	C:\Program Files (x86)\GBColorPicker\unins000.dat	GBColorPickerSetup_226_6ut9g9biPckZb0_blomb.tmp
File created	C:\Program Files (x86)\GBColorPicker\unins000.dat	GBColorPickerSetup_226_6ut9g9biPckZb0_blomb.tmp
File created	C:\Program Files (x86)\GBColorPicker\is-7GD6O.tmp	GBColorPickerSetup_226_6ut9g9biPckZb0_blomb.tmp
File created	C:\Program Files (x86)\GBColorPicker\unins000.msg	GBColorPickerSetup_226_6ut9g9biPckZb0_blomb.tmp
File created	C:\Program Files (x86)\GBColorPicker\is-2L1S1.tmp	GBColorPickerSetup_226_6ut9g9biPckZb0_blomb.tmp
File created	C:\Program Files (x86)\GBColorPicker\is-E5M4P.tmp	GBColorPickerSetup_226_6ut9g9biPckZb0_blomb.tmp

Modifies registry class 22 IoCs

Processes:

rundll32.exeDllHost.exerundll32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{74AEE038-DB91-4ad2-92F8-BAB6009059A2}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{74AEE038-DB91-4ad2-92F8-BAB6009059A2}\InprocServer32\ThreadingModel = "Both"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{74AEE038-DB91-4ad2-92F8-BAB6009059A2}	DllHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{74AEE038-DB91-4ad2-92F8-BAB6009059A2}\InprocServer32	DllHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\GBColorPickerTask.dll	DllHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D2D43E25-4B5C-4781-ACF8-E53C59CCE643}\ = "GBColorPickerSystemMenu"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D2D43E25-4B5C-4781-ACF8-E53C59CCE643}\InprocServer32\ = "C:\\Program Files (x86)\\GBColorPicker\\GBColorPickerExt64.dll"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\background\shellex\ContextMenuHandlers\GBColorPickerSystemMenu\ = "{D2D43E25-4B5C-4781-ACF8-E53C59CCE643}"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{74AEE038-DB91-4ad2-92F8-BAB6009059A2}\AppID = "{C9F25994-A189-42ad-9658-667C1DDFFA0A}"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\GBColorPickerTask.dll\AppID = "{C9F25994-A189-42ad-9658-667C1DDFFA0A}"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\GBColorPickerTask.dll	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D2D43E25-4B5C-4781-ACF8-E53C59CCE643}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D2D43E25-4B5C-4781-ACF8-E53C59CCE643}\InprocServer32\ThreadingModel = "Apartment"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{74AEE038-DB91-4ad2-92F8-BAB6009059A2}\ = "{74AEE038-DB91-4ad2-92F8-BAB6009059A2}"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{C9F25994-A189-42ad-9658-667C1DDFFA0A}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{C9F25994-A189-42ad-9658-667C1DDFFA0A}\DllSurrogate	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{C9F25994-A189-42ad-9658-667C1DDFFA0A}	DllHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D2D43E25-4B5C-4781-ACF8-E53C59CCE643}\InprocServer32	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\GBColorPickerSystemMenu	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{74AEE038-DB91-4ad2-92F8-BAB6009059A2}\InprocServer32	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{74AEE038-DB91-4ad2-92F8-BAB6009059A2}\InprocServer32\ = "C:\\Program Files (x86)\\GBColorPicker\\GBColorPickerTask.dll"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{C9F25994-A189-42ad-9658-667C1DDFFA0A}\ = "GBCPTask"	rundll32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

GBColorPickerSetup_226_6ut9g9biPckZb0_blomb.tmp

pid process

2740 GBColorPickerSetup_226_6ut9g9biPckZb0_blomb.tmp

pid	process
2740	GBColorPickerSetup_226_6ut9g9biPckZb0_blomb.tmp

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

GBColorPickerSetup_226_6ut9g9biPckZb0_blomb.exeGBColorPickerSetup_226_6ut9g9biPckZb0_blomb.tmpGBColorPicker.exe

description	pid	process	target process
PID 3372 wrote to memory of 2740	3372	GBColorPickerSetup_226_6ut9g9biPckZb0_blomb.exe	GBColorPickerSetup_226_6ut9g9biPckZb0_blomb.tmp
PID 3372 wrote to memory of 2740	3372	GBColorPickerSetup_226_6ut9g9biPckZb0_blomb.exe	GBColorPickerSetup_226_6ut9g9biPckZb0_blomb.tmp
PID 3372 wrote to memory of 2740	3372	GBColorPickerSetup_226_6ut9g9biPckZb0_blomb.exe	GBColorPickerSetup_226_6ut9g9biPckZb0_blomb.tmp
PID 2740 wrote to memory of 3356	2740	GBColorPickerSetup_226_6ut9g9biPckZb0_blomb.tmp	GBColorPicker.exe
PID 2740 wrote to memory of 3356	2740	GBColorPickerSetup_226_6ut9g9biPckZb0_blomb.tmp	GBColorPicker.exe
PID 2740 wrote to memory of 3356	2740	GBColorPickerSetup_226_6ut9g9biPckZb0_blomb.tmp	GBColorPicker.exe
PID 3356 wrote to memory of 1928	3356	GBColorPicker.exe	rundll32.exe
PID 3356 wrote to memory of 1928	3356	GBColorPicker.exe	rundll32.exe
PID 3356 wrote to memory of 1928	3356	GBColorPicker.exe	rundll32.exe
PID 3356 wrote to memory of 1076	3356	GBColorPicker.exe	rundll32.exe
PID 3356 wrote to memory of 1076	3356	GBColorPicker.exe	rundll32.exe
PID 3356 wrote to memory of 1076	3356	GBColorPicker.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\GBColorPickerSetup_226_6ut9g9biPckZb0_blomb.exe
"C:\Users\Admin\AppData\Local\Temp\GBColorPickerSetup_226_6ut9g9biPckZb0_blomb.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3372

C:\Users\Admin\AppData\Local\Temp\is-U6CN2.tmp\GBColorPickerSetup_226_6ut9g9biPckZb0_blomb.tmp
"C:\Users\Admin\AppData\Local\Temp\is-U6CN2.tmp\GBColorPickerSetup_226_6ut9g9biPckZb0_blomb.tmp" /SL5="$20134,2023452,663552,C:\Users\Admin\AppData\Local\Temp\GBColorPickerSetup_226_6ut9g9biPckZb0_blomb.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2740

C:\Program Files (x86)\GBColorPicker\GBColorPicker.exe
"C:\Program Files (x86)\GBColorPicker\GBColorPicker.exe" /install /SL5="$20134,2023452,663552,C:\Users\Admin\AppData\Local\Temp\GBColorPickerSetup_226_6ut9g9biPckZb0_blomb.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3356

C:\Windows\SysWOW64\rundll32.exe
rundll32 "C:\Program Files (x86)\GBColorPicker\GBColorPickerExt.dll",DllRegister
4⤵
- Loads dropped DLL
- Modifies registry class
PID:1928

C:\Windows\SysWOW64\rundll32.exe
rundll32 "C:\Program Files (x86)\GBColorPicker\GBColorPickerTask.dll",DllRegister
4⤵
- Loads dropped DLL
- Modifies registry class
PID:1076

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{C9F25994-A189-42AD-9658-667C1DDFFA0A}
1⤵
- Loads dropped DLL
- Modifies registry class
PID:1356

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GBColorPicker\GBColorPicker.exe
MD5
5972fb76046531a3d9a92bc51848d2f6

SHA1
130a3e77863f366dd7ad6c36d9a2c302da7f5d91

SHA256
1a0fc47116a057f2a51cb86d2dc6271d809c9408cb3f20d1dbbac42947547f1e

SHA512
79257bd38302d2f3de8cca425cd6fbf03a15befd47214302885bc4f09b4876a805dfd3bfc94ec0788d875984ceb745685777b548aa73e46f2a0137acc9384a88

Download Submit
C:\Program Files (x86)\GBColorPicker\GBColorPicker.exe
MD5
5972fb76046531a3d9a92bc51848d2f6

SHA1
130a3e77863f366dd7ad6c36d9a2c302da7f5d91

SHA256
1a0fc47116a057f2a51cb86d2dc6271d809c9408cb3f20d1dbbac42947547f1e

SHA512
79257bd38302d2f3de8cca425cd6fbf03a15befd47214302885bc4f09b4876a805dfd3bfc94ec0788d875984ceb745685777b548aa73e46f2a0137acc9384a88

Download Submit
C:\Program Files (x86)\GBColorPicker\GBColorPickerExt.dll
MD5
518bdebe9168b4cc7a0f605254a2a825

SHA1
5a6169e93d54ba3a5aca77c6c9a46e43177adf7b

SHA256
63933c57824d61f1c0f22690f103faa85716a0bc7c40f5f2eb8411b338d3a767

SHA512
c747fcc773c497d68f4b632732493e35b5104e868bd82049e0d59ace83ba7c179574e7d182fb616a936e0964035028cf8941b06fa1f517aa324e84aeca6ad05d

Download Submit
C:\Program Files (x86)\GBColorPicker\GBColorPickerTask.dll
MD5
e598fdc5eac35445a2b2e09dd8fc63ad

SHA1
5b9ff066600c4488fb2b451c2dcf0e7c2e0e9159

SHA256
2ffd5f63216bc158679a94db12a927f051c92e9900cad7614d84b6e71fb9e947

SHA512
9565fee5adb5df5786026e08f2d3c29921e25d08e70436b69868a69544fd6b6b8290c494a532f254373061e622ae793ad63bc907f0b5e399cc74db35d6463969

Download Submit
C:\Program Files (x86)\GBColorPicker\GBColorPickerUI.dll
MD5
2180e3947fe913b7f5e589f44058e2e3

SHA1
bd566e32ba31a01390e5a940b14038240ac342c0

SHA256
751344d0154693cef5cb6eb7965e18acf0dbe1e2433252f5528b0f0a98736558

SHA512
1ce75ba065a373623f670b1caaac41927431d349555e954c29aea0a476080427e3c09f1cc15a0fe7c06879a75294ba64ebd049e31a350a6b098c3d976c5d639d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-U6CN2.tmp\GBColorPickerSetup_226_6ut9g9biPckZb0_blomb.tmp
MD5
2b60738912702741553b09be8b8e9d3a

SHA1
6e83dbbff9984dab89f7a2bcc0f0661b50f3be93

SHA256
46254ab29a12a202c66a51b037f5651349da7a727799c6360641f777311fc10a

SHA512
0711502e0936eed15454e3ba2e5b2368a1ce6a88ea077afe1b8e485c737bc4feff5e799f44f426a879305e4be2310ea8ee19229ec9e7668bcb7f6a4c3c6de89d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-U6CN2.tmp\GBColorPickerSetup_226_6ut9g9biPckZb0_blomb.tmp
MD5
2b60738912702741553b09be8b8e9d3a

SHA1
6e83dbbff9984dab89f7a2bcc0f0661b50f3be93

SHA256
46254ab29a12a202c66a51b037f5651349da7a727799c6360641f777311fc10a

SHA512
0711502e0936eed15454e3ba2e5b2368a1ce6a88ea077afe1b8e485c737bc4feff5e799f44f426a879305e4be2310ea8ee19229ec9e7668bcb7f6a4c3c6de89d

Download Submit
\Program Files (x86)\GBColorPicker\GBColorPickerExt.dll
MD5
518bdebe9168b4cc7a0f605254a2a825

SHA1
5a6169e93d54ba3a5aca77c6c9a46e43177adf7b

SHA256
63933c57824d61f1c0f22690f103faa85716a0bc7c40f5f2eb8411b338d3a767

SHA512
c747fcc773c497d68f4b632732493e35b5104e868bd82049e0d59ace83ba7c179574e7d182fb616a936e0964035028cf8941b06fa1f517aa324e84aeca6ad05d

Download Submit
\Program Files (x86)\GBColorPicker\GBColorPickerTask.dll
MD5
e598fdc5eac35445a2b2e09dd8fc63ad

SHA1
5b9ff066600c4488fb2b451c2dcf0e7c2e0e9159

SHA256
2ffd5f63216bc158679a94db12a927f051c92e9900cad7614d84b6e71fb9e947

SHA512
9565fee5adb5df5786026e08f2d3c29921e25d08e70436b69868a69544fd6b6b8290c494a532f254373061e622ae793ad63bc907f0b5e399cc74db35d6463969

Download Submit
\Program Files (x86)\GBColorPicker\GBColorPickerTask.dll
MD5
e598fdc5eac35445a2b2e09dd8fc63ad

SHA1
5b9ff066600c4488fb2b451c2dcf0e7c2e0e9159

SHA256
2ffd5f63216bc158679a94db12a927f051c92e9900cad7614d84b6e71fb9e947

SHA512
9565fee5adb5df5786026e08f2d3c29921e25d08e70436b69868a69544fd6b6b8290c494a532f254373061e622ae793ad63bc907f0b5e399cc74db35d6463969

Download Submit
\Program Files (x86)\GBColorPicker\GBColorPickerUI.dll
MD5
2180e3947fe913b7f5e589f44058e2e3

SHA1
bd566e32ba31a01390e5a940b14038240ac342c0

SHA256
751344d0154693cef5cb6eb7965e18acf0dbe1e2433252f5528b0f0a98736558

SHA512
1ce75ba065a373623f670b1caaac41927431d349555e954c29aea0a476080427e3c09f1cc15a0fe7c06879a75294ba64ebd049e31a350a6b098c3d976c5d639d

Download Submit
memory/1076-9-0x0000000000000000-mapping.dmp

Download
memory/1928-8-0x0000000000000000-mapping.dmp

Download
memory/2740-0-0x0000000000000000-mapping.dmp

Download
memory/3356-3-0x0000000000000000-mapping.dmp

Download