Analysis

max time kernel: 142s
max time network: 70s
platform: windows7_x64
resource: win7v20210410
submitted: 05-05-2021 09:03

Static task: static1
Behavioral task: behavioral1
  Sample: 6b699598_by_Libranalysis.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: 6b699598_by_Libranalysis.exe
  Resource: win10v20210410
General

Target: 6b699598_by_Libranalysis.exe
Size: 231KB
MD5: 6b699598d9b88107f16ea4977a39dd2c
SHA1: 28ae2c9fe6ae8ca1e891d32094e159684363cef1
SHA256: de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248
SHA512: 668ca675242b843f7781df225c4156b2b7722b7f7a5afe9233e45ff587546ac5d35f282f43fc518228ae7591290f4bb0da5aada839bcfe1ee255f98c694d0050
Malware Config

Signatures

Modifies system executable filetype association (2 TTPs, 3 IoCs)
Processes: 6b699598_by_Libranalysis.exe, DBIK.EXE
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | 6b699598_by_Libranalysis.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\PerfLogs\\EBZL.EXE \"%1\" %*" | 6b699598_by_Libranalysis.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | DBIK.EXE
Processes:
  resource | yara_rule
  \Program Files\DBIK.EXE | aspack_v212_v242
  \Program Files\DBIK.EXE | aspack_v212_v242
  C:\Program Files\DBIK.EXE | aspack_v212_v242
Executes dropped EXE (1 IoC)
Processes: DBIK.EXE
  pid | process
  2020 | DBIK.EXE
Loads dropped DLL (2 IoCs)
Processes: 6b699598_by_Libranalysis.exe
  pid | process
  484 | 6b699598_by_Libranalysis.exe
  484 | 6b699598_by_Libranalysis.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: 6b699598_by_Libranalysis.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | 6b699598_by_Libranalysis.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RCEQ.EXE = "C:\\PerfLogs\\AKBW.EXE" | 6b699598_by_Libranalysis.exe
Enumerates connected drives (3 TTPs, 18 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: 6b699598_by_Libranalysis.exe
  description | ioc | process
  File opened (read-only) | \??\T: | 6b699598_by_Libranalysis.exe
  File opened (read-only) | \??\G: | 6b699598_by_Libranalysis.exe
  File opened (read-only) | \??\J: | 6b699598_by_Libranalysis.exe
  File opened (read-only) | \??\M: | 6b699598_by_Libranalysis.exe
  File opened (read-only) | \??\R: | 6b699598_by_Libranalysis.exe
  File opened (read-only) | \??\I: | 6b699598_by_Libranalysis.exe
  File opened (read-only) | \??\N: | 6b699598_by_Libranalysis.exe
  File opened (read-only) | \??\U: | 6b699598_by_Libranalysis.exe
  File opened (read-only) | \??\V: | 6b699598_by_Libranalysis.exe
  File opened (read-only) | \??\E: | 6b699598_by_Libranalysis.exe
  File opened (read-only) | \??\F: | 6b699598_by_Libranalysis.exe
  File opened (read-only) | \??\O: | 6b699598_by_Libranalysis.exe
  File opened (read-only) | \??\Q: | 6b699598_by_Libranalysis.exe
  File opened (read-only) | \??\S: | 6b699598_by_Libranalysis.exe
  File opened (read-only) | \??\H: | 6b699598_by_Libranalysis.exe
  File opened (read-only) | \??\K: | 6b699598_by_Libranalysis.exe
  File opened (read-only) | \??\L: | 6b699598_by_Libranalysis.exe
  File opened (read-only) | \??\P: | 6b699598_by_Libranalysis.exe
Drops file in Program Files directory (1 IoC)
Processes: 6b699598_by_Libranalysis.exe
  description | ioc | process
  File created | C:\Program Files\DBIK.EXE | 6b699598_by_Libranalysis.exe
Modifies registry class (15 IoCs)
Processes: 6b699598_by_Libranalysis.exe, DBIK.EXE
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command | 6b699598_by_Libranalysis.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "C:\\$Recycle.Bin\\SBT.EXE \"%1\"" | 6b699598_by_Libranalysis.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command | 6b699598_by_Libranalysis.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | 6b699598_by_Libranalysis.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\PerfLogs\\EBZL.EXE \"%1\" %*" | 6b699598_by_Libranalysis.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file | 6b699598_by_Libranalysis.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open\command | 6b699598_by_Libranalysis.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell | 6b699598_by_Libranalysis.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open | 6b699598_by_Libranalysis.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "C:\\$Recycle.Bin\\JRM.EXE \"%1\"" | 6b699598_by_Libranalysis.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | DBIK.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command | 6b699598_by_Libranalysis.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\PerfLogs\\NKV.EXE %1" | 6b699598_by_Libranalysis.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command | 6b699598_by_Libranalysis.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Users\\BIFBGFJ.EXE %1" | 6b699598_by_Libranalysis.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: DBIK.EXE
  pid | process
  2020 | DBIK.EXE
Suspicious use of WriteProcessMemory (4 IoCs)
Processes: 6b699598_by_Libranalysis.exe
  description | pid | process | target process
  PID 484 wrote to memory of 2020 | 484 | 6b699598_by_Libranalysis.exe | DBIK.EXE
  PID 484 wrote to memory of 2020 | 484 | 6b699598_by_Libranalysis.exe | DBIK.EXE
  PID 484 wrote to memory of 2020 | 484 | 6b699598_by_Libranalysis.exe | DBIK.EXE
  PID 484 wrote to memory of 2020 | 484 | 6b699598_by_Libranalysis.exe | DBIK.EXE
Processes

[1] C:\Users\Admin\AppData\Local\Temp\6b699598_by_Libranalysis.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\6b699598_by_Libranalysis.exe"
    - Modifies system executable filetype association
    - Loads dropped DLL
    - Adds Run key to start application
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

    [2] C:\Program Files\DBIK.EXE
        Command line: "C:\Program Files\DBIK.EXE"
        - Modifies system executable filetype association
        - Executes dropped EXE
        - Modifies registry class
        - Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Program Files\DBIK.EXE (also recorded as \Program Files\DBIK.EXE)
MD5: 924c50d21f3242ee186d17b17a4e5ed3
SHA1: b741dee648d1fe3814f1b6c72b2a7794fd83ebbd
SHA256: 78bc68c72d693724258e0ea77f7f37e4e048a84271c49385ccdac63ffa3423e0
SHA512: a0cca171bdc2f8e046ed45e7426be4e849b29e167711fe722b50b0f857c6b0097428cd77e19ece03c186a98ac73388c83365618f7ef7ed0f0082540162bc9fbe
memory/484-63-0x00000000001B0000-0x00000000001B1000-memory.dmp (Filesize: 4KB)
memory/2020-61-0x0000000000000000-mapping.dmp
memory/2020-64-0x0000000000220000-0x0000000000221000-memory.dmp (Filesize: 4KB)