27d0267b13ed087d3e58bea3b24677c1ac666afe9b4ac729ff89bce3b09a8085

Analysis

max time kernel
43s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11/10/2022, 04:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

27d0267b13ed087d3e58bea3b24677c1ac666afe9b4ac729ff89bce3b09a8085.exe
Size

31KB
MD5

6802deeeaa3945e6db07c9383ee591a2
SHA1

7acf0de23eb516310210f2b264612776d526ea78
SHA256

27d0267b13ed087d3e58bea3b24677c1ac666afe9b4ac729ff89bce3b09a8085
SHA512

9f963e4ff52542eb633c0e5babcfcc9d78d97d3c17b7394f5d4cd76dd41cd6d600b4e86b30b4c440931f7d0d8676d3fa106de8ffae1136da5004ea4a16d97001
SSDEEP

384:ATJanqKJjwRA6jBu8Rvwk854gGePuJJXy+mMU8GlXk1NKC4+6S5HvueaARYu:AgP5culk8vGjDXCNlyBo1m

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1652	gbvgbv00.exe
1628	gbvgbv00.exe

Loads dropped DLL 5 IoCs

pid	Process
704	27d0267b13ed087d3e58bea3b24677c1ac666afe9b4ac729ff89bce3b09a8085.exe
704	27d0267b13ed087d3e58bea3b24677c1ac666afe9b4ac729ff89bce3b09a8085.exe
1652	gbvgbv00.exe
1628	gbvgbv00.exe
1628	gbvgbv00.exe

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SfcDisable = "4294967197"	gbvgbv00.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\comres.dll	gbvgbv00.exe
File opened for modification	C:\Windows\SysWOW64\comres.dll.ocx	gbvgbv00.exe
File created	C:\Windows\SysWOW64\comres.dll.ocx	gbvgbv00.exe
File created	C:\Windows\SysWOW64\gbvgbv00.exe	27d0267b13ed087d3e58bea3b24677c1ac666afe9b4ac729ff89bce3b09a8085.exe
File opened for modification	C:\Windows\SysWOW64\gbvgbv00.exe	27d0267b13ed087d3e58bea3b24677c1ac666afe9b4ac729ff89bce3b09a8085.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\fonts\dbr00019.ttf	27d0267b13ed087d3e58bea3b24677c1ac666afe9b4ac729ff89bce3b09a8085.exe
File opened for modification	C:\Windows\fonts\dbr00019.ttf	27d0267b13ed087d3e58bea3b24677c1ac666afe9b4ac729ff89bce3b09a8085.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
704	27d0267b13ed087d3e58bea3b24677c1ac666afe9b4ac729ff89bce3b09a8085.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 704 wrote to memory of 1236	704	27d0267b13ed087d3e58bea3b24677c1ac666afe9b4ac729ff89bce3b09a8085.exe	12
PID 704 wrote to memory of 1652	704	27d0267b13ed087d3e58bea3b24677c1ac666afe9b4ac729ff89bce3b09a8085.exe	27
PID 704 wrote to memory of 1652	704	27d0267b13ed087d3e58bea3b24677c1ac666afe9b4ac729ff89bce3b09a8085.exe	27
PID 704 wrote to memory of 1652	704	27d0267b13ed087d3e58bea3b24677c1ac666afe9b4ac729ff89bce3b09a8085.exe	27
PID 704 wrote to memory of 1652	704	27d0267b13ed087d3e58bea3b24677c1ac666afe9b4ac729ff89bce3b09a8085.exe	27
PID 704 wrote to memory of 1628	704	27d0267b13ed087d3e58bea3b24677c1ac666afe9b4ac729ff89bce3b09a8085.exe	28
PID 704 wrote to memory of 1628	704	27d0267b13ed087d3e58bea3b24677c1ac666afe9b4ac729ff89bce3b09a8085.exe	28
PID 704 wrote to memory of 1628	704	27d0267b13ed087d3e58bea3b24677c1ac666afe9b4ac729ff89bce3b09a8085.exe	28
PID 704 wrote to memory of 1628	704	27d0267b13ed087d3e58bea3b24677c1ac666afe9b4ac729ff89bce3b09a8085.exe	28
PID 1628 wrote to memory of 1304	1628	gbvgbv00.exe	29
PID 1628 wrote to memory of 1304	1628	gbvgbv00.exe	29
PID 1628 wrote to memory of 1304	1628	gbvgbv00.exe	29
PID 1628 wrote to memory of 1304	1628	gbvgbv00.exe	29

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1236
- C:\Users\Admin\AppData\Local\Temp\27d0267b13ed087d3e58bea3b24677c1ac666afe9b4ac729ff89bce3b09a8085.exe
  "C:\Users\Admin\AppData\Local\Temp\27d0267b13ed087d3e58bea3b24677c1ac666afe9b4ac729ff89bce3b09a8085.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:704
- - C:\Windows\SysWOW64\gbvgbv00.exe
    C:\Windows\system32\gbvgbv00.exe C:\Windows\system32\dbr00019.ocx pfjaoidjglkajd C:\Users\Admin\AppData\Local\Temp\27d0267b13ed087d3e58bea3b24677c1ac666afe9b4ac729ff89bce3b09a8085.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies WinLogon
    - Drops file in System32 directory
    PID:1652
- - C:\Windows\SysWOW64\gbvgbv00.exe
    C:\Windows\system32\gbvgbv00.exe C:\Windows\system32\dbr99005.ocx pfjieaoidjglkajd
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1628
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:1304

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\dbr00019.ocx

Filesize
39KB

MD5
c07d263dda540e58f389d3b353f57df3

SHA1
6d3037f92e2337f72d758f76f4d225ebd06804e5

SHA256
0dd2e1920460a5b54bb573a74266d070e2a2afe6345bda2cac1b209cd3da282f

SHA512
d36c2a6867646086013e9551c8a2c5051ea4e6827d2c55c7c1d8428f0e103805d0deb2ad3c39f053c125c6bbd0509ff628184cd9d64aad59acc2b20321054370

Download Submit
C:\Windows\SysWOW64\dbr99005.ocx

Filesize
8KB

MD5
76948da567806229012ad2a3d697e468

SHA1
027b9b69eda64b4872647d49f88236603c2433d3

SHA256
73c5b0cbd6e42dad24ee43750a8aee23a8a00b245e8aba577f88563f73eabbd3

SHA512
98af9d35cafa124a0ec4a37a44e6e541641cbf474ccefabfe3c30fea15d671496e8ee37a770f727f1651032dc9496fea664423ac7e5b7c46aa1bfa9d8c39a827

Download Submit
C:\Windows\SysWOW64\gbvgbv00.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
C:\Windows\SysWOW64\gbvgbv00.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
C:\Windows\SysWOW64\gbvgbv00.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
C:\Windows\fonts\dbr00019.ttf

Filesize
412B

MD5
7addeb48cb7d29465d516b154434c25f

SHA1
eb1d0588a67db44919d8bf9525354da30df79089

SHA256
919bdab1b46eaecbed671910871b9ae72f22208da6d397f950ed07545767c06a

SHA512
a2c2e37d13f697f569bd866c9b5af830cce01e843275ea4285699db436838ae51c5bb21752c0857529244ba9ab7858fb676a3b7d74d2d2a45722a9193831487d

Download Submit
\Windows\SysWOW64\dbr00019.ocx

Filesize
39KB

MD5
c07d263dda540e58f389d3b353f57df3

SHA1
6d3037f92e2337f72d758f76f4d225ebd06804e5

SHA256
0dd2e1920460a5b54bb573a74266d070e2a2afe6345bda2cac1b209cd3da282f

SHA512
d36c2a6867646086013e9551c8a2c5051ea4e6827d2c55c7c1d8428f0e103805d0deb2ad3c39f053c125c6bbd0509ff628184cd9d64aad59acc2b20321054370

Download Submit
\Windows\SysWOW64\dbr00019.ocx

Filesize
39KB

MD5
c07d263dda540e58f389d3b353f57df3

SHA1
6d3037f92e2337f72d758f76f4d225ebd06804e5

SHA256
0dd2e1920460a5b54bb573a74266d070e2a2afe6345bda2cac1b209cd3da282f

SHA512
d36c2a6867646086013e9551c8a2c5051ea4e6827d2c55c7c1d8428f0e103805d0deb2ad3c39f053c125c6bbd0509ff628184cd9d64aad59acc2b20321054370

Download Submit
\Windows\SysWOW64\dbr99005.ocx

Filesize
8KB

MD5
76948da567806229012ad2a3d697e468

SHA1
027b9b69eda64b4872647d49f88236603c2433d3

SHA256
73c5b0cbd6e42dad24ee43750a8aee23a8a00b245e8aba577f88563f73eabbd3

SHA512
98af9d35cafa124a0ec4a37a44e6e541641cbf474ccefabfe3c30fea15d671496e8ee37a770f727f1651032dc9496fea664423ac7e5b7c46aa1bfa9d8c39a827

Download Submit
\Windows\SysWOW64\gbvgbv00.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
\Windows\SysWOW64\gbvgbv00.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
memory/704-62-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1304-72-0x000007FEFB591000-0x000007FEFB593000-memory.dmp

Filesize
8KB

Download
memory/1628-66-0x0000000074AD1000-0x0000000074AD3000-memory.dmp

Filesize
8KB

Download
memory/1628-70-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/1628-71-0x0000000000140000-0x000000000014E000-memory.dmp

Filesize
56KB

Download
memory/1652-73-0x0000000010000000-0x000000001000E000-memory.dmp

Filesize
56KB

Download