3ac961d63d89d1f0c093b362cd6ca91ca3b1f7b26adb073f2cf063ac148c9a6d

Analysis

max time kernel
42s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30-10-2022 07:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ac961d63d89d1f0c093b362cd6ca91ca3b1f7b26adb073f2cf063ac148c9a6d.exe
Size

30KB
MD5

92d5c5075d1deb8123bad0308b060016
SHA1

98ed791d7089f553e429b82e3672ed90b23211c4
SHA256

3ac961d63d89d1f0c093b362cd6ca91ca3b1f7b26adb073f2cf063ac148c9a6d
SHA512

228206069ab1d73899064f7879a7dcb6c4adfc8e7b62c750a8e2249a41ac48d96b43a1dd110e0d003d5eeab2446dbd8f856d8b8a0698a80f8b81f670816250f9
SSDEEP

768:C9bT2RnDMP36bo2++LC0566eaHXIkWQEY0zsQPN:2T2Zeoo2rLJ9eo4kWQEYBKN

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2012	gbvgbv22.exe
908	gbvgbv22.exe

Loads dropped DLL 5 IoCs

pid	Process
1800	3ac961d63d89d1f0c093b362cd6ca91ca3b1f7b26adb073f2cf063ac148c9a6d.exe
1800	3ac961d63d89d1f0c093b362cd6ca91ca3b1f7b26adb073f2cf063ac148c9a6d.exe
2012	gbvgbv22.exe
908	gbvgbv22.exe
908	gbvgbv22.exe

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SfcDisable = "4294967197"	gbvgbv22.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\gbvgbv22.exe	3ac961d63d89d1f0c093b362cd6ca91ca3b1f7b26adb073f2cf063ac148c9a6d.exe
File opened for modification	C:\Windows\SysWOW64\gbvgbv22.exe	3ac961d63d89d1f0c093b362cd6ca91ca3b1f7b26adb073f2cf063ac148c9a6d.exe
File opened for modification	C:\Windows\SysWOW64\comres.dll	gbvgbv22.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\fonts\dbr22010.ttf	3ac961d63d89d1f0c093b362cd6ca91ca3b1f7b26adb073f2cf063ac148c9a6d.exe
File opened for modification	C:\Windows\fonts\dbr22010.ttf	3ac961d63d89d1f0c093b362cd6ca91ca3b1f7b26adb073f2cf063ac148c9a6d.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1800	3ac961d63d89d1f0c093b362cd6ca91ca3b1f7b26adb073f2cf063ac148c9a6d.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1800 wrote to memory of 1256	1800	3ac961d63d89d1f0c093b362cd6ca91ca3b1f7b26adb073f2cf063ac148c9a6d.exe	21
PID 1800 wrote to memory of 2012	1800	3ac961d63d89d1f0c093b362cd6ca91ca3b1f7b26adb073f2cf063ac148c9a6d.exe	28
PID 1800 wrote to memory of 2012	1800	3ac961d63d89d1f0c093b362cd6ca91ca3b1f7b26adb073f2cf063ac148c9a6d.exe	28
PID 1800 wrote to memory of 2012	1800	3ac961d63d89d1f0c093b362cd6ca91ca3b1f7b26adb073f2cf063ac148c9a6d.exe	28
PID 1800 wrote to memory of 2012	1800	3ac961d63d89d1f0c093b362cd6ca91ca3b1f7b26adb073f2cf063ac148c9a6d.exe	28
PID 1800 wrote to memory of 908	1800	3ac961d63d89d1f0c093b362cd6ca91ca3b1f7b26adb073f2cf063ac148c9a6d.exe	29
PID 1800 wrote to memory of 908	1800	3ac961d63d89d1f0c093b362cd6ca91ca3b1f7b26adb073f2cf063ac148c9a6d.exe	29
PID 1800 wrote to memory of 908	1800	3ac961d63d89d1f0c093b362cd6ca91ca3b1f7b26adb073f2cf063ac148c9a6d.exe	29
PID 1800 wrote to memory of 908	1800	3ac961d63d89d1f0c093b362cd6ca91ca3b1f7b26adb073f2cf063ac148c9a6d.exe	29
PID 908 wrote to memory of 1704	908	gbvgbv22.exe	30
PID 908 wrote to memory of 1704	908	gbvgbv22.exe	30
PID 908 wrote to memory of 1704	908	gbvgbv22.exe	30
PID 908 wrote to memory of 1704	908	gbvgbv22.exe	30

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1256
- C:\Users\Admin\AppData\Local\Temp\3ac961d63d89d1f0c093b362cd6ca91ca3b1f7b26adb073f2cf063ac148c9a6d.exe
  "C:\Users\Admin\AppData\Local\Temp\3ac961d63d89d1f0c093b362cd6ca91ca3b1f7b26adb073f2cf063ac148c9a6d.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1800
- - C:\Windows\SysWOW64\gbvgbv22.exe
    C:\Windows\system32\gbvgbv22.exe C:\Windows\system32\dbr22010.ocx pfjaoidjglkajd C:\Users\Admin\AppData\Local\Temp\3ac961d63d89d1f0c093b362cd6ca91ca3b1f7b26adb073f2cf063ac148c9a6d.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies WinLogon
    - Drops file in System32 directory
    PID:2012
- - C:\Windows\SysWOW64\gbvgbv22.exe
    C:\Windows\system32\gbvgbv22.exe C:\Windows\system32\dbr99005.ocx pfjieaoidjglkajd
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:908
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:1704

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\dbr22010.ocx

Filesize
38KB

MD5
0784415cc4fc75e94c04eec21dbc1398

SHA1
97e729d57b66dcfed52372d4a0f84e71c272b27f

SHA256
8b5204d0126f46373cace13bfc1190e7ee042355d3e20b57a1f579ca669fdf0b

SHA512
2078815ca7e0b60032eb237fd0e09a76984ba18cf7e30bcb8a74bf8fee0bb57bba8893a28c29c8ec9c8cdc01d4c2880bbb91924d5c8dda2698b80550ae63cf95

Download Submit
C:\Windows\SysWOW64\dbr99005.ocx

Filesize
8KB

MD5
76948da567806229012ad2a3d697e468

SHA1
027b9b69eda64b4872647d49f88236603c2433d3

SHA256
73c5b0cbd6e42dad24ee43750a8aee23a8a00b245e8aba577f88563f73eabbd3

SHA512
98af9d35cafa124a0ec4a37a44e6e541641cbf474ccefabfe3c30fea15d671496e8ee37a770f727f1651032dc9496fea664423ac7e5b7c46aa1bfa9d8c39a827

Download Submit
C:\Windows\SysWOW64\gbvgbv22.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
C:\Windows\SysWOW64\gbvgbv22.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
C:\Windows\SysWOW64\gbvgbv22.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
C:\Windows\fonts\dbr22010.ttf

Filesize
412B

MD5
2f3e2a8342cead4ff4c1bf76622aacd4

SHA1
b115a4248c812d27610658dc13a62770e9a49775

SHA256
6af20d8dc39f62505636312e20fdcb0378e0d53a6331d1e4709136d49dca8c9b

SHA512
a2f16ea866e41836f8799366b404acd643a0d17c0a84baba6dd77bd0e654bfd85b7fe150f42cda48d2259d0e367be961c7f5b90b6b400d9731e514d750e59855

Download Submit
\Windows\SysWOW64\dbr22010.ocx

Filesize
38KB

MD5
0784415cc4fc75e94c04eec21dbc1398

SHA1
97e729d57b66dcfed52372d4a0f84e71c272b27f

SHA256
8b5204d0126f46373cace13bfc1190e7ee042355d3e20b57a1f579ca669fdf0b

SHA512
2078815ca7e0b60032eb237fd0e09a76984ba18cf7e30bcb8a74bf8fee0bb57bba8893a28c29c8ec9c8cdc01d4c2880bbb91924d5c8dda2698b80550ae63cf95

Download Submit
\Windows\SysWOW64\dbr22010.ocx

Filesize
38KB

MD5
0784415cc4fc75e94c04eec21dbc1398

SHA1
97e729d57b66dcfed52372d4a0f84e71c272b27f

SHA256
8b5204d0126f46373cace13bfc1190e7ee042355d3e20b57a1f579ca669fdf0b

SHA512
2078815ca7e0b60032eb237fd0e09a76984ba18cf7e30bcb8a74bf8fee0bb57bba8893a28c29c8ec9c8cdc01d4c2880bbb91924d5c8dda2698b80550ae63cf95

Download Submit
\Windows\SysWOW64\dbr99005.ocx

Filesize
8KB

MD5
76948da567806229012ad2a3d697e468

SHA1
027b9b69eda64b4872647d49f88236603c2433d3

SHA256
73c5b0cbd6e42dad24ee43750a8aee23a8a00b245e8aba577f88563f73eabbd3

SHA512
98af9d35cafa124a0ec4a37a44e6e541641cbf474ccefabfe3c30fea15d671496e8ee37a770f727f1651032dc9496fea664423ac7e5b7c46aa1bfa9d8c39a827

Download Submit
\Windows\SysWOW64\gbvgbv22.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
\Windows\SysWOW64\gbvgbv22.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
memory/908-58-0x0000000000000000-mapping.dmp

Download
memory/908-66-0x00000000758C1000-0x00000000758C3000-memory.dmp

Filesize
8KB

Download
memory/908-71-0x0000000000100000-0x000000000010E000-memory.dmp

Filesize
56KB

Download
memory/908-70-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/1704-69-0x0000000000000000-mapping.dmp

Download
memory/1704-72-0x000007FEFBE11000-0x000007FEFBE13000-memory.dmp

Filesize
8KB

Download
memory/1800-62-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2012-55-0x0000000000000000-mapping.dmp

Download
memory/2012-73-0x0000000010000000-0x000000001000E000-memory.dmp

Filesize
56KB

Download