Overview

overview

7

Static

static

3

c59d9f8505...3a.exe

windows7-x64

7

c59d9f8505...3a.exe

windows10-2004-x64

5

Analysis

  • max time kernel
    120s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    13/03/2024, 10:16

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    c59d9f85050bcdcc944ba2692c585b3a.exe

  • Size

    31KB

  • MD5

    c59d9f85050bcdcc944ba2692c585b3a

  • SHA1

    d8ebd395c911108a16c1ca6c74cf8911fd6bb9e6

  • SHA256

    eb979de12c0e8c0c62db1c526e83e6972b4668ac5de00d60881da1a7a4a73c2d

  • SHA512

    a2aa96bb1bd3be42d6d22f23965015f6f64d2cda778d2afc0b3534547242120a5277f9edef58b3788d5852acbe67ff168f9de188f40bfca3e38d5bff8a0797ea

  • SSDEEP

    768:bdzXWdJ465HyTyMqL3aK6ffYxA/tHkQYD/sqZj/Ffs2ceuXNI:bE4CVZLDxAyCqZDFfs2VR

Score
7/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Modifies WinLogon 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 5 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1368
      • C:\Users\Admin\AppData\Local\Temp\c59d9f85050bcdcc944ba2692c585b3a.exe
        "C:\Users\Admin\AppData\Local\Temp\c59d9f85050bcdcc944ba2692c585b3a.exe"
        2⤵
        • Loads dropped DLL
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2660
        • C:\Windows\SysWOW64\gbvgbv14.exe
          C:\Windows\system32\gbvgbv14.exe C:\Windows\system32\dbr14016.ocx pfjaoidjglkajd C:\Users\Admin\AppData\Local\Temp\c59d9f85050bcdcc944ba2692c585b3a.exe
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Modifies WinLogon
          • Drops file in System32 directory
          PID:2908
        • C:\Windows\SysWOW64\gbvgbv14.exe
          C:\Windows\system32\gbvgbv14.exe C:\Windows\system32\dbr99005.ocx pfjieaoidjglkajd
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2648
          • C:\Windows\explorer.exe
            "C:\Windows\explorer.exe"
            4⤵
              PID:2152

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Windows\fonts\dbr14016.ttf
              Filesize

              412B

              MD5

              7e6757cff068b735f7ac162ab9373e04

              SHA1

              877bf5d5fdb18256e1294ddad8e114df2727f22f

              SHA256

              e4d28f35d4356566456db60b8c6f5844252782238ca9ec0ec76957056719cc42

              SHA512

              a29e834845700ebb5b6c16626aad69153c8ee1de54565dda2bfeb1430a26aff2a8b961bdfd42426b3f168628d1252d78c38af15d70ba3da0625acbd2750b41fb

              Download Submit

            • \Windows\SysWOW64\dbr14016.ocx
              Filesize

              38KB

              MD5

              2711c015d978822146e8a440757fd573

              SHA1

              acdbee7fbc771c6851d719a1d78a8bb8d5a54f39

              SHA256

              2ffc237ca729dd25327b9a46dac92c8a7da318510bb2c22e4636d14f561f0c57

              SHA512

              460e5d81b13aa07a82011182eba324dc92548a122a582475370573737ac0b58c7d535d8f3ed849694e2873bbe784e93bafc99b9df3616788a0bf5f0813f48f8f

              Download Submit

            • \Windows\SysWOW64\dbr99005.ocx
              Filesize

              8KB

              MD5

              76948da567806229012ad2a3d697e468

              SHA1

              027b9b69eda64b4872647d49f88236603c2433d3

              SHA256

              73c5b0cbd6e42dad24ee43750a8aee23a8a00b245e8aba577f88563f73eabbd3

              SHA512

              98af9d35cafa124a0ec4a37a44e6e541641cbf474ccefabfe3c30fea15d671496e8ee37a770f727f1651032dc9496fea664423ac7e5b7c46aa1bfa9d8c39a827

              Download Submit

            • \Windows\SysWOW64\gbvgbv14.exe
              Filesize

              43KB

              MD5

              51138beea3e2c21ec44d0932c71762a8

              SHA1

              8939cf35447b22dd2c6e6f443446acc1bf986d58

              SHA256

              5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

              SHA512

              794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

              Download Submit

            • memory/1368-9-0x0000000002200000-0x0000000002201000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2648-27-0x0000000000100000-0x000000000010E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/2648-28-0x0000000010000000-0x0000000010006000-memory.dmp

              Filesize

              24KB

              Download

            • memory/2660-0-0x0000000000400000-0x0000000000415000-memory.dmp

              Filesize

              84KB

              Download

            • memory/2660-18-0x0000000000400000-0x0000000000415000-memory.dmp

              Filesize

              84KB

              Download

            • memory/2908-22-0x0000000010000000-0x000000001000E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/2908-33-0x0000000010000000-0x000000001000E000-memory.dmp

              Filesize

              56KB

              Download