83201c5abd8e975d45b3561040a96ef976e139f636a7a41bc7878772964f6cd0

General

Target

ce1e85598b8298ba2faf14398bd2fc77.exe
Size

25KB
MD5

ce1e85598b8298ba2faf14398bd2fc77
SHA1

c58602e23dcc78317c1b2b42cb8ed35eef7e2d88
SHA256

83201c5abd8e975d45b3561040a96ef976e139f636a7a41bc7878772964f6cd0
SHA512

967ca42a96b759626cbc3694943250ffe3f051ec28b8e13d9dc7cf192f256a20423fea0386cbf99f721d7f43bc83f50228d8a4bb2703c9f635e0521e4c3f786d
SSDEEP

384:NeeRn122osEtyO7yephqMvSdSTlWuCXG5ch//IFsEzteh+kZWZJMfvtu+yCER4:geRE2osC7yerTXdXFluh3tu+yM

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2600	gbvgbv13.exe

Executes dropped EXE 2 IoCs

pid	Process
2600	gbvgbv13.exe
3032	gbvgbv13.exe

Loads dropped DLL 9 IoCs

pid	Process
1768	ce1e85598b8298ba2faf14398bd2fc77.exe
1768	ce1e85598b8298ba2faf14398bd2fc77.exe
2600	gbvgbv13.exe
3032	gbvgbv13.exe
3032	gbvgbv13.exe
2600	gbvgbv13.exe
2600	gbvgbv13.exe
2600	gbvgbv13.exe
2600	gbvgbv13.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1768-0-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/1768-17-0x0000000000400000-0x0000000000413000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\gbvgbv13.exe	ce1e85598b8298ba2faf14398bd2fc77.exe
File opened for modification	C:\Windows\SysWOW64\gbvgbv13.exe	ce1e85598b8298ba2faf14398bd2fc77.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\fonts\dbr13025.ttf	ce1e85598b8298ba2faf14398bd2fc77.exe
File opened for modification	C:\Windows\fonts\dbr13025.ttf	ce1e85598b8298ba2faf14398bd2fc77.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1768	ce1e85598b8298ba2faf14398bd2fc77.exe
2600	gbvgbv13.exe
2600	gbvgbv13.exe
2600	gbvgbv13.exe
2600	gbvgbv13.exe
2600	gbvgbv13.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1768 wrote to memory of 1268	1768	ce1e85598b8298ba2faf14398bd2fc77.exe	21
PID 1768 wrote to memory of 2600	1768	ce1e85598b8298ba2faf14398bd2fc77.exe	28
PID 1768 wrote to memory of 2600	1768	ce1e85598b8298ba2faf14398bd2fc77.exe	28
PID 1768 wrote to memory of 2600	1768	ce1e85598b8298ba2faf14398bd2fc77.exe	28
PID 1768 wrote to memory of 2600	1768	ce1e85598b8298ba2faf14398bd2fc77.exe	28
PID 1768 wrote to memory of 3032	1768	ce1e85598b8298ba2faf14398bd2fc77.exe	29
PID 1768 wrote to memory of 3032	1768	ce1e85598b8298ba2faf14398bd2fc77.exe	29
PID 1768 wrote to memory of 3032	1768	ce1e85598b8298ba2faf14398bd2fc77.exe	29
PID 1768 wrote to memory of 3032	1768	ce1e85598b8298ba2faf14398bd2fc77.exe	29
PID 3032 wrote to memory of 2544	3032	gbvgbv13.exe	30
PID 3032 wrote to memory of 2544	3032	gbvgbv13.exe	30
PID 3032 wrote to memory of 2544	3032	gbvgbv13.exe	30
PID 3032 wrote to memory of 2544	3032	gbvgbv13.exe	30

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1268
- C:\Users\Admin\AppData\Local\Temp\ce1e85598b8298ba2faf14398bd2fc77.exe
  "C:\Users\Admin\AppData\Local\Temp\ce1e85598b8298ba2faf14398bd2fc77.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1768
- - C:\Windows\SysWOW64\gbvgbv13.exe
    C:\Windows\system32\gbvgbv13.exe C:\Windows\system32\dbr13025.ocx pfjaoidjglkajd C:\Users\Admin\AppData\Local\Temp\ce1e85598b8298ba2faf14398bd2fc77.exe
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:2600
- - C:\Windows\SysWOW64\gbvgbv13.exe
    C:\Windows\system32\gbvgbv13.exe C:\Windows\system32\dbr99006.ocx pfjieaoidjglkajd
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3032
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:2544

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\dbr13025.ocx

Filesize
37KB

MD5
bb385289edfaa398c5eb77ded43dd029

SHA1
a88d9e8cc94ac916a472904d786f5ef9d2c60d38

SHA256
07e59931d2868bcc7b7eb571a73223e40a4058d5a24284f7315028ad9a343309

SHA512
0ab3b155328a48bbe19a6dd7669066ccb0f2bae4b09d6813f7681eb04de059709dd9aa3ee50f161c25c41c0ebc0501953d166b1b0cf4d5a1063eeb41e864c870

Download Submit
C:\Windows\SysWOW64\dbr99006.ocx

Filesize
8KB

MD5
4dbe3f485090d535cff13f8733c3b329

SHA1
94e15422a7089cef9bd34676662ccc2aa4b44822

SHA256
34f9334ba7f3b4b5b78beb34db88b5e49de3395a32e8bd57a19f0babf665f7e7

SHA512
a2cb3768ba463cc6519f362a831c061a0ce512fb16a71a2e58f0f9eb88966640169d336c679c35f9fad4fc1eca2d0d2210e351e8345e9a44a6f530a41827386b

Download Submit
C:\Windows\fonts\dbr13025.ttf

Filesize
412B

MD5
e4c64ea019479483f9b108d99f9b33d4

SHA1
2a9879c0e1b8ca3f09b617c64b5e787e1dc48dd5

SHA256
8e85db5b3c3230e6a7268a970263acbd11a2ed4b2a301c6584a0840dd8e90ea4

SHA512
9bb92cdb811e8dce46de6bf491499c972415544f9325f3b8261e1e404b5bdec84d0a57063bc9e1a545afe7e1485a32c4a663ea6da4aa536e453dd3103697e521

Download Submit
\Windows\SysWOW64\gbvgbv13.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
memory/1268-7-0x0000000002B70000-0x0000000002B71000-memory.dmp

Filesize
4KB

Download
memory/1768-17-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1768-0-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2600-20-0x0000000010000000-0x000000001000E000-memory.dmp

Filesize
56KB

Download
memory/2600-28-0x0000000000090000-0x0000000000096000-memory.dmp

Filesize
24KB

Download
memory/2600-31-0x0000000000090000-0x0000000000096000-memory.dmp

Filesize
24KB

Download
memory/2600-32-0x0000000000090000-0x0000000000096000-memory.dmp

Filesize
24KB

Download
memory/3032-23-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/3032-24-0x0000000000100000-0x000000000010E000-memory.dmp

Filesize
56KB

Download
memory/3032-33-0x0000000000100000-0x000000000010E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing