Analysis
- max time kernel: 162s
- max time network: 145s
- platform: windows10_x64
- resource: win10-en-20211104
- submitted: 26-11-2021 09:26

Static task: static1
Behavioral task: behavioral1
Sample: 114c890f736efbfef6a5d5bfe69d10f3b98b5cf919b25536bff9dd7ba2738fc6.dll
Resource: win7-en-20211014

General
- Target: 114c890f736efbfef6a5d5bfe69d10f3b98b5cf919b25536bff9dd7ba2738fc6.dll
- Size: 1.5MB
- MD5: 32f0105f83bb61e4fd688219dca080c0
- SHA1: 4de49a52dd511040dc5d36703966d6b0fe9075a7
- SHA256: 114c890f736efbfef6a5d5bfe69d10f3b98b5cf919b25536bff9dd7ba2738fc6
- SHA512: 28556df31e2299904d61ddb80b3ef334c23a40f16bca1f0cfb395c4fe472dfe9ea37d978e44c2d2443f75e77870a4d88ccc197bd1e54462e89c44de7e733e6ec
Malware Config
Signatures
Processes:
  resource                                                                      yara_rule
  behavioral2/memory/3044-125-0x0000000000620000-0x0000000000621000-memory.dmp  dridex_stager_shellcode
Executes dropped EXE (3 IoCs)
Processes:
  pid   process
  4484  ApplySettingsTemplateCatalog.exe
  4456  msconfig.exe
  900   InfDefaultInstall.exe
Loads dropped DLL (3 IoCs)
Processes:
  pid   process
  4484  ApplySettingsTemplateCatalog.exe
  4456  msconfig.exe
  900   InfDefaultInstall.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description      ioc
  Set value (str)  \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ziekmjidk = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\NETWOR~1\\Zq\\msconfig.exe"
  (process column not recorded in the report)
Checks whether UAC is enabled
Processes:
  description        ioc                                                                                process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  ApplySettingsTemplateCatalog.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  msconfig.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  InfDefaultInstall.exe
Modifies registry class (2 IoCs)
Processes:
  description  ioc
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
  Key created  \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  pid   process                           occurrences
  4016  rundll32.exe                      4
  3044  (process name not recorded)       46
  4484  ApplySettingsTemplateCatalog.exe  2
  3044  (process name not recorded)       12
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  pid   process
  3044  (process name not recorded)
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description                       pid   process                      target process
  PID 3044 wrote to memory of 4424  3044  (not recorded)               ApplySettingsTemplateCatalog.exe
  PID 3044 wrote to memory of 4424  3044  (not recorded)               ApplySettingsTemplateCatalog.exe
  PID 3044 wrote to memory of 4484  3044  (not recorded)               ApplySettingsTemplateCatalog.exe
  PID 3044 wrote to memory of 4484  3044  (not recorded)               ApplySettingsTemplateCatalog.exe
  PID 3044 wrote to memory of 4308  3044  (not recorded)               msconfig.exe
  PID 3044 wrote to memory of 4308  3044  (not recorded)               msconfig.exe
  PID 3044 wrote to memory of 4456  3044  (not recorded)               msconfig.exe
  PID 3044 wrote to memory of 4456  3044  (not recorded)               msconfig.exe
  PID 3044 wrote to memory of 856   3044  (not recorded)               InfDefaultInstall.exe
  PID 3044 wrote to memory of 856   3044  (not recorded)               InfDefaultInstall.exe
  PID 3044 wrote to memory of 900   3044  (not recorded)               InfDefaultInstall.exe
  PID 3044 wrote to memory of 900   3044  (not recorded)               InfDefaultInstall.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\114c890f736efbfef6a5d5bfe69d10f3b98b5cf919b25536bff9dd7ba2738fc6.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 4016
- C:\Windows\system32\ApplySettingsTemplateCatalog.exe
  Command line: C:\Windows\system32\ApplySettingsTemplateCatalog.exe
  PID: 4424
- C:\Users\Admin\AppData\Local\qJsNcyoy\ApplySettingsTemplateCatalog.exe
  Command line: C:\Users\Admin\AppData\Local\qJsNcyoy\ApplySettingsTemplateCatalog.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 4484
- C:\Windows\system32\msconfig.exe
  Command line: C:\Windows\system32\msconfig.exe
  PID: 4308
- C:\Users\Admin\AppData\Local\RB1\msconfig.exe
  Command line: C:\Users\Admin\AppData\Local\RB1\msconfig.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 4456
- C:\Windows\system32\InfDefaultInstall.exe
  Command line: C:\Windows\system32\InfDefaultInstall.exe
  PID: 856
- C:\Users\Admin\AppData\Local\gzy1envO\InfDefaultInstall.exe
  Command line: C:\Users\Admin\AppData\Local\gzy1envO\InfDefaultInstall.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 900
Network
MITRE ATT&CK Enterprise v6
Downloads