Analysis
- max time kernel: 155s
- max time network: 127s
- platform: windows10_x64
- resource: win10-en-20211104
- submitted: 26-11-2021 09:32

Static task: static1
Behavioral task: behavioral1
Sample: 3e01cc84e691f32494b07ecb3468cbb5d9c085488fe0a5b8110f80071fcaf180.dll
Resource: win7-en-20211014
General
- Target: 3e01cc84e691f32494b07ecb3468cbb5d9c085488fe0a5b8110f80071fcaf180.dll
- Size: 1.2MB
- MD5: 93c7117d555fe4e4790b02958ddcee41
- SHA1: d7eaacfdc572f9bcdb295eae11881fffe72b0a43
- SHA256: 3e01cc84e691f32494b07ecb3468cbb5d9c085488fe0a5b8110f80071fcaf180
- SHA512: 9cd85e1eebbed1adfd5f56a9b72dd719f506b7dfbba798581776b1a310d8bd140441c345006d4792467616cb7b4c94ada7689bf3e10de72dac9a1bac1047226c
Malware Config
Signatures
- Yara rule match
  Resource: behavioral2/memory/3024-125-0x0000000001340000-0x0000000001341000-memory.dmp
  Rule: dridex_stager_shellcode
- Executes dropped EXE (3 IoCs)
  pid 872: psr.exe
  pid 388: Magnify.exe
  pid 2396: SystemPropertiesComputerName.exe
- Loads dropped DLL (3 IoCs)
  pid 872: psr.exe
  pid 388: Magnify.exe
  pid 2396: SystemPropertiesComputerName.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ziekmjidk = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\UProof\\t2Qz\\Magnify.exe"
- Checks whether UAC is enabled
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (psr.exe)
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (Magnify.exe)
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (SystemPropertiesComputerName.exe)
- Modifies registry class (2 IoCs)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
  Key created: \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 3024
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  Token: SeShutdownPrivilege (pid 3024)
  Token: SeCreatePagefilePrivilege (pid 3024)
  Token: SeShutdownPrivilege (pid 3024)
  Token: SeCreatePagefilePrivilege (pid 3024)
  Token: SeShutdownPrivilege (pid 3024)
  Token: SeCreatePagefilePrivilege (pid 3024)
  Token: SeShutdownPrivilege (pid 3024)
  Token: SeCreatePagefilePrivilege (pid 3024)
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 3024 wrote to memory of 376 (pid 3024, target process: psr.exe)
  PID 3024 wrote to memory of 376 (pid 3024, target process: psr.exe)
  PID 3024 wrote to memory of 872 (pid 3024, target process: psr.exe)
  PID 3024 wrote to memory of 872 (pid 3024, target process: psr.exe)
  PID 3024 wrote to memory of 3304 (pid 3024, target process: Magnify.exe)
  PID 3024 wrote to memory of 3304 (pid 3024, target process: Magnify.exe)
  PID 3024 wrote to memory of 388 (pid 3024, target process: Magnify.exe)
  PID 3024 wrote to memory of 388 (pid 3024, target process: Magnify.exe)
  PID 3024 wrote to memory of 3188 (pid 3024, target process: SystemPropertiesComputerName.exe)
  PID 3024 wrote to memory of 3188 (pid 3024, target process: SystemPropertiesComputerName.exe)
  PID 3024 wrote to memory of 2396 (pid 3024, target process: SystemPropertiesComputerName.exe)
  PID 3024 wrote to memory of 2396 (pid 3024, target process: SystemPropertiesComputerName.exe)
Processes
- C:\Windows\system32\regsvr32.exe
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\3e01cc84e691f32494b07ecb3468cbb5d9c085488fe0a5b8110f80071fcaf180.dll
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\psr.exe
  Command line: C:\Windows\system32\psr.exe
- C:\Users\Admin\AppData\Local\G6zs3\psr.exe
  Command line: C:\Users\Admin\AppData\Local\G6zs3\psr.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\Magnify.exe
  Command line: C:\Windows\system32\Magnify.exe
- C:\Users\Admin\AppData\Local\SRqb\Magnify.exe
  Command line: C:\Users\Admin\AppData\Local\SRqb\Magnify.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\SystemPropertiesComputerName.exe
  Command line: C:\Windows\system32\SystemPropertiesComputerName.exe
- C:\Users\Admin\AppData\Local\nfyi\SystemPropertiesComputerName.exe
  Command line: C:\Users\Admin\AppData\Local\nfyi\SystemPropertiesComputerName.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\G6zs3\XmlLite.dll
  MD5: 7c998611b3befed5882bf18a7d83b89f
  SHA1: 2c16ae5e277c81bf1ed89db28d0c6595c152df84
  SHA256: 1f448d0de6e46631a038bbe3d052878b428a49a0cedc803ba2478044e19c018b
  SHA512: 9f38210bb55ceffe0bd8a5b9ce8e186fc2dc83c274cb869dcbfa6f3fffa38e21df4cd5ab2bae73fa7ec5afd741c664d7fa2d15e8e80fe2be677105866fd9e69e
- C:\Users\Admin\AppData\Local\G6zs3\psr.exe
  MD5: 264a61b365dd314f3c82d1efba60fe17
  SHA1: 9a778a13f5e85d7c5bf2e21ceb398ae0a4300ffa
  SHA256: 880fafbd4087442964a7780331a0e8dd43b78e2106e9df545f0432d4aa15ce93
  SHA512: 9b26021b49ed0f8cfb05d9c8f5e0cec7beaebe9ee14acfc3237cec1255bb9e6a4f5f7a6b902f3d561bbbac7489f64e5a39f498261eef7e93178be97f9cc15e3c
- C:\Users\Admin\AppData\Local\SRqb\DUI70.dll
  MD5: ea382dbff2b82303573d3202aef27e6f
  SHA1: f037860f1295395ea6426581017d6524bd5348d4
  SHA256: 0c31073f7770365c1a423311089e35b07a62bca14fe137c557c2c6aff2a0b34f
  SHA512: 7a6d921a48a5652a6aa2d5012a2db349ad938414c7bfc155d6b3e920c03c92bf87a4bda3f5119a199177372487c885f91ba9e92fbac80b2bcb5f130ccc326b47
- C:\Users\Admin\AppData\Local\SRqb\Magnify.exe
  MD5: 0c3925b9a284f0dd02571d0d2bca19ee
  SHA1: a73451bb2ddd09397cb7737d36a75c0cdfdf9d51
  SHA256: 41e91d736995628275261aa1adb14158e0783b36c913ef5fc681da105a4272cc
  SHA512: db02a3211b1b2cf7b10cd70148404106be6cb4a63c7c0c0526256f983c3ad756c157a67848173208e7c0d88a8f34b73c42d37b24f5cc1f9da66731731a534a72
- C:\Users\Admin\AppData\Local\nfyi\SYSDM.CPL
  MD5: 1123f9cbd30301f28e5cf8ca8e7a8480
  SHA1: a6f8c9827e609762632f26b6243333c92104347b
  SHA256: 4fb58d3f0bf1e09d8af8c81708bbbf2b4488c633276abc0e679c208c091e02e4
  SHA512: 35abd3090f4e4941908b0bc991b62441e9ba9e0faf2f1eee6e540313752d8ff6aa750d7f1ebca2967682d40786dcda363ea3bb11c3bd7327f51bd11b60014070
- C:\Users\Admin\AppData\Local\nfyi\SystemPropertiesComputerName.exe
  MD5: d2d62d055f517f71b0fd9a649727ff6c
  SHA1: 43f627215d57e0396ad74e9b0ed4bd29f60fca33
  SHA256: 222d3d4f7c8f64beb0a0007120b4411c2040c50e1d376420228151bdd230fe7d
  SHA512: f46e02a465425a148fcd4be5fda0889c412eeab4c50abf9874b3ee02af83c96403167c99aa57961e1c631a5a7a5070e8a1c363688581ff83ed176b4206564cd0