Analysis
- max time kernel: 150s
- max time network: 32s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 10-03-2023 11:30
Static task: static1
Behavioral task: behavioral1
Sample: 6712500bb0de148a99ec940160d3d61850e2ce3803adca8f39e9fa8621b8ea6f.dll
Resource: win7-20230220-en
General
- Target: 6712500bb0de148a99ec940160d3d61850e2ce3803adca8f39e9fa8621b8ea6f.dll
- Size: 1.0MB
- MD5: 369638ac700f3c41ebaba447d4048ff8
- SHA1: 6c50a1abf9dc992e74a73279d40fb1a09368cdfe
- SHA256: 6712500bb0de148a99ec940160d3d61850e2ce3803adca8f39e9fa8621b8ea6f
- SHA512: 5f7a1913e83cd443a3339af0a52c04a4de17c67be480646d9bb02c984196a0a1ec3d7419ee88ca12d219af927aad1859c47372e08ba6a7a35ad956d5dc4ce7f5
- SSDEEP: 12288:ClORVEAueQmTmQKO2nMlqVaSEwzH7YxiCyJ86azEZy1f11pNxWOLPa:GORVEVNmaDznMlqVNE27dJ8J2inNxn
Malware Config
Signatures
- Processes (resource / yara_rule):
  behavioral1/memory/1372-59-0x0000000002690000-0x0000000002691000-memory.dmp  dridex_stager_shellcode
- Executes dropped EXE (2 IoCs)
  Processes (pid / process):
  924  sigverif.exe
  1092  SystemPropertiesAdvanced.exe
- Loads dropped DLL (4 IoCs)
  Processes (pid / process):
  1372  (no process name recorded)
  924  sigverif.exe
  1372  (no process name recorded)
  1092  SystemPropertiesAdvanced.exe
- Checks whether UAC is enabled
  Processes (description / ioc / process):
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  sigverif.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  SystemPropertiesAdvanced.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid / process):
  1888  rundll32.exe (3 entries)
  1372  (no process name recorded; accounts for the remaining entries)
  924  sigverif.exe (2 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes (pid / process):
  1372  (no process name recorded)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / target process):
  PID 1372 wrote to memory of 572  1372  sigverif.exe (3 entries)
  PID 1372 wrote to memory of 924  1372  sigverif.exe (3 entries)
  PID 1372 wrote to memory of 2028  1372  SystemPropertiesAdvanced.exe (3 entries)
  PID 1372 wrote to memory of 1092  1372  SystemPropertiesAdvanced.exe (3 entries)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- Image: C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6712500bb0de148a99ec940160d3d61850e2ce3803adca8f39e9fa8621b8ea6f.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- Image: C:\Users\Admin\AppData\Local\Ad6ASuN\sigverif.exe
  Command line: C:\Users\Admin\AppData\Local\Ad6ASuN\sigverif.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- Image: C:\Windows\system32\sigverif.exe
  Command line: C:\Windows\system32\sigverif.exe
- Image: C:\Windows\system32\SystemPropertiesAdvanced.exe
  Command line: C:\Windows\system32\SystemPropertiesAdvanced.exe
- Image: C:\Users\Admin\AppData\Local\Yktf0\SystemPropertiesAdvanced.exe
  Command line: C:\Users\Admin\AppData\Local\Yktf0\SystemPropertiesAdvanced.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Ad6ASuN\VERSION.dll
  Filesize: 1.0MB
  MD5: 804d57c536f8e0301766a277c441ad89
  SHA1: 002052a1b1f5a191a718d55e92d6ec3f697b4d14
  SHA256: 9c102443609540fdb537cb7b15ce30a5c74c7270a3396eb16265bef71aa5681b
  SHA512: 6c2b08bd7c5b8fd47b0b3d66c424bf9babd4d612024d72bb2e9115aa80b2754a93ebeb2fb5606f95512c28f1244ad72497ba963d9e5349d4e43adf885525f7b2
- C:\Users\Admin\AppData\Local\Ad6ASuN\sigverif.exe
  Filesize: 73KB
  MD5: e8e95ae5534553fc055051cee99a7f55
  SHA1: 4e0f668849fd546edd083d5981ed685d02a68df4
  SHA256: 9e107fd99892d08b15c223ac17c49af75a4cbca41b5e939bb91c9dca9f0d0bec
  SHA512: 5d3c32d136a264b6d2cfba4602e4d8f75e55ba0e199e0e81d7a515c34d8b9237db29647c10ab79081173010ff8e2c6a59b652c0a9cfa796433aed2d200f02da6
- C:\Users\Admin\AppData\Local\Yktf0\SYSDM.CPL
  Filesize: 1.0MB
  MD5: a8d366cef8f860c0033bdc8290188dd3
  SHA1: dc19361ee49471c45d3a358904738d1f56c2f1b3
  SHA256: 123b12985f928a65036a5b154928f222c790e9202580e120f6581f5c8ffaffa6
  SHA512: e851fd28e757a408c344f98c5352f7457403d9b465f3013a224f23ecab049d538ab0c1284fc7452e2701c68a4e1f9b84f5fffc25aa74573656459dbf9ab62ae4
- C:\Users\Admin\AppData\Local\Yktf0\SystemPropertiesAdvanced.exe
  Filesize: 80KB
  MD5: 25dc1e599591871c074a68708206e734
  SHA1: 27a9dffa92d979d39c07d889fada536c062dac77
  SHA256: a13b2ba5892c11c731869410b1e3dd2f250d70ff9efd513a9f260ab506dd42ef
  SHA512: f7da9ce4c3e8aea9095fcc977084c042f85df48fca0b58fb136dfd835ce69b5b1e68f3c11eeb14c617ffcec7011ffc7e5d5a948f49dde653a2348b28e10adb72
- memory/924-104-0x000007FEFB460000-0x000007FEFB565000-memory.dmp (Filesize: 1.0MB)
- memory/924-101-0x0000000000100000-0x0000000000107000-memory.dmp (Filesize: 28KB)
- memory/924-98-0x000007FEFB460000-0x000007FEFB565000-memory.dmp (Filesize: 1.0MB)
- memory/1092-116-0x000007FEF6C70000-0x000007FEF6D75000-memory.dmp (Filesize: 1.0MB)
- memory/1092-119-0x00000000001E0000-0x00000000001E7000-memory.dmp (Filesize: 28KB)
- memory/1092-122-0x000007FEF6C70000-0x000007FEF6D75000-memory.dmp (Filesize: 1.0MB)
- memory/1372-67-0x0000000140000000-0x0000000140105000-memory.dmp (Filesize: 1.0MB)
- memory/1372-73-0x0000000002200000-0x0000000002207000-memory.dmp (Filesize: 28KB)
- memory/1372-86-0x0000000140000000-0x0000000140105000-memory.dmp (Filesize: 1.0MB)
- memory/1372-80-0x0000000140000000-0x0000000140105000-memory.dmp (Filesize: 1.0MB)
- memory/1372-79-0x0000000077950000-0x0000000077952000-memory.dmp (Filesize: 8KB)
- memory/1372-76-0x0000000140000000-0x0000000140105000-memory.dmp (Filesize: 1.0MB)
- memory/1372-63-0x0000000140000000-0x0000000140105000-memory.dmp (Filesize: 1.0MB)
- memory/1372-64-0x0000000140000000-0x0000000140105000-memory.dmp (Filesize: 1.0MB)
- memory/1372-66-0x0000000140000000-0x0000000140105000-memory.dmp (Filesize: 1.0MB)
- memory/1372-89-0x0000000140000000-0x0000000140105000-memory.dmp (Filesize: 1.0MB)
- memory/1372-59-0x0000000002690000-0x0000000002691000-memory.dmp (Filesize: 4KB)
- memory/1372-69-0x0000000140000000-0x0000000140105000-memory.dmp (Filesize: 1.0MB)
- memory/1372-68-0x0000000140000000-0x0000000140105000-memory.dmp (Filesize: 1.0MB)
- memory/1372-65-0x0000000140000000-0x0000000140105000-memory.dmp (Filesize: 1.0MB)
- memory/1372-61-0x0000000140000000-0x0000000140105000-memory.dmp (Filesize: 1.0MB)
- memory/1888-54-0x000007FEFB350000-0x000007FEFB455000-memory.dmp (Filesize: 1.0MB)
- memory/1888-58-0x000007FEFB350000-0x000007FEFB455000-memory.dmp (Filesize: 1.0MB)
- memory/1888-57-0x0000000000220000-0x0000000000227000-memory.dmp (Filesize: 28KB)