Analysis

max time kernel: 149s
max time network: 118s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 22-12-2023 15:47

Static task: static1
Behavioral task: behavioral1
Sample: e06bc9c34016a67b0d3a56913db15515.dll
Resource: win7-20231129-en
General

Target: e06bc9c34016a67b0d3a56913db15515.dll
Size: 2.1MB
MD5: e06bc9c34016a67b0d3a56913db15515
SHA1: b6b8a5ac1eb6952a7d92c37b4b9c38745796b1f5
SHA256: 9defa598e8384355655dd2fcba9e94f1bfbb4fc1d14d4f43cef7ce3173cc8736
SHA512: 79c4dcb7ff48c177ceba1d84946fde02ec9a122bccdff124fd2092d4b063837ba97f43ca49d4f43dc9c47e2ffba730a26bdca8cdfebedcfba03a5d7ab85bc313
SSDEEP: 12288:2VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:rfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures

YARA rule match
resource: behavioral1/memory/1352-5-0x0000000002D60000-0x0000000002D61000-memory.dmp
yara_rule: dridex_stager_shellcode

Executes dropped EXE  3 IoCs
pid   Process
2532  shrpubw.exe
2520  tcmsetup.exe
1864  perfmon.exe

Loads dropped DLL  7 IoCs
pid   Process
1352
2532  shrpubw.exe
1352
2520  tcmsetup.exe
1352
1864  perfmon.exe
1352

Adds Run key to start application  2 TTPs  1 IoCs
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mjgqrtoi = "C:\\Users\\Admin\\AppData\\Roaming\\Identities\\{85F2D219-4DA8-41B0-8F71-51D9FDB705AC}\\yX\\tcmsetup.exe"

Checks whether UAC is enabled
description        ioc                                                                                    Process
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  shrpubw.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  tcmsetup.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  perfmon.exe

Suspicious behavior: EnumeratesProcesses  64 IoCs
pid   Process
2752  rundll32.exe  (3 entries)
1352  (no process name listed; 61 entries)

Suspicious use of WriteProcessMemory  18 IoCs
description                       pid   procid_target
PID 1352 wrote to memory of 2492  1352  28
PID 1352 wrote to memory of 2492  1352  28
PID 1352 wrote to memory of 2492  1352  28
PID 1352 wrote to memory of 2532  1352  29
PID 1352 wrote to memory of 2532  1352  29
PID 1352 wrote to memory of 2532  1352  29
PID 1352 wrote to memory of 2772  1352  31
PID 1352 wrote to memory of 2772  1352  31
PID 1352 wrote to memory of 2772  1352  31
PID 1352 wrote to memory of 2520  1352  30
PID 1352 wrote to memory of 2520  1352  30
PID 1352 wrote to memory of 2520  1352  30
PID 1352 wrote to memory of 2172  1352  33
PID 1352 wrote to memory of 2172  1352  33
PID 1352 wrote to memory of 2172  1352  33
PID 1352 wrote to memory of 1864  1352  32
PID 1352 wrote to memory of 1864  1352  32
PID 1352 wrote to memory of 1864  1352  32
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\e06bc9c34016a67b0d3a56913db15515.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID:2752

C:\Windows\system32\shrpubw.exe
  C:\Windows\system32\shrpubw.exe
  PID:2492

C:\Users\Admin\AppData\Local\pcHqTgC5\shrpubw.exe
  C:\Users\Admin\AppData\Local\pcHqTgC5\shrpubw.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID:2532

C:\Users\Admin\AppData\Local\cQ1Qu7zw\tcmsetup.exe
  C:\Users\Admin\AppData\Local\cQ1Qu7zw\tcmsetup.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID:2520

C:\Windows\system32\tcmsetup.exe
  C:\Windows\system32\tcmsetup.exe
  PID:2772

C:\Users\Admin\AppData\Local\QlG\perfmon.exe
  C:\Users\Admin\AppData\Local\QlG\perfmon.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID:1864

C:\Windows\system32\perfmon.exe
  C:\Windows\system32\perfmon.exe
  PID:2172
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 30KB
MD5: 9a8b33a16eece2090094f7f06c7f3def
SHA1: 94a7c772e20a502c2a28ac4ca14c344ff5b1b404
SHA256: f550b841b79dbda3025134baf8df84ee452c21527a44ef4e5b48ba07ae2c5b14
SHA512: eb670ea68a5ce9d0ec94aa55e2bd81a8f56f5e79d6b904939d33b1e4aff1851d71befdc4c718194c5b0d7fb7a7cb3e93128a026f1033870bb644f0d50f38ecf3

Filesize: 124KB
MD5: de52fa31c439d86a2687b8254e816cbf
SHA1: 6b0765a28aaf48ba54c80a68fa6c37043a847e6e
SHA256: d6a7e8fe85e67697f65271e6c19f3b77df0d7555bc44b3ec9319672bd4dcf021
SHA512: 8a43704ef37a2a3018316531856101900abd40cbaaa36397a31ccefc34a02188d7b4ffbadc129a6739b05408ef236762af2845c88b81e60c0741f369176fde46

Filesize: 11KB
MD5: 4c31a16a7973693fb4e5873c36c77216
SHA1: 5bbef481a1dda8817bd720a5c3727d0ed5894870
SHA256: 4066d341d072c4b11c2fea12fe4f828b375631223db790647794e84fe114ee6c
SHA512: 1acec6fde95eea48d2bb84f2de0cddb13fba5df69961257cff38233a5dc18cdd050381069e2a7e395b95a24d7fca87fd2794bcd9ab8a81be4f56811c8e3bd529