Analysis

max time kernel:  139s
max time network: 118s
platform:         windows7_x64
resource:         win7-20231129-en
resource tags:    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted:        22-12-2023 16:33

Static task:      static1
Behavioral task:  behavioral1
Sample:           f31c9ea6eaecfbc1d3581dd755a4944f.dll
Resource:         win7-20231129-en
General

Target:  f31c9ea6eaecfbc1d3581dd755a4944f.dll
Size:    2.3MB
MD5:     f31c9ea6eaecfbc1d3581dd755a4944f
SHA1:    94d3949951aa11a15bb76f8186612568117086ea
SHA256:  c52b166abcd2b1f2055342f5e28d79527a621c723f52a0a2b0ea9e55d3e46136
SHA512:  3036a7c406a530486e7b26d1499103bca0fcd14769856b5bd0aa1a983e07004d4301d5e7b2b8b78936e67d5099dac66e4887dce3cec6ce4a89688f381f372c5a
SSDEEP:  12288:/VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1cNeu:2fP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures

YARA match in process memory
  resource                                                                      yara_rule
  behavioral1/memory/1312-5-0x0000000002F10000-0x0000000002F11000-memory.dmp    dridex_stager_shellcode
  (the matched dump is a memory region of PID 1312, the process that also spawns the six children listed under WriteProcessMemory below)

Executes dropped EXE (3 IoCs)
  pid   Process
  2468  shrpubw.exe
  1880  sethc.exe
  1664  xpsrchvw.exe

Loads dropped DLL (7 IoCs)
  pid   Process
  1312  (image name not recorded in the report)
  2468  shrpubw.exe
  1312  (image name not recorded in the report)
  1880  sethc.exe
  1312  (image name not recorded in the report)
  1664  xpsrchvw.exe
  1312  (image name not recorded in the report)

Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc
  Set value (str)  \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Groztcac = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IEDownloadHistory\\Wq\\sethc.exe"
  (the process that set the value is not recorded in the report)
  Note: the Run value points at a sethc.exe copy under C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEDownloadHistory\Wq, a third location distinct from both the C:\Users\Admin\AppData\Local\OnV\sethc.exe copy that executed during this run (PID 1880) and the genuine C:\Windows\system32\sethc.exe. Hunting for the Local copy alone would miss the persistence artifact.

Checks whether UAC is enabled
  description        ioc                                                                                    Process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   shrpubw.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   sethc.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   xpsrchvw.exe
  (a read of EnableLUA is common in benign software too; it is notable here only because it is performed by copies of system binaries running from AppData)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  1044  regsvr32.exe  (3 entries)
  1312  (image name not recorded in the report; the remaining 61 entries)

Suspicious use of WriteProcessMemory (18 IoCs)
  description                        pid   procid_target
  PID 1312 wrote to memory of 2688   1312  29   (3 entries)
  PID 1312 wrote to memory of 2468   1312  28   (3 entries)
  PID 1312 wrote to memory of 2996   1312  31   (3 entries)
  PID 1312 wrote to memory of 1880   1312  30   (3 entries)
  PID 1312 wrote to memory of 1656   1312  33   (3 entries)
  PID 1312 wrote to memory of 1664   1312  32   (3 entries)
  Note: every target PID is one of the six shrpubw.exe / sethc.exe / xpsrchvw.exe processes in the process tree below, i.e. the same PID 1312 wrote into both the System32 originals and the copies it dropped under AppData\Local, which points at 1312 as their common parent. The report does not record 1312's image name.

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Windows\system32\regsvr32.exe
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\f31c9ea6eaecfbc1d3581dd755a4944f.dll
  PID: 1044
  - Suspicious behavior: EnumeratesProcesses

C:\Users\Admin\AppData\Local\7LX8P8\shrpubw.exe
  Command line: C:\Users\Admin\AppData\Local\7LX8P8\shrpubw.exe
  PID: 2468
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

C:\Windows\system32\shrpubw.exe
  Command line: C:\Windows\system32\shrpubw.exe
  PID: 2688

C:\Users\Admin\AppData\Local\OnV\sethc.exe
  Command line: C:\Users\Admin\AppData\Local\OnV\sethc.exe
  PID: 1880
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

C:\Windows\system32\sethc.exe
  Command line: C:\Windows\system32\sethc.exe
  PID: 2996

C:\Users\Admin\AppData\Local\u8J7mTo\xpsrchvw.exe
  Command line: C:\Users\Admin\AppData\Local\u8J7mTo\xpsrchvw.exe
  PID: 1664
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

C:\Windows\system32\xpsrchvw.exe
  Command line: C:\Windows\system32\xpsrchvw.exe
  PID: 1656