Analysis

max time kernel: 146s
max time network: 118s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 22-12-2023 16:11

Static task: static1
Behavioral task: behavioral1
Sample: eac2738515d0292a80e97bdd871ae3f8.dll
Resource: win7-20231129-en
General

Target: eac2738515d0292a80e97bdd871ae3f8.dll
Size: 1.4MB
MD5: eac2738515d0292a80e97bdd871ae3f8
SHA1: bd8ef231bfeb6635d869210f39b36f77b691c9e6
SHA256: 96761af2af2e82740682729fe36feb508fc90cdc60771957e4583f853a873709
SHA512: c7033b905fd46d55c0dac1629905196c5c09d933957ac5ec13f496397b5a55fdb07a0821d93c394cc0f4b58b8af092ee54388552a7f8c58eb36b91c6083c8711
SSDEEP: 12288:2VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:rfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures

Processes:
resource:  behavioral1/memory/1360-5-0x00000000025B0000-0x00000000025B1000-memory.dmp
yara_rule: dridex_stager_shellcode
Executes dropped EXE 3 IoCs
Processes:
pid   Process
2620  msinfo32.exe
2152  calc.exe
2756  cmstp.exe
Loads dropped DLL 7 IoCs
Processes:
pid   Process
1360  (process name not recorded)
2620  msinfo32.exe
1360  (process name not recorded)
2152  calc.exe
1360  (process name not recorded)
2756  cmstp.exe
1360  (process name not recorded)
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Groztcac = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\8fjLlLS\\calc.exe"
Process: (not recorded)
Checks whether UAC is enabled
Processes:
description        | ioc                                                                                    | Process
Key value queried  | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  | rundll32.exe
Key value queried  | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  | msinfo32.exe
Key value queried  | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  | calc.exe
Key value queried  | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  | cmstp.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid   Process
1764  rundll32.exe (logged 3 times)
1360  (process name not recorded; logged for all remaining entries)
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
description                        | pid   | Process | procid_target
PID 1360 wrote to memory of 2812   | 1360  |         | 28   (logged 3 times)
PID 1360 wrote to memory of 2620   | 1360  |         | 29   (logged 3 times)
PID 1360 wrote to memory of 2120   | 1360  |         | 31   (logged 3 times)
PID 1360 wrote to memory of 2152   | 1360  |         | 30   (logged 3 times)
PID 1360 wrote to memory of 1960   | 1360  |         | 33   (logged 3 times)
PID 1360 wrote to memory of 2756   | 1360  |         | 32   (logged 3 times)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\eac2738515d0292a80e97bdd871ae3f8.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 1764

C:\Windows\system32\msinfo32.exe
  Command line: C:\Windows\system32\msinfo32.exe
  PID: 2812

C:\Users\Admin\AppData\Local\cM1j4\msinfo32.exe
  Command line: C:\Users\Admin\AppData\Local\cM1j4\msinfo32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2620

C:\Users\Admin\AppData\Local\BoH\calc.exe
  Command line: C:\Users\Admin\AppData\Local\BoH\calc.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2152

C:\Windows\system32\calc.exe
  Command line: C:\Windows\system32\calc.exe
  PID: 2120

C:\Users\Admin\AppData\Local\qeTlzB\cmstp.exe
  Command line: C:\Users\Admin\AppData\Local\qeTlzB\cmstp.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2756

C:\Windows\system32\cmstp.exe
  Command line: C:\Windows\system32\cmstp.exe
  PID: 1960
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1024KB
MD5: 3a5e21b46e1772eccc1be463ecef31ef
SHA1: 4a4d196683a88cb966b9eb6a3e429a4849a5b2b2
SHA256: 9197b03a1d002005ba8fa73b05a0efdd46fdc0910eedc15c9b4fb1c8ed96a7b3
SHA512: c96962b4401baed60ff48ded1588fe7f323c8cd508544261403e697a6bb9656acd56f98fb209262e75881d8072bd01721c0e51f8535d91b511ebc9ddc3cb6bc8

Filesize: 1.4MB
MD5: 1c7d843e641a9de9a7141569c55f5969
SHA1: 43e5a3bea21e6dabb4617bf0276f2feb51282261
SHA256: 1147e8241f901954a6515e9304cd00b64c942244971c54caeddba9727ffb2129
SHA512: d7977347b33cdef1bd93623281397c5c0be6d0b0e3ce70891e594d358ca38cef0179685048527bab54e7eef98ec4a634f21b4426d2334a33fa8722dffce87bcb