Analysis

max time kernel: 150s
max time network: 122s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 22-12-2023 16:27

Static task: static1
Behavioral task: behavioral1
Sample: efedcd108046b223d56049091b408298.dll
Resource: win7-20231215-en
General

Target: efedcd108046b223d56049091b408298.dll
Size: 1.5MB
MD5: efedcd108046b223d56049091b408298
SHA1: b0c68d9918ab0bfc3b2a165eafb67a5dc5de9d35
SHA256: 1f4c47d15d65d51f2b6dd680a7318d3639e0cfbcad702ba30e93a4a301d1ac06
SHA512: 682aa16df911870f710d7468cd87af0885572a043209797d0d092316811644e194187fdcb523502f79d30d85fa959be955eb8072e2815130f5b596d96f540f10
SSDEEP: 12288:iVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:/fP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config

Signatures

YARA rule match
resource: behavioral1/memory/1264-5-0x0000000002B30000-0x0000000002B31000-memory.dmp
yara_rule: dridex_stager_shellcode
Executes dropped EXE 3 IoCs
pid   Process
1160  rrinstaller.exe
2992  StikyNot.exe
1764  DWWIN.EXE
Loads dropped DLL 7 IoCs
pid   Process
1264  (no process name recorded)
1160  rrinstaller.exe
1264  (no process name recorded)
2992  StikyNot.exe
1264  (no process name recorded)
1764  DWWIN.EXE
1264  (no process name recorded)
Adds Run key to start application 2 TTPs 1 IoCs
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\Niubkzso = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\FLASHP~1\\ASSETC~1\\bMv4n1\\StikyNot.exe"
Process: (not recorded)
Note that the value data uses 8.3 short names (FLASHP~1, ASSETC~1) for the directories under %APPDATA%\Adobe, so a detection that matches on the long directory names will not match this string; compare the basename (StikyNot.exe, a Windows binary relocated under AppData) and the ~N components instead.
Checks whether UAC is enabled 4 IoCs
description        ioc                                                                                 Process
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  DWWIN.EXE
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rrinstaller.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  StikyNot.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid   Process
2364  rundll32.exe  (3 entries)
1264  (no process name recorded; all remaining entries)
Suspicious use of WriteProcessMemory 18 IoCs
description                       pid   procid_target
PID 1264 wrote to memory of 2012  1264  28  (3 entries)
PID 1264 wrote to memory of 1160  1264  29  (3 entries)
PID 1264 wrote to memory of 2784  1264  30  (3 entries)
PID 1264 wrote to memory of 2992  1264  31  (3 entries)
PID 1264 wrote to memory of 2268  1264  32  (3 entries)
PID 1264 wrote to memory of 1764  1264  33  (3 entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\efedcd108046b223d56049091b408298.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 2364

C:\Windows\system32\rrinstaller.exe
  command line: C:\Windows\system32\rrinstaller.exe
  PID: 2012

C:\Users\Admin\AppData\Local\xNIThL\rrinstaller.exe
  command line: C:\Users\Admin\AppData\Local\xNIThL\rrinstaller.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1160

C:\Windows\system32\StikyNot.exe
  command line: C:\Windows\system32\StikyNot.exe
  PID: 2784

C:\Users\Admin\AppData\Local\KfEscQo\StikyNot.exe
  command line: C:\Users\Admin\AppData\Local\KfEscQo\StikyNot.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2992

C:\Windows\system32\DWWIN.EXE
  command line: C:\Windows\system32\DWWIN.EXE
  PID: 2268

C:\Users\Admin\AppData\Local\jXoyCGCgT\DWWIN.EXE
  command line: C:\Users\Admin\AppData\Local\jXoyCGCgT\DWWIN.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1764
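The tree above shows the loader pattern recorded in this report: each Windows binary (rrinstaller.exe, StikyNot.exe, DWWIN.EXE) is first started from System32, then a copy of it runs from a randomly named folder under %LOCALAPPDATA%, where it "Loads dropped DLL"; rundll32.exe is invoked on the sample DLL in %TEMP% by ordinal export (#1); and the Run key points at a further copy of StikyNot.exe under %APPDATA%\Adobe through an 8.3-short-name path. The hunt script below is an added example written for this page, not Tria.ge code and not part of the report. The process events and the registry line are constructed to mirror the tree and the Run-key IoC above (they are not exported telemetry), the list of known Windows binary names is seeded with only the three that appear here and then extended from whatever the log shows executing out of System32, and the user-writable path markers are an assumption a deployment would tune.

```python
"""Hunt for the side-loading and Run-key pattern shown in the process tree above.

Added example written for this page: not Tria.ge code and not part of the report.
The events and registry line below are constructed to mirror the report; they
are not exported telemetry.
"""
import ntpath
import re
from dataclasses import dataclass

# Directories a copy of a Windows binary is expected to execute from.
SYSTEM_DIRS = frozenset({r"c:\windows\system32", r"c:\windows\syswow64"})
# Path fragments that mark user-writable locations (assumed list; lower-cased, backslash-delimited).
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")
# Windows binary names seen in this report; more are learned from the log itself.
SYSTEM_IMAGE_SEED = frozenset({"rrinstaller.exe", "stikynot.exe", "dwwin.exe"})


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    image: str      # full image path
    cmdline: str


def is_system_path(path: str) -> bool:
    return ntpath.dirname(path).lower() in SYSTEM_DIRS


def is_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def find_sideload_candidates(events, seed=SYSTEM_IMAGE_SEED):
    """Return events where a known Windows binary name runs outside System32/SysWOW64.

    The loader launches the genuine binary from System32 before its relocated copy,
    so names are also learned from the log: any image executed from a system
    directory becomes a name to watch elsewhere.
    """
    names = set(seed) | {ntpath.basename(e.image).lower()
                         for e in events if is_system_path(e.image)}
    return [e for e in events
            if ntpath.basename(e.image).lower() in names and not is_system_path(e.image)]


RUNDLL32_RE = re.compile(
    r'^"?(?P<host>[^"\s]*rundll32\.exe)"?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S+)', re.I)


def rundll32_user_dll(event):
    """Flag rundll32 loading a DLL from a user-writable directory; return the DLL and export."""
    m = RUNDLL32_RE.match(event.cmdline)
    if not m or not is_user_writable(m.group("dll")):
        return None
    return {"dll": m.group("dll").strip(), "export": m.group("export")}


RUN_VALUE_RE = re.compile(
    r'^Set value \(str\) (?P<key>\\REGISTRY\\.+?\\CurrentVersion\\Run)\\(?P<name>[^\\]+) = "(?P<data>.*)"$')


def assess_run_value(line, known_images=SYSTEM_IMAGE_SEED):
    """Parse a sandbox 'Set value' line for a Run key and list why the target looks suspicious."""
    m = RUN_VALUE_RE.match(line)
    if not m:
        return None
    target = m.group("data").replace("\\\\", "\\")   # the report renders backslashes doubled
    reasons = []
    if is_user_writable(target):
        reasons.append("autostart target is under a user-writable directory")
    if re.search(r"~\d", target):
        # FLASHP~1-style components: matching on the long directory names would miss this.
        reasons.append("path uses 8.3 short names")
    if ntpath.basename(target).lower() in known_images:
        reasons.append("target is a relocated copy of a Windows binary")
    return {"name": m.group("name"), "target": target, "reasons": reasons}


# Constructed sample input mirroring the process tree and the Run-key IoC in this report.
SAMPLE_EVENTS = [
    ProcessEvent(2364, r"C:\Windows\system32\rundll32.exe",
                 r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\efedcd108046b223d56049091b408298.dll,#1"),
    ProcessEvent(2012, r"C:\Windows\system32\rrinstaller.exe", r"C:\Windows\system32\rrinstaller.exe"),
    ProcessEvent(1160, r"C:\Users\Admin\AppData\Local\xNIThL\rrinstaller.exe",
                 r"C:\Users\Admin\AppData\Local\xNIThL\rrinstaller.exe"),
    ProcessEvent(2784, r"C:\Windows\system32\StikyNot.exe", r"C:\Windows\system32\StikyNot.exe"),
    ProcessEvent(2992, r"C:\Users\Admin\AppData\Local\KfEscQo\StikyNot.exe",
                 r"C:\Users\Admin\AppData\Local\KfEscQo\StikyNot.exe"),
    ProcessEvent(2268, r"C:\Windows\system32\DWWIN.EXE", r"C:\Windows\system32\DWWIN.EXE"),
    ProcessEvent(1764, r"C:\Users\Admin\AppData\Local\jXoyCGCgT\DWWIN.EXE",
                 r"C:\Users\Admin\AppData\Local\jXoyCGCgT\DWWIN.EXE"),
]
SAMPLE_RUN_VALUE = (r'Set value (str) \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000'
                    r'\Software\Microsoft\Windows\CurrentVersion\Run\Niubkzso = '
                    r'"C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\FLASHP~1\\ASSETC~1\\bMv4n1\\StikyNot.exe"')


if __name__ == "__main__":
    for e in find_sideload_candidates(SAMPLE_EVENTS):
        print(f"side-load candidate pid={e.pid} image={e.image}")
    for e in SAMPLE_EVENTS:
        hit = rundll32_user_dll(e)
        if hit:
            print(f"rundll32 pid={e.pid} loads {hit['dll']} export {hit['export']}")
    print(assess_run_value(SAMPLE_RUN_VALUE))
```

On the report's events the script flags pids 1160, 2992 and 1764 (the AppData copies) and leaves the System32 launches alone, flags the rundll32 invocation because the DLL sits under %TEMP%, and returns three reasons for the Niubkzso Run value. Learning names from the log rather than hard-coding them matters here because the loader picks which Windows binary to relocate; the System32 launch that precedes each copy is what gives the name away.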
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 816KB
MD5: 96f5725b3f0abfa035459df34b31f995
SHA1: b21d41b41c5b2541b7aae98227bbee8311f03028
SHA256: c46e5139d8826c3b6a512d2e56c2d61c2bd9e63c932019b15f7cb5471b995a2f
SHA512: ae4a9ab9026f33d66e6611485e84e1d3be77b4ed9cbce1eb094aed6fa5a052160950675b12f11b712473ea0fd9b37739d4caf8734445ab5f13ee54a8422ee844

Filesize: 353KB
MD5: f7069cdec41e5f744ebb82db29304fbd
SHA1: 6ec6ca11d62a9a779e28df81ea8393f679917eda
SHA256: eb498493eeb3cd763cff3d7fcfcecf9be76fff5db4e0a84c413864e86f61729f
SHA512: 4e8f29ee76fa59e507fe48fb916b538580c7260d8bc9aa58b4f9d94a2487f7dcf8e18e0967f115e1d9a5bcdbcd2f677b3fbd4bbf446385314d49922b5145f424

Filesize: 371KB
MD5: b9833dcb6190910b20fca10dc3fb3d00
SHA1: 7e8844054d0f391bf28d65580ecc46e338c3f5bb
SHA256: bd87e10ab8f3aeb14dfd07ce905a6bc4cba92804027362b75a1b5b1d77e40852
SHA512: 1b57d662c78beda945bf68e4f8340b6fad23ec2722679345f4717574da21c491255d919f4d70a62f83908b6f45df395ca4ba9ce68d27106cfe6928c00003cef4

Filesize: 115KB
MD5: b089ca67f9aea4f61912323a36c4f652
SHA1: 6376236e715aff2f5ef6f352b7d5c103812ef07a
SHA256: fae1fd9b58c102477bd133d9c5cd06c1e211426e10e72791f22539510189e4e3
SHA512: 14e22372395995c2e9790fd944c2ff9f69a6c0c3d00a19fced770d8ee62e2353a33ba2537cefda913f6e48a099aa71e68eb5c007234d84ee6f45d6b49517ef19

Filesize: 76KB
MD5: f2395d6ff3b0a9243a1aff7ed14fc837
SHA1: a7aecf8d6bc354cad9519b071ffdb988650ddb73
SHA256: 4a100031b7afff96c533b23c26fe356ab117d48394ebecda8514e09ba635aff2
SHA512: 6e1d0da3b6ffe246bbc6d7b6126bcc2e04847baec482286e0b31955e69816d57d125e6acff5e3c63e255c616bc8c47a8be2c152e7a41e5d79803b6af794c930d

Filesize: 249KB
MD5: 5d7fdb9d935b6c84431f4a9e206f2d73
SHA1: 4b85ef432716e35fc556a323b2837528daa54720
SHA256: 11f4a94bce0520fe17649fc7993730284a79ed4fa45f934d05cfe25a0ab0390a
SHA512: 2e45d78943048515a86d82784c3d54a8822c53d9ee68d0bd703fbff6cb956e4bf92180e0f02175a94cac25f41ca35db4fec2f05e7d450b847134ba358fc063f1

Filesize: 593KB
MD5: 3a6e988fa8c86c700b8f7b1dcc477e79
SHA1: 13d7bac29d69c61c66aeb87d6de55df5327eceed
SHA256: 428745065ec5613706cc571e42552dbb6c9385cf37707ce8c0912cb39a1b3695
SHA512: acff45c6eadc71c6c53422cc81e37d188297a1414cd21f3cf43b313893790f1f20b09f092efadb943b6ecbb6bc2c63a024d5d43b694c819e8472bb9c3bf57dc7

Filesize: 1.7MB
MD5: 17ba4c786c3d7c73ebbd8e576b124405
SHA1: 8b8974edb0d7fb71e8d0baa59ad3201b5d1fc314
SHA256: 421804beb73bea937a3e56289c594746389101f4d7a779de898797fee6e8d97d
SHA512: 38e73dea39623843929a600c43df4985ab922e701c5809b03191ba75663405bb1910d27a0e54d74a5e7b13e7d077723d89c5e07d4620f34ab5b01438a1567cc3

Filesize: 1KB
MD5: f9e97c908859b30bd88896e1e9918dd2
SHA1: d21494bab680dcb2d448b9fdc9e50f39ee6418fc
SHA256: 669e0420d8fada0282759fbdeb1b3bc7a69c0b2af29beee728c3a1ea26a2f636
SHA512: 179a9a2450eb874c4aad21bf0c64057d743bf3cb8216ccb6ed87fea0670a26b5c204ba20fb10289be0ed85e2ff2eb00678ff1e2f3d29c6e933a242a93f03325f

Filesize: 1.5MB
MD5: aa3ece9bec1c908f714833d1daabf793
SHA1: 61c14204e59faae01e925c936a4837068462035a
SHA256: f552160b7e3286f0d9c752744172ecbab5adb7ec93230d5e53b2e30b78473b80
SHA512: 4e5bbbf749520daca4c435c5485f5a3f32b8ed92bce38b39d94e798250698a05901d24cf8e740c7122434b6fc8b3d74214acb9fc6a7903ca2c320d185869997f

Filesize: 1.5MB
MD5: 78b8b474fada782935cff719f0abbf0a
SHA1: 2b22aaae3a3a82c66160db655a484b4c42399e15
SHA256: c8780523d763b99857c84704f47d12d312003379f0a15817573dbf247e1eb071
SHA512: e8c9fee0a0458bfe1805d5699fcc45b85d6c3c235791e87ade7feec7bda104140a04acc7988bfe9d5e3dbbd4fbc1ac095b13a60f4ad24ac43c95a304b78cda8c

Filesize: 522KB
MD5: 4224abf5bd86e95e2915a69160f45d91
SHA1: d19061902a086bc98a22d9a2e839d01c05586208
SHA256: bc8432059efeef395c10e762663a92c36a3ffdc2eb2bf83c49fb2c9033aabca9
SHA512: d9334a57c7e965b7b4ee1ce3b2734b9a2094eb9e284933582004dfc93e241736951210f495cde4e91f7614cf9b2735ad84dd417a237a4ca66bc6b84ae843c9f5

Filesize: 417KB
MD5: b22cb67919ebad88b0e8bb9cda446010
SHA1: 423a794d26d96d9f812d76d75fa89bffdc07d468
SHA256: 2f744feac48ede7d6b6d2727f7ddfa80b26d9e3b0009741b00992b19ad85e128
SHA512: f40aad2a381b766aae0a353fae3ab759d5c536b2d00d135527bba37b601d2f24323f079bd09600355d79404d574ac59201d415ef64c1568877ad0ce0da2dd1d5

Filesize: 90KB
MD5: c944803fb67e2456172f78363aeb2aaa
SHA1: 6a286cb48b49cef6f75e6c62a79c3f7c1be4a9ab
SHA256: ea00fd1f1c6c01f9bd9c97ce0aa59a22aa6b0bed4d5cedc180f4fbb4a046daac
SHA512: 21183c1cf2e09da972b47498da3a5593c5b5467db19c6ff10a3adcc5c23f3541f0913ad46f7fb307635b206bf47c25b4b405199fbb049d04bff23081ee1a4677

Filesize: 111KB
MD5: 6fe27e23025cb80c2406a1227624badb
SHA1: 7649c7cd730f6114baec544ddd2e16b9ceb57452
SHA256: f9fb0428bb413d555bbba473c5da92cf4269adc6b7603af5e69b92449276d9e8
SHA512: 13a54988f8e62be3b6f39589dbe271e711e75729812576d271f7d3083ac65a99865210a40027b9132cd032dd04caadb098d58c085c82337f09727c88a5e0edf7

Filesize: 429KB
MD5: 688e308b194a8502cd52a647321c1af8
SHA1: 3b053bd9e1f67e12677be1dfb6b8ee595ac9a698
SHA256: d1ca10f09b35a9d11d6eb47e1a32687bd9235dd162c30848fcc335c0adabdde9
SHA512: a6fa34a7b097fe30e260971a9eb19695cb526c7b21f8558df86552c9439ed9bf35467ddf4cb508602cd442d070362739e027766d74c14cca2375b77bccd0465a

Filesize: 54KB
MD5: 0d3a73b0b30252680b383532f1758649
SHA1: 9f098d2037e4dd94eca6d04c37b3d4ad8b0cc931
SHA256: fc8a992b6ac311e1b1491ec3e31e273a41f7fdf3f68176321307b68489a03fbc
SHA512: a7961f4d8d0e07959d1501d721c7751b01af6704c7da5c1f31e40de5372ee6a1fce2f3e0077c8e6a1bed017e11ce4be9b0d17c04e30b222fb3f0df67b870b2d4

Filesize: 149KB
MD5: 25247e3c4e7a7a73baeea6c0008952b1
SHA1: 8087adb7a71a696139ddc5c5abc1a84f817ab688
SHA256: c740497a7e58f7678e25b68b03573b4136a364464ee97c02ce5e0fe00cec7050
SHA512: bc27946894e7775f772ac882740430c8b9d3f37a573e2524207f7bb32f44d4a227cb1e9a555e118d68af7f1e129abd2ac5cabbcd8bbf3551c485bae05108324b