Analysis

max time kernel: 169s
max time network: 134s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 22-12-2023 17:04

Static task: static1 (1 signatures)
Behavioral task: behavioral1
  Sample: faff1cecdbec225f5f4a12f2afa66915.dll
  Resource: win7-20231215-en
  9 signatures, 150 seconds
General

Target: faff1cecdbec225f5f4a12f2afa66915.dll
Size: 1.4MB
MD5: faff1cecdbec225f5f4a12f2afa66915
SHA1: 0bc116efeeab88744b461d8c7979c4bade196f55
SHA256: aa794827c5c65b5416d7f2454cb2376816a74c9e0d5d6ed83daadf07ad335ff1
SHA512: 83a90171fcd5581fd0747b3d106674c8e2935613fe906cea4dd627f3f6c420810e576a42995dfa670e06dd35c84aca7217dfa14a89c131bedd25797be6ae72c4
SSDEEP: 12288:DVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:SfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
YARA rule match 1 IoCs
Processes:
resource                                                                          yara_rule
behavioral1/memory/1204-5-0x00000000029B0000-0x00000000029B1000-memory.dmp        dridex_stager_shellcode
Executes dropped EXE 3 IoCs
Processes:
pid    Process
524    cttune.exe
1260   osk.exe
1044   EhStorAuthn.exe
Loads dropped DLL 7 IoCs
Processes:
pid    Process
1204   (process not named in the report)
524    cttune.exe
1204   (process not named in the report)
1260   osk.exe
1204   (process not named in the report)
1044   EhStorAuthn.exe
1204   (process not named in the report)
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description       ioc                                                                                                                                         Process
Set value (str)   \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\Pfoxtyecp = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\kwXEDb8vcR\\osk.exe"   (not named in the report)
Checks whether UAC is enabled 4 IoCs
Processes:
description         ioc                                                                              Process
Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   rundll32.exe
Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   cttune.exe
Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   osk.exe
Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   EhStorAuthn.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid    Process                              entries
2968   rundll32.exe                         3
1204   (process not named in the report)    61
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
Each of the six rows below is recorded three times in the report (18 IoCs in total). The writing process, PID 1204, is not named in the report.
description                        pid    Process                              procid_target
PID 1204 wrote to memory of 2304   1204   (process not named in the report)    28
PID 1204 wrote to memory of 524    1204   (process not named in the report)    30
PID 1204 wrote to memory of 1000   1204   (process not named in the report)    31
PID 1204 wrote to memory of 1260   1204   (process not named in the report)    32
PID 1204 wrote to memory of 2204   1204   (process not named in the report)    33
PID 1204 wrote to memory of 1044   1204   (process not named in the report)    34
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

All seven processes sit at the same depth of the tree; their common parent, PID 1204, is not shown in the tree but is the writer in every WriteProcessMemory IoC above.

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\faff1cecdbec225f5f4a12f2afa66915.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 2968

C:\Windows\system32\cttune.exe
  Command line: C:\Windows\system32\cttune.exe
  PID: 2304

C:\Users\Admin\AppData\Local\NSJB\cttune.exe
  Command line: C:\Users\Admin\AppData\Local\NSJB\cttune.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 524

C:\Windows\system32\osk.exe
  Command line: C:\Windows\system32\osk.exe
  PID: 1000

C:\Users\Admin\AppData\Local\DfF\osk.exe
  Command line: C:\Users\Admin\AppData\Local\DfF\osk.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1260

C:\Windows\system32\EhStorAuthn.exe
  Command line: C:\Windows\system32\EhStorAuthn.exe
  PID: 2204

C:\Users\Admin\AppData\Local\ZSKffg\EhStorAuthn.exe
  Command line: C:\Users\Admin\AppData\Local\ZSKffg\EhStorAuthn.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1044
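The process tree shows a pattern worth detecting generally rather than by file hash: the unnamed parent (PID 1204) first launches a genuine Windows binary from System32 (cttune.exe, osk.exe, EhStorAuthn.exe), then launches a same-named copy from a freshly created directory under AppData\Local, and each copy "Loads dropped DLL". Placing a signed system executable next to an attacker-controlled DLL so that the copy resolves the DLL from its own directory is DLL search-order hijacking (side-loading); that interpretation is the editor's, not a statement in the report. The following Python is an added example written for this page, not code from the sandbox or the sample. It runs three heuristics over constructed process-creation and registry events modelled on the rows above: a system binary relaunched by the same parent from a user-writable path, rundll32 invoking a DLL under %TEMP%, and a Run value that points into the user profile. The event shape, the choice of PID 1204 as the process that set the Run value, and the field names are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Directories Windows installs its own binaries to.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Per-user, writable locations. A system binary found here was put there
# by something running as that user, not by Windows.
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\(local|roaming)\\", re.I)
TEMP_DIR = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
# rundll32 <path>.dll,<export or #ordinal>
RUNDLL32_CMD = re.compile(r"rundll32(?:\.exe)?\s+\"?(?P<dll>.+?\.dll)\"?,(?P<export>\S+)", re.I)


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: int
    image: str     # full path of the executable image
    cmdline: str


@dataclass(frozen=True)
class RegistryEvent:
    pid: int
    key: str       # full path of the value, e.g. ...\Run\Pfoxtyecp
    data: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def relocated_system_binaries(events):
    """One parent launches a binary from System32, then a same-named binary
    from a user-writable directory: the copy-next-to-a-DLL side-loading pattern."""
    launched_from_system = {}          # (ppid, basename) -> first System32 launch
    findings = []
    for ev in events:
        image = ev.image.lower()
        key = (ev.ppid, _basename(image))
        if image.startswith(SYSTEM_DIRS):
            launched_from_system.setdefault(key, ev)
        elif USER_WRITABLE.match(image) and key in launched_from_system:
            findings.append({"pid": ev.pid, "name": key[1], "copy": ev.image,
                             "original_pid": launched_from_system[key].pid})
    return findings


def rundll32_temp_dll(events):
    """rundll32 loading a DLL that lives under %TEMP%, by name or by ordinal."""
    findings = []
    for ev in events:
        if _basename(ev.image) != "rundll32.exe":
            continue
        m = RUNDLL32_CMD.search(ev.cmdline)
        if m and TEMP_DIR.match(m.group("dll")):
            findings.append({"pid": ev.pid, "dll": m.group("dll"), "export": m.group("export")})
    return findings


def run_key_into_user_profile(reg_events):
    """A Run value whose target executable sits in a user-writable directory."""
    findings = []
    for ev in reg_events:
        if RUN_KEY.search(ev.key) and USER_WRITABLE.match(ev.data.strip('"')):
            findings.append({"pid": ev.pid, "value": ev.key.rsplit("\\", 1)[-1], "target": ev.data})
    return findings


# Constructed events modelled on the report's process tree and Run-key IoC.
# PID 1204 is the parent of every process in the tree; the report does not
# name it. Attributing the Run value to PID 1204 is an assumption.
PROCESS_EVENTS = [
    ProcessEvent(2968, 1204, r"C:\Windows\system32\rundll32.exe",
                 r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\faff1cecdbec225f5f4a12f2afa66915.dll,#1"),
    ProcessEvent(2304, 1204, r"C:\Windows\system32\cttune.exe", r"C:\Windows\system32\cttune.exe"),
    ProcessEvent(524, 1204, r"C:\Users\Admin\AppData\Local\NSJB\cttune.exe", r"C:\Users\Admin\AppData\Local\NSJB\cttune.exe"),
    ProcessEvent(1000, 1204, r"C:\Windows\system32\osk.exe", r"C:\Windows\system32\osk.exe"),
    ProcessEvent(1260, 1204, r"C:\Users\Admin\AppData\Local\DfF\osk.exe", r"C:\Users\Admin\AppData\Local\DfF\osk.exe"),
    ProcessEvent(2204, 1204, r"C:\Windows\system32\EhStorAuthn.exe", r"C:\Windows\system32\EhStorAuthn.exe"),
    ProcessEvent(1044, 1204, r"C:\Users\Admin\AppData\Local\ZSKffg\EhStorAuthn.exe", r"C:\Users\Admin\AppData\Local\ZSKffg\EhStorAuthn.exe"),
]
REGISTRY_EVENTS = [
    RegistryEvent(1204, r"\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\Pfoxtyecp",
                  r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\kwXEDb8vcR\osk.exe"),
]

if __name__ == "__main__":
    for f in relocated_system_binaries(PROCESS_EVENTS):
        print("side-load candidate:", f)
    for f in rundll32_temp_dll(PROCESS_EVENTS):
        print("rundll32 from temp:", f)
    for f in run_key_into_user_profile(REGISTRY_EVENTS):
        print("run key persistence:", f)
```

Keying the relocation rule on the parent PID is what keeps it quiet on a normal host: a user legitimately running a tool from their profile does not first launch the System32 original from the same parent. The Run-key rule fires on the target path, not on the value name, because the name (Pfoxtyecp here) is random per infection.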