Analysis
max time kernel: 150s
max time network: 121s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 24-12-2023 20:15
Static task: static1
Behavioral task: behavioral1
Sample: 103bce51e2fb20c197343aaf2d602bad.dll
Resource: win7-20231215-en
General
Target: 103bce51e2fb20c197343aaf2d602bad.dll
Size: 656KB
MD5: 103bce51e2fb20c197343aaf2d602bad
SHA1: 3df0dcccbce4abeb9639358e234e30055f569a7a
SHA256: b95c5ad1c557db07298ed44764a8ba2b022c508ccef0f1a4ff87bf813e3e2463
SHA512: 31240770fd9725ba0d28450f245f28d4a1eb751067aa0252bb5c35e31ff9c8bdf406dbf2d2715d78fb8508fbfc3808a0f04ab59c195763e2b12b267ba924be6b
SSDEEP: 12288:cKYQ5LL540CV3UIeLPrleV1F0e8gMA/9L0l3HATpKR4:dYQ5p4f0POF0nkls3opKR
Malware Config
Signatures
-
Processes:
  resource: behavioral1/memory/1228-4-0x00000000029F0000-0x00000000029F1000-memory.dmp
  yara_rule: dridex_stager_shellcode
-
Loads dropped DLL 1 IoCs
Processes:
  pid: 1228
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\Xkgbzoakajt = "C:\\Users\\Admin\\AppData\\Roaming\\i5vkk\\irftp.exe"
-
Checks whether UAC is enabled
Processes:
  rundll32.exe
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  Process: rundll32.exe
-
Drops file in System32 directory 2 IoCs
Processes:
  cmd.exe
  description: File created
  ioc: C:\Windows\system32\ecr7WC\SystemPropertiesComputerName.exe
  Process: cmd.exe
  description: File opened for modification
  ioc: C:\Windows\system32\ecr7WC\SystemPropertiesComputerName.exe
  Process: cmd.exe
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  rundll32.exe
  pid 2552  Process rundll32.exe  (3 entries)
  pid 1228  (all remaining entries; no process name recorded for this pid)
-
Suspicious use of WriteProcessMemory 33 IoCs
Processes (each row is logged three times in the report):
  description                          pid   procid_target
  PID 1228 wrote to memory of 2892     1228  28
  PID 1228 wrote to memory of 2572     1228  30
  PID 1228 wrote to memory of 1780     1228  31
  PID 1228 wrote to memory of 2948     1228  33
  PID 1228 wrote to memory of 2988     1228  35
  PID 1228 wrote to memory of 2876     1228  39
  PID 1228 wrote to memory of 1472     1228  40
  PID 1228 wrote to memory of 1680     1228  43
  PID 1228 wrote to memory of 2244     1228  44
  PID 1228 wrote to memory of 2452     1228  46
  PID 1228 wrote to memory of 2052     1228  48
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\103bce51e2fb20c197343aaf2d602bad.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 2552
-
C:\Windows\system32\irftp.exe
  command line: C:\Windows\system32\irftp.exe
  PID: 2892
-
C:\Windows\system32\cmd.exe
  command line: "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\kf6DDxh.cmd
  PID: 2572
-
C:\Windows\system32\SystemPropertiesComputerName.exe
  command line: C:\Windows\system32\SystemPropertiesComputerName.exe
  PID: 1780
-
C:\Windows\system32\cmd.exe
  command line: "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\DaYQDk.cmd
  - Drops file in System32 directory
  PID: 2948
-
C:\Windows\system32\schtasks.exe
  command line: "C:\Windows\system32\schtasks.exe" /Create /F /TN "Ojgiqrnnmvt" /TR "C:\Windows\system32\ecr7WC\SystemPropertiesComputerName.exe" /SC minute /MO 60 /RL highest
  - Creates scheduled task(s)
  PID: 2988
-
C:\Windows\system32\schtasks.exe
  command line: C:\Windows\system32\schtasks.exe /Query /TN "Ojgiqrnnmvt"
  PID: 2876
-
C:\Windows\system32\schtasks.exe
  command line: C:\Windows\system32\schtasks.exe /Query /TN "Ojgiqrnnmvt"
  PID: 1472
-
C:\Windows\system32\schtasks.exe
  command line: C:\Windows\system32\schtasks.exe /Query /TN "Ojgiqrnnmvt"
  PID: 1680
-
C:\Windows\system32\schtasks.exe
  command line: C:\Windows\system32\schtasks.exe /Query /TN "Ojgiqrnnmvt"
  PID: 2244
-
C:\Windows\system32\schtasks.exe
  command line: C:\Windows\system32\schtasks.exe /Query /TN "Ojgiqrnnmvt"
  PID: 2452
-
C:\Windows\system32\schtasks.exe
  command line: C:\Windows\system32\schtasks.exe /Query /TN "Ojgiqrnnmvt"
  PID: 2052
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 219B
MD5: 8f65102679a797e1d6cf1331df48cdb5
SHA1: a2d86564d6a853c2f350c25ec613e67c836bd55a
SHA256: 05538498de3bb028dff952c8b7d0095b91316a221db7cc7e4f28ae77b1ad4a01
SHA512: 76fe0381251775d510fb55885a953e2ca5942f99c39b0436fefdd2409759822678407fcff4021dac1ceb5641b9fc785ad58f71065b6795c3de61a5ff86733bed
-
Filesize: 252KB
MD5: 8fc395aa31a9c420a791f9c4f298b3f3
SHA1: d1f0bd62c3b94b4ec36de6114e6e12c262195800
SHA256: 8a0150b7265fe0aeb386cb646a81a0c3df3ba8c1e8489fcbb1f47f04770887de
SHA512: d42712eac209edd664533f3d54f093db1f86bf93acb3ad3368b9855d116848efecf754e40f7363e02cabc7d005db21669d778b73e55ed1b88eb5f6c172930246
-
Filesize: 660KB
MD5: 3120d790c2bc14f86f79328a6f9ad7bf
SHA1: b6e7c3b639d3e3adf321f195b36534368d48dc50
SHA256: 81a06da30f6926ffa8e5ba03b85ee4fbb380c64b3bc4f45bd63095950ba50de2
SHA512: 96a8e26a5a09e866f813fbcba9cb5736ea268d486ccd7c2992bf762b050de4b46e85f18fe8af27c48dcfb0c35e5ec0cf5c274d7bf6d4225deeb47ac314e8f19b
-
Filesize: 226B
MD5: cd3baf9942fe93ad163fd0df3781a26f
SHA1: fcdcc345457638ff7033b4a401888bd656f85879
SHA256: cd0fb084e88d02dc0636be4269d1649b2c8358849d85d3486d54fcaa885e1d27
SHA512: 289e9701db962fea25ff25536cfcfd1091c277a976c3681b0209e4f5b9a2e9d6ff6115aeeeba778a09b037887aedad8582a58528a48fc1453aa83f1e25b662fd
-
Filesize: 774B
MD5: c0fe02a7a110db9fbb4946e37666a96f
SHA1: da91c7da5f809541e489b2d9dd79a6842e0a0878
SHA256: 0c469d02dee9d7bf65ace0c763cb0053ce55cdd619ae490ffc59a14ec1eb2e70
SHA512: 92c79e6845388cb9a1db225ee62188a04ae4d83c0a6c973c6c129078581ad94514e0a5f364b6f7107670efafb1968cef442ff7fcdc57f7fbf194a5675ca79442
-
Filesize: 124KB
MD5: b391898b1e6148ebed70b06d1d9c23c6
SHA1: 259fba7c9af61f10634d760d7cf016c8028af981
SHA256: 216f090a96cb080deffeca03acc3658745fef452b8997af2e375baae7c41aef4
SHA512: e6996956f47ad03135db5f4cef0e921f6e492c2b815d12fafb50b2659f18b15921d0b046405c671a462803fe869b28118f541fff1bd5f31e26adc2a6c473ac81
-
Filesize: 155KB
MD5: 44401cb131a4a863e32b51d5ed9517d8
SHA1: efa3b47571e6c8ec81f4661ce6287b1e2039c95b
SHA256: 35c1b56d28b799e11c8b6dfe6ab1be0c6ac2e430a889610b4bafe9cac9a6c87b
SHA512: bf7ed126f48c1925bda0b631fc3284c20a08227215d829eca10649dc9d478ce2c2ae834b7e3cbb1f5f9a168913c67161d698f59e5fb6e915d4181002f26dd79f