Analysis
-
max time kernel: 138s
max time network: 121s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 25-12-2023 07:52
Static task: static1
Behavioral task: behavioral1
Sample: 103bce51e2fb20c197343aaf2d602bad.dll
Resource: win7-20231215-en
General
-
Target: 103bce51e2fb20c197343aaf2d602bad.dll
Size: 656KB
MD5: 103bce51e2fb20c197343aaf2d602bad
SHA1: 3df0dcccbce4abeb9639358e234e30055f569a7a
SHA256: b95c5ad1c557db07298ed44764a8ba2b022c508ccef0f1a4ff87bf813e3e2463
SHA512: 31240770fd9725ba0d28450f245f28d4a1eb751067aa0252bb5c35e31ff9c8bdf406dbf2d2715d78fb8508fbfc3808a0f04ab59c195763e2b12b267ba924be6b
SSDEEP: 12288:cKYQ5LL540CV3UIeLPrleV1F0e8gMA/9L0l3HATpKR4:dYQ5p4f0POF0nkls3opKR
Malware Config
Signatures
-
Processes:
  resource: behavioral1/memory/1200-4-0x00000000024F0000-0x00000000024F1000-memory.dmp
  yara_rule: dridex_stager_shellcode
-
Loads dropped DLL 1 IoCs
Processes:
  pid: 1200  Process: (not recorded)
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bsfvntd = "C:\\Users\\Admin\\AppData\\Roaming\\NdvH5hF\\consent.exe"
  Process: (not recorded)
-
Checks whether UAC is enabled
Processes:
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  Process: rundll32.exe
-
Drops file in System32 directory 2 IoCs
Processes:
  description: File created
  ioc: C:\Windows\system32\BAlLnB\SystemPropertiesHardware.exe
  Process: cmd.exe

  description: File opened for modification
  ioc: C:\Windows\system32\BAlLnB\SystemPropertiesHardware.exe
  Process: cmd.exe
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid: 1728  Process: rundll32.exe  (3 entries)
  pid: 1200  Process: (not recorded)  (all remaining entries)
-
Suspicious use of WriteProcessMemory 30 IoCs
Processes:
  description: PID 1200 wrote to memory of 2600  procid_target: 28  (3 entries)
  description: PID 1200 wrote to memory of 2148  procid_target: 29  (3 entries)
  description: PID 1200 wrote to memory of 2816  procid_target: 31  (3 entries)
  description: PID 1200 wrote to memory of 2884  procid_target: 32  (3 entries)
  description: PID 1200 wrote to memory of 2936  procid_target: 34  (3 entries)
  description: PID 1200 wrote to memory of 1852  procid_target: 36  (3 entries)
  description: PID 1200 wrote to memory of 1708  procid_target: 40  (3 entries)
  description: PID 1200 wrote to memory of 2748  procid_target: 42  (3 entries)
  description: PID 1200 wrote to memory of 1164  procid_target: 44  (3 entries)
  description: PID 1200 wrote to memory of 2536  procid_target: 47  (3 entries)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\103bce51e2fb20c197343aaf2d602bad.dll,#1
  PID: 1728
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\consent.exe
  Command line: C:\Windows\system32\consent.exe
  PID: 2600
-
C:\Windows\system32\cmd.exe
  Command line: "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\VfEQkn.cmd
  PID: 2148
-
C:\Windows\system32\SystemPropertiesHardware.exe
  Command line: C:\Windows\system32\SystemPropertiesHardware.exe
  PID: 2816
-
C:\Windows\system32\cmd.exe
  Command line: "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\abu.cmd
  PID: 2884
  - Drops file in System32 directory
-
C:\Windows\system32\schtasks.exe
  Command line: "C:\Windows\system32\schtasks.exe" /Create /F /TN "Ajfbjcebwom" /TR "C:\Windows\system32\BAlLnB\SystemPropertiesHardware.exe" /SC minute /MO 60 /RL highest
  PID: 2936
  - Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe
  Command line: C:\Windows\system32\schtasks.exe /Query /TN "Ajfbjcebwom"
  PID: 1852
-
C:\Windows\system32\schtasks.exe
  Command line: C:\Windows\system32\schtasks.exe /Query /TN "Ajfbjcebwom"
  PID: 1708
-
C:\Windows\system32\schtasks.exe
  Command line: C:\Windows\system32\schtasks.exe /Query /TN "Ajfbjcebwom"
  PID: 2748
-
C:\Windows\system32\schtasks.exe
  Command line: C:\Windows\system32\schtasks.exe /Query /TN "Ajfbjcebwom"
  PID: 1164
-
C:\Windows\system32\schtasks.exe
  Command line: C:\Windows\system32\schtasks.exe /Query /TN "Ajfbjcebwom"
  PID: 2536
-
C:\Windows\system32\schtasks.exe
  Command line: C:\Windows\system32\schtasks.exe /Query /TN "Ajfbjcebwom"
  PID: 2192
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 660KB
MD5: 172640f7888fe44d8bb0601d72a06119
SHA1: cb34531771e3b91bca9d3b16cc4d692b3d2dc9a7
SHA256: efceacb585220dfe17d617218b28ddede99f21f2e6ee86e0cca68208a327742a
SHA512: 22a432ed462a45aac70b322bc603d2ea34552a31f9a536d8148598a08a38ccf0b75c484cf6850d8bed4407ca9482e801284790726247c05b518b45cfc00e5d34
-
Filesize: 664KB
MD5: db9b41311c937b2b6ff982bfebda0c5a
SHA1: 32d3fb8ebf5148cf5eac6f9ff2c07cc1794b85de
SHA256: 0564da405563b6b5f0c217d351451c391dc6e7bcbdc223a62a705d2da73f0526
SHA512: 413c777bd2fd4dfdc1e06a70a91dd90f3650b9b86b0d33338695c2687c546b243191c8becd6ae3df943461f1a6ac2cd82c140780f9faaf8f4173aa4fbf082c87
-
Filesize: 234B
MD5: 57128ccfeed83e637d38163ff3be92a4
SHA1: 4270ff1c25d1786ce0d91bd608af8e2cdf4e32a0
SHA256: 6b203be8a29335a9cead11e1387d4d863983baf35975a1e80463cb2bd11cef03
SHA512: fddefcc94911b890a0df1dabeb58fcb0f2f09e1a12612bbd9271d9fe4522a864b8feb22ce4457b9dfc2436049be834473af931a62e19e0cff006302eae0442cb
-
Filesize: 215B
MD5: 72e1216c3e9ad375d4a89d780e90a6b4
SHA1: 127dcf53e4f2e8a5d82c5ee26834ade103b2d023
SHA256: 761bee2bef44a6e94777c583e0c938971396661e4729f3a07e8ccaf68267138d
SHA512: cc3b1cd8a56b7984a92c1cc95a1e4e8e9df21e880f1d16618dba478af29de48460491f82b7c3671f0e73db1d0aa6bfab5a5d00fd2a534e41fc8137b4fb619a0f
-
Filesize: 798B
MD5: d6f72802e685797edf3b7781e00eb04b
SHA1: 49ff7e5a7b2c231147044f0610a28be6729a1fb2
SHA256: ff8646dc1bff42ed47093b60fc43252e4edbc7cc00a3bc8911e8d164f0156a3f
SHA512: a4d3ca4ffa41c9e8ea5d717e341448b55906dcb668ca25ab10d04bdb17a197a7d09aac925c8c8203b10937805b27dd2c93e8bf1c53a0b3ec9c7f590b357a43ec
-
Filesize: 109KB
MD5: 0b5511674394666e9d221f8681b2c2e6
SHA1: 6e4e720dfc424a12383f0b8194e4477e3bc346dc
SHA256: ccad775decb5aec98118b381eeccc6d540928035cfb955abcb4ad3ded390b79b
SHA512: 00d28a00fd3ceaeae42ba6882ffb42aa4cc8b92b07a10f28df8e1931df4b806aebdcfab1976bf8d5ce0b98c64da19d4ee06a6315734fa5f885ecd1f6e1ff16a7