Analysis
- max time kernel: 117s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system
- submitted: 25-12-2023 18:39
Static task: static1
Behavioral task: behavioral1
Sample: 3526a594f157e00abe6d9baf2c84e361.dll
Resource: win7-20231129-en
General
- Target: 3526a594f157e00abe6d9baf2c84e361.dll
- Size: 652KB
- MD5: 3526a594f157e00abe6d9baf2c84e361
- SHA1: 08c79f37fa9c70dcae933bb77d8711ce083ea91c
- SHA256: 8ee1f2fa3582a791cdfc6bae5a3282b82ac28ab60683d968041a4f39584e4d57
- SHA512: 76b4432bb65d66d1725d7901973afe973e7a5120686b2dce8d4482eb9b97ab829cede0faf1839de61901203e2fc8ec9cc7fbbc050c2d60f9504db94fa8963158
- SSDEEP: 12288:gKYQ5LL540CV3UIeLPrleV1F0e8gMA/9L0l3HATpKR4:ZYQ5p4f0POF0nkls3opKR
Malware Config
Signatures
-
  Processes:
  resource | yara_rule
  behavioral1/memory/1380-4-0x0000000003E30000-0x0000000003E31000-memory.dmp | dridex_stager_shellcode
- Loads dropped DLL 1 IoCs
  Processes:
  pid | Process
  1380 |
- Adds Run key to start application 2 TTPs 1 IoCs
  Processes:
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Groztcac = "C:\\Users\\Admin\\AppData\\Roaming\\COiTo\\DXPSER~1.EXE" |
- Checks whether UAC is enabled
  Processes: rundll32.exe
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
- Drops file in System32 directory 2 IoCs
  Processes: cmd.exe
  description | ioc | Process
  File created | C:\Windows\system32\7QG8\lpksetup.exe | cmd.exe
  File opened for modification | C:\Windows\system32\7QG8\lpksetup.exe | cmd.exe
- Creates scheduled task(s) 1 TTPs 1 IoCs
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses 64 IoCs
  Processes: rundll32.exe
  pid | Process
  780 | rundll32.exe
  780 | rundll32.exe
  780 | rundll32.exe
  1380 | (remaining entries, all pid 1380; process name not shown in the report)
- Suspicious use of WriteProcessMemory 27 IoCs
  Processes:
  description | pid | Process | procid_target
  (each row below appears three times in the report, 27 entries in total)
  PID 1380 wrote to memory of 1760 | 1380 | | 30
  PID 1380 wrote to memory of 1832 | 1380 | | 29
  PID 1380 wrote to memory of 2148 | 1380 | | 35
  PID 1380 wrote to memory of 2132 | 1380 | | 32
  PID 1380 wrote to memory of 2880 | 1380 | | 34
  PID 1380 wrote to memory of 2816 | 1380 | | 37
  PID 1380 wrote to memory of 1700 | 1380 | | 41
  PID 1380 wrote to memory of 2400 | 1380 | | 42
  PID 1380 wrote to memory of 328 | 1380 | | 44
- Uses Task Scheduler COM API 1 TTPs
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3526a594f157e00abe6d9baf2c84e361.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 780
- C:\Windows\system32\cmd.exe
  Command line: "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\okXs.cmd
  PID: 1832
- C:\Windows\system32\Dxpserver.exe
  Command line: C:\Windows\system32\Dxpserver.exe
  PID: 1760
- C:\Windows\system32\cmd.exe
  Command line: "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\qjdS.cmd
  - Drops file in System32 directory
  PID: 2132
- C:\Windows\system32\schtasks.exe
  Command line: "C:\Windows\system32\schtasks.exe" /Create /F /TN "Mppxofurfby" /TR "C:\Windows\system32\7QG8\lpksetup.exe" /SC minute /MO 60 /RL highest
  - Creates scheduled task(s)
  PID: 2880
- C:\Windows\system32\lpksetup.exe
  Command line: C:\Windows\system32\lpksetup.exe
  PID: 2148
- C:\Windows\system32\schtasks.exe
  Command line: C:\Windows\system32\schtasks.exe /Query /TN "Mppxofurfby"
  PID: 2816
- C:\Windows\system32\schtasks.exe
  Command line: C:\Windows\system32\schtasks.exe /Query /TN "Mppxofurfby"
  PID: 1700
- C:\Windows\system32\schtasks.exe
  Command line: C:\Windows\system32\schtasks.exe /Query /TN "Mppxofurfby"
  PID: 2400
- C:\Windows\system32\schtasks.exe
  Command line: C:\Windows\system32\schtasks.exe /Query /TN "Mppxofurfby"
  PID: 328
- C:\Windows\system32\schtasks.exe
  Command line: C:\Windows\system32\schtasks.exe /Query /TN "Mppxofurfby"
  PID: 1940
- C:\Windows\system32\schtasks.exe
  Command line: C:\Windows\system32\schtasks.exe /Query /TN "Mppxofurfby"
  PID: 2044
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 231B
  MD5: 472f38b504a240d744ec16dc0c052ec9
  SHA1: 2144bd911591df1e53fcbe6f8611ac13b7b1baef
  SHA256: 5845f910b51a62db0d9a073763c28558c868c348b841d7f460ca23755890dc2c
  SHA512: 7ad69a33668dec93fc6a98daab4c69065d7dea83d9a1e6f56064ac93de1bffac39d91c12a314cf66e4ce3085db14f963aa0cf0cd428711c537dc40529fe2504a
- (no filesize recorded; these four digests are the well-known hashes of empty input)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- Filesize: 798B
  MD5: c5b20ee47f6ced44a54711c5723bfcf8
  SHA1: 2b444df11fa9b084a2c3a20ff2e89517614394e1
  SHA256: 5e5da1a12b54afceaa6221be22df49ff084728fb9197ef794df54f2464caac07
  SHA512: 725d88bee73fb2f9b94ae3ea5c5f07a1ec5eefd973caf50e63d56dbbf61c17e74b6b1d280257deea284ca9493f89eca3f213830a7bb5337136ab2921a9345bcf
- Filesize: 259KB
  MD5: 4d38389fb92e43c77a524fd96dbafd21
  SHA1: 08014e52f6894cad4f1d1e6fc1a703732e9acd19
  SHA256: 070bc95c486c15d2edc3548ba416dc9565ead401cb03a0472f719fb55ac94e73
  SHA512: 02d8d130cff2b8de15139d309e1cd74a2148bb786fd749e5f22775d45e193b0f75adf40274375cabce33576480ff20456f25172d29a034cd134b8084d40a67ba