Analysis
- max time kernel: 150s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 26-12-2023 00:29
Static task: static1
Behavioral task: behavioral1
Sample: 4679898201806dc6de8e98d5fe539ed2.dll
Resource: win7-20231215-en
General
- Target: 4679898201806dc6de8e98d5fe539ed2.dll
- Size: 644KB
- MD5: 4679898201806dc6de8e98d5fe539ed2
- SHA1: 0b0a13522449f99f2e4eae9253700b542fca3461
- SHA256: b60b7a922e6e0e011f495a1be04333582f76e52ddabefa0b020ed51a0d263cde
- SHA512: 62b61499c7f1c8acf7665d18941d4f3a9b0b34f7476921950f92040c251a9f00f4cf59d9859fa8c1960943d412230aa17eaa536f0883745b168101e148a29633
- SSDEEP: 12288:ZKYQ5LL540CV3UIeLPrleV1F0e8gMA/9L0l3HATpKR4:AYQ5p4f0POF0nkls3opKR
Malware Config
Signatures
Processes:
resource: behavioral1/memory/1184-4-0x00000000029F0000-0x00000000029F1000-memory.dmp
yara_rule: dridex_stager_shellcode
Loads dropped DLL 1 IoCs
Processes:
pid: 1184 (process name not captured)
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\Niubkzso = "C:\\Users\\Admin\\AppData\\Roaming\\5O2Cgz\\dccw.exe"
Checks whether UAC is enabled
Processes:
description: Key value queried
ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Process: rundll32.exe
Drops file in System32 directory 2 IoCs
Processes:
description: File created
ioc: C:\Windows\system32\bKA9EJ\SystemPropertiesDataExecutionPrevention.exe
Process: cmd.exe
description: File opened for modification
ioc: C:\Windows\system32\bKA9EJ\SystemPropertiesDataExecutionPrevention.exe
Process: cmd.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid: 2600, Process: rundll32.exe (3 entries)
pid: 1184, Process: not captured (remaining entries)
Suspicious use of WriteProcessMemory 30 IoCs
Processes:
PID 1184 wrote to memory of 2636 (pid 1184, procid_target 28)
PID 1184 wrote to memory of 2564 (pid 1184, procid_target 29)
PID 1184 wrote to memory of 2700 (pid 1184, procid_target 31)
PID 1184 wrote to memory of 2792 (pid 1184, procid_target 32)
PID 1184 wrote to memory of 2900 (pid 1184, procid_target 34)
PID 1184 wrote to memory of 1844 (pid 1184, procid_target 38)
PID 1184 wrote to memory of 2020 (pid 1184, procid_target 40)
PID 1184 wrote to memory of 1852 (pid 1184, procid_target 42)
PID 1184 wrote to memory of 1760 (pid 1184, procid_target 45)
PID 1184 wrote to memory of 396 (pid 1184, procid_target 46)
Each row was recorded three times (30 IoCs in total).
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4679898201806dc6de8e98d5fe539ed2.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 2600
- C:\Windows\system32\dccw.exe
  Command line: C:\Windows\system32\dccw.exe
  PID: 2636
- C:\Windows\system32\cmd.exe
  Command line: "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\0FgA1.cmd
  PID: 2564
- C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
  Command line: C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
  PID: 2700
- C:\Windows\system32\cmd.exe
  Command line: "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\luhNUw.cmd
  - Drops file in System32 directory
  PID: 2792
- C:\Windows\system32\schtasks.exe
  Command line: "C:\Windows\system32\schtasks.exe" /Create /F /TN "Taqnqntix" /TR "C:\Windows\system32\bKA9EJ\SystemPropertiesDataExecutionPrevention.exe" /SC minute /MO 60 /RL highest
  - Creates scheduled task(s)
  PID: 2900
- C:\Windows\system32\schtasks.exe
  Command line: C:\Windows\system32\schtasks.exe /Query /TN "Taqnqntix"
  PID: 1844
- C:\Windows\system32\schtasks.exe
  Command line: C:\Windows\system32\schtasks.exe /Query /TN "Taqnqntix"
  PID: 2020
- C:\Windows\system32\schtasks.exe
  Command line: C:\Windows\system32\schtasks.exe /Query /TN "Taqnqntix"
  PID: 1852
- C:\Windows\system32\schtasks.exe
  Command line: C:\Windows\system32\schtasks.exe /Query /TN "Taqnqntix"
  PID: 1760
- C:\Windows\system32\schtasks.exe
  Command line: C:\Windows\system32\schtasks.exe /Query /TN "Taqnqntix"
  PID: 396
Network
MITRE ATT&CK Enterprise v15
Downloads