Analysis
max time kernel: 171s
max time network: 153s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
submitted: 26-12-2023 14:55
Static task: static1
Behavioral task: behavioral1
Sample: 772b68bf3048024e686be386fbfe5083.dll
Resource: win7-20231215-en
General
Target: 772b68bf3048024e686be386fbfe5083.dll
Size: 652KB
MD5: 772b68bf3048024e686be386fbfe5083
SHA1: 458a9a79779cf07157ec419d9511975e2f8aa2c8
SHA256: 7c62dc19058fca240cc5e8942a240f7691e6066aa3d59a51185ac3209e8f1409
SHA512: 18164714b6ced7284218c0dc8c4e0013b1b08084e07f89322564bdd0bf5d37c62edcb947965e1384e26fe36dd7d613a82697a4429fc935ee1557edf3c9290d62
SSDEEP: 12288:8KYQ5LL540CV3UIeLPrleV1F0e8gMA/9L0l3HATpKR4:9YQ5p4f0POF0nkls3opKR
Malware Config
Signatures
-
Processes:
resource: behavioral1/memory/1244-4-0x0000000002A80000-0x0000000002A81000-memory.dmp
yara_rule: dridex_stager_shellcode
Loads dropped DLL 1 IoCs
Processes:
pid: 1244 (process name not recorded in the report)
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fskzoiv = "C:\\Users\\Admin\\AppData\\Roaming\\979G\\SPINST~1.EXE"
Process: (not recorded in the report)
Checks whether UAC is enabled
Processes:
rundll32.exe
description: Key value queried
ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Process: rundll32.exe
Drops file in System32 directory 2 IoCs
Processes:
cmd.exe
description: File created
ioc: C:\Windows\system32\7sKi\mspaint.exe
Process: cmd.exe

description: File opened for modification
ioc: C:\Windows\system32\7sKi\mspaint.exe
Process: cmd.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid 2796 rundll32.exe (3 events)
pid 1244 (all remaining events; process name not recorded in the report)
Suspicious use of WriteProcessMemory 30 IoCs
Processes:
All 30 events have pid 1244 (process name not recorded in the report) as the writer; each target below appears three times:
PID 1244 wrote to memory of 268  (procid_target 30) x3
PID 1244 wrote to memory of 776  (procid_target 31) x3
PID 1244 wrote to memory of 1980 (procid_target 33) x3
PID 1244 wrote to memory of 1940 (procid_target 34) x3
PID 1244 wrote to memory of 1336 (procid_target 36) x3
PID 1244 wrote to memory of 808  (procid_target 38) x3
PID 1244 wrote to memory of 2908 (procid_target 40) x3
PID 1244 wrote to memory of 2920 (procid_target 42) x3
PID 1244 wrote to memory of 436  (procid_target 44) x3
PID 1244 wrote to memory of 944  (procid_target 46) x3
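The WriteProcessMemory table above is easier to reason about once it is joined against the process tree further down: every PID that was written to is a process the tree lists, while the writer, 1244, has no tree entry of its own. The script below is an added example, not code from the Triage report or from any Dridex tooling; the event text and the PID-to-image map are copied from this report, and the correlation only counts who wrote into whom and whether each PID has a tree entry. It draws no conclusion about what the writes were for.

```python
"""Correlate the report's WriteProcessMemory events with its process tree.

Added example; this is not code from the Triage report or from any Dridex
tooling. WPM_TEXT and TREE are copied from the report above. The
correlation counts who wrote into whom and whether each PID has an entry
in the process tree; it makes no claim about the purpose of the writes.
"""
import re
from collections import Counter, defaultdict

# The 'Suspicious use of WriteProcessMemory' table as the page flattens it.
# Every line in the report occurs three times, hence the '* 3'.
WPM_TEXT = (
    "PID 1244 wrote to memory of 268 1244 30 " * 3
    + "PID 1244 wrote to memory of 776 1244 31 " * 3
    + "PID 1244 wrote to memory of 1980 1244 33 " * 3
    + "PID 1244 wrote to memory of 1940 1244 34 " * 3
    + "PID 1244 wrote to memory of 1336 1244 36 " * 3
    + "PID 1244 wrote to memory of 808 1244 38 " * 3
    + "PID 1244 wrote to memory of 2908 1244 40 " * 3
    + "PID 1244 wrote to memory of 2920 1244 42 " * 3
    + "PID 1244 wrote to memory of 436 1244 44 " * 3
    + "PID 1244 wrote to memory of 944 1244 46 " * 3
)

# PID -> image name for every entry in the report's process tree.
TREE = {
    2796: "rundll32.exe", 268: "spinstall.exe", 776: "cmd.exe",
    1980: "mspaint.exe", 1940: "cmd.exe", 1336: "schtasks.exe",
    808: "schtasks.exe", 2908: "schtasks.exe", 2920: "schtasks.exe",
    436: "schtasks.exe", 944: "schtasks.exe",
}

# Columns as flattened: description, pid (repeats the writer),
# an empty Process column, procid_target.
EVENT_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\d+)")


def parse_events(text):
    """Return [(writer_pid, target_pid, procid_target), ...] from the flattened text."""
    return [(int(w), int(t), int(p)) for w, t, p in EVENT_RE.findall(text)]


def correlate(events, tree):
    """Group writes by writer and annotate each PID with its tree entry, if any."""
    writes = defaultdict(Counter)
    for writer, target, _ in events:
        writes[writer][target] += 1
    result = {}
    for writer, targets in writes.items():
        result[writer] = {
            "image": tree.get(writer),  # None: the writer has no process-tree entry
            "targets": {t: (tree.get(t), n) for t, n in sorted(targets.items())},
            "untracked": sorted(t for t in targets if t not in tree),
        }
    return result


if __name__ == "__main__":
    for writer, info in correlate(parse_events(WPM_TEXT), TREE).items():
        print(f"writer {writer} ({info['image'] or 'not in process tree'}):")
        for target, (image, n) in info["targets"].items():
            print(f"  -> {target:<5} {image or '?':<14} {n} writes")
```

Run as-is it reports one writer, 1244, with no tree entry, ten distinct targets, and three writes per target; rundll32.exe (2796) is never a target. Replace WPM_TEXT and TREE with the corresponding tables from another report to reuse the same correlation.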
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
All entries below are recorded at tree depth 1; the report lists no parent process for any of them.

C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\772b68bf3048024e686be386fbfe5083.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID:2796

C:\Windows\system32\spinstall.exe
  C:\Windows\system32\spinstall.exe
  PID:268

C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\dzDlhu.cmd
  PID:776

C:\Windows\system32\mspaint.exe
  C:\Windows\system32\mspaint.exe
  PID:1980

C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\yZdxQJ.cmd
  - Drops file in System32 directory
  PID:1940

C:\Windows\system32\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /Create /F /TN "Hkckipfn" /TR "C:\Windows\system32\7sKi\mspaint.exe" /SC minute /MO 60 /RL highest
  - Creates scheduled task(s)
  PID:1336

C:\Windows\system32\schtasks.exe
  C:\Windows\system32\schtasks.exe /Query /TN "Hkckipfn"
  PID:808

C:\Windows\system32\schtasks.exe
  C:\Windows\system32\schtasks.exe /Query /TN "Hkckipfn"
  PID:2908

C:\Windows\system32\schtasks.exe
  C:\Windows\system32\schtasks.exe /Query /TN "Hkckipfn"
  PID:2920

C:\Windows\system32\schtasks.exe
  C:\Windows\system32\schtasks.exe /Query /TN "Hkckipfn"
  PID:436

C:\Windows\system32\schtasks.exe
  C:\Windows\system32\schtasks.exe /Query /TN "Hkckipfn"
  PID:944
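The report records two persistence artefacts: the Run key value Fskzoiv pointing at SPINST~1.EXE under AppData\Roaming, and the schtasks /Create call for task Hkckipfn that launches a copy of mspaint.exe from C:\Windows\system32\7sKi every 60 minutes with /RL highest. The script below is an added example that scores both; it is not code from the Triage report or from any Dridex analysis tool. The two input strings are copied from the report, the tokenizer is hand-rolled so that Windows backslashes survive, and every rule in assess_task() and assess_run_value() (the list of standard Windows directories, the treatment of /RL highest, /SC minute, /F, AppData\Roaming and 8.3 short names) is an assumption about what merits a second look, not a published detection.

```python
"""Score the two persistence artefacts recorded in the report above.

Added example, not code from the Triage report or from any Dridex analysis
tool. SCHTASKS_CMD and RUN_KEY_VALUE are copied from the report; every
rule below is my own assumption about what is worth a second look.
"""
import re

SCHTASKS_CMD = (
    '"C:\\Windows\\system32\\schtasks.exe" /Create /F /TN "Hkckipfn" '
    '/TR "C:\\Windows\\system32\\7sKi\\mspaint.exe" /SC minute /MO 60 /RL highest'
)
RUN_KEY_VALUE = "C:\\Users\\Admin\\AppData\\Roaming\\979G\\SPINST~1.EXE"

# Assumption: a task that launches a binary from anywhere under C:\Windows
# other than these directories deserves a look.
STANDARD_WINDOWS_DIRS = {
    "c:\\windows", "c:\\windows\\system32", "c:\\windows\\syswow64",
}

# Either a double-quoted run (quotes stripped) or a bare whitespace-free token.
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def parse_schtasks(cmdline):
    """Return {'/create': None, '/tn': 'Hkckipfn', ...} for a schtasks.exe line.

    Switch names are lower-cased; a switch followed by a non-switch token
    takes that token as its value, otherwise it is a bare flag (None).
    """
    tokens = [quoted or bare for quoted, bare in TOKEN_RE.findall(cmdline)]
    opts, i = {}, 1  # tokens[0] is the executable
    while i < len(tokens):
        key = tokens[i].lower()
        has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("/")
        if key.startswith("/") and has_value:
            opts[key] = tokens[i + 1]
            i += 2
        else:
            opts[key] = None
            i += 1
    return opts


def assess_task(opts):
    """List reasons a schtasks /Create call looks like persistence (empty if not /Create)."""
    findings = []
    if "/create" not in opts:
        return findings
    target = opts.get("/tr") or ""
    directory = target.lower().rsplit("\\", 1)[0]
    if directory.startswith("c:\\windows") and directory not in STANDARD_WINDOWS_DIRS:
        findings.append(f"task binary lives in a non-standard directory under C:\\Windows: {directory}")
    if (opts.get("/rl") or "").lower() == "highest":
        findings.append("task requests /RL highest (runs with the highest privileges available)")
    if (opts.get("/sc") or "").lower() == "minute":
        findings.append(f"task re-runs every {opts.get('/mo') or '1'} minute(s) (/SC minute)")
    if "/f" in opts:
        findings.append("/F silently replaces any existing task of the same name")
    return findings


def assess_run_value(value):
    """List reasons a Run key value looks like persistence."""
    findings = []
    if "\\appdata\\roaming\\" in value.lower():
        findings.append("Run value points into user-writable AppData\\Roaming")
    if re.search(r"~\d+\.", value):
        findings.append("Run value uses an 8.3 short name, which hides the real file name")
    return findings


def triage(schtasks_cmd=SCHTASKS_CMD, run_value=RUN_KEY_VALUE):
    """Combine both checks; the task name comes from the parsed command line."""
    opts = parse_schtasks(schtasks_cmd)
    return {
        "task_name": opts.get("/tn"),
        "task_findings": assess_task(opts),
        "run_value_findings": assess_run_value(run_value),
    }


if __name__ == "__main__":
    for key, val in triage().items():
        print(key, val)
```

On the report's inputs the task side yields four findings (non-standard directory 7sKi under system32, /RL highest, 60-minute repeat, /F) and the Run value two (AppData\Roaming, 8.3 short name); the /Query lines from the same tree yield none, since only /Create installs anything.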
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 656KB
MD5: 661348b0acdfaf708e3bd361a53833ca
SHA1: 7dea4d2ce50fc42a40c55196fb34d7e7498c07ac
SHA256: ba00572a4f9b40157ee9f43c165af8fb095239fe853163005e8ca482bc270f9d
SHA512: 78aa4eda2cce84d3de63f58651b9eeb95476372e6038f8647e326ad4acda817a75ee50930d0f2660dba8ad0622959ecb86e566d7aa5f96fdbb8dd0d12835126a
-
Filesize: 230B
MD5: a4688edaf2def2f9ecb7e8c220f3de2f
SHA1: a14483444477d558a418bb8ece3de4403d4e69d2
SHA256: 03f61e9d00a48feba9cf0317fa7c8cebed5b3cb25d5dcf1bd87e1202bd06a178
SHA512: 850beecae69bce4273daf645827d9f9a386456e77429f49ab82c3adbb3b62446adf8edc90324f5463c8c34382d8e99edd38db33cc57bb849e2d20fcf8d115013
-
Filesize: 656KB
MD5: 7026c5c2deefd569ca62985fff08ae6f
SHA1: 5b46af69711e1a93ca2053edaece28a37dec0594
SHA256: efb120ed5a2cae5c0947fd03d160a178da26b20b36406c9b8909ae81ed2e13ee
SHA512: 092006716dc09d6883bc854cb0a310b8154ce8a1007213b8daefe1ce15a0897df28ad4ee171c92a1e8318bd7ac065966d51ea1e77eb5cdaf727a0604ad2135bc
-
Filesize: 193B
MD5: 19b062469fb937864622c1da5a2903c0
SHA1: f5f7aba496c79045dc9c281e488a3de85bda0c30
SHA256: 5152d241b15f07a021080a63a8fb37008df05c5872e4a848b6b334a7a5a5dda8
SHA512: 7dc79b56593551012cdda3f9f7db61e8a7a174f418f8d5a5fba40916a4db079392d9fff6518d3ec5784cab0522246bfb72b1de955b5f3209f8641f7830c6d7ba
-
Filesize: 793B
MD5: 3225b1b3eaa5e1f4877abaf407b6e83e
SHA1: 95ab5abe4ee59b878c2a51855076924621b1b8e3
SHA256: c28086e72ff84db7d5a6bb0d8f78387cef37ec403d1e53b9ee8bbbf5f3da5555
SHA512: beef4cfcc03a905fe467d255de5b015491802e3f1a9f19f8c986b98f0350fde88852a00fba90edcc2525b98b812b89d172910ca0081625a36a57cb991e2744d2
-
Filesize: 584KB
MD5: 29c1d5b330b802efa1a8357373bc97fe
SHA1: 90797aaa2c56fc2a667c74475996ea1841bc368f
SHA256: 048bd22abf158346ab991a377cc6e9d2b20b4d73ccee7656c96a41f657e7be7f
SHA512: 66f4f75a04340a1dd55dfdcc3ff1103ea34a55295f56c12e88d38d1a41e5be46b67c98bd66ac9f878ce79311773e374ed2bce4dd70e8bb5543e4ec1dd56625ee