Analysis
- max time kernel: 188s
- max time network: 35s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 27-12-2023 13:02

Static task: static1
Behavioral task: behavioral1
- Sample: b122a91caaad5f9133a910107ab182f2.dll
- Resource: win7-20231215-en
General
- Target: b122a91caaad5f9133a910107ab182f2.dll
- Size: 728KB
- MD5: b122a91caaad5f9133a910107ab182f2
- SHA1: df8ac36b8382ec1a7cd5c52decdca2330fc57af1
- SHA256: f2ded2615a9ec37198c3ae0042de5ddb999eda4d0d89b5469d20c4b047e8759f
- SHA512: f9a9311958fbffcfbf5a6b71168add5e585a0d09daa4e748617aed1180eef1c0bbd997adda57561ed21106f4d4e62c64d99fa5dee4ce7dafcc3ba452a4b709f5
- SSDEEP: 12288:G6BBWGJW6eC85Df97+yXUj7SncCxj8iHGo59S1WQSCtEdFO7YKJf6:G6BQBjlc728jo7S1bl6FbK
Malware Config
Signatures

- YARA rule dridex_stager_shellcode matched in process memory
  resource: behavioral1/memory/1188-5-0x0000000002220000-0x0000000002221000-memory.dmp
  yara_rule: dridex_stager_shellcode
  The dump is taken from PID 1188, the process that writes into every child process listed under WriteProcessMemory below.

- Executes dropped EXE (3 IoCs)
  pid   Process
  1676  SystemPropertiesPerformance.exe
  1052  wusa.exe
  768   tcmsetup.exe

- Loads dropped DLL (7 IoCs)
  pid   Process
  1188  (process name not shown in the report)
  1676  SystemPropertiesPerformance.exe
  1188  (process name not shown in the report)
  1052  wusa.exe
  1188  (process name not shown in the report)
  768   tcmsetup.exe
  1188  (process name not shown in the report)

- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\Xkgbzoakajt = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\YU\\wusa.exe"
  The value points at a wusa.exe copy under the user's Roaming profile, a location the user can write to without elevation; the process tree shows the same copy-a-system-binary pattern at run time.

- Checks whether UAC is enabled
  description        ioc                                                                                  Process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  SystemPropertiesPerformance.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  wusa.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  tcmsetup.exe

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  2828  rundll32.exe (3 entries)
  1188  (remaining 61 entries; process name not shown in the report)

- Suspicious use of WriteProcessMemory (18 IoCs; each row appears three times in the report)
  description                         pid   procid_target
  PID 1188 wrote to memory of 1984    1188  29
  PID 1188 wrote to memory of 1676    1188  30
  PID 1188 wrote to memory of 1180    1188  31
  PID 1188 wrote to memory of 1052    1188  32
  PID 1188 wrote to memory of 1832    1188  33
  PID 1188 wrote to memory of 768     1188  34
  For each of the three binaries the targets alternate between the System32 original and the copy under AppData\Local (see the process tree).

- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b122a91caaad5f9133a910107ab182f2.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 2828

- C:\Windows\system32\SystemPropertiesPerformance.exe
  command line: C:\Windows\system32\SystemPropertiesPerformance.exe
  PID: 1984

- C:\Users\Admin\AppData\Local\uT6bhFB\SystemPropertiesPerformance.exe
  command line: C:\Users\Admin\AppData\Local\uT6bhFB\SystemPropertiesPerformance.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1676

- C:\Windows\system32\wusa.exe
  command line: C:\Windows\system32\wusa.exe
  PID: 1180

- C:\Users\Admin\AppData\Local\dwhYGTu\wusa.exe
  command line: C:\Users\Admin\AppData\Local\dwhYGTu\wusa.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1052

- C:\Windows\system32\tcmsetup.exe
  command line: C:\Windows\system32\tcmsetup.exe
  PID: 1832

- C:\Users\Admin\AppData\Local\23bjN\tcmsetup.exe
  command line: C:\Users\Admin\AppData\Local\23bjN\tcmsetup.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 768

The report lists all seven processes at the same depth (none is shown as a child of rundll32.exe). The sample is invoked by export ordinal (#1) from %TEMP%, and each of the three Windows binaries is run once from System32 and then again from a freshly named directory under AppData\Local, where the copy is flagged as a dropped EXE that loads a dropped DLL. The files captured under Downloads include SYSDM.CPL and TAPI32.dll, library names that SystemPropertiesPerformance.exe and tcmsetup.exe load by name; a copy of a signed system binary placed beside a DLL with the name it resolves is the DLL search-order hijacking pattern, and the copied binary, not the sample itself, is what ends up running the payload.
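Added example, written for this page and not taken from the sandbox vendor or from the report: Python hunting rules that express the three behaviours above (rundll32 calling an export by ordinal from a DLL in a user-writable path, a System32 binary name executing from AppData, and a Run value pointing into AppData), plus a pass that pairs each System32 launch with its user-writable copy. The rules run over constructed events modelled on this process tree; the Event schema, the SYSTEM_BINARIES set, the pid on the registry event and the two benign noise events are assumptions.

```python
"""Hunting rules for the behaviour recorded in this report, run over constructed
sample events. Added example; not code from the sandbox vendor or the report."""
import ntpath
import re
from dataclasses import dataclass

# Directories from which Windows' own binaries are expected to execute.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Anything under a profile's AppData is writable without elevation.
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\", re.IGNORECASE)
# rundll32 invoked on a DLL by export ordinal, as in "...\sample.dll,#1".
RUNDLL_ORDINAL = re.compile(r"rundll32(?:\.exe)?\s+(?P<dll>[^\s,]+?\.dll),#\d+", re.IGNORECASE)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.IGNORECASE)

# Assumption: on a real host this set is built from a listing of System32 on a
# known-good machine; here it is constructed for the example.
SYSTEM_BINARIES = {"systempropertiesperformance.exe", "wusa.exe", "tcmsetup.exe",
                   "rundll32.exe", "notepad.exe"}


@dataclass
class Event:
    """Minimal process-start / registry-set record (schema is an assumption)."""
    kind: str            # "process" or "registry"
    pid: int = 0
    image: str = ""      # full path of the executable (process events)
    cmdline: str = ""
    key: str = ""        # registry value path (registry events)
    data: str = ""       # registry value data


def user_writable(path: str) -> bool:
    return bool(USER_WRITABLE.match(path))


def in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def rule_rundll32_ordinal_user_dll(ev: Event):
    """rundll32 calling an export by ordinal from a DLL in a user-writable path."""
    if ev.kind != "process":
        return None
    m = RUNDLL_ORDINAL.search(ev.cmdline)
    if m and user_writable(m.group("dll")):
        return ("rundll32_ordinal_user_dll", ev.pid, m.group("dll"))
    return None


def rule_relocated_system_binary(ev: Event):
    """A binary that ships in System32 executing from a user-writable copy."""
    if ev.kind != "process":
        return None
    name = ntpath.basename(ev.image).lower()
    if name in SYSTEM_BINARIES and not in_system_dir(ev.image) and user_writable(ev.image):
        return ("relocated_system_binary", ev.pid, ev.image)
    return None


def rule_run_key_user_dir(ev: Event):
    """Run value whose target lives under AppData rather than Program Files."""
    if ev.kind != "registry" or not RUN_KEY.search(ev.key):
        return None
    if user_writable(ev.data.strip('"')):
        return ("run_key_user_dir", ev.pid, ev.key)
    return None


RULES = (rule_rundll32_ordinal_user_dll, rule_relocated_system_binary, rule_run_key_user_dir)


def hunt(events):
    """Apply every rule to every event; returns (rule, pid, detail) tuples."""
    hits = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                hits.append(hit)
    return hits


def paired_launches(events):
    """System32 binaries that run both from their real path and from a
    user-writable copy in the same capture: the report's hijack pattern."""
    seen = {}
    for ev in events:
        if ev.kind != "process":
            continue
        name = ntpath.basename(ev.image).lower()
        if name not in SYSTEM_BINARIES:
            continue
        slot = seen.setdefault(name, {"system": [], "user": []})
        if in_system_dir(ev.image):
            slot["system"].append(ev.pid)
        elif user_writable(ev.image):
            slot["user"].append(ev.pid)
    return {n: s for n, s in seen.items() if s["system"] and s["user"]}


# Constructed events modelled on the process tree and Run key in this report.
SAMPLE_EVENTS = [
    Event("process", 2828, r"C:\Windows\system32\rundll32.exe",
          r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\b122a91caaad5f9133a910107ab182f2.dll,#1"),
    Event("process", 1984, r"C:\Windows\system32\SystemPropertiesPerformance.exe",
          r"C:\Windows\system32\SystemPropertiesPerformance.exe"),
    Event("process", 1676, r"C:\Users\Admin\AppData\Local\uT6bhFB\SystemPropertiesPerformance.exe",
          r"C:\Users\Admin\AppData\Local\uT6bhFB\SystemPropertiesPerformance.exe"),
    Event("process", 1180, r"C:\Windows\system32\wusa.exe", r"C:\Windows\system32\wusa.exe"),
    Event("process", 1052, r"C:\Users\Admin\AppData\Local\dwhYGTu\wusa.exe",
          r"C:\Users\Admin\AppData\Local\dwhYGTu\wusa.exe"),
    Event("process", 1832, r"C:\Windows\system32\tcmsetup.exe", r"C:\Windows\system32\tcmsetup.exe"),
    Event("process", 768, r"C:\Users\Admin\AppData\Local\23bjN\tcmsetup.exe",
          r"C:\Users\Admin\AppData\Local\23bjN\tcmsetup.exe"),
    # pid 0: the report does not record which process set the value.
    Event("registry", 0,
          key=r"\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\Xkgbzoakajt",
          data=r"C:\Users\Admin\AppData\Roaming\Microsoft\YU\wusa.exe"),
    # Constructed benign noise: a per-user app and an autorun under Program Files.
    Event("process", 4100, r"C:\Users\Admin\AppData\Local\Programs\Editor\editor.exe",
          r"C:\Users\Admin\AppData\Local\Programs\Editor\editor.exe"),
    Event("registry", 0, key=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
          data=r"C:\Program Files\Vendor\updater.exe"),
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
    print(paired_launches(SAMPLE_EVENTS))
```

The EnableLUA query is deliberately not a rule: reading that value is common in legitimate installers and would alert on its own. The Run-key rule also fires on per-user software that installs into AppData\Local, so in practice it is the pairing of a Run value with a relocated System32 binary name, which paired_launches surfaces, that makes the hit actionable.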
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 736KB
  MD5: a10dafdc447283f38823e97445bb0715
  SHA1: 7a8604b56d4d92f134e9f9f22b112589746b0613
  SHA256: 42e8a2a36f1fe9f6948696d9907f0866e6823c666777f28fde29f4cba44a4f81
  SHA512: 4ac57dbdd358157e2fc99b89e8bcb7703e9b5ec9452f1af3d489fcb70710b77b3dc9269d1607ba42b61a2a7976eb97c5a208c64b571d853022cacefc5834d3dd

- Filesize: 732KB
  MD5: 13caaa94ecd7fc7747b65ed2b12031b1
  SHA1: b649ea8b1cc9bd697f53a22f1a7c7b791c538949
  SHA256: b8793c85b611e20711edc20870845196ef0a2456abe6050a0ed8577e1302a4ce
  SHA512: 599d2b86400b60b2a57362e897d24b5001b3ffb4bf68de64d1fa73820861d771d6aa21d89b45d16a55003faa94357361dd7ba0b9c51486fedd2831e590f83f0e

- Filesize: 732KB
  MD5: d410067acd1b165ba2c7bb13e4c87f7b
  SHA1: 72de35b155e505c9983626024a8c5e5830a0295e
  SHA256: e708a9ae513715b4f2a1dcac55a1eb0528bcdb5c228d4fbb3047147385338a05
  SHA512: 7a43d973e93a82046370d3ee9e80f8a7ccdda6fba5e8bfeef7766b7d31aa745ea004ee2c0d6beb61f5aff1513e9fb9d781f973562ca72de37834a456765ca69d

- Filesize: 80KB
  MD5: 870726cdcc241a92785572628b89cc07
  SHA1: 63d47cc4fe9beb75862add1abca1d8ae8235710a
  SHA256: 1ab77fa1ee0cbe59ca185c228c3c11abeba2b2008a162c91a06d3c40542e7fc6
  SHA512: 89b961c2a2716fe0800e54e0206c8b349a26f1bc2a463ec9bd12f3ab22bfcb13e6402b4c20ddcf284d838a3c66e73335af8f6dc4554d76646382e387242c6f72

- Filesize: 1KB
  MD5: 3a68295874964b48796955813ce9b7a6
  SHA1: 955fa74ab3c5b577bdd9753fef90bb2df483db87
  SHA256: 8efa420c7e4ccdddda0fdd646615df1768f17fd7c3356961381f5f00ba470980
  SHA512: 2d2b6ea3ee78540fa20d29802df6c10ff570659132a0d5f9a0703f89a6eaf7345f377e90a64b9599e56e938da1975e76c08d389c8bc0229b7ea8cdc9b2b94918

- C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\yFHsBZI9b\TAPI32.dll
  Filesize: 449KB
  MD5: 3e5044fa5597f21bd0bc9cb2a002bb64
  SHA1: 0609f90f33db3ed3139bdd0800b3612d0f79e1a8
  SHA256: c5191eb223716ea02c403b9d1eb276d2b98b7774ea99164edc141c34ba7be235
  SHA512: 20f80f4bbc47df23777db8d0945a0f1dbafdcc80696ddfdbab54d0002ed2a29f57108d39ccacc717298c36d639ef32ff6267e8ecdccced93e269d068e6d5c9ce

- C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\9vd3NH4t\SYSDM.CPL
  Filesize: 192KB
  MD5: ce3dd7dc00d7ebe3fe2b45d2a66b726d
  SHA1: bd2b67f99f97b8d376cfbcaaac8d0b321038816c
  SHA256: 02515cef327a9647c59453b2c5b1686f1cd27eb065ea3106b78589961b850de0
  SHA512: dcf4a65804d84c7516c49edf367d2f7af2916e3817479a8bc9b8389af33cbef57eda7232f3e410f77a47664a731aca7850e6ee0a8b07ad038251e687e197bfa0

- Filesize: 472KB
  MD5: 902fcc4fc8799c8f1f391d4f54ce6429
  SHA1: 8204c8e3e352a1968940d11b598c8218efb9afd3
  SHA256: e92b9c6c75b4ac8c6b81c6b8358a37615c9a51164918591a326c3b6301f6cb28
  SHA512: c96353ffe52a689f1352a5f22812b9192787ff41c116e2be9d4d4d2c6513d1d8f3b9441f5bcfa9bc0396a04c35907ff8648f4d39289118c7375dfb1106ceef99

- Filesize: 15KB
  MD5: 0b08315da0da7f9f472fbab510bfe7b8
  SHA1: 33ba48fd980216becc532466a5ff8476bec0b31c
  SHA256: e19556bb7aa39bbd5f0d568a95aec0b3af18dda438cc5737f945243b24d106e7
  SHA512: c30501546efe2b0c003ef87ac381e901c69ddfc6791c6a5102cff3a07f56555d94995a4413b93036821aa214fc31501fa87eb519e1890ef75b2ec497983ffd58

- Filesize: 300KB
  MD5: c15b3d813f4382ade98f1892350f21c7
  SHA1: a45c5abc6751bc8b9041e5e07923fa4fc1b4542b
  SHA256: 8f067da98eb3ea9f1db2f0063ff54e07d992fbf051779b467e222639be4127e3
  SHA512: 6d028fe81fe45d0ef291741513ecf939e412912647347d4d5bad89571f33e1084dc0fd26eb7313c7191f938c3f50243f453e2690e2475fc3f5539a20c2ff2f3c