Analysis

max time kernel: 145s
max time network: 122s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 29-12-2023 23:37

Static task: static1 (1 signatures)
Behavioral task: behavioral1
  Sample: 0724ac274c2aa56ae735cccf77b3f98e.dll
  Resource: win7-20231129-en
  9 signatures, 150 seconds
General

Target: 0724ac274c2aa56ae735cccf77b3f98e.dll
Size: 1.8MB
MD5: 0724ac274c2aa56ae735cccf77b3f98e
SHA1: de36f531d90ea25637d0601ef4aa0695120baedb
SHA256: c1c4df943e9c4ec308cef81052e29707a94810f3c3a018a0be8072d4e2a59cd5
SHA512: f488a0c0cac2bd9f594933a663cdda07d54643da5b51eeab5709107d584c60728dc1279c114644310a4b39e7824a41e65d051b0bac56b0c5356e8c5f3963330f
SSDEEP: 12288:RVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:gfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures

Processes (signature name not captured):
  resource: behavioral1/memory/1372-5-0x0000000002980000-0x0000000002981000-memory.dmp
  yara_rule: dridex_stager_shellcode
Executes dropped EXE 3 IoCs
Processes:
  pid   Process
  2572  StikyNot.exe
  1616  WFS.exe
  1864  msinfo32.exe

Loads dropped DLL 7 IoCs
Processes:
  pid   Process
  1372  (name not captured)
  2572  StikyNot.exe
  1372  (name not captured)
  1616  WFS.exe
  1372  (name not captured)
  1864  msinfo32.exe
  1372  (name not captured)
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Groztcac = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IECompatUACache\\dSHPu\\WFS.exe"
  Process: (name not captured)

Checks whether UAC is enabled
Processes:
  description        ioc                                                                                   Process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  WFS.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  msinfo32.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  StikyNot.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid   Process
  2364  rundll32.exe (3 entries)
  1372  (name not captured; all remaining entries are this pid)

Suspicious use of WriteProcessMemory 18 IoCs
Processes:
  description                       pid   Process              procid_target
  PID 1372 wrote to memory of 2508  1372  (name not captured)  29  (3 entries)
  PID 1372 wrote to memory of 2572  1372  (name not captured)  28  (3 entries)
  PID 1372 wrote to memory of 2692  1372  (name not captured)  31  (3 entries)
  PID 1372 wrote to memory of 1616  1372  (name not captured)  30  (3 entries)
  PID 1372 wrote to memory of 2436  1372  (name not captured)  32  (3 entries)
  PID 1372 wrote to memory of 1864  1372  (name not captured)  33  (3 entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0724ac274c2aa56ae735cccf77b3f98e.dll,#1
  PID: 2364
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses

C:\Users\Admin\AppData\Local\rAiq\StikyNot.exe
  command line: C:\Users\Admin\AppData\Local\rAiq\StikyNot.exe
  PID: 2572
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

C:\Windows\system32\StikyNot.exe
  command line: C:\Windows\system32\StikyNot.exe
  PID: 2508

C:\Users\Admin\AppData\Local\wAc7JV\WFS.exe
  command line: C:\Users\Admin\AppData\Local\wAc7JV\WFS.exe
  PID: 1616
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

C:\Windows\system32\WFS.exe
  command line: C:\Windows\system32\WFS.exe
  PID: 2692

C:\Windows\system32\msinfo32.exe
  command line: C:\Windows\system32\msinfo32.exe
  PID: 2436

C:\Users\Admin\AppData\Local\7NZBO\msinfo32.exe
  command line: C:\Users\Admin\AppData\Local\7NZBO\msinfo32.exe
  PID: 1864
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled