Analysis
- max time kernel: 150s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 29-12-2023 20:39

Static task: static1
Behavioral task: behavioral1
- Sample: 0363154b6154c58e1968193a92704afc.dll
- Resource: win7-20231215-en
General
- Target: 0363154b6154c58e1968193a92704afc.dll
- Size: 2.0MB
- MD5: 0363154b6154c58e1968193a92704afc
- SHA1: cefe766c0f88c2ca05a0d84ad75a7c65cf51f484
- SHA256: 5828977b2ceed7da8ad59af7255116b6eacb7624a0106f0604bc3ce29e4470be
- SHA512: 772f23f5b47f9802caad4d0f693dc5cba562eb2028e3a20aa0120989b5c5e0a88c6ce037e6cf3dfada990bd936d05fe0d56403f101fcc6639ac11a5e2af56ab6
- SSDEEP: 12288:3VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:+fP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config

Signatures
- YARA rule match (behavioral1)
  Processes:
  resource:  behavioral1/memory/1224-5-0x0000000002C50000-0x0000000002C51000-memory.dmp
  yara_rule: dridex_stager_shellcode
- Executes dropped EXE (3 IoCs)
  Processes: cmstp.exe, WindowsAnytimeUpgradeResults.exe, calc.exe
  pid   Process
  3008  cmstp.exe
  1504  WindowsAnytimeUpgradeResults.exe
  2204  calc.exe
- Loads dropped DLL (7 IoCs)
  Processes: cmstp.exe, WindowsAnytimeUpgradeResults.exe, calc.exe
  pid   Process
  1224  (process name not recorded in the report)
  3008  cmstp.exe
  1224  (process name not recorded in the report)
  1504  WindowsAnytimeUpgradeResults.exe
  1224  (process name not recorded in the report)
  2204  calc.exe
  1224  (process name not recorded in the report)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lgpbj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Hgj0xJjyBk\\WindowsAnytimeUpgradeResults.exe"
  Process: (not recorded in the report)
- Checks whether UAC is enabled
  Processes: rundll32.exe, cmstp.exe, WindowsAnytimeUpgradeResults.exe, calc.exe
  description        ioc                                                                                    Process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  cmstp.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  WindowsAnytimeUpgradeResults.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  calc.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: rundll32.exe
  pid   Process
  1936  rundll32.exe (3 entries)
  1224  (remaining 61 entries; process name not recorded in the report)
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes:
  description     pid   target PID  procid_target  entries
  wrote to memory 1224  2604        28             3
  wrote to memory 1224  3008        29             3
  wrote to memory 1224  580         31             3
  wrote to memory 1224  1504        33             3
  wrote to memory 1224  2548        34             3
  wrote to memory 1224  2204        35             3
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0363154b6154c58e1968193a92704afc.dll,#1
  PID: 1936
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\cmstp.exe
  Command line: C:\Windows\system32\cmstp.exe
  PID: 2604
- C:\Users\Admin\AppData\Local\Sty7\cmstp.exe
  Command line: C:\Users\Admin\AppData\Local\Sty7\cmstp.exe
  PID: 3008
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\WindowsAnytimeUpgradeResults.exe
  Command line: C:\Windows\system32\WindowsAnytimeUpgradeResults.exe
  PID: 580
- C:\Users\Admin\AppData\Local\b5RKrJx8\WindowsAnytimeUpgradeResults.exe
  Command line: C:\Users\Admin\AppData\Local\b5RKrJx8\WindowsAnytimeUpgradeResults.exe
  PID: 1504
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\calc.exe
  Command line: C:\Windows\system32\calc.exe
  PID: 2548
- C:\Users\Admin\AppData\Local\xsrtXrPyV\calc.exe
  Command line: C:\Users\Admin\AppData\Local\xsrtXrPyV\calc.exe
  PID: 2204
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Downloads