Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-01-2024 12:26
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 679f5677802f338adc80c1c2058b5f66.dll
  - Resource: win7-20231215-en
General
- Target: 679f5677802f338adc80c1c2058b5f66.dll
- Size: 1.4MB
- MD5: 679f5677802f338adc80c1c2058b5f66
- SHA1: de3198e8574810a74dea319fa5f3646b2ed05b64
- SHA256: 7c001fa46c93bc6147cf0e2fafbbf52213c1ec82788aa9bba51c89bb12cfe90f
- SHA512: 1720b8eb1a8c1f0d35519c30089acf516f79bb4071636862b53d47a97a79f650dff53f823a7209a6099b884b4f898eedd1a7747d5b00fc21d268e8cd5561e11d
- SSDEEP: 12288:SVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:PfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
-
YARA rule match
Processes:
  resource: behavioral2/memory/3440-5-0x0000000003EB0000-0x0000000003EB1000-memory.dmp
  yara_rule: dridex_stager_shellcode
-
Executes dropped EXE 3 IoCs
Processes:
  pid   process
  3412  ApplySettingsTemplateCatalog.exe
  2632  tabcal.exe
  2728  sethc.exe
-
Loads dropped DLL 3 IoCs
Processes:
  pid   process
  3412  ApplySettingsTemplateCatalog.exe
  2632  tabcal.exe
  2728  sethc.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kqgfxymewp = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\USERPI~1\\IMPLIC~1\\aEo3fsR\\tabcal.exe"
  Note: the value uses 8.3 short names; it expands to C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\aEo3fsR\tabcal.exe, the same directory in which the dropped HID.DLL listed under Downloads is written.
-
Checks whether UAC is enabled
Processes:
  description        ioc                                                                                    process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  sethc.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  ApplySettingsTemplateCatalog.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  tabcal.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid   process
  1464  rundll32.exe (4 entries)
  3440  (no process name recorded; all remaining entries)
-
Suspicious use of UnmapMainImage 1 IoCs
Processes:
  pid   process
  3440  (no process name recorded)
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
  description                       pid   process  target process
  PID 3440 wrote to memory of 1676  3440  (none)   ApplySettingsTemplateCatalog.exe  (listed twice)
  PID 3440 wrote to memory of 3412  3440  (none)   ApplySettingsTemplateCatalog.exe  (listed twice)
  PID 3440 wrote to memory of 4736  3440  (none)   tabcal.exe  (listed twice)
  PID 3440 wrote to memory of 2632  3440  (none)   tabcal.exe  (listed twice)
  PID 3440 wrote to memory of 2436  3440  (none)   sethc.exe  (listed twice)
  PID 3440 wrote to memory of 2728  3440  (none)   sethc.exe  (listed twice)
  Note: pid 3440 carries no process name anywhere in this report; it is the process whose memory region matched the dridex_stager_shellcode rule above and the source of every WriteProcessMemory event listed here.
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\679f5677802f338adc80c1c2058b5f66.dll,#1
  PID: 1464
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\ApplySettingsTemplateCatalog.exe
  Command line: C:\Windows\system32\ApplySettingsTemplateCatalog.exe
  PID: 1676
- C:\Users\Admin\AppData\Local\QNNvZfuco\ApplySettingsTemplateCatalog.exe
  Command line: C:\Users\Admin\AppData\Local\QNNvZfuco\ApplySettingsTemplateCatalog.exe
  PID: 3412
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\sethc.exe
  Command line: C:\Windows\system32\sethc.exe
  PID: 2436
- C:\Users\Admin\AppData\Local\HTwag5\sethc.exe
  Command line: C:\Users\Admin\AppData\Local\HTwag5\sethc.exe
  PID: 2728
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Users\Admin\AppData\Local\en22fNB\tabcal.exe
  Command line: C:\Users\Admin\AppData\Local\en22fNB\tabcal.exe
  PID: 2632
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\tabcal.exe
  Command line: C:\Windows\system32\tabcal.exe
  PID: 4736
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\aEo3fsR\HID.DLL
  Filesize: 1.4MB
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\pAs2YrOylhZ\ACTIVEDS.dll
  Filesize: 1.4MB