Analysis
  max time kernel: 150s
  max time network: 122s
  platform: windows7_x64
  resource: win7-20231215-en
  resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  submitted: 20-01-2024 01:00
  Static task: static1
  Behavioral task: behavioral1
  Sample: 6913c976717f771261d42365e9ed8940.dll
  Resource: win7-20231215-en
General
  Target: 6913c976717f771261d42365e9ed8940.dll
  Size: 2.5MB
  MD5: 6913c976717f771261d42365e9ed8940
  SHA1: de6623f60ec96e264ee873aaf2ceeacf81313405
  SHA256: f3ca4c539c12c3d56e02f61e3aa2def83515305b89bcbe17274ac895313ad46a
  SHA512: 68ee9ec13b10596eb96f2fb0a0b66a93149c49ac922aff3830ff81234af5f6b8c4326aa188c3f26a43809d10f2cb40da40e7d01957459526b858ce5a21b3a934
  SSDEEP: 24576:zfP7fWsK5z9A+WGAW+V5SB6Ct4bnbcs+:DDW/e+WG0Vo6CtSn
Malware Config
Signatures
Processes:
  resource:  behavioral1/memory/1272-5-0x00000000029D0000-0x00000000029D1000-memory.dmp
  yara_rule: dridex_stager_shellcode
Executes dropped EXE 3 IoCs
Processes:
  pid 2840  osk.exe
  pid 2632  wbengine.exe
  pid 364   SystemPropertiesPerformance.exe
Loads dropped DLL 7 IoCs
Processes:
  pid 1272  (no process name recorded)
  pid 2840  osk.exe
  pid 1272  (no process name recorded)
  pid 2632  wbengine.exe
  pid 1272  (no process name recorded)
  pid 364   SystemPropertiesPerformance.exe
  pid 1272  (no process name recorded)
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fskzoiv = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IEDownloadHistory\\KVQ7cn49HUu\\wbengine.exe"
  process: (not recorded)
Checks whether UAC is enabled
Processes:
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  osk.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  wbengine.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  SystemPropertiesPerformance.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid 1964  rundll32.exe  (3 entries)
  pid 1272  (no process name recorded; all remaining entries)
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
  PID 1272 wrote to memory of 2732  target process: osk.exe  (3 entries)
  PID 1272 wrote to memory of 2840  target process: osk.exe  (3 entries)
  PID 1272 wrote to memory of 2540  target process: wbengine.exe  (3 entries)
  PID 1272 wrote to memory of 2632  target process: wbengine.exe  (3 entries)
  PID 1272 wrote to memory of 1712  target process: SystemPropertiesPerformance.exe  (3 entries)
  PID 1272 wrote to memory of 364   target process: SystemPropertiesPerformance.exe  (3 entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
  C:\Windows\system32\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6913c976717f771261d42365e9ed8940.dll,#1
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    PID: 1964

  C:\Users\Admin\AppData\Local\sqaZ7\osk.exe
    command line: C:\Users\Admin\AppData\Local\sqaZ7\osk.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    PID: 2840

  C:\Windows\system32\osk.exe
    command line: C:\Windows\system32\osk.exe
    PID: 2732

  C:\Windows\system32\wbengine.exe
    command line: C:\Windows\system32\wbengine.exe
    PID: 2540

  C:\Users\Admin\AppData\Local\xQu\wbengine.exe
    command line: C:\Users\Admin\AppData\Local\xQu\wbengine.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    PID: 2632

  C:\Windows\system32\SystemPropertiesPerformance.exe
    command line: C:\Windows\system32\SystemPropertiesPerformance.exe
    PID: 1712

  C:\Users\Admin\AppData\Local\Y4PRBO\SystemPropertiesPerformance.exe
    command line: C:\Users\Admin\AppData\Local\Y4PRBO\SystemPropertiesPerformance.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    PID: 364
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 1KB
  MD5: 2bf62b235ab0a21be522f0ef6c8eda3e
  SHA1: de35da9db87d8f833f278a93ad18df5c006f0fcb
  SHA256: a2d7b9bc28b54f1a7be608232250d68848ebe1b595072f655ae816f26e3f163d
  SHA512: 62fa4d5e55bbca88e5abc25949ac34a5f0185f2ae919118ad834fb6b4661674e2e38f382d83a2542703ac5ae3a8673fe6c76c7f698b7763bb5158edab9d68797

  Filesize: 68KB
  MD5: 74bd95429d5383e61874dad934730c21
  SHA1: 5000c16c2dd3f337d25315dc935db93a3bd51119
  SHA256: f984ac688b17d9fae0fc811ce9a3f0d10eefd9189b7efa7fbecfa3869b314e27
  SHA512: e4908a422586927b65d79366b554a20b24eadf835015929869de8ec09d11be96cf84abaabbe2b9f601c98ee032fabf71db0cc777b812471af558446534687c73

  Filesize: 40KB
  MD5: ad9722789e5ab34bd33286d1d7e2e9d6
  SHA1: c0106ac69144502be89179dd0f19e3476172eb9e
  SHA256: 1b4c3a8c45d6af7541e81cef0877c18bda3e43681881563cdfddc6e1ff6e5735
  SHA512: d262ec76c0062bbbf347d26e065f9b8e2be03cd752b55e687247ecca5c5ac6ece7ba2001681b96ae51c156c7c1ef6c73d4375b523ab1e2b4af34b2d2d0814336

  Filesize: 110KB
  MD5: 94db4f643fdbceaed6936c7a0a074b79
  SHA1: 69998bb161ae3e65a7f8fc569d4975e8d9858174
  SHA256: 580db80103977869c05569b0b74a36b18822d4eb641a76b10e3aa4d94deab4b1
  SHA512: 3130fe329f4062dc5c00feac1fe075c1210793683d6ecd8fe46aa3455e63807510f34946681a27c6f2475c579f4b465c4dfe70faf1a7cc137a4b3b1a734c4b32

  Filesize: 65KB
  MD5: 82612ccff43b4bebd91d9be898bb905c
  SHA1: 08d8fccd8cd426736c0dbf8557390c95b03d1b0a
  SHA256: ba6b30151a1b797b0057ff50b368dbfc0074038efdf61171d6dc1055abcf18a3
  SHA512: 18b72581f4dc265d4c3966023508a1aac6bb76c4ae51d68a52ab29d18c7510b565765df6f1a7c1474191a1a768139dcb172d8b8eebf4c8fb860b8e0eae153c60

  Filesize: 136KB
  MD5: 265b903c98fcaff6ed48b82e9b2627d9
  SHA1: 496b54a8e23731c1ec3fbe89cde134d9196df133
  SHA256: e1fec0c9177b0aee052c7017a87cc73a36740617831fb6bd126b21030dddd9cf
  SHA512: 33dbf14321a4a8363b01412ad26c719cb144aab88fd3b3178a3ab9166a7fc5818be94398f78d8cc38a4d42c1c56ce6ce56ce8160e7e0095414b06307272bf9a9

  Filesize: 1KB
  MD5: 966f7a7d8a2a143c2af2c974c8b6ef19
  SHA1: 9c56fc1d48f5c24be522e8f2cc19a77ac97388c7
  SHA256: 3f80d06d08f23d2eb6da4bcb62cf1d5f5af62c3774c83c4079b5483b193b3c00
  SHA512: 8b9195f8b26f55803741186f1b0a17f6704dff24b8caa6c86f47015514a0268143d85eea53c1a25cc661257f0f67bd3f0f25f446c8a3465d929ffb8a245d9d2d

  Filesize: 92KB
  MD5: 0e0bacce676a25aadcf28e49650761c2
  SHA1: cd8e77787fdff7f3af285ee4a2fe826b205994d2
  SHA256: dbfb61dbbce53afa43499ffa833ba1deaa141ad3d4551344b74dfa6a7f85d7ba
  SHA512: 3f505d7d6ba42bf7fd6cbe225b27089eed91565f8523c625568ab483399b4e2f0ffca59e86778b179ff68b3143eb1078756ab347a49877990040ccbb9f1c75f4

  Filesize: 99KB
  MD5: a76c3ac80448aadf2c712820e5bd3788
  SHA1: d23bfb2be8b63eefa70f2f0da3a70f1946a7f5df
  SHA256: bc0b7c0c6054854c5d81972ddd19467589e13d987612490afcb2305673faca5f
  SHA512: aeabf290f8ba234c88fdfb4862372f70e1f56ec378df4542a887ba65506cc414dd66cf23bd024cda04f053c220f6a25622fda6aff10d3eb9de329579dc9ab019

  Filesize: 1KB
  MD5: 77a4b3f3109d2eeddb0970ed422aa097
  SHA1: 4a005d623b99e448809b3828f3c37b3c91f8c7c5
  SHA256: 948bf86a8c4a53a80b161eff70f0024a9a9b28a94ce7348dd28fba94f3149a0c
  SHA512: 7b4e9de20ec264ecf4756108b9fc2719cf006b26f8481a4121cdd0c99457a6bc8066f2a38b7252fbe53c4c126a40af1e7c7198850cc05bac15c1546c70e02434

  Filesize: 2.5MB
  MD5: 33dc3f101a3dd47cd9d27487ed4f0c89
  SHA1: f3337514e88b278750e800bc6913b130ad82d74c
  SHA256: 0dc27192b4b5b64fa48e2af7de154d164e787d05d64b90add64d010ae504c6d7
  SHA512: 73178ec64ff165ac5ca39834ce0035b254fa72bd85e7bed3b8bb0add969d91ecf1709716afaee0af6405f8cc11097b0bcccb45f4fc364dcccb787ae765d1a937

  Filesize: 2.5MB
  MD5: 294380421a493ab1a2fbee72b2d34308
  SHA1: b2571b067328f5cd842585bba832d5a4ebd498e5
  SHA256: ed7384fd815236dbe2884caad341932453a7d0207fa5a7839f32032cfac7ed01
  SHA512: 5ba1340fca5534d09de2fa98226c957b21738e655ad859590668b540a0658fd2f9a1bd5c2481c0a1da7a542c23c58a4c55d9b31982f9f0cdbd38c21bc4512ed1

  Filesize: 2.5MB
  MD5: ff94c2777d864da474251275a67a6a21
  SHA1: 27cf58296d4d74217588073018aaf596d04b3324
  SHA256: 2998641fc3542ad418739e98697718594f28dc8eea0d9bd8adb8b9545082260d
  SHA512: 982dd91511c6d4d1a01acaf139600b7a81fe8f2756bc99963cdc038d7b619492a9115ead099480bc4f528888a4d133cd1c37453872f8662dc46ce78e69d5fb9f

  Filesize: 45KB
  MD5: d858aa91301e807f3d361ff0f9cc184f
  SHA1: 451c4b6353b780e7c4bde3f94c3710cf94008ed7
  SHA256: d9a24787844f5d387b336f9cb390f1743acb9e9247cdeb1fa55b6ac7222e0507
  SHA512: 7cf63a2b5dd39cecca5e2d419ff0975d0747c872f1fb8b92263e36a45d7bb5032ce719b5a89d9cfcda9e2a961bc300013fe972d4c0271466e82ce946e2511ab5

  Filesize: 44KB
  MD5: 2c78be1298c249d6c50a3105c5ab0d91
  SHA1: f51bf8e2b7f395e38ea34476d3f2adab69a2efc2
  SHA256: 55a4b6983566e2d444068127b9226a3431144506b609723a29bee8f23321446f
  SHA512: 1ce3d2b7119ff0bdb498178e84d7ea07729199dbe04681df591af77ccf9c4309e0e30a3dacb223d85a24db4f206e42efcfa905599c875cfe831227f3c6f49acd

  Filesize: 53KB
  MD5: d39c9934e9c3afc06b325055bf1c1467
  SHA1: b39c6e547f200b77b7336a45eda6067cafe16b8b
  SHA256: 32392eb6f8e0d41e363f943191f00e2b952bad593c935188047f0feb03fd2237
  SHA512: 26e71c6b236151b8a93ff36e4d1cd792ae8f4a188c40f1e2cf87ee737aa82aaa4630641cc7a92f15aa9d9c6afcf60e78583cd70df388845e97fcfe1218e1574f

  Filesize: 1KB
  MD5: cbbaf202fbf1b2933fe2e757e4999acb
  SHA1: e8bf1f6ee44a5e344e3707b48001b7583f5b0e75
  SHA256: 89bf6ace53974e3a014dac5105d88c0723e7ccab24acf7bd148cd182fc73a97b
  SHA512: b30b1c5849f60f9d17e1e4ed7c341ba4b7a83ddca8720bd7cc7baa1fa6daf77d09ed68c938eac070170cd1b57d95f3813c5a374d4f66d647c7e54415609ac125

  Filesize: 45KB
  MD5: 83f261e4ff09b931b2ad336102616cb1
  SHA1: 8b3877159d4e72c79f8d204500b015eb34c84c60
  SHA256: 67a944af02e0dc98d6bd47c9bb5b69b55e738947fa5894f25cce201001f32d4d
  SHA512: 6f2e09def7f60c676ec1364fdfba5f7d124aa06e9e3d819391d0a653afb418e606b5c38523b98a37a9afa40a73254b29aa723def80e336e36ba1d67c8636254f

  Filesize: 114KB
  MD5: 4b687288782ed067b8385b1ae0ba1040
  SHA1: dbb9e216f72f5f8fbb5c36b0ddaf43622532bb66
  SHA256: 669a123f8ba35da35caaa9a830c2b28e5158cb834b36f39b4e8984e6bbe56ad2
  SHA512: bee16120a3207a572031e3c4e324fc5ea1ed971f0161d0044011344887ed23078d0bfe9a355d3e9bce8ee0cd0d1ff768f5a879a7e0bea4b7e5d8e2068693ea76

  Filesize: 80KB
  MD5: 870726cdcc241a92785572628b89cc07
  SHA1: 63d47cc4fe9beb75862add1abca1d8ae8235710a
  SHA256: 1ab77fa1ee0cbe59ca185c228c3c11abeba2b2008a162c91a06d3c40542e7fc6
  SHA512: 89b961c2a2716fe0800e54e0206c8b349a26f1bc2a463ec9bd12f3ab22bfcb13e6402b4c20ddcf284d838a3c66e73335af8f6dc4554d76646382e387242c6f72