Analysis

max time kernel: 150s
max time network: 120s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 20-01-2024 03:30

Static task: static1
Behavioral task: behavioral1
Sample: 69602855143bf25085262765aa2cd991.dll
Resource: win7-20231215-en
General

Target: 69602855143bf25085262765aa2cd991.dll
Size: 1.7MB
MD5: 69602855143bf25085262765aa2cd991
SHA1: 0d84b772f3bb26d79fb722330554563a667b4c04
SHA256: 14c81cca53cfefe7eaaad66283b38b081c7e31c5bda2f3f0e0386f68f1d6c216
SHA512: b4801df13a886b77038eae6b4472dc8e4665c3cd2a3ada39e9bd25c921d0832ba76fcb68ede443c9cce5199225d09bcd173341629b1bb6ed810c708b22f8a912
SSDEEP: 12288:9VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:kfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config

Signatures

YARA match
Processes:
resource: behavioral1/memory/1144-5-0x0000000002E10000-0x0000000002E11000-memory.dmp
yara_rule: dridex_stager_shellcode
Executes dropped EXE 3 IoCs
Processes:
pid   process
2604  wbengine.exe
2008  consent.exe
2140  PresentationSettings.exe

Loads dropped DLL 7 IoCs
Processes:
pid   process
1144  (no image name in report)
2604  wbengine.exe
1144  (no image name in report)
2008  consent.exe
1144  (no image name in report)
2140  PresentationSettings.exe
1144  (no image name in report)
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rtxtioiynm = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\UserData\\Low\\re5Aa\\consent.exe"
process: (not recorded in report)

Checks whether UAC is enabled 4 IoCs
Processes:
description        ioc                                                                                        process
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  wbengine.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  consent.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  PresentationSettings.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid   process
1940  rundll32.exe (3 entries)
1144  (no image name in report; 61 entries)

Suspicious use of WriteProcessMemory 18 IoCs
Processes:
description                  target pid  target process
PID 1144 wrote to memory of  2292        wbengine.exe (3 entries)
PID 1144 wrote to memory of  2604        wbengine.exe (3 entries)
PID 1144 wrote to memory of  2752        consent.exe (3 entries)
PID 1144 wrote to memory of  2008        consent.exe (3 entries)
PID 1144 wrote to memory of  2136        PresentationSettings.exe (3 entries)
PID 1144 wrote to memory of  2140        PresentationSettings.exe (3 entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\69602855143bf25085262765aa2cd991.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 1940

C:\Windows\system32\wbengine.exe
  command line: C:\Windows\system32\wbengine.exe
  PID: 2292

C:\Users\Admin\AppData\Local\lTs00iZw\wbengine.exe
  command line: C:\Users\Admin\AppData\Local\lTs00iZw\wbengine.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2604

C:\Users\Admin\AppData\Local\Pft\consent.exe
  command line: C:\Users\Admin\AppData\Local\Pft\consent.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2008

C:\Windows\system32\consent.exe
  command line: C:\Windows\system32\consent.exe
  PID: 2752

C:\Users\Admin\AppData\Local\vaHG\PresentationSettings.exe
  command line: C:\Users\Admin\AppData\Local\vaHG\PresentationSettings.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2140

C:\Windows\system32\PresentationSettings.exe
  command line: C:\Windows\system32\PresentationSettings.exe
  PID: 2136
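Detection logic for the behaviour recorded in the process tree and signatures above, written here as an added example; it is not part of this sandbox report and not any vendor's rule set. It encodes three observations: rundll32.exe calling ordinal export #1 of a DLL under AppData\Local\Temp; wbengine.exe, consent.exe and PresentationSettings.exe each launched by PID 1144 once from System32 and once from a random-looking directory under AppData\Local (a pattern consistent with DLL search-order hijacking, given the WINMM.dll and XmlLite.dll drops listed further down); and a Run value whose target is under AppData\Roaming written with 8.3 short-name components. The event records are constructed to mirror the report; the field names, the directory markers, the parent PID of rundll32.exe (not recorded above, set to 0) and the PID on the registry event (not recorded, set to 0) are assumptions. PID 1144 stays unnamed, as in the report.

```python
import ntpath
import re
from dataclasses import dataclass

# Assumed directory markers (lower-case, backslash form); not taken from the report.
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\users\\public\\")
RUN_KEY_SUFFIX = "\\software\\microsoft\\windows\\currentversion\\run"


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    parent_pid: int
    image: str      # full image path
    cmdline: str


@dataclass(frozen=True)
class RegEvent:
    pid: int
    key: str        # key path without the value name
    value_name: str
    data: str


def in_system_dir(path):
    return ntpath.dirname(path).lower() in SYSTEM_DIRS


def in_user_writable(path):
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def check_rundll32(ev):
    """rundll32 invoking an ordinal export (",#N") of a DLL in a user-writable directory.
    The regex assumes an unquoted path without spaces, as in the report's command line."""
    if ntpath.basename(ev.image).lower() != "rundll32.exe":
        return None
    m = re.search(r"(\S+\.dll),#(\d+)", ev.cmdline, re.IGNORECASE)
    if m and in_user_writable(m.group(1)):
        return "pid %d: rundll32 calls ordinal #%s of %s" % (ev.pid, m.group(2), m.group(1))
    return None


def find_sideload_pairs(events):
    """Same parent launches a System32 binary and a same-named copy from a user-writable
    directory. The copy resolves DLLs from its own directory first, so a DLL planted
    beside it with a system DLL's name is loaded instead of the real one."""
    groups = {}
    for ev in events:
        groups.setdefault((ev.parent_pid, ntpath.basename(ev.image).lower()), []).append(ev)
    hits = []
    for (parent, name), evs in groups.items():
        legit = [e for e in evs if in_system_dir(e.image)]
        copies = [e for e in evs if not in_system_dir(e.image) and in_user_writable(e.image)]
        for c in copies:
            if legit:
                hits.append("parent %d: %s from System32 (pid %d) and from %s (pid %d)"
                            % (parent, name, legit[0].pid, ntpath.dirname(c.image), c.pid))
    return hits


def check_run_key(ev):
    """Run value pointing into a user-writable path; 8.3 short names (MICROS~1) in the
    data are an extra tell that is surfaced in the hit text."""
    if not ev.key.lower().rstrip("\\").endswith(RUN_KEY_SUFFIX):
        return None
    target = ev.data.strip('"')
    if not in_user_writable(target):
        return None
    note = " [8.3 short names]" if "~" in target else ""
    return "pid %d: Run\\%s -> %s%s" % (ev.pid, ev.value_name, target, note)


def scan(procs, regs):
    hits = [h for h in (check_rundll32(p) for p in procs) if h]
    hits += find_sideload_pairs(procs)
    hits += [h for h in (check_run_key(r) for r in regs) if h]
    return hits


# Constructed events mirroring the report. 1144 is the unnamed parent from the report;
# rundll32's parent and the registry event's process are not recorded there (0 here).
SAMPLE_PROCS = [
    ProcEvent(1940, 0, r"C:\Windows\system32\rundll32.exe",
              r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\69602855143bf25085262765aa2cd991.dll,#1"),
    ProcEvent(2292, 1144, r"C:\Windows\system32\wbengine.exe", r"C:\Windows\system32\wbengine.exe"),
    ProcEvent(2604, 1144, r"C:\Users\Admin\AppData\Local\lTs00iZw\wbengine.exe",
              r"C:\Users\Admin\AppData\Local\lTs00iZw\wbengine.exe"),
    ProcEvent(2752, 1144, r"C:\Windows\system32\consent.exe", r"C:\Windows\system32\consent.exe"),
    ProcEvent(2008, 1144, r"C:\Users\Admin\AppData\Local\Pft\consent.exe",
              r"C:\Users\Admin\AppData\Local\Pft\consent.exe"),
    ProcEvent(2136, 1144, r"C:\Windows\system32\PresentationSettings.exe",
              r"C:\Windows\system32\PresentationSettings.exe"),
    ProcEvent(2140, 1144, r"C:\Users\Admin\AppData\Local\vaHG\PresentationSettings.exe",
              r"C:\Users\Admin\AppData\Local\vaHG\PresentationSettings.exe"),
]
SAMPLE_REGS = [
    RegEvent(0,
             r"\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run",
             "Rtxtioiynm",
             r"C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\UserData\Low\re5Aa\consent.exe"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_PROCS, SAMPLE_REGS):
        print(hit)
```

The pairing rule in find_sideload_pairs is the high-signal one: a signed Windows binary running from AppData on its own is noisy in some estates, but the same parent first executing the System32 original and then a copy of it from a user-writable directory is rarely benign. On a real host the next step is to list the copy's directory and hash any DLL there against the Downloads list below.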
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 457KB
MD5: de793ecfebf3134cb30854751f14049d
SHA1: 0a994e261d8f2f1919f4849c63a6bd68baa3bb11
SHA256: 9cda479bb5867caeaceac15ec22dc6c1afc57fae7ec9dce0ef69b3733440a226
SHA512: 9e6c27a81b155f0c40237c4915e2ea6b25ccbd8ce9efa06761de7c68c09e2933d30ee1895e1bf18919ef589bedb2084e95bc5889180e116a8364ee33b9f96b82

Filesize: 109KB
MD5: 0b5511674394666e9d221f8681b2c2e6
SHA1: 6e4e720dfc424a12383f0b8194e4477e3bc346dc
SHA256: ccad775decb5aec98118b381eeccc6d540928035cfb955abcb4ad3ded390b79b
SHA512: 00d28a00fd3ceaeae42ba6882ffb42aa4cc8b92b07a10f28df8e1931df4b806aebdcfab1976bf8d5ce0b98c64da19d4ee06a6315734fa5f885ecd1f6e1ff16a7

Filesize: 149KB
MD5: c222dfca16df96d9dbd2b37c2f090eec
SHA1: 13a18827d0dadb644d5052450a6e284b6222253b
SHA256: 3081ad0b27ed1c87c548436842134d641077d0bb57358f75a05a1b2711b3a309
SHA512: e6c9dd7eb4ff41bd967802e8dc1caf04f74a11c40ebf2afaf94e0f2f858ae98e82d0deb5e87b40c9eb8df1d4c1a26cb29ce728796274dc5a6c976ffd65952b0f

Filesize: 285KB
MD5: 90b0b571ed73aec49271dca4bb9fddec
SHA1: 59322db363f47b2369c6d6315018ff2e8a4535a3
SHA256: d818199ff812108644d9fe7adec3e65dbd028dd00a48a3d16fd247ac0fba3fd9
SHA512: bcdf3aca7693cc71a1298ca683e71edd71b2418306f948f3a13995854d03296e28b0278b03988fb92df64f517b79a38e830d10f6f153fe02434bcfd4b4e20469

Filesize: 118KB
MD5: c14e2e2a14c31d16b728b1e74fd670e1
SHA1: 0cf65ad861cf96b2c92182f418fe2dabecfacb85
SHA256: 224bcf9315bdc7e5b0c0da13b485692aec21ae17d68bd7f3e5c3692d272eac93
SHA512: 0a4eb749e13a0a6ac49889b337136da949e2b6a00452fe45b90167ce60998907b8525634a3004c6f792a05494a790ee127a2ca13cbb53a888feb5264ffd36184

Filesize: 172KB
MD5: a6f8d318f6041334889481b472000081
SHA1: b8cf08ec17b30c8811f2514246fcdff62731dd58
SHA256: 208b94fd66a6ce266c3195f87029a41a0622fff47f2a5112552cb087adbb1258
SHA512: 60f70fa8a19e6ea6f08f4907dd7fede3665ad3f2e013d49f6649442ea5871a967b9a53ec4d3328a06cb83b69be1b7af1bb14bf122b568bd1f8432ee1d0bfee69

Filesize: 29KB
MD5: 3f683d4d5672f3faba37eca24845d161
SHA1: b7b38cd750a253b2a9faa15251107b99c1c972c4
SHA256: f5d4919e83f63f7c0f3580e93b99088800a01b960d8ddc799aea70105a3edaea
SHA512: 5dbb651b8511ffb6f3ea98faf60d6cd43c82d826d6f08126823828034cc45a5bb2e8d0a83ac44c27aeec0a57fed373f8cff895b7aae86f675181a5bafbfd115c

Filesize: 119KB
MD5: ccfd429ca3005cf9cd36dd624041e723
SHA1: d2bbf8d30bac51715f1abb8febe88d45505993aa
SHA256: eef34e76813816c6e943a7dbb5d1d2e88c09d7c2264ffee1cfb13f6b74eb1519
SHA512: 7eea10c0ad6b45cdff2ba8409d13d99565383cce6790a7b2b11e6e59bed4c66a2554452dff0e757b670ef3a2617cbe75be5acd24d3005cc21965c10f70a900ad

Filesize: 1KB
MD5: 51d79a6710733ea51904f935a9c1c806
SHA1: 4894210655499ae9b1bb96e0a88427ff8b4be195
SHA256: b7ec7eecf8072770def8cbae00e6cacaf67cf1ee13a225412733f0ef11df2484
SHA512: ac1384c1e430aa923d20a92d51169da015c4e65e9cd7e0e30658f71bac8891d39205d1b3558ea3c875f940b6ef1be8d595d58e2581a2cd07f42cc2ab9cf89bb1

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\02csxhV5MJI\WINMM.dll
Filesize: 1.7MB
MD5: e3ada2a571cae3ea7051aad7a760fb1b
SHA1: 28024a3bef8a167a5d1d071de7d4115da1e85976
SHA256: 34f5f22c44efb87d79f6bec8ab1fe2911f2dcc8930262c7b0f52490a63d1ce7b
SHA512: 3b6aca4fadf0aaa55f947290237a8d53f6faa54b708d605f5288f26f6d66cf4461b858f1d11efb68a99b21b26f5cadd53f3e14aa00a9e8676428f68a56339a9a

Filesize: 1.7MB
MD5: 7718b3192329489add3592629d195bd5
SHA1: e35c92cf96a71c39a8fc5f6902746baa3854f890
SHA256: cdc6e61aceedbbbd9b36f62ae851bc921c37b93e992a1fd2d27afa9c107d3c6f
SHA512: 120fbc64f181a693e564b768bd22fce163c4b8834e2c86a1848091e33b1b375a41f1660470ebded8c2d665246d2a03d450d51e11b4c98e0cff013b5e5f80fa06

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\SmlmOHTivqg\XmlLite.dll
Filesize: 1.7MB
MD5: faefe20267490a71cb73415e32b71da7
SHA1: 84fb53c7c106677a72bf52323e4f70e57166f505
SHA256: edf2c2648783c2060e249cd6c4497c3604c1afa2c3865e3b08cbb1e94762a708
SHA512: adf8e4f6e617c16b2f0bdbdc0e1b5cda8c5b2904e25c8fa7aa4b5eff3c23d606aa22680d542a6ed3bf72f353cdf9056b626f6d6f676ad7e4b554ee789c16dd5b

Filesize: 297KB
MD5: fe140709d168f6df98547e1d31946b1d
SHA1: 99297cf10d813dfd3f7c066dc6bfc5ccbe76c1c3
SHA256: 779a50583ea637da2cf4b485cc4ce6304a0067909b9dca1c5b5ffea6d3cf4012
SHA512: 7fb0e313be8b2050d28be7c59714ea0ecb1a065d19c1529335a4e1eca4d87f722365d031f0bed580f492ae49ab0d8066c026e76761f7c4e4435835b09bc5986c

Filesize: 195KB
MD5: 2766d208c99ff5f47554c773c6668c05
SHA1: db4febeb9e254f1e1c8f464454e6b2f8a69d80f3
SHA256: c846f8df7a804faef01fb1f61f98859c0b9867cf43a6af3a6730659a596cebec
SHA512: 04054780b52dbce46f3dfab10abe701efa0659972212502cf718f414ae774cd5fd5d003ee088d5c95affc114a90cc3a93998ec4bf984eb516a1cc633c8d47ab2

Filesize: 199KB
MD5: a826e27365f3b8d4fd3c380b4b38fc9a
SHA1: 9919d60c56f21247cdef3965646e068e55a19de1
SHA256: 9f9fd60693cb31d1c68f7e5f6ba48a56034e309465216e21fd98b9334760cf8f
SHA512: 8d1018cbda66c7c81a7c2fe12e7e0d1f378872e55c70522933f608b3a535604b8c034811a2ea75eb4704c443e153d04d5c186f78d87f0a056ca2c209e2e0b459

Filesize: 147KB
MD5: 26d28fdf51c9e067e818a7951b02e386
SHA1: 4746575fffe1acabcd5e4af9219c425ba83c6ad5
SHA256: 9f17625d96c538bed5cb4242eb06866b3af5827a979ff91a4de476eac1515309
SHA512: 3adf7c5b37715a18a1a1a9ec67a99fb2c13daa9b538f117edf19a6119ac6b3ca762bb38ff71f4242183281a4fb4bb93f03c67546d4f56de9bc3f243f26ef6ec3