Analysis
max time kernel: 150s
max time network: 124s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 20-01-2024 10:27
Static task: static1
Behavioral task: behavioral1
Sample: 6a2f78fd728fdf56e1674632e7f5a5ed.dll
Resource: win7-20231215-en
General
Target: 6a2f78fd728fdf56e1674632e7f5a5ed.dll
Size: 1.5MB
MD5: 6a2f78fd728fdf56e1674632e7f5a5ed
SHA1: ff8ef932fc913e7f6affbaf71c85ef9e39651c7b
SHA256: 7cdb42626487138e394194e7d97f06affc9a4cba685fca6d1a496bd1765140f9
SHA512: 355a81750538976caaac04368d5bcfe05f31f8e22cf993a45e8ba54e113770c16a4ee36cf57f1b7b625bbd5d02b8c8c7d5e70f330e7861907844496ed23a9a44
SSDEEP: 12288:lVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:8fP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures

yara_rule match 1 IoCs
resource: behavioral1/memory/1220-5-0x0000000003950000-0x0000000003951000-memory.dmp
rule: dridex_stager_shellcode

Executes dropped EXE 3 IoCs
pid / process:
- 340 UI0Detect.exe
- 2576 msra.exe
- 2428 wisptis.exe

Loads dropped DLL 7 IoCs
pid / process:
- 1220 (process name not captured)
- 340 UI0Detect.exe
- 1220 (process name not captured)
- 2576 msra.exe
- 1220 (process name not captured)
- 2428 wisptis.exe
- 1220 (process name not captured)

Adds Run key to start application 2 TTPs 1 IoCs
description / ioc / process:
- Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\Srfjajs = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\f28\\msra.exe" (process not captured)

Checks whether UAC is enabled
description / ioc / process:
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rundll32.exe
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA UI0Detect.exe
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA msra.exe
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA wisptis.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs
pid / process:
- 1260 rundll32.exe (3 entries)
- 1220 (remaining 61 entries; process name not captured)

Suspicious use of WriteProcessMemory 18 IoCs
description / pid / target pid / target process (each pairing recorded 3 times):
- PID 1220 wrote to memory of 2492 UI0Detect.exe
- PID 1220 wrote to memory of 340 UI0Detect.exe
- PID 1220 wrote to memory of 1288 msra.exe
- PID 1220 wrote to memory of 2576 msra.exe
- PID 1220 wrote to memory of 1692 wisptis.exe
- PID 1220 wrote to memory of 2428 wisptis.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6a2f78fd728fdf56e1674632e7f5a5ed.dll,#1
  PID: 1260
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\UI0Detect.exe
  command line: C:\Windows\system32\UI0Detect.exe
  PID: 2492
- C:\Users\Admin\AppData\Local\U7W1KzRoy\UI0Detect.exe
  command line: C:\Users\Admin\AppData\Local\U7W1KzRoy\UI0Detect.exe
  PID: 340
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\msra.exe
  command line: C:\Windows\system32\msra.exe
  PID: 1288
- C:\Users\Admin\AppData\Local\BiEXiyRj5\msra.exe
  command line: C:\Users\Admin\AppData\Local\BiEXiyRj5\msra.exe
  PID: 2576
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\wisptis.exe
  command line: C:\Windows\system32\wisptis.exe
  PID: 1692
- C:\Users\Admin\AppData\Local\6TSM6N\wisptis.exe
  command line: C:\Users\Admin\AppData\Local\6TSM6N\wisptis.exe
  PID: 2428
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Downloads