Analysis
- max time kernel: 150s
- max time network: 117s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 20-01-2024 12:24
Static task: static1
Behavioral task: behavioral1
- Sample: 6a6b1b2cfc389798b42fa591a501875a.dll
- Resource: win7-20231129-en
General
- Target: 6a6b1b2cfc389798b42fa591a501875a.dll
- Size: 4.0MB
- MD5: 6a6b1b2cfc389798b42fa591a501875a
- SHA1: a0139d22265f40b8571722655d128c58f500d50b
- SHA256: 0aecdf55017f43fa0c4a2c407c639d854fb2fddd9400e047d573b163596ef7f5
- SHA512: 652b3db7e0e0f19e7362f08ce418290fbec37c7e66a2ee6a5b8abd644caa056d6c5c4372a35eb607d40f0f3b60847130e29dc42a945d34c5147a3a2375b11813
- SSDEEP: 24576:mfP7fWsK5z9A+WGAW+V5SB6Ct4bnbxXM0:qDW/e+WG0Vo6CtSn6
Malware Config
Signatures
-
YARA rule match in process memory
- resource: behavioral1/memory/1376-5-0x0000000002AE0000-0x0000000002AE1000-memory.dmp
- yara_rule: dridex_stager_shellcode
-
Executes dropped EXE (3 IoCs)
- pid 2880: BdeUISrv.exe
- pid 2932: PresentationSettings.exe
- pid 1612: TpmInit.exe
-
Loads dropped DLL (7 IoCs)
- pid 1376 (process name not recorded in the report)
- pid 2880: BdeUISrv.exe
- pid 1376 (process name not recorded in the report)
- pid 2932: PresentationSettings.exe
- pid 1376 (process name not recorded in the report)
- pid 1612: TpmInit.exe
- pid 1376 (process name not recorded in the report)
-
Adds Run key to start application (2 TTPs, 1 IoC)
- description: Set value (str)
- ioc: \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Groztcac = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\DNTException\\Low\\6qzS02ZGQEk\\PresentationSettings.exe"
- process: (not recorded in the report)
-
Checks whether UAC is enabled (4 IoCs)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: TpmInit.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: rundll32.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: BdeUISrv.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: PresentationSettings.exe)
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- pid 1328: rundll32.exe (3 entries)
- pid 1376: process name not recorded in the report (the remaining 61 entries)
-
Suspicious use of WriteProcessMemory (18 IoCs)
Each row below is listed three times in the report; the writing process (pid 1376) has no process name recorded.
- PID 1376 wrote to memory of 2748, target process BdeUISrv.exe (x3)
- PID 1376 wrote to memory of 2880, target process BdeUISrv.exe (x3)
- PID 1376 wrote to memory of 2856, target process PresentationSettings.exe (x3)
- PID 1376 wrote to memory of 2932, target process PresentationSettings.exe (x3)
- PID 1376 wrote to memory of 1904, target process TpmInit.exe (x3)
- PID 1376 wrote to memory of 1612, target process TpmInit.exe (x3)
-
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6a6b1b2cfc389798b42fa591a501875a.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 1328
- C:\Windows\system32\BdeUISrv.exe
  Command line: C:\Windows\system32\BdeUISrv.exe
  PID: 2748
- C:\Users\Admin\AppData\Local\78FYwIu\BdeUISrv.exe
  Command line: C:\Users\Admin\AppData\Local\78FYwIu\BdeUISrv.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2880
- C:\Windows\system32\PresentationSettings.exe
  Command line: C:\Windows\system32\PresentationSettings.exe
  PID: 2856
- C:\Users\Admin\AppData\Local\kLV\PresentationSettings.exe
  Command line: C:\Users\Admin\AppData\Local\kLV\PresentationSettings.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2932
- C:\Windows\system32\TpmInit.exe
  Command line: C:\Windows\system32\TpmInit.exe
  PID: 1904
- C:\Users\Admin\AppData\Local\S1xY\TpmInit.exe
  Command line: C:\Users\Admin\AppData\Local\S1xY\TpmInit.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1612
Network
MITRE ATT&CK Enterprise v15
Downloads
-
- Filesize: 47KB
  MD5: 1da6b19be5d4949c868a264bc5e74206
  SHA1: d5ee86ba03a03ef8c93d93accafe40461084c839
  SHA256: 00330a0e0eb1dbb6ee84997963f8e15c7c15c1df787f1c7f109609d7b31bd35c
  SHA512: 9cee858c55eb0852e5bad53a675a094ae591b46b07afe9fb4224cac32e0be577fe36c1ed3e9f6bda4d4eb0c924a773d00e3181cd97f07e24c6c68c70f2b002c6
- Filesize: 150KB
  MD5: d0938eafa3aa38ec4042d798cf02009a
  SHA1: 2386635f38732b139df7f5f1644425b17740f5c7
  SHA256: f95401c58cdd855647715d6028f7d20906b733db4509ea8e0178407f5be3ced9
  SHA512: f091166901ac32d7a2db5b1fd6d558fefcd9dfeb1ecb8ca81e7f19a34de81223aaf5bc35460ba06c09955fce53a1a531fa8bdd2a621bc127384bf5a365a6f010
- Filesize: 54KB
  MD5: 8dfe271a2eee0e62cbd6265b7e6e0eaa
  SHA1: 6475b3db24a6bd213615102e74d84a80b30943ce
  SHA256: c7eee6438f1e09bf57f2883c5f04f23c6d43911d2e218eabd75d2d3a1f4c7907
  SHA512: 6617f4a7926de203751d703caca5581536ba22502f9d051b05dc2b19e308721ab87db1b464d1add3e33e73cf9cbea025f0c77bd49287dd165116f57f0d38c8bc
- Filesize: 92KB
  MD5: f84bc948f77db38303ecfe1f92e39d73
  SHA1: 66492270dbce27b7ac06239cfbaf042ce9280bdb
  SHA256: dff9f2bc2d3bc7444d7952566a0b7e3d73d69ab56387336860c1fff13f4ac72d
  SHA512: 155d65559f7d7431629a2b6355957d15c9e82f529cb93aeab2652df28abe88ff8b6495967c4ef26c3fe9157acfe966c647037fa6368e83f2af38a460d8b6b418
- Filesize: 1KB
  MD5: 9881ef3b0061047d87a3c953cada7ba5
  SHA1: 636b68dd77eb9f60ad317f09efc5ca25ef9d33d7
  SHA256: 2b35c8ef24690e7452cc443d4c5efac92ea831eec1240ec171c1f329279f26a2
  SHA512: c28c31a2bad27bd02930156c8b31810bfc362b42eaf39ad007eea5fb1e6a4898d6a50507279d2ca39faf4aaaa849b5333983c6cce378fddfc2e762699ce8d67b
-
- Filesize: (not recorded in the report; these are the well-known digests of empty input)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
- Filesize: 104KB
  MD5: 468d2c71bbfd85067a5dfe0b0e51f391
  SHA1: 5042fa756c67a0ab7bc3cb4a7233735de611264b
  SHA256: 07a6f7e5849f70f8b4515aecfa399ca3fce6811c7a4202f9d46d676cb15a99ff
  SHA512: 0a843d455510fb573c0d40b8c280024cb123fa0ea3303bf55d80690c4e0ad63c20f75f52d656d51374055cae75174d192494619e5d993b74ab33311122c33377
- Filesize: 1KB
  MD5: 6af3e4b186d76a6e4394b00e7479f4a3
  SHA1: ea018f48d27fc13335767ff4784ce8da81bf0143
  SHA256: 3d7e3012b04da7ca139f0b5786f50a679d69975916638f6ef05a56667f7ad218
  SHA512: 36ba2a0b13f320e5ebd84ff8941f6e25b8cba471012cb487edd131305a00aac6b86f032d883b63cc84f58499f22983cb333961778b81257c5e76449dfb356728
- Filesize: 28KB
  MD5: 79a1353d496f07f627cb487c588ea6da
  SHA1: e8e0c725b1b01f3984d3d12d8b202dda554998cc
  SHA256: 4a96af6c8dceff06d888ad3d73edba02bdf41452301708bee4906adaf936f308
  SHA512: a1e8201e9d528f7eac80371342ad0a8924e75e397f8086899e0d657c831b3ed1d45f61a746f2f171266ca6d5a80411d89ee186d1a7b32d362896606109d1ac85
- Filesize: 19KB
  MD5: 40837885276d2e7ee109a8e5fb3c810e
  SHA1: 0d69bb43bceddf249e9d23c04f6d63070d89651b
  SHA256: adecd79c7125dec9f4f34aba7d81a2158c4f1bfb1ce4ac3c937ebce332c0eff9
  SHA512: d928080c65cec0e3c99631393694cd01d45561ec398019596b14920a76e7bf4b732ae36d808292264acc546d1c22b80b540750c168d28e32e5c44cf46a5780d5
- Filesize: 259KB
  MD5: a9ec62a845004ec7d3448e8d5411575c
  SHA1: a20790b48be83a45ceb349416a78b5d9e34983a3
  SHA256: deddcc236ffe1dbfc556355073792dcda5f82796009226feef43d26c13188b09
  SHA512: 8855d120f418bfba4aaba8ee88e062a41ffce7ec3b76c1e346e2cd3df19938c4fde6b58c2752fc65af80af23e6264cb639345a146cd3eddc2a424293436eb397
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\7PV2N4\WTSAPI32.dll
  Filesize: 76KB
  MD5: 0652b3de3cf062d5383811c999ea413c
  SHA1: 808094b5ea7891d91522b729693ea034f1c1c565
  SHA256: 66a0d7df9ab3152078526d178dd4672c71d061919b0e95b1bc939f62f9dc443e
  SHA512: 4e49bb1ad3587daa3bcc3d51aaa21c7e54532c0e31259586ef192435adf81e71ddcea71deb76edd79a567a114b84c18821b71deac5ecbf33e14a00a11100da5e
- Filesize: 116KB
  MD5: 0ed044f01d09402b5d18e434a4f80f27
  SHA1: 0eba20f35ee69cf7fec1cc11aac8a2850007c455
  SHA256: 98cb94003307f35c2a627afc90754bea7343266a2fd5b36983ac3936d1f4aaaf
  SHA512: 9c8c47dbfc4bf8af3bf7fee277204f454e51707725f44623c2e3e6698d4b5a03fff21bc3b8895e75ae0e21ade7043b19737591f366ea7ac8f0fdcaa3c595dda4
- Filesize: 119KB
  MD5: 33dc2ce41ff9f725adebbbc23c0689e8
  SHA1: 84aea24a4d475e74cda12952c8f58cbda9406502
  SHA256: dabe8f9d76546415ddbe9de7f7e37212955d264ae59fb22e1ce0382d07ed3c05
  SHA512: dcffda46aa6540588319ae6ac85da90c18f87bba77738e62bf1d3ed12526047fc0a6425b5add07b15cd98610576ed9bf21b92a8c34f68fcd73db2550a762e74f
- Filesize: 85KB
  MD5: 60998f8a5e6a44be228dd1e9252008a4
  SHA1: 62e67c590cdfbf95310b00f0c1cdb2cfa815de10
  SHA256: 54a6767aef6e416039eb69fdd1477f6506df2ea4fe4a1c4186a283036c5a032f
  SHA512: 0e206622b2a0bf47b681d243141967973be0f60958896eb96a4b03a4560097ff4d2acc1f6c57ad87da30a8ab98969ad14e9dec2f8f52538c8f7a2015cd9dc70e
- Filesize: 88KB
  MD5: f43111e470dc3ff167058422c7058255
  SHA1: b9078991697074f2d0c15585e4a205ceaa2a563b
  SHA256: a2ebeb1eb46d03e7cf29f0255db9ec4857917af2905f52421a2fea72797576ee
  SHA512: 4696d8eb1485b16eb6d0f6d94b9444f3344b83eecb11b9cd2066c2c5a2534325abee3769cc0c77f114096cd23fc70a88356af25561235aa27995222ef41c3f1b
- Filesize: 70KB
  MD5: b78e5ed769649523be9cd7e66dbae9eb
  SHA1: a6fbae94665dd0cbdf72130f954a5b42644dda68
  SHA256: 7ef3160c3a03e77f12df97e1733696c84060ba9b43ff0d6e299ec8c98f4d1d43
  SHA512: 493815eb4d185b948c108d7c4fb23eee2304a59f3cd124145e64093cd16add028f291a66cc1247656ccebc10e5a460224ef0cc5890d8513311f5dfc7e03baae1
- Filesize: 13KB
  MD5: 823c5c9c82be14e0f57c116d633a25ad
  SHA1: cfb9785cbf9cb784d18a3e0a09d24d99d19c73b9
  SHA256: 229fe92cb27bc94b3492ed294ef1117a77ede1310baf58f86b5bf9762b13d51f
  SHA512: e441563aabf6470e7d4687ca61b5ce7aa8fdce73fa56d1ff8629c25801d0ab1d396760c5a085cb7197c04eb645c71a89bb8e777919d7e68083af25bde51e565b