Analysis
- max time kernel: 150s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 20-01-2024 16:15

Static task: static1
Behavioral task: behavioral1
Sample: 6ae01647123bf97071130c123fe77e97.dll
Resource: win7-20231129-en
General
- Target: 6ae01647123bf97071130c123fe77e97.dll
- Size: 1.6MB
- MD5: 6ae01647123bf97071130c123fe77e97
- SHA1: b60d8943baf640b7bbc58e9f3639db832e430d2f
- SHA256: 2432a727b7612212c6c75b5114e832254e05720df6fd9d38b7993973e74efd9f
- SHA512: 79c82da530496865a77cd0bce988fe1e9e6b85ea71a951b478fbac3ff45ff86fe30c7aac23c5bcb33932e8ac9ff94899f33a40233fdaaf32b45ec66efdacc9c2
- SSDEEP: 12288:FVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:cfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
- YARA rule match
  Processes:
  resource | yara_rule
  behavioral1/memory/1368-5-0x0000000002550000-0x0000000002551000-memory.dmp | dridex_stager_shellcode
- Executes dropped EXE 3 IoCs
  Processes:
  pid | process
  2516 | TpmInit.exe
  1904 | dpnsvr.exe
  1988 | BdeUISrv.exe
- Loads dropped DLL 7 IoCs
  Processes:
  pid | process
  1368 | (unnamed in report)
  2516 | TpmInit.exe
  1368 | (unnamed in report)
  1904 | dpnsvr.exe
  1368 | (unnamed in report)
  1988 | BdeUISrv.exe
  1368 | (unnamed in report)
- Adds Run key to start application 2 TTPs 1 IoCs
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mjgqrtoi = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\1gPy\\dpnsvr.exe" | (unnamed in report)
- Checks whether UAC is enabled
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | TpmInit.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | dpnsvr.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | BdeUISrv.exe
- Suspicious behavior: EnumeratesProcesses 64 IoCs
  Processes:
  pid | process
  1420 | rundll32.exe (3 entries)
  1368 | (unnamed in report; the remaining 61 entries)
- Suspicious use of WriteProcessMemory 18 IoCs
  Processes:
  description | pid | process | target process
  PID 1368 wrote to memory of 2628 | 1368 | (unnamed in report) | TpmInit.exe (3 entries)
  PID 1368 wrote to memory of 2516 | 1368 | (unnamed in report) | TpmInit.exe (3 entries)
  PID 1368 wrote to memory of 1656 | 1368 | (unnamed in report) | dpnsvr.exe (3 entries)
  PID 1368 wrote to memory of 1904 | 1368 | (unnamed in report) | dpnsvr.exe (3 entries)
  PID 1368 wrote to memory of 2824 | 1368 | (unnamed in report) | BdeUISrv.exe (3 entries)
  PID 1368 wrote to memory of 1988 | 1368 | (unnamed in report) | BdeUISrv.exe (3 entries)
- Uses Task Scheduler COM API 1 TTPs
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6ae01647123bf97071130c123fe77e97.dll,#1
  Signatures: Checks whether UAC is enabled; Suspicious behavior: EnumeratesProcesses
  PID: 1420
- C:\Windows\system32\TpmInit.exe
  Command line: C:\Windows\system32\TpmInit.exe
  PID: 2628
- C:\Users\Admin\AppData\Local\Cw0\TpmInit.exe
  Command line: C:\Users\Admin\AppData\Local\Cw0\TpmInit.exe
  Signatures: Executes dropped EXE; Loads dropped DLL; Checks whether UAC is enabled
  PID: 2516
- C:\Users\Admin\AppData\Local\jY3\dpnsvr.exe
  Command line: C:\Users\Admin\AppData\Local\jY3\dpnsvr.exe
  Signatures: Executes dropped EXE; Loads dropped DLL; Checks whether UAC is enabled
  PID: 1904
- C:\Windows\system32\dpnsvr.exe
  Command line: C:\Windows\system32\dpnsvr.exe
  PID: 1656
- C:\Users\Admin\AppData\Local\S02ojB\BdeUISrv.exe
  Command line: C:\Users\Admin\AppData\Local\S02ojB\BdeUISrv.exe
  Signatures: Executes dropped EXE; Loads dropped DLL; Checks whether UAC is enabled
  PID: 1988
- C:\Windows\system32\BdeUISrv.exe
  Command line: C:\Windows\system32\BdeUISrv.exe
  PID: 2824
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 465KB
  MD5: dccc4ca5ea32372436872bd40463a8e5
  SHA1: 19fadba5723e77096e4ab1c580a1299524fc01ec
  SHA256: 083919c8ad03c137b966c6bec7ba22857514765f50731d53413bd7196e48fdbd
  SHA512: 5a2531e3a6bd71b75c9041e44e6baae609c9fe443dee8155122ce0e751ccd24c2666cc13d5cfd620cfbcdc49da22b5b6dafc409be4d2c18789ebba5a0b39c8bc
- Filesize: 112KB
  MD5: 8b5eb38e08a678afa129e23129ca1e6d
  SHA1: a27d30bb04f9fabdb5c92d5150661a75c5c7bc42
  SHA256: 4befa614e1b434b2f58c9e7ce947a946b1cf1834b219caeff42b3e36f22fd97c
  SHA512: a7245cde299c68db85370ae1bdf32a26208e2cda1311afd06b0efd410664f36cafb62bf4b7ce058e203dcc515c45ebdef01543779ead864f3154175b7b36647d
- Filesize: 47KB
  MD5: 1da6b19be5d4949c868a264bc5e74206
  SHA1: d5ee86ba03a03ef8c93d93accafe40461084c839
  SHA256: 00330a0e0eb1dbb6ee84997963f8e15c7c15c1df787f1c7f109609d7b31bd35c
  SHA512: 9cee858c55eb0852e5bad53a675a094ae591b46b07afe9fb4224cac32e0be577fe36c1ed3e9f6bda4d4eb0c924a773d00e3181cd97f07e24c6c68c70f2b002c6
- Filesize: 195KB
  MD5: a79a3e86930c6026eae93a4342c73b1b
  SHA1: f76744988a076e89e01962c7acb869393bcf3d00
  SHA256: b122443a6a845b1ea7c293743c365e4fee9a4a761589de7f4921eb592dc3cbdc
  SHA512: efdebdc873372b7c219aabda35c5cc9827a326c2ca1db613199238646e0680cc5616eb61721afd5be111182b66ed176354e80b9033d9b66a3e26d2a7031b6f86
- Filesize: 277KB
  MD5: f0463bc7a559dc0abca68cdd7987b25f
  SHA1: ef5876158de7cd2efba8aa30ef87b3593aa9248f
  SHA256: 172bc5c0b189261c4c031cd1578ecd25115f30b7bb23ab34f6e2fb139f23dd6b
  SHA512: 98507190aece9081d44c470c2d4c53e90dc75f3b38ed6d194553374ee9d868e943850db0faebe9dd9ce8cabb6673204e624e3598442ed6a09ef5d0ace0934511
- Filesize: 1KB
  MD5: 7cb62f51179ae60df59468f7e1edac53
  SHA1: 780a16a7d029520365dc92108060e29fd857d21c
  SHA256: a7cd31e621d7e81a36a885a734c721634cb20d3b10d57f8c7e65b948237e1beb
  SHA512: d58ce1b22af6d9f38586e8430b000208a797e708285e1abf492a2443c70784ba88e923114634d8fd2295b639deab7196d3b878394de6c16185f8a97858c17c34
- C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\thuZCOJ9jta\Secur32.dll
  Filesize: 1.6MB
  MD5: bf189627646280052add855725891120
  SHA1: 1a824b1ba042cdccb78e57ef328125c9546a4d02
  SHA256: 5f3d38f5b66ba1e80b3c7340cb5b779854a17d20a4440d9acddccce628e629d4
  SHA512: 718523caa7e08c59e7220eeeddee91479a727a795f089cb156313d14b7e1b01a1a2d63aa4aad3b41ce5bdc2842ee38a486ce00319fe7d81426d2d9d1b23230ed
- Filesize: 1.6MB
  MD5: a0a809302f24c4c09ec411342183132c
  SHA1: c8021fc93fc6a336cfe45b4a71adc23a8740435e
  SHA256: b6ef55a3f9f0b148fbc12be1609da8b39907bb4a2b95801d220fb93746076266
  SHA512: 1f7b7955b50515b335f498359de08b17a340e127145f817d3d719cf2e9d0a4084da3091da781313f6cd2f79cfcd76d65eb06ffe761d5b0f2e57d73e6e40d0f4c
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\MX\WTSAPI32.dll
  Filesize: 1.6MB
  MD5: 3c9b51f9b30a3d678ec7963a71f9eddb
  SHA1: 44d5a4bcadc8821f77ae38726423ff84af4f5589
  SHA256: 6c1e735470113cffc72b268c9227c0954473534540aae56d6b759cfd80dd916c
  SHA512: 19484fbde74b60e3fd76f8313457f449f3f5ccc907724aade986e335e07d87a55815bee533e838f19f489e9ab5b8b75ee3948c29035df5d23bb85dd838edb04d
- Filesize: 40KB
  MD5: 2ea1934c7b1f3b431cd48dd0b5b99fcc
  SHA1: 82d5301c5fef81097cf9b7c951890f8af0242d2c
  SHA256: f9c325fa1d38e247be6a16c5ee455f13526b5598beba2ab15dd43644e7a7356c
  SHA512: f1adff3181b7ce7b63cacdc85cbbe9c209d06f108638db7796c9ed35c6c8fec372b5c4a1de2f1aecc847ae9286e59166c63e52c6b9046b5f4af0d17119eb1ba0
- Filesize: 277KB
  MD5: e2c81c91a813cf58492e42505565382e
  SHA1: fddac3b24fbc5f82b3d30b276e4fd5dd84f89c56
  SHA256: 4f81dee6f412a6b2949ee1e69f8ff834596e1c13e57070bc459bdf28fd2a5890
  SHA512: 23996a8fa6254b5840e237f73a198cbeb746d928ef900a1b29cb549f9588e86152913960c55ffe57f2201d6dfe807046d552eecd6aaf2dd2fa88ef156ec4cc33
- Filesize: 133KB
  MD5: 9d349ebc4a163d3ce66171036541719f
  SHA1: e2faf709171933e9e6bd99433338db228f36070f
  SHA256: f284333a59194ce4128683a9e39586fae8ef9b4fec2311856e4748e9a83e1f02
  SHA512: 908cf7665f27e8eeebea242895cdfcc406593972d0bd3c819079e2724089ba003f24ed73c72d5f9357a0db474fc7726a02c569e05c28f3c526bb20e97b9567ef
- Filesize: 33KB
  MD5: 6806b72978f6bd27aef57899be68b93b
  SHA1: 713c246d0b0b8dcc298afaed4f62aed82789951c
  SHA256: 3485ee4159c5f9e4ed9dd06e668d1e04148154ff40327a9ccb591e8c5a79958c
  SHA512: 43c942358b2e949751149ecc4be5ff6cb0634957ff1128ad5e6051e83379fb5643100cae2f6ef3eaf36aff016063c150e93297aa866e780d0e4d51656a251c7b