Analysis

max time kernel: 150s
max time network: 119s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 20-01-2024 17:41

Static task: static1
Behavioral task: behavioral1
Sample: 6b0a5e806359b4b92fc00861e1bf8bff.dll
Resource: win7-20231215-en
General

Target: 6b0a5e806359b4b92fc00861e1bf8bff.dll
Size: 3.2MB
MD5: 6b0a5e806359b4b92fc00861e1bf8bff
SHA1: a4fccec989a80717b2561e7ee9e049406e6d8449
SHA256: 7687e9f3abc61ee051493a66f54044eea80c149788100ff4295211af104676cb
SHA512: 491512bfc8cf2ceabe5d36137820711af46091bbbf64751eb93f0a90361ee8a347959b6227a77285ebf8528d9e12ff9f1d2175df9039c99f3586070859bfae66
SSDEEP: 12288:rVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:qfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
Yara rule match (memory)
  resource: behavioral1/memory/1196-5-0x00000000024E0000-0x00000000024E1000-memory.dmp
  rule: dridex_stager_shellcode
Executes dropped EXE (3 IoCs)
  pid   process
  2868  SystemPropertiesComputerName.exe
  1616  AdapterTroubleshooter.exe
  2508  dpnsvr.exe

Loads dropped DLL (7 IoCs)
  pid   process
  1196  (no image name recorded)
  2868  SystemPropertiesComputerName.exe
  1196  (no image name recorded)
  1616  AdapterTroubleshooter.exe
  1196  (no image name recorded)
  2508  dpnsvr.exe
  1196  (no image name recorded)
Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bsfvntd = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\DGtvy\\AdapterTroubleshooter.exe"
Checks whether UAC is enabled
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  process: rundll32.exe, SystemPropertiesComputerName.exe, AdapterTroubleshooter.exe, dpnsvr.exe (one query each)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   process                    count
  2284  rundll32.exe               3
  1196  (no image name recorded)   61
Suspicious use of WriteProcessMemory (18 IoCs)
  source pid  target pid  target process                    count
  1196        2844        SystemPropertiesComputerName.exe  3
  1196        2868        SystemPropertiesComputerName.exe  3
  1196        1572        AdapterTroubleshooter.exe         3
  1196        1616        AdapterTroubleshooter.exe         3
  1196        2968        dpnsvr.exe                        3
  1196        2508        dpnsvr.exe                        3
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
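The two persistence signatures above (the Run key under the user's certificate-store folder, and the Task Scheduler COM API use) share one triage question: does the autostart target live somewhere the user can write to? The script below is an added example, not part of the sandbox report or of Tria.ge. It checks the Run value exactly as the report lists it and parses a Task Scheduler XML definition for its triggers and Exec commands. The task XML is constructed: the report records only that the API was used, not which task, if any, was registered, so the LogonTrigger pointing at the dropped AdapterTroubleshooter.exe copy is hypothetical.

```python
"""Triage autostart entries for the pattern in this report: a copy of a
Windows system binary launched from a user-writable path.

Added example; not part of the sandbox report. The Run value below is the
one the report lists. The scheduled-task XML is constructed: the report
records only that the Task Scheduler COM API was used, not what it created.
"""
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler XML definitions (schtasks /query /xml).
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Anything under a user's AppData can be written without admin rights.
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I)
# The per-user certificate store folder the sample used as a drop location.
CERT_STORE = re.compile(r"\\microsoft\\systemcertificates\\", re.I)


def unquote_command(value: str) -> str:
    """Undo the quoting and backslash doubling a registry dump applies.

    UNC prefixes would also be collapsed by this rule; none occur in the
    report, so the simple form is enough for the example.
    """
    return value.strip().strip('"').replace("\\\\", "\\")


def autostart_reasons(command: str) -> list:
    """Return the reasons an autostart target looks like malware persistence."""
    cmd = unquote_command(command)
    reasons = []
    if USER_WRITABLE.search(cmd):
        reasons.append("target under user-writable AppData")
    if CERT_STORE.search(cmd):
        reasons.append("target parked inside certificate store directory")
    return reasons


def task_autostart_commands(xml_text: str):
    """Return (trigger, command) pairs from a Task Scheduler XML definition."""
    root = ET.fromstring(xml_text)
    triggers_el = root.find("t:Triggers", TASK_NS)
    # Local tag names such as BootTrigger or LogonTrigger, namespace removed.
    triggers = [el.tag.rsplit("}", 1)[-1]
                for el in (triggers_el if triggers_el is not None else [])]
    commands = [el.text or ""
                for el in root.findall("t:Actions/t:Exec/t:Command", TASK_NS)]
    return [(trig, cmd) for trig in triggers for cmd in commands]


# Run value data exactly as the report shows it (value name Bsfvntd).
SAMPLE_RUN_VALUE = (
    r'"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates'
    r'\\My\\Certificates\\DGtvy\\AdapterTroubleshooter.exe"'
)

# Constructed task definition: a logon trigger whose action is one of the
# dropped hosts from the report's process tree. Hypothetical; the report
# does not show such a task being registered.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\Admin\AppData\Local\N0t\AdapterTroubleshooter.exe</Command>
    </Exec>
  </Actions>
</Task>"""


def triage_sample():
    """Combine both autostart sources into (source, target, reasons) rows."""
    findings = [("Run\\Bsfvntd", unquote_command(SAMPLE_RUN_VALUE),
                 autostart_reasons(SAMPLE_RUN_VALUE))]
    for trigger, command in task_autostart_commands(SAMPLE_TASK_XML):
        findings.append((trigger, command, autostart_reasons(command)))
    return findings


if __name__ == "__main__":
    for source, target, reasons in triage_sample():
        print(f"{source}: {target}")
        for r in reasons:
            print(f"    - {r}")
```

The certificate-store check is deliberately separate from the AppData check: a Run value pointing into AppData is common for legitimate software, but an executable sitting under SystemCertificates\My\Certificates has no benign reason to be there, so it deserves its own reason string for alert routing.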
Processes

C:\Windows\system32\rundll32.exe (PID 2284)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6b0a5e806359b4b92fc00861e1bf8bff.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses

C:\Users\Admin\AppData\Local\eVcdx6Q\SystemPropertiesComputerName.exe (PID 2868)
  command line: C:\Users\Admin\AppData\Local\eVcdx6Q\SystemPropertiesComputerName.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

C:\Windows\system32\SystemPropertiesComputerName.exe (PID 2844)
  command line: C:\Windows\system32\SystemPropertiesComputerName.exe

C:\Windows\system32\AdapterTroubleshooter.exe (PID 1572)
  command line: C:\Windows\system32\AdapterTroubleshooter.exe

C:\Users\Admin\AppData\Local\N0t\AdapterTroubleshooter.exe (PID 1616)
  command line: C:\Users\Admin\AppData\Local\N0t\AdapterTroubleshooter.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

C:\Windows\system32\dpnsvr.exe (PID 2968)
  command line: C:\Windows\system32\dpnsvr.exe

C:\Users\Admin\AppData\Local\stU\dpnsvr.exe (PID 2508)
  command line: C:\Users\Admin\AppData\Local\stU\dpnsvr.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
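The process tree shows the side-loading pattern behind the "Executes dropped EXE" and "Loads dropped DLL" signatures: PID 1196 first starts the genuine System32 copy of each host (SystemPropertiesComputerName.exe, AdapterTroubleshooter.exe, dpnsvr.exe), writes into it, then starts a copy of the same binary from a randomly named folder under AppData\Local, where it loads the dropped DLL beside it. The detector below is an added example, not part of the report or of Tria.ge. It walks constructed process records built from the PIDs and paths listed above and flags a known System32 binary name executing outside System32, plus any DLL the process maps from its own directory. The report does not name the dropped DLL, so "payload.dll" is a placeholder, and the record fields (pid, image, loaded) are this example's own rather than a Sysmon or sandbox schema.

```python
"""Flag Dridex-style side-loading from sandbox process and image-load events.

Added example; not part of the sandbox report. Event records are constructed
from the report's process tree. The report does not name the dropped DLL,
so "payload.dll" below is a placeholder, and the record fields (pid, image,
loaded) are this example's own, not a Sysmon or sandbox schema.
"""
import ntpath
from dataclasses import dataclass, field

# Where a Windows-supplied binary is expected to execute from.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Hosts the report shows copied out of System32 and run from AppData\Local.
# A deployment would use the full System32 inventory of the image instead.
SYSTEM_BINARIES = {
    "systempropertiescomputername.exe",
    "adaptertroubleshooter.exe",
    "dpnsvr.exe",
    "rundll32.exe",
}


@dataclass
class ProcEvent:
    pid: int
    image: str                                  # full path of the executable
    loaded: list = field(default_factory=list)  # DLLs the process mapped


def norm_dir(path: str) -> str:
    """Directory part of a Windows path, lower-cased, for comparison."""
    return ntpath.dirname(path).lower().rstrip("\\")


def is_trusted_dir(path: str) -> bool:
    d = norm_dir(path)
    return any(d == t or d.startswith(t + "\\") for t in TRUSTED_DIRS)


def find_sideloads(events):
    """Return (pid, reason) for every event matching the side-loading pattern."""
    hits = []
    for ev in events:
        name = ntpath.basename(ev.image).lower()
        if name not in SYSTEM_BINARIES or is_trusted_dir(ev.image):
            continue
        hits.append((ev.pid, f"system binary name outside System32: {ev.image}"))
        # The payload sits beside its host so the loader's search order finds
        # it first; a DLL mapped from the host's own directory confirms that.
        for dll in ev.loaded:
            if norm_dir(dll) == norm_dir(ev.image):
                hits.append((ev.pid, f"DLL loaded from host's directory: {dll}"))
    return hits


def sideloaded_pids(events):
    return sorted({pid for pid, _ in find_sideloads(events)})


# Constructed from the report's process tree; PIDs and paths as listed there.
SAMPLE_EVENTS = [
    ProcEvent(2284, r"C:\Windows\system32\rundll32.exe",
              loaded=[r"C:\Users\Admin\AppData\Local\Temp\6b0a5e806359b4b92fc00861e1bf8bff.dll"]),
    ProcEvent(2844, r"C:\Windows\system32\SystemPropertiesComputerName.exe"),
    ProcEvent(2868, r"C:\Users\Admin\AppData\Local\eVcdx6Q\SystemPropertiesComputerName.exe",
              loaded=[r"C:\Users\Admin\AppData\Local\eVcdx6Q\payload.dll"]),  # placeholder name
    ProcEvent(1572, r"C:\Windows\system32\AdapterTroubleshooter.exe"),
    ProcEvent(1616, r"C:\Users\Admin\AppData\Local\N0t\AdapterTroubleshooter.exe",
              loaded=[r"C:\Users\Admin\AppData\Local\N0t\payload.dll"]),      # placeholder name
    ProcEvent(2968, r"C:\Windows\system32\dpnsvr.exe"),
    ProcEvent(2508, r"C:\Users\Admin\AppData\Local\stU\dpnsvr.exe",
              loaded=[r"C:\Users\Admin\AppData\Local\stU\payload.dll"]),      # placeholder name
]

if __name__ == "__main__":
    for pid, reason in find_sideloads(SAMPLE_EVENTS):
        print(f"PID {pid}: {reason}")
```

The rundll32.exe record is the control case: it runs from System32 and loads the submitted DLL from Temp, which is the initial detonation, not side-loading, so it is not flagged. The three System32 copies started first (2844, 1572, 2968) are also left alone; only the AppData\Local copies (2868, 1616, 2508) match, which is the set the report marks "Executes dropped EXE".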
Network
MITRE ATT&CK Enterprise v15
Downloads

Three entries below are 3.2MB, the same (rounded) size as the submitted DLL, yet carry different hashes; the dropped copies therefore will not match a blocklist built from the sample's own hashes.

Filesize: 39KB
MD5: d4170c9ff5b2f85b0ce0246033d26919
SHA1: a76118e8775e16237cf00f2fb79718be0dc84db1
SHA256: d05e010a2570cdd5a67f62c99483aeeecb6a8d5ecc523cd49b158a460c9be5da
SHA512: 9c85a9ea4002bd55cf9c51e470dd1bec527ff04b5d0d6f83094a998c541416cd47c9f42c6ca7e35ffa2842877f79e3c2e989489b9bf81644c5c57bb406b89608

Filesize: 32KB
MD5: 3b48c060089db96efa0fad2c5308a248
SHA1: b97b715cb72a6525143e0ffb2f8a13abb5ee3fdd
SHA256: 3c9070561d2510f624f812c93959f8794f4f52c12b74358749833eeb051c544a
SHA512: b638d1148f151f7416da2e898ec5a602bd13b4e35d87b5fc80776e290e925460fcb13364cc77ef0f840095d71772b29fec1439bd34771417c1a05f07fa4a22bf

Filesize: 90KB
MD5: 58e9a380a2f917a71cd6718882149d2d
SHA1: dca0dd8e13c1673cfb38f306e5325bd9f5b028c8
SHA256: fb32fa5dea1a60a2220d5ecda1852d17f0a5f3f1c1a77f61afbd9188f1b0c017
SHA512: 7256608ab354917f477506ef30c0b165994fddfb4bb22fb8085086a4422eff37868d38c85586894b0c7af85987b5fae316e34b535baafd5fe83c05fcc79c7e33

Filesize: 44KB
MD5: db6e76817f6b921100213fcc6171ced1
SHA1: c3954c7c73ba7cd6307ecfd87722da007ae2643c
SHA256: 76fee30ee84579b11b51ea9e9a145955eb1ae55528eb36a5da2893fdc25a3c87
SHA512: 673cefc9147f34f32484696e7f2ec11385c235138d9bdf8fbb3386d1a940bed644638bd9f00e36c0a77d4bda22afa41ff929d1d52993b8dc9622246f4615c0d2

Filesize: 80KB
MD5: bd889683916aa93e84e1a75802918acf
SHA1: 5ee66571359178613a4256a7470c2c3e6dd93cfa
SHA256: 0e22894595891a9ff9706e03b3db31a751541c4a773f82420fce57237d6c47cf
SHA512: 9d76de848b319f44657fb7fbe5a3b927774ae999362ff811a199002ffa77ad9e1638a65a271388e605ab5e5a7cb6ce5aa7fcabc3ed583ade00eaa4c265552026

Filesize: 142KB
MD5: e8068ffce7078cacf0dc983764c9d662
SHA1: ec7c9ae56f903f272678545270007d3d67d41917
SHA256: a03b44754e3d439af4036fa5ccfa145f5621c07e4457e9a4690ab142a61318d2
SHA512: 995b9ea2289d7549c4f592f6b09fff8357bc281208708114642a82b19ffda22dea6816831fc665062af9bae6e4cc3cd9b658774532fc346c1eec9cd5ef25e16e

Filesize: 1KB
MD5: 02f20a0d2ffd3d30776460e3d8114d36
SHA1: 9e0bcdc06cabe007c1b3a1196081be84c06b36f2
SHA256: df99daf6b19e24272171186bf9c7ec9e3dbbbd2653bf78d68564d274e364bd4d
SHA512: 71d9e2367de0794294d2937ea1802d74b307b32cb990290daea0a113326dedc0888c65c3bf222aa6822f7dc98fe1e80fc3da058d1593231f178b63b54b227f9a

Filesize: 33KB
MD5: 6806b72978f6bd27aef57899be68b93b
SHA1: 713c246d0b0b8dcc298afaed4f62aed82789951c
SHA256: 3485ee4159c5f9e4ed9dd06e668d1e04148154ff40327a9ccb591e8c5a79958c
SHA512: 43c942358b2e949751149ecc4be5ff6cb0634957ff1128ad5e6051e83379fb5643100cae2f6ef3eaf36aff016063c150e93297aa866e780d0e4d51656a251c7b

Filesize: 1KB
MD5: cb7dbbb252bed6fd3dc2c97d85b3a758
SHA1: 06d0604ab488fdc29c0988451881c010e3fd9092
SHA256: c8bfae9d1a56ad145a0622a361eb97ac03459ae92a07f86dd98d77ad8cbb5681
SHA512: c6d0786492145c266ddf2a100a071238f88e1ff7f846ad3972a51ff7d328040d6efc7777dd54dd3a15b43057f0f830bf5ebb471dbfed5e37092a939774b2f02e

Filesize: 3.2MB
MD5: f6867104198a685b2c187b047871b7a1
SHA1: 5c50224f9fa1b3408095a046454985256e321935
SHA256: e6d525f7b9f95731299af758c4d3e97b9eafcc7bec8f2f3b2241e30b23d32da2
SHA512: 8581781f015a9dc393a41f8bdde2bf4d0daa2aeacc96de5a11ee3769703be87231b6d97d4ea57b0d00ff22eb86f88c3d35bfa51bd0ae59c7c60d750e8e3d87d1

Filesize: 3.2MB
MD5: c19d5ba1d09b3f6416974e9705ddba57
SHA1: e5104acab769c1f5f64a83d564f713a430cbf7fb
SHA256: e076b25bc81949aa563be6a0a6052c6945b448f23041fa2de68dc16da5c148f2
SHA512: e4489dff5cb4502169e7c3b6272675ba696d08628f9df534cc9dc6228b3158b5edf0867faf6b629eebf1206b55ed749b7a9a786cca5a3afaa3a723fee8135e57

Filesize: 3.2MB
MD5: 57598b8effd9ee00bb9de1de4d698579
SHA1: 4682b4932c529c6b78e539658f28c2149b70069f
SHA256: 74a48260144c9372547f173309c8cdda7c8df0316f8948697bc76fe4b3b2f839
SHA512: a06bba19bc24855c7992155a1a5cbcd6cca4ddc3d3d87768b4440256fe2cfa21e22f2aa71924be0a2aa32e52cbc7b08178ee33155dfe433c666cfae21fcc43ff

Filesize: 33KB
MD5: a1591bc662091ead517847a064f14cf6
SHA1: a5d10698602c9767b3176492a272d43f3de6baa1
SHA256: e1981dae2bd02e643cff6d1f6a5d7ee3198e75a5fc1b4c48921854c7aaf1a19f
SHA512: 9ab1c02e141819c81379958cd0a7a21d368682bde24612bae103feb1695762a2c43b8b2d6ba4f8dec2669e806603f4c01c2e2599677f99c4a2404a539822572a

Filesize: 133KB
MD5: 15135e1f03dab43c3f9a0321548de50f
SHA1: 3b6f4854ef23d845801330a557edec239d22d42a
SHA256: 0bff4aef44e56fd5f6b3a25720e4090e389f3e76f83bd5175a019f41dfc3b99a
SHA512: 0bf537006ba79c68d4b429d01b8dcdf448ba463fee93529c22d885b2e9592940401fc6b4457baa2fbb3b3112a2535f56cf281e3e8015114c5db8e222dc727314

Filesize: 40KB
MD5: 4703e6f90b33c7508108d97a7692a978
SHA1: b331de0af673898bdb661c73a19b7399e7d5a583
SHA256: 044aa37ae09ed70843d7d1093cb07ac8a62cde0ad9c8fc3a091d867486d84d6e
SHA512: 7577d6c1a20a127abd300e3207b8e1f1dde6d6b206f8b7d1cc44876785837eb7eb60a2a08da8b526e0478206af9d0c1334857b02c13f676c19dacee3726c5b14

Filesize: 5KB
MD5: 863c35161b01888e38e8a356f3010119
SHA1: 59559dee41fd93429304de9ea883c5b237a31190
SHA256: cd039241e8e09ce9f4b440ccef19124bf34e22f165b76c786378a8d939aa17cf
SHA512: b410e2e1af216c85b49ddff713b5bde0bab1805bf361c5d9233687761c12bc10a716cd3f45a402c45edb4066631673489cf51b74c4d2784ed64c958a2e40eec1