Analysis
-
max time kernel
150s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system -
submitted
20-01-2024 20:24
Static task
static1
Behavioral task
behavioral1
Sample
6b6301393edd106e77d45cc57b552b52.dll
Resource
win7-20231129-en
General
-
Target
6b6301393edd106e77d45cc57b552b52.dll
-
Size
3.5MB
-
MD5
6b6301393edd106e77d45cc57b552b52
-
SHA1
a993d5a789eb5e9e94bb02b74b1211a0192384af
-
SHA256
c4ad1b4e81e031ce20042ad7d4ef8f0d5febbcd3e3816a628dd03269fc5140bd
-
SHA512
37e9f45c16dd6c2978bc455f67b1212b5698ada38999a06094aef672c15c35d3c2a2a65249b60d402ca13eedd9d2c662a354aa6c4ca1fe64b305fb59ddfecb7d
-
SSDEEP
12288:aVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1u:HfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
-
Processes:
resource: behavioral1/memory/1368-5-0x00000000029E0000-0x00000000029E1000-memory.dmp
yara_rule: dridex_stager_shellcode
-
Executes dropped EXE 4 IoCs
Processes:
pid    process
320    wusa.exe
1952   SnippingTool.exe
2532   MpSigStub.exe
1224   UI0Detect.exe
-
Loads dropped DLL 9 IoCs
Processes:
pid    process
1368
320    wusa.exe
1368
1952   SnippingTool.exe
1368
2532   MpSigStub.exe
1368
1224   UI0Detect.exe
1368
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mjgqrtoi = "C:\\Users\\Admin\\AppData\\Roaming\\Identities\\{85F2D219-4DA8-41B0-8F71-51D9FDB705AC}\\sTEH\\MpSigStub.exe"
process: (empty)
-
Checks whether UAC is enabled
Processes:
description        ioc                                                                                   process
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  SnippingTool.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  MpSigStub.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  UI0Detect.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  wusa.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid    process
2024   regsvr32.exe
2024   regsvr32.exe
2024   regsvr32.exe
1368   (no process name recorded; the remaining 61 of the 64 IoCs all list pid 1368)
-
Suspicious use of WriteProcessMemory 24 IoCs
Processes:
description                         pid    process   target process
PID 1368 wrote to memory of 2932    1368             wusa.exe          (3 entries)
PID 1368 wrote to memory of 320     1368             wusa.exe          (3 entries)
PID 1368 wrote to memory of 2324    1368             SnippingTool.exe  (3 entries)
PID 1368 wrote to memory of 1952    1368             SnippingTool.exe  (3 entries)
PID 1368 wrote to memory of 956     1368             MpSigStub.exe     (3 entries)
PID 1368 wrote to memory of 2532    1368             MpSigStub.exe     (3 entries)
PID 1368 wrote to memory of 1456    1368             UI0Detect.exe     (3 entries)
PID 1368 wrote to memory of 1224    1368             UI0Detect.exe     (3 entries)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\regsvr32.exe
Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6b6301393edd106e77d45cc57b552b52.dll
- Suspicious behavior: EnumeratesProcesses
PID:2024
-
C:\Windows\system32\wusa.exe
Command line: C:\Windows\system32\wusa.exe
PID:2932
-
C:\Users\Admin\AppData\Local\MT6\wusa.exe
Command line: C:\Users\Admin\AppData\Local\MT6\wusa.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:320
-
C:\Windows\system32\SnippingTool.exe
Command line: C:\Windows\system32\SnippingTool.exe
PID:2324
-
C:\Users\Admin\AppData\Local\sK9\SnippingTool.exe
Command line: C:\Users\Admin\AppData\Local\sK9\SnippingTool.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1952
-
C:\Windows\system32\MpSigStub.exe
Command line: C:\Windows\system32\MpSigStub.exe
PID:956
-
C:\Users\Admin\AppData\Local\Aozp\MpSigStub.exe
Command line: C:\Users\Admin\AppData\Local\Aozp\MpSigStub.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2532
-
C:\Windows\system32\UI0Detect.exe
Command line: C:\Windows\system32\UI0Detect.exe
PID:1456
-
C:\Users\Admin\AppData\Local\vF90so\UI0Detect.exe
Command line: C:\Users\Admin\AppData\Local\vF90so\UI0Detect.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1224
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
136KB
MD5
a754006b08779a8345f218a3f5d0f3cb
SHA1
58b8341bd7ae62e296cb9a44277d31b1e94df09c
SHA256
c18200a4cbb25714b76f92ce98504cb24eff6ad40529ead509b2a5846ae4f340
SHA512
1be4621f57d196e1b0a746aa430f3818f44ec85c73d15350aae7a5ec8d65c957d74523da8aa6d5cf5564a298c9280787333e60dab017d5446e67cea70f753715
-
Filesize
131KB
MD5
1b7a87e3cbaf069ae472b7a36adbcb75
SHA1
63f15d030800c4e037409a9519043d5c37cf3a5a
SHA256
bfd991e8a6d59eb7f76fd965a4c5ab0c00de66371685e000b7417e7e9ceeee9b
SHA512
572e716c0dcf1c522c8dd041b78d71bd691f1bfee100c30025a441c68edc83fcaa4f8290eb78dbf43079ed70365645fdf04f048a665228fbaf9c7adfb0c80a98
-
Filesize
136KB
MD5
a71af61761cafef90065fbb4e751e052
SHA1
8ce540f0308944fcc9ccce2312f44d0b8770cfae
SHA256
8e991322f5f82bb3b0c642a2262d4b85241b45407a52162898f273c693464905
SHA512
eb109c67fd042a0f60df71920169820558c7badabe0e612338c87915419394938cf8990332e97a2b18c4871a6aa5cd476313d0cca9f4fa888c5b10a04e720cc5
-
Filesize
84KB
MD5
d7ad90d64c0ed9534879babb139f2515
SHA1
b92d422971f8e5a5cffa15860c7f9954461af1f0
SHA256
714171270f656ffebaad3f14c71c72459bb3dbccee45e577c14d76c79af53c4f
SHA512
583abac0d3b7537faa79760d913c37c0e80aaa1df78029a98214a99a535c3e205f1a936d4fc504ba1165b8fd486293006c926b1b9d0548ddb4bb1d4e02246285
-
Filesize
23KB
MD5
339423bed1aaae3aa9a9be6068902550
SHA1
a5f9ccf6920d873db211194d6125c117862e4f26
SHA256
e092f931b525452492eee08c95c04a521a7903cc4c48e346d582466e6d78411f
SHA512
2261bfafb198a323b51d8ae478bfaaf974910885bfd70824e785b0b96dabe21a945e38038f0586a8660120e2b2048f3284a56ddaa4705eef6746947b4a39a1da
-
Filesize
45KB
MD5
e3726ef38987827934cb65f14be55702
SHA1
a40874429e3f5f9e9568210f83bce35a671c0142
SHA256
ce4f24884f0ae79abb8c40e7f104bf24d4fa0e1cd0c0dccdc35ebea262bfa145
SHA512
63a675612073b44e39742b41d241b311c3cc1f3e9f777c39d384fc9c85a4e0ba9f159ea5fc1382c9a1e2dfab31e1b0765f81930b837fc2b0fbc9441cd7301502
-
Filesize
16KB
MD5
34404824d545bf2d79b151d330d1a592
SHA1
034bad4cae23b29381d566aae43805b7aafa3933
SHA256
97d481273d7dd3858b3599c7f626c0ae162471d0795d18b91e4deac00f19840b
SHA512
255af96347c968288c3bb662847a4f9b07bcb89df588866b8fd6289c999810d77c1b77253913acf9bfa278bf91486705681191ec38d015d3135eb999eeb2bd01
-
Filesize
68KB
MD5
069023d5e3cca5f3442585fef49e4529
SHA1
d8b66d40c986b5a9daa3948974a0a461c971a356
SHA256
c3daf7eb69dcd128d65d5d5912663e7b1a5a93f8fb0d88091dbe864abae982c4
SHA512
86eddde3d96a0308af7a945baaf3c0c20fbc94b53a45c965b4a7f0737e8f8d703599e4dfac0ec4c9e9745adb617cc057f5f52d0185e99d3ce1ff6c4e521f9762
-
Filesize
40KB
MD5
3cbdec8d06b9968aba702eba076364a1
SHA1
6e0fcaccadbdb5e3293aa3523ec1006d92191c58
SHA256
b8dab8aa804fc23021bfebd7ae4d40fbe648d6c6ba21cc008e26d1c084972f9b
SHA512
a8e434c925ef849ecef0efcb4873dbb95eea2821c967b05afbbe5733071cc2293fc94e7fdf1fdaee51cbcf9885b3b72bfd4d690f23af34558b056920263e465d
-
Filesize
79KB
MD5
78009f13a6e26e8d29114b609782ae40
SHA1
94dff1701765d361540fb86ef6b4fbc7bc5fc0b3
SHA256
f95901e25e94c3de7a741abde64d886eff773c831dd490bbd2d31e0dc7b23be6
SHA512
5dd7684bfa49b94e223b526dc91d8f39332a4735ea241729b0a1b87cc2be04056e7d42827ee42e1940d758f7d7bf131aa4504ecceaa1fe21b78c25ac0508610d
-
Filesize
65KB
MD5
1e2e883cf8883415d99a13ffb5169e4e
SHA1
a2b5ad8151a90df9338f526dacb53881cbbaedbc
SHA256
5a289b11e0ad477a48c594c3442f8648fd90db4a393a6e7853099ae8a711e130
SHA512
0b0591b3adee90c039b137dc8927eb0ab23b6667cde1828493521023fa3cef36627c7e617c5eb6f1987fa0fd87f1754967cb71df8d596b5330f8367d36a577d8
-
Filesize
1KB
MD5
94346b2896811291fc9ca79de350e886
SHA1
8a3bfb41ad10d8b5caaee915faec66974efba535
SHA256
bd65bbab80166cb56c269707fe29f259e8e36d7865e0efb3acd011054f26ad01
SHA512
48d9c2d202c5ae17736ff8239abbe29a3f83d6d93a3ba23d3007fb0551e0865e9bd0c316a1f69684561d83d7837d00e59faead9b7d7bb350a88d8a59c0124c40
-
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\csvJH\WTSAPI32.dll
Filesize
178KB
MD5
65d1902756e9b692ba1ab2be17d44dc8
SHA1
bd3cd6161b57fa88b163aadbf9d5925a3596a49b
SHA256
38238e68aebc81aea339d2c9ae9adac839bcdd363fc1f2e663d28017fb4d9f4c
SHA512
564038dd57cf49ec319544958733da68aec68a1ca6cf2e1af3aed572138674fb26618556a29496907ce3294771946459812b397242a8425df4096df2d9f5ec40
-
Filesize
117KB
MD5
7a7cfd7a07909127edd5686c8490adcf
SHA1
ab10ba8ee73538886dda5b848e9c130b93678091
SHA256
dd330a8574efd98a18b49cd426faac2c1c8a5368c55d2d21ec39c416739da25c
SHA512
c5561b988cf53397d41b7be4fe6763d1a0760accc7ae56e8f2757641363bf65e2d546d17d16c8a92522b6d0aa82a99b952a7e7f9e74e0fa5ea5447c757d27f32
-
Filesize
139KB
MD5
d098d5640e7ff8ad7e15f715c7ed59ed
SHA1
e9f2af1288bc628a4aca3391a7895d233b6aee3a
SHA256
0a73d1b103aa58896afbbc771f6585a3bc33d1694077654952a3197fd245a789
SHA512
a65b8886c7402b3de60c3be8d7ad6db7ad7a18c0a928f22f0c85e46459ce34aedcf819e576df158514f7594e37c147dc97b7cb402c33a840fff140003762a5f4
-
Filesize
151KB
MD5
844c05c85667101c9c28075337287cf8
SHA1
d47c5dc2ba4c58cd8a7e9353c1b854eb6143c90c
SHA256
86b539a380e752c24bc554a94692782b355aebcd74a92c99a6a51f164779d2c2
SHA512
92c5aeeeefb8578f0a2284c159ef62afbcebdd85147fd663a6339786988e2216f071a94e13ecbd902cbcad931532fa4b35ce6cced6dea40b0a7ae27bbcd0791b
-
Filesize
140KB
MD5
bb4b4219756841cd6a1afc5b92161a75
SHA1
36744f282242257ac6d1730614347c8784922555
SHA256
a0374af98ea926253d3fd97accbf0ca1f37cba76bd6a0cd42c06195801523515
SHA512
c234d39706ed8b6e61cdb524b5f1bb575ee3d8d84e38742f61e2ea3c992456d4eb0284d473f1c5c13e1942b69627d076451e0abce4093f91386026e777f410c3
-
Filesize
22KB
MD5
89bfbca83c5421d68c00ab77f07cb001
SHA1
8cc88a4c73314ec9d026195de5ebcbf7a95dff65
SHA256
b259983c73b41b659fa3dc92e8c14eaa087ffd15f87efdf27f12f7723f353b95
SHA512
127fa9a9b16151d07b0e1b1d1868351b79b0745c39ff6a3a5d8b8e093d65fa6b5aace2648eadad22434c4561a35fd02ae35524ef4604330a0b06e136d2b29b05
-
Filesize
31KB
MD5
0d0dc88f3afd709d108a7c3718d279e6
SHA1
694a7c0adac0c51b49f0db9aaa903d1a05834819
SHA256
2d5848dc96a95d04fdda11b77b5614eb25a60552148cdd69064f40c81199fc3d
SHA512
eba4dcbeba46a64b8cea6a9ad850ea72ccb224140b8aac59adbc1ab60bf354002275868830132f37c2177f69868afb410fb61a54625ab4c41f6ad862b1d46889
-
Filesize
155KB
MD5
49d84b7d15e1b7c28e3dd3dab069bab6
SHA1
0978913241effcd15f4028d4844091badb5db77a
SHA256
b3c81fdfe2feef27cf85726b6d03e9d301b8abe061b358859f34faf45024d5cb
SHA512
28ff61f9fb977e6c5e8fd5056e3e1267959104673d6d7b8e3f7692123b45fb253dd03756fac19cf5f57ee41b0408b9bca7835ca777c2893e93eddcc33b2a7d43
-
Filesize
83KB
MD5
cd77cc8e2f60150a5afef7e815e0778c
SHA1
484da717f57ddda9dba79a27231a79d8a17f9c06
SHA256
2eb2b06ae6cfdeadbb00344c76d903f0dcb11bf2535ed3b58493cfe0b5d7b516
SHA512
ec7a6574e2348d9d2d0c2591326c04d7f7786f2baac079bebd8fa96c0810a3715a94f74139595a83de4e389ace50fa904d0a1f164d96755e9ba2ae11609359b8
-
Filesize
99KB
MD5
2be1320ab4ddc7e8c8ae591cd7ada641
SHA1
ee997d0c55363146eb281b087663380bbf579362
SHA256
b5eff006c15e0bc6f6043a051fa61a0e3667f4c8c69bc962f7d0031aa4c71a54
SHA512
cfca56072fada363e8cb2eb7deb02e0cca1b6eab5f874dfced70f6dc3c96dd3d72bd20f405a0303634dec2e546f39507cdbc54885723c86478ffc6cc99c141ff