Analysis
- max time kernel: 149s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 21-01-2024 08:51

Static task: static1
Behavioral task: behavioral1
- Sample: 6ce094e7633ddc304e6c7b56a7e56e86.dll
- Resource: win7-20231215-en
General
- Target: 6ce094e7633ddc304e6c7b56a7e56e86.dll
- Size: 1.7MB
- MD5: 6ce094e7633ddc304e6c7b56a7e56e86
- SHA1: 693a8ad317cc0ece3f05edc77e1fd28d452483dd
- SHA256: dcb4e6dfc9dea7413fcd611f3f06c684dc85f48b698fe86c13fe9884756f81da
- SHA512: 8f28d13f798af1fc4adef5339271054e165f0f18852c1482c8e685566a1cb77df217511fd3a01150ef7a27ed91d1ef58bbb9c160f0b0f925eace7c0d40f4c42b
- SSDEEP: 12288:9VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:kfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
- YARA rule match
  resource | yara_rule
  behavioral1/memory/1208-5-0x0000000002D40000-0x0000000002D41000-memory.dmp | dridex_stager_shellcode

- Executes dropped EXE (3 IoCs)
  Processes: TpmInit.exe, unregmp2.exe, msinfo32.exe
  pid | process
  2864 | TpmInit.exe
  2664 | unregmp2.exe
  2888 | msinfo32.exe

- Loads dropped DLL (7 IoCs)
  Processes: TpmInit.exe, unregmp2.exe, msinfo32.exe
  pid | process
  1208 | (process name not recorded)
  2864 | TpmInit.exe
  1208 | (process name not recorded)
  2664 | unregmp2.exe
  1208 | (process name not recorded)
  2888 | msinfo32.exe
  1208 | (process name not recorded)

- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rtxtioiynm = "C:\\Users\\Admin\\AppData\\Roaming\\Identities\\M3CyXJ\\unregmp2.exe" | (process name not recorded)

- Checks whether UAC is enabled
  Processes: msinfo32.exe, rundll32.exe, TpmInit.exe, unregmp2.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | msinfo32.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | TpmInit.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | unregmp2.exe

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: rundll32.exe
  pid | process
  3032 | rundll32.exe (3 entries)
  1208 | (process name not recorded; all remaining entries)

- Suspicious use of WriteProcessMemory (18 IoCs)
  description | pid | process | target process
  PID 1208 wrote to memory of 2752 | 1208 | (not recorded) | TpmInit.exe (3 entries)
  PID 1208 wrote to memory of 2864 | 1208 | (not recorded) | TpmInit.exe (3 entries)
  PID 1208 wrote to memory of 2612 | 1208 | (not recorded) | unregmp2.exe (3 entries)
  PID 1208 wrote to memory of 2664 | 1208 | (not recorded) | unregmp2.exe (3 entries)
  PID 1208 wrote to memory of 1984 | 1208 | (not recorded) | msinfo32.exe (3 entries)
  PID 1208 wrote to memory of 2888 | 1208 | (not recorded) | msinfo32.exe (3 entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6ce094e7633ddc304e6c7b56a7e56e86.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 3032

- C:\Users\Admin\AppData\Local\Gwuh\TpmInit.exe
  Command line: C:\Users\Admin\AppData\Local\Gwuh\TpmInit.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2864

- C:\Windows\system32\TpmInit.exe
  Command line: C:\Windows\system32\TpmInit.exe
  PID: 2752

- C:\Windows\system32\unregmp2.exe
  Command line: C:\Windows\system32\unregmp2.exe
  PID: 2612

- C:\Users\Admin\AppData\Local\AycmYUL\unregmp2.exe
  Command line: C:\Users\Admin\AppData\Local\AycmYUL\unregmp2.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2664

- C:\Windows\system32\msinfo32.exe
  Command line: C:\Windows\system32\msinfo32.exe
  PID: 1984

- C:\Users\Admin\AppData\Local\YAi75\msinfo32.exe
  Command line: C:\Users\Admin\AppData\Local\YAi75\msinfo32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2888
Network
MITRE ATT&CK Enterprise v15
Downloads