Analysis
max time kernel: 149s
max time network: 119s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
submitted: 21-01-2024 10:09
Static task: static1
Behavioral task: behavioral1
Sample: 6d08db5aa8c6eec9c991d6a14bd58a5f.dll
Resource: win7-20231215-en
General
Target: 6d08db5aa8c6eec9c991d6a14bd58a5f.dll
Size: 1.5MB
MD5: 6d08db5aa8c6eec9c991d6a14bd58a5f
SHA1: e2a82cb1cffee35083b1a7ff9461a7eb5fa6046c
SHA256: b183bd1e5a5f6a08cdb529a91cb1a1049d1b0f9700f6a10bf3716e17acb79d43
SHA512: 7d01b699b05e93f4cc671652dbf9c263dde5a16804d653fad4bca51c900cf58c72d58c58c0074377f5e9c7c647a1770bf9476e4f9393a5f099cc6613d7b9f3dd
SSDEEP: 12288:yVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:vfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
Processes:
resource | yara_rule
behavioral1/memory/1188-5-0x0000000002D50000-0x0000000002D51000-memory.dmp | dridex_stager_shellcode
Executes dropped EXE 3 IoCs
Processes:
pid | process
1624 | msinfo32.exe
2788 | xpsrchvw.exe
2456 | TpmInit.exe
Loads dropped DLL 7 IoCs
Processes:
pid | process
1188 | (not recorded)
1624 | msinfo32.exe
1188 | (not recorded)
2788 | xpsrchvw.exe
1188 | (not recorded)
2456 | TpmInit.exe
1188 | (not recorded)
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bsfvntd = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\NTPvJN\\xpsrchvw.exe" | (not recorded)
Checks whether UAC is enabled
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | msinfo32.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | xpsrchvw.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | TpmInit.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
1944 | rundll32.exe (3 entries)
1188 | (not recorded) (all remaining entries)
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
description | pid | process | target process
PID 1188 wrote to memory of 2576 | 1188 | (not recorded) | msinfo32.exe (3 entries)
PID 1188 wrote to memory of 1624 | 1188 | (not recorded) | msinfo32.exe (3 entries)
PID 1188 wrote to memory of 2736 | 1188 | (not recorded) | xpsrchvw.exe (3 entries)
PID 1188 wrote to memory of 2788 | 1188 | (not recorded) | xpsrchvw.exe (3 entries)
PID 1188 wrote to memory of 320 | 1188 | (not recorded) | TpmInit.exe (3 entries)
PID 1188 wrote to memory of 2456 | 1188 | (not recorded) | TpmInit.exe (3 entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\6d08db5aa8c6eec9c991d6a14bd58a5f.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 1944
C:\Windows\system32\msinfo32.exe
  C:\Windows\system32\msinfo32.exe
  PID: 2576
C:\Users\Admin\AppData\Local\868\msinfo32.exe
  C:\Users\Admin\AppData\Local\868\msinfo32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1624
C:\Users\Admin\AppData\Local\2f80XIFH\xpsrchvw.exe
  C:\Users\Admin\AppData\Local\2f80XIFH\xpsrchvw.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2788
C:\Windows\system32\xpsrchvw.exe
  C:\Windows\system32\xpsrchvw.exe
  PID: 2736
C:\Users\Admin\AppData\Local\JoJxAa\TpmInit.exe
  C:\Users\Admin\AppData\Local\JoJxAa\TpmInit.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2456
C:\Windows\system32\TpmInit.exe
  C:\Windows\system32\TpmInit.exe
  PID: 320