Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system -
submitted
21-01-2024 09:39
Static task
static1
Behavioral task
behavioral1
Sample
6cf99878a472700f873bfe4ba861b27e.dll
Resource
win7-20231215-en
General
-
Target
6cf99878a472700f873bfe4ba861b27e.dll
-
Size
1.6MB
-
MD5
6cf99878a472700f873bfe4ba861b27e
-
SHA1
0b3c08f07d5cdc9b5d916ac6588361d426bc0d5f
-
SHA256
770fabafd2e9368ab8dfdcce39b8dfde8df9439be93f5fc9184c90206dae4d16
-
SHA512
bed1c895105fca948804d5cdb88b5146a13d03eb1dde422c21810e055a94ec7a10898b2d0b79827a0dbd404fc8b50f7474b0f5acb759bf0d843d4d56cc4d1513
-
SSDEEP
12288:4VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:tfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
-
Dridex stager shellcode detected in memory (yara rule dridex_stager_shellcode)
Processes:
resource  yara_rule
behavioral1/memory/1216-5-0x0000000002DC0000-0x0000000002DC1000-memory.dmp  dridex_stager_shellcode
Executes dropped EXE 3 IoCs
Processes:
pid   process
1292  SoundRecorder.exe
2920  SystemPropertiesAdvanced.exe
1844  msconfig.exe
Loads dropped DLL 7 IoCs
Processes:
pid   process
1216  (process name not recorded in the report)
1292  SoundRecorder.exe
1216  (process name not recorded in the report)
2920  SystemPropertiesAdvanced.exe
1216  (process name not recorded in the report)
1844  msconfig.exe
1216  (process name not recorded in the report)
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description      ioc                                                                                                                                                                                                           process
Set value (str)  \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bsfvntd = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IECompatUACache\\Low\\xy9FZ\\SystemPropertiesAdvanced.exe"  (not recorded)
Checks whether UAC is enabled
Processes:
description        ioc                                                                                  process
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  SoundRecorder.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  SystemPropertiesAdvanced.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  msconfig.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid   process
2664  rundll32.exe  (3 IoCs)
1216  (process name not recorded in the report)  (remaining 61 IoCs)
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
description                       pid   process                                      target process
PID 1216 wrote to memory of 2708  1216  (process name not recorded in the report)   SoundRecorder.exe
PID 1216 wrote to memory of 1292  1216  (process name not recorded in the report)   SoundRecorder.exe
PID 1216 wrote to memory of 2924  1216  (process name not recorded in the report)   SystemPropertiesAdvanced.exe
PID 1216 wrote to memory of 2920  1216  (process name not recorded in the report)   SystemPropertiesAdvanced.exe
PID 1216 wrote to memory of 2500  1216  (process name not recorded in the report)   msconfig.exe
PID 1216 wrote to memory of 1844  1216  (process name not recorded in the report)   msconfig.exe
(each row is recorded three times in the report, giving the 18 IoCs)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6cf99878a472700f873bfe4ba861b27e.dll,#1
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2664
-
C:\Users\Admin\AppData\Local\5f1\SoundRecorder.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1292
-
C:\Windows\system32\SoundRecorder.exe
PID:2708
-
C:\Users\Admin\AppData\Local\IuyJ1\SystemPropertiesAdvanced.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2920
-
C:\Windows\system32\SystemPropertiesAdvanced.exe
PID:2924
-
C:\Users\Admin\AppData\Local\Yqj\msconfig.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1844
-
C:\Windows\system32\msconfig.exe
PID:2500
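The process tree above shows the pattern worth alerting on: rundll32 loads the sample from %Temp% by ordinal, then copies of three Windows binaries (SoundRecorder.exe, SystemPropertiesAdvanced.exe, msconfig.exe) run from random-named AppData\Local directories and are tagged "Loads dropped DLL", while a Run key points at a further copy under IECompatUACache\Low. The following is an added example written for this page, not output of the sandbox and not code from the sample: a small Python check that flags those three indicators over events constructed from the report's rows. The event schema (pid, image, cmdline, key, value) and the hand-picked SYSTEM_BINARIES set are assumptions; a real deployment would populate the set from a listing of %SystemRoot%\System32.

```python
"""Flag the side-loading and persistence indicators seen in this report.

Added example written for this page; not sandbox output and not code from
the sample. Events below are constructed from the report's process tree and
Run-key IoC; the field names are an assumed log schema, not a sensor format.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional, Union

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Windows binaries abused in this run. Assumption: a real deployment would
# build this set from a listing of %SystemRoot%\System32 instead.
SYSTEM_BINARIES = {"soundrecorder.exe", "systempropertiesadvanced.exe", "msconfig.exe"}

# Anything under a user's AppData is writable without elevation.
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\", re.IGNORECASE)

# rundll32 <path>.dll,<export>; the export may be an ordinal such as #1.
RUNDLL32_ARGS = re.compile(r'rundll32\.exe\s+"?([^\s",]+\.dll)"?,\s*(#?\w+)', re.IGNORECASE)


@dataclass
class ProcEvent:
    pid: int
    image: str      # image path of the new process
    cmdline: str


@dataclass
class RegEvent:
    pid: Optional[int]   # the report does not record which process set the key
    key: str
    value: str


def check_process(ev: ProcEvent) -> Optional[str]:
    image = ev.image.lower()
    name = ntpath.basename(image)
    if name in SYSTEM_BINARIES and not image.startswith(SYSTEM_DIRS):
        # A copy of a Windows binary executing from a user-writable directory
        # is the shape of DLL side-loading: the copy resolves DLLs from its
        # own directory before the system ones.
        return (f"pid {ev.pid}: {name} running from {ntpath.dirname(ev.image)} "
                f"instead of System32 (side-loading candidate)")
    if name == "rundll32.exe":
        m = RUNDLL32_ARGS.search(ev.cmdline)
        if m and USER_WRITABLE.match(m.group(1)):
            export = m.group(2)
            how = "ordinal" if export.startswith("#") else "named export"
            return (f"pid {ev.pid}: rundll32 loading {ntpath.basename(m.group(1))} "
                    f"from a user-writable path by {how} {export}")
    return None


def check_registry(ev: RegEvent) -> Optional[str]:
    if "\\currentversion\\run\\" in ev.key.lower() and USER_WRITABLE.match(ev.value.strip('"')):
        return (f"Run key {ntpath.basename(ev.key)} points into a user-writable "
                f"directory: {ev.value}")
    return None


def scan(events: List[Union[ProcEvent, RegEvent]]) -> List[str]:
    findings = []
    for ev in events:
        hit = check_process(ev) if isinstance(ev, ProcEvent) else check_registry(ev)
        if hit:
            findings.append(hit)
    return findings


# Constructed from the report's process tree and Run-key IoC.
DLL = r"C:\Users\Admin\AppData\Local\Temp\6cf99878a472700f873bfe4ba861b27e.dll"
SAMPLE_EVENTS = [
    ProcEvent(2664, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {DLL},#1"),
    ProcEvent(1292, r"C:\Users\Admin\AppData\Local\5f1\SoundRecorder.exe",
              r"C:\Users\Admin\AppData\Local\5f1\SoundRecorder.exe"),
    ProcEvent(2708, r"C:\Windows\system32\SoundRecorder.exe", r"C:\Windows\system32\SoundRecorder.exe"),
    ProcEvent(2920, r"C:\Users\Admin\AppData\Local\IuyJ1\SystemPropertiesAdvanced.exe",
              r"C:\Users\Admin\AppData\Local\IuyJ1\SystemPropertiesAdvanced.exe"),
    ProcEvent(2924, r"C:\Windows\system32\SystemPropertiesAdvanced.exe",
              r"C:\Windows\system32\SystemPropertiesAdvanced.exe"),
    ProcEvent(1844, r"C:\Users\Admin\AppData\Local\Yqj\msconfig.exe",
              r"C:\Users\Admin\AppData\Local\Yqj\msconfig.exe"),
    ProcEvent(2500, r"C:\Windows\system32\msconfig.exe", r"C:\Windows\system32\msconfig.exe"),
    RegEvent(None,
             r"\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bsfvntd",
             r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low\xy9FZ\SystemPropertiesAdvanced.exe"),
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print(line)
```

Run against the constructed events it yields five findings: the rundll32 ordinal load from %Temp%, the three relocated system binaries, and the Run key. The three system-path copies (PIDs 2708, 2924, 2500) are the genuine binaries and produce nothing, which is the distinction a detection has to make, since image name alone is identical in both cases.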
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 607B
MD5 cd01476ba10d363fc923283d8cd56b08
SHA1 59a3d2b8d0727cfe24856c657c810fb2e3db30b1
SHA256 06862f900a1604875d8b17cd667507a00d0679de55f2c8962dd7eba91f8f5d9f
SHA512 a8f1440490ec9d807491ff894c1a8184aab13abe403f291e33d0d9324240d4d4c316722301f346056cb2458b8fb33b7f56658a61b79ccfa3046c512fe2bcad88
-
Filesize 5KB
MD5 19265727d110d662cf6bfadfdd4e00c9
SHA1 1b4d702be0fd50246b245098a867b50182563bea
SHA256 813e356f5f23e11bcf0ac4632d36520548c88330547aa0c5adecb7c87bf62472
SHA512 f0a1aa49f8a1c90ec866a6037ee5a5b4d91f180ac4c804c119caacb2b60e7378faa4f9ea0003063430a7592b9f7fc83f8bd668033e6b303ea80b33202a5f8fe7
-
Filesize 19KB
MD5 7b806a720dbe39890f2eca2e11ba8309
SHA1 5fa8378b8505d50005575e6bb90a51398ff6ba01
SHA256 899d791bd78375862e69e47ec08adc1cee40a64814ca5331888cf850133a2a71
SHA512 c198537de4dd921a0916749afade24375141c2ba902f573f93430599b41b173659e9ae2ea8e5884b369c9b0aecf63f3656c337d61750b567f55616a376f68688
-
Filesize 42KB
MD5 ee0f110169b129e276b969de2c51355c
SHA1 6842d2c73c8f36f134c29f8652351fb4a7d60c3f
SHA256 51ec7a6268d026fb5fc87b85fb098b500352acabddbdf026b2315fc82292ffc0
SHA512 ee77528055bca2aa6fd82b7b06157320cf44435655623cacec0d99df63275f89f169465ba8e0cd2630dd07b349cc66de41f428ddc7b2b3d943ce8b830aa52a96
-
Filesize 5KB
MD5 52677ccf0e00e6a1c3a6a4e670c316e3
SHA1 0d717bdbd63a293e780b92ad954a60f4ee81870d
SHA256 cedff001376a5cf428ed711aaa0d4a1a6a9148950bdc5deeaebb362f05329da7
SHA512 809fb48ccc627a78930c9125cc80226e1e5deb0d27d60d3a7a703eaefd91b88859aaa347d23c21432d54e1b2a41302b86e45eb0740410475e47316a4bb2d7a53
-
Filesize 48KB
MD5 04c87c34c3ed8efc420aa4fa397c7004
SHA1 ae3326ba4338a68ca9c00f0ba01facd932ae1f46
SHA256 dd7de0badd6bf4b5a7e3aa4b1fe5919b1f87df95cc772b97f895e644904b941b
SHA512 8fa2d8f13d33bd696d205a54effa306dfa6063b6c59b546a0451b3fa4526d23c6f6f8a981b89e8283f7f1e775abad2d1ec286aca182dfde320fd7b3fa0e2fbab
-
Filesize 25KB
MD5 5ac21c76b5fab933065fd80c63bde06a
SHA1 c31f17a297091fad0277999490914f03f63bce28
SHA256 c617230df9e34186f289425c9cef70e581eb746294dc61fdb30dd3586acebe15
SHA512 855deeb825b6ddb197b6db0749b3c1e751daaf4f9d995289c9abd14a232d21d155b653e45f69b92cc3b4f992d499922db6d4263eb61cf340326c403434d2e6c5
-
Filesize 27KB
MD5 9eab35db34fa05dd5d69117173a726af
SHA1 442fbeaa5cfd402bd2848c2118a1dfdc3f93916d
SHA256 cf1bf7e109bac823cf549f676cfc4302768e14a1214d260cccaf6f185c3f86f8
SHA512 740273cef0e9d8780b08cd5b3c21a23f183fd1999b0a9ca2a5aafb30e477848daef4f54250e700b8d2635786d32555b238e4aae4b6e7f61bc4606bfac02a348c
-
Filesize 1.6MB
MD5 dd616d9b615128f716552a26bd3f3961
SHA1 8e4c76d02e686bd93ed1dffe3365950edeb7026a
SHA256 57b06fbe0baba6e08c0a94f3e94282b6a474f6bbb9e989ca4888a5dd493e6940
SHA512 91ff79058c63fc6a022071ec13a61861aa7da4f768cb0d29652022b474ffe006846bdcb9a4b48bbf9fee4efee6199b2b5d433a07298f95f45d49ed7a5f11145a
-
Filesize 904B
MD5 7f422ca1159b41e1a07f6feea4b0eeb2
SHA1 5d4b2370e91163eb23cf635379617c9c0fa418a6
SHA256 fe5f2fab05b725d7a167bb747e81d33fcea2570089056fcbf74a100e1d9cc054
SHA512 9366bcaeba91fd716520f0ba10d538be1d5e3d023ed283dbc3eeefe9d2e68ddb6bca5df68fd721fba0224af8cbf0d07f9b80202f24b90493cec5bcfe65cd3577
-
Filesize 1.6MB
MD5 c155d0a18267ea1d067e6bc36173bb9f
SHA1 33bab8653f5dbed520720e9b6af844b2a4c35685
SHA256 0f82ca53c025ffdba719dc7508d8910c3d8bab25e721f97d1550352d58941e0d
SHA512 b7af5a805ad6c192a89d502d065a110ed965990c30c19cf41f44acc8427be0a5e213acda0b8d0023e9a396e718dbba5e297a8c5bec4a6b694d73b70c3bcc3468
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low\xy9FZ\SystemPropertiesAdvanced.exe
Filesize 78KB
MD5 ead965d732d239d5474dacdf4afebf28
SHA1 8d39ac4ccb96bddbb7dc5df01438933b46981233
SHA256 070dea755a2c6d99c7d49dc267b45d0d9d6c7b0ec7bdc4c1cef130756c1de155
SHA512 2a16d6aa4f07eb344cea864ead90e6606e427c7aa7300f70708c62dd3dbfb6353d10650c92d79893b91f2a640eb3ccc8f9f4a22e1f7a4fcaf6ef7466f52b3c35
-
Filesize 1.6MB
MD5 01e287f87e336e8a39ce70bc054d6de7
SHA1 dfaa3c8ba7ebee54c57ffada7ce3e3a8030fb91e
SHA256 1a6d91fff1d991c4f8fa17af63be5c962ca44edf0a4efc4201b9194ae1b1962c
SHA512 a2996bd25a5ec3a40097a7610823c68a05dc50795c4e9e77f2300d2507a9992e82ee50f2b7a5dfa2522f77ca5f33fe9ff2c95d30cf62fe5b39437426d9aafb1f
-
Filesize 16KB
MD5 730191b71f3aeba67026482ab955d5b6
SHA1 768675473ab90e82c87df9c2210eed07c591eeea
SHA256 12634afa07a7c7307291581b3c6971ad7e30424fd2f2d59833d668fd0e115c8b
SHA512 44c1374d497889f2abe15d4d0b9f56e8554da832297655d2a019edc2192ddb949d14f84c0ab5e7ccfddebe3d46a32df4bf20c29893384a5e00ab5675c1c8e2b0
-
Filesize 10KB
MD5 3c606c386ce5723f7a3a9266f33dc4e1
SHA1 226ff7ec913cf874cda957ee78fb4ab9d57b4751
SHA256 46839127b2c6e29412191f16f9c1f75155a6dfb42cc8a2123aba7e363eb29a06
SHA512 d545e2fd9dd90616601ae3d3e2fe283445e5dfed934b8c194a647ce39597a26663aac3572dd9a1dc3d5f0d729cab027667b5ee7b8b637b3cf61423924b8122bb
-
Filesize 5KB
MD5 95e0b25bf51f48d7f9474a834dc9d1ce
SHA1 524eb97726b9e69b47db6f2e8f3222e874a72b17
SHA256 374e7edc13b23a3a0873385e79c035bae3413a5f9ddd84c046bda29c04691228
SHA512 f5516b722fd51b8b183ea59c9b483a4ad87aa9a6c81f82dbef1ad871e6cf1438e996b1e8ac6ad19306ed8d8f02655907781694098ab67c86b3748da72e188a8f
-
Filesize 9KB
MD5 f592f69aaba7e985c06d07aad25d8f4b
SHA1 d6b11806331fdae75f731da5e4c21ebf380c1ba6
SHA256 7fb944af8bdfba90c9a845cb5964b7f27037da221c16dc460365fdf2eaedbe60
SHA512 f822841b218efa2f62dbaec8d26f093cf764eb22babe1d8487dd3be9d8d39dc87bc86b8bf57f94ea9f16a78d7e0d5c36691206e1b7ad80dbb8022102f57b62c9
-
Filesize 45KB
MD5 6a8017b0690ed6aeb9d12c41b873597c
SHA1 a6b6fe9e236b7fcaac311d153cbb818e5d707c16
SHA256 f81b2b9fef8d8e5a63819037d432cd8667f1c7ee926819cf99b05bd1311f5215
SHA512 7589572d35cac717028b98ad77322b20c9a52f44bf79b95343500f1d7609f8989b54ec7e97b4e343ede2e43c822df40a086466ae29070c830d14b396ad2c4adb
-
Filesize 1KB
MD5 aae2999ee9a060773660f375b64ec492
SHA1 d56d28e90dba3b60eafd09695da5eca97755e071
SHA256 22cad07bfc5784085ad6a7f33482d418265933e2cb6e15a23a7314c9925176bc
SHA512 41d5533dc89733edf4035e39b5702d37d7d0937f97b6139bad2cd73742c5fecbbf626d751dd26cbb533c80448e0972adb6595052ca8fd30cecb05a80d7ba6866
-
Filesize 9KB
MD5 0c60d317dd776c0377f574ab777cfeab
SHA1 f44ec7ccd9b3dac70c53e736b52f805701dd80e8
SHA256 b6aa5aa94c0ffd2eaace97f77ba50bc8e65b7debadf2422631512d6fa8bbc9a9
SHA512 b047f411c285aa158139060722d95b30d1b412a67576d79be1eb000e91e3ebe07d2d7f2df4b4716f2ef4e8115085970868ee0452ce8e3aa178cdcbb00c39aeab