Analysis

max time kernel: 150s
max time network: 127s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 21-01-2024 16:02

Static task: static1
Behavioral task: behavioral1
Sample: 6d6d6e2d25e5004f0487405fdb25a600.dll
Resource: win7-20231215-en
General

Target: 6d6d6e2d25e5004f0487405fdb25a600.dll
Size: 1.4MB
MD5: 6d6d6e2d25e5004f0487405fdb25a600
SHA1: ef4b1bba3fc0114114c00180262f1404a88e66b0
SHA256: 6c28f1dd1c3bbf1187846af408ba671bf0fb28984469e666b284d4f4b1c3a823
SHA512: 8a8d615f34930e4eb5d717414e3443771caff2416815ed529ba4a0a2ec7fb5fe6637198d6482626dcd3f0edd428776a637c8608cc00fcbf35eff55812bd24608
SSDEEP: 12288:FVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:cfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures

YARA rule match: dridex_stager_shellcode
resource: behavioral1/memory/1188-5-0x0000000002A80000-0x0000000002A81000-memory.dmp (one 4 KB page in PID 1188)
yara_rule: dridex_stager_shellcode

Executes dropped EXE 3 IoCs
pid 2640  SystemPropertiesDataExecutionPrevention.exe
pid 1588  tcmsetup.exe
pid 2920  osk.exe

Loads dropped DLL 7 IoCs
pid 1188  (process name not recorded)
pid 2640  SystemPropertiesDataExecutionPrevention.exe
pid 1188  (process name not recorded)
pid 1588  tcmsetup.exe
pid 1188  (process name not recorded)
pid 2920  osk.exe
pid 1188  (process name not recorded)

Adds Run key to start application 2 TTPs 1 IoCs
Set value (str)  \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IEDownloadHistory\\2AOpVFzcLX\\tcmsetup.exe"  (writing process not recorded)
Note that the Run value points at a tcmsetup.exe copy under AppData\Roaming, a different directory from the AppData\Local\y8jTT\ copy that was executed during the run; both paths are user-writable.

Checks whether UAC is enabled
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  SystemPropertiesDataExecutionPrevention.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  tcmsetup.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  osk.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs
pid 2496  rundll32.exe  (3 entries)
pid 1188  (process name not recorded; the remaining 61 entries)

Suspicious use of WriteProcessMemory 18 IoCs
PID 1188 wrote to memory of 2620  SystemPropertiesDataExecutionPrevention.exe  (3 entries)
PID 1188 wrote to memory of 2640  SystemPropertiesDataExecutionPrevention.exe  (3 entries)
PID 1188 wrote to memory of 2028  tcmsetup.exe  (3 entries)
PID 1188 wrote to memory of 1588  tcmsetup.exe  (3 entries)
PID 1188 wrote to memory of 2816  osk.exe  (3 entries)
PID 1188 wrote to memory of 2920  osk.exe  (3 entries)
Every write originates from PID 1188, the same process that holds the matched stager shellcode page and loads the dropped DLLs; rundll32.exe (PID 2496), which loaded the sample, is not the writer.

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times. The report lists no created task as an IoC for this run, so the only persistence artifact actually recorded is the Run key above.
Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6d6d6e2d25e5004f0487405fdb25a600.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 2496

C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
  command line: C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
  PID: 2620

C:\Users\Admin\AppData\Local\hAkyUKUK\SystemPropertiesDataExecutionPrevention.exe
  command line: C:\Users\Admin\AppData\Local\hAkyUKUK\SystemPropertiesDataExecutionPrevention.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2640

C:\Windows\system32\tcmsetup.exe
  command line: C:\Windows\system32\tcmsetup.exe
  PID: 2028

C:\Users\Admin\AppData\Local\y8jTT\tcmsetup.exe
  command line: C:\Users\Admin\AppData\Local\y8jTT\tcmsetup.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1588

C:\Windows\system32\osk.exe
  command line: C:\Windows\system32\osk.exe
  PID: 2816

C:\Users\Admin\AppData\Local\BHKZxD0\osk.exe
  command line: C:\Users\Admin\AppData\Local\BHKZxD0\osk.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2920

All seven processes are shown at the same tree depth; the process that spawned them (PID 1188, per the WriteProcessMemory signature) is not itself listed in the tree. Each system binary appears twice: once from C:\Windows\system32\ and once from a randomly named directory under AppData\Local, and only the AppData copy is flagged for loading a dropped DLL.
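The pattern in the tree above (a signed system EXE copied into a random AppData\Local directory, executed there, loading a dropped DLL, with every new process written to by one parent PID and a Run key pointing into AppData) can be turned into a detection pass over process, WriteProcessMemory and registry events. The following is an added example, not part of the sandbox report: the event tuples are constructed from the report's process tree and signatures, while the path regexes, the `min_targets` threshold and the function names are assumptions of this example.

```python
"""Detection pass over events shaped like the sandbox report above.

Added example. The events below are constructed from the report (PIDs,
image paths, WriteProcessMemory targets, Run-key value); the rules and
thresholds are this example's own assumptions, not the sandbox's.
"""
import re
from collections import defaultdict

# Constructed from the process tree: (pid, image path)
PROCESS_EVENTS = [
    (2496, r"C:\Windows\system32\rundll32.exe"),
    (2620, r"C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe"),
    (2640, r"C:\Users\Admin\AppData\Local\hAkyUKUK\SystemPropertiesDataExecutionPrevention.exe"),
    (2028, r"C:\Windows\system32\tcmsetup.exe"),
    (1588, r"C:\Users\Admin\AppData\Local\y8jTT\tcmsetup.exe"),
    (2816, r"C:\Windows\system32\osk.exe"),
    (2920, r"C:\Users\Admin\AppData\Local\BHKZxD0\osk.exe"),
]

# Constructed from the WriteProcessMemory signature: (source pid, target pid),
# three entries per target as in the report.
WRITE_EVENTS = [(1188, t) for t in (2620, 2640, 2028, 1588, 2816, 2920) for _ in range(3)]

# Constructed from the "Adds Run key" signature: (value name path, data)
RUN_KEY_EVENTS = [
    (r"\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000"
     r"\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr",
     r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEDownloadHistory\2AOpVFzcLX\tcmsetup.exe"),
]

# Assumed path classes: anything under a user profile's AppData is treated as
# user-writable; System32/SysWOW64 as the legitimate home of system binaries.
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I)
SYSTEM_DIR = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\", re.I)


def basename(path):
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_relocated_system_binaries(events, known_system_names=()):
    """Images launched from a user-writable directory whose file name is also
    seen launching from the system directory (or is in a caller-supplied list).
    This is the copied-signed-EXE-plus-dropped-DLL pattern the report shows."""
    system_names = {basename(p) for _, p in events if SYSTEM_DIR.match(p)}
    system_names |= {n.lower() for n in known_system_names}
    return [(pid, p) for pid, p in events
            if USER_WRITABLE.match(p) and basename(p) in system_names]


def find_appdata_run_keys(events):
    """Run-key values whose data points into a user-writable profile path."""
    return [(name, data) for name, data in events if USER_WRITABLE.match(data)]


def find_injection_fanout(write_events, min_targets=3):
    """Source PIDs that wrote into at least min_targets distinct processes.
    Duplicate entries for the same target (the report has three each) are
    collapsed so the threshold counts processes, not API calls."""
    targets = defaultdict(set)
    for src, dst in write_events:
        targets[src].add(dst)
    return {src: sorted(t) for src, t in targets.items() if len(t) >= min_targets}


def run(process_events=PROCESS_EVENTS, write_events=WRITE_EVENTS, run_key_events=RUN_KEY_EVENTS):
    """Correlate the three rules: a relocated system binary whose PID was also
    a write target of a fan-out source is reported as a combined hit."""
    relocated = find_relocated_system_binaries(process_events)
    fanout = find_injection_fanout(write_events)
    hits = []
    for pid, path in relocated:
        writers = [src for src, tgts in fanout.items() if pid in tgts]
        hits.append({"pid": pid, "image": path, "written_by": writers})
    return {
        "relocated": relocated,
        "run_keys": find_appdata_run_keys(run_key_events),
        "fanout": fanout,
        "hits": hits,
    }


if __name__ == "__main__":
    result = run()
    for hit in result["hits"]:
        print(f"pid {hit['pid']} {hit['image']} written by {hit['written_by']}")
    for name, data in result["run_keys"]:
        print(f"run key {name.rsplit(chr(92), 1)[-1]} -> {data}")
```

On the report's own data the pass yields three combined hits (PIDs 2640, 1588 and 2920, all written to by 1188) and one AppData Run key. The relocated-binary rule deliberately keys on the file name reappearing from both System32 and AppData in the same event set, because the report records nothing about code signatures; on live telemetry you would add a signer check on the AppData copy and pass a curated `known_system_names` list so a single launch is enough to match.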
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 676KB
MD5: b918311a8e59fb8ccf613a110024deba
SHA1: a9a64a53d2d1c023d058cfe23db4c9b4fbe59d1b
SHA256: e1f7612086c2d01f15f2e74f1c22bc6abeb56f18e6bda058edce8d780aebb353
SHA512: e3a2480e546bf31509d6e0ffb5ce9dc5da3eb93a1a06d8e89b68165f2dd9ad520edac52af4c485c93fe6028dffaf7fcaadaafb04e524954dd117551afff87cf1

Filesize: 1.4MB
MD5: c2643eae06ac9cc0fda13c796c36131e
SHA1: 51316ed272064e37e459f20a8c8a2f6add3412b2
SHA256: bfaeec6613997bcf82e41077fa1d02a934cd361e1d168ad1e7d9a50b9ae96d97
SHA512: b81551be9ca442da82e2ddf901f03a2033eb90343a58756ce95bb89d32ca939e233b2ccffa9ca41ec22648a0039c09897ea662f3c69b0a71ddf9106dc439d984

Filesize: 1.4MB
MD5: f5aaf822675f3ff5565f64ebac272d39
SHA1: c687794391440629118bfa9e3d16f51e9c9510f8
SHA256: fd61a51c15cbf35e632938333ac5e1f3c472bb7760e6645ad1e9a5fdf586e111
SHA512: be7541443ef8841103000470f21121ef83f59b3e639fa36e4f9fba898b5644a5b55a91c831d195f4aad8b069739a52707876314f41d2a1bbc92554c9b9ec7f14

Filesize: 1KB
MD5: 4226746aea5e60126dc602df3d4a0de4
SHA1: b296a138183d36798e6b6bac886f43bbd7e45bf8
SHA256: 76e13d0cf8e2d2e699532d880ab6862794248a51b818a56700fac621f02d50a7
SHA512: 3a858b5796626a82e506f257403234c7205522855ce085f2b463bb4b5bea39d215b4b2ec5cb5947065175e6266bf6cf8c2aaf079a99bcec6f0162e17a8d2ca67

Filesize: 1.4MB
MD5: 62a31f0c69e4e51ba92f9ce221491ba5
SHA1: 1fc006d6fe2cb3b510e25c7ff7e0619061fb2ae8
SHA256: ddf59b686325b020bf449b76cbd93f716854c3075f239f2cb37ef9400c7e9566
SHA512: d579914db5e53b527172bac4b67705eac8af1364a0f553929d8a607d498a9baf07794fd4966b96b46b9942bffa3d45dfc2ada9317642422be42b13d26a7c91f8

Filesize: 576KB
MD5: b5ccc580308ea920c8c0e31d17f21b23
SHA1: 0d760edb7f98c92a96ee84870f160ca282863763
SHA256: 49bd64d5d22fe03b6fcdb6651c97e99e77c86d1bfc338f51879bb6b5cd597781
SHA512: 18f6065b985197f0c3764da8f22ae9f56d589c1b83f447a2b0bbb6287c43059d7d534b90a7ce660e8a5a36e1a8a2a0cfe6f944b4b384e14901d6b66461ccf272

Filesize: 80KB
MD5: e43ff7785fac643093b3b16a9300e133
SHA1: a30688e84c0b0a22669148fe87680b34fcca2fba
SHA256: c8e1b3ecce673035a934d65b25c43ec23416f5bbf52d772e24e48e6fd3e77e9b
SHA512: 61260999bb57817dea2d404bcf093820679e597298c752d38db181fe9963b5fa47e070d6a3c7c970905035b396389bb02946b44869dc8b9560acc419b065999a

Filesize: 15KB
MD5: 0b08315da0da7f9f472fbab510bfe7b8
SHA1: 33ba48fd980216becc532466a5ff8476bec0b31c
SHA256: e19556bb7aa39bbd5f0d568a95aec0b3af18dda438cc5737f945243b24d106e7
SHA512: c30501546efe2b0c003ef87ac381e901c69ddfc6791c6a5102cff3a07f56555d94995a4413b93036821aa214fc31501fa87eb519e1890ef75b2ec497983ffd58