Analysis
-
max time kernel
150s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted
21-01-2024 16:15
Static task
static1
Behavioral task
behavioral1
Sample
6d744bbf016772634f87aa5fdf2fc9c5.dll
Resource
win7-20231215-en
General
-
Target
6d744bbf016772634f87aa5fdf2fc9c5.dll
-
Size
1.4MB
-
MD5
6d744bbf016772634f87aa5fdf2fc9c5
-
SHA1
e1b3f458533b0b13502b8fdf2d07d05eb228b467
-
SHA256
d0c33dbcd2bc26465a2cdf232d5cfea8a77135f9572037c8a0fbe21ae5cd0c2c
-
SHA512
a7f14f70607bc4b4169427c833c0bb6b7aac746c13f7b990314d01086d4a2d0df2b57b8826afd2812543032484f37b737d652449784a12e8e9852782d5419410
-
SSDEEP
12288:mVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:7fP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
-
Processes:
resource: behavioral1/memory/1200-5-0x0000000002B60000-0x0000000002B61000-memory.dmp
yara_rule: dridex_stager_shellcode
Executes dropped EXE 3 IoCs
Processes:
pid process
2640 calc.exe
1900 spinstall.exe
752 WFS.exe
Loads dropped DLL 7 IoCs
Processes:
pid process
1200 (process name not recorded in the report)
2640 calc.exe
1200 (process name not recorded in the report)
1900 spinstall.exe
1200 (process name not recorded in the report)
752 WFS.exe
1200 (process name not recorded in the report)
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\Niubkzso = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\PRINTE~1\\fQTVdY\\SPINST~1.EXE"
process: (not recorded in the report)
Note that the value is written with 8.3 short names (MICROS~1, PRINTE~1, SPINST~1.EXE) and points into a randomly named folder under AppData\Roaming; a detection that matches the literal long form "AppData\Roaming\Microsoft\Windows" will not see this entry unless the path is expanded first.
Checks whether UAC is enabled 4 IoCs
Processes:
description ioc process
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rundll32.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA calc.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA spinstall.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA WFS.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid process
2060 rundll32.exe (3 entries)
1200 (61 entries; process name not recorded in the report)
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
description pid process target process
PID 1200 wrote to memory of 2588 (target process calc.exe), 3 entries
PID 1200 wrote to memory of 2640 (target process calc.exe), 3 entries
PID 1200 wrote to memory of 1668 (target process spinstall.exe), 3 entries
PID 1200 wrote to memory of 1900 (target process spinstall.exe), 3 entries
PID 1200 wrote to memory of 2744 (target process WFS.exe), 3 entries
PID 1200 wrote to memory of 752 (target process WFS.exe), 3 entries
All 18 writes originate from PID 1200, the same process whose memory matched the dridex_stager_shellcode rule above; the report never names it, so its image must be recovered from the full process listing or the memory dump rather than from this table.
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times. No IoC is listed for it in this run, so the only persistence actually recorded here is the Run key above.
Processes
-
C:\Windows\system32\rundll32.exe
Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6d744bbf016772634f87aa5fdf2fc9c5.dll,#1
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2060
-
C:\Windows\system32\calc.exe
Command line: C:\Windows\system32\calc.exe
PID:2588
-
C:\Users\Admin\AppData\Local\HPIxUr\calc.exe
Command line: C:\Users\Admin\AppData\Local\HPIxUr\calc.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2640
-
C:\Windows\system32\spinstall.exe
Command line: C:\Windows\system32\spinstall.exe
PID:1668
-
C:\Users\Admin\AppData\Local\YAd\spinstall.exe
Command line: C:\Users\Admin\AppData\Local\YAd\spinstall.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1900
-
C:\Windows\system32\WFS.exe
Command line: C:\Windows\system32\WFS.exe
PID:2744
-
C:\Users\Admin\AppData\Local\xCWjnC\WFS.exe
Command line: C:\Users\Admin\AppData\Local\xCWjnC\WFS.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:752
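The process tree above shows the same sequence three times: a Windows system binary (calc.exe, spinstall.exe, WFS.exe) is started from System32, then a copy of it is started from a freshly named folder under AppData\Local, and only the copy is flagged as executing a dropped EXE and loading a dropped DLL. Together with the Run value that points, through 8.3 short names, into a random folder under AppData\Roaming, this is the masquerading / DLL side-loading pattern. The Python below is an added example, not part of the report or of any sandbox's code: it runs those checks over process-creation and Run-key records constructed from the report's own process tree and IoC. The tuple layout, the SYSTEM_BINARIES set and the function names are assumptions of the example, not a Triage export format.

```python
"""Flag the masquerading / DLL side-loading sequence seen in the report.

Added example. Input records are constructed from the report's process tree
and Run-key IoC; the tuple layout and the lists below are assumptions of this
example, not a sandbox export format.
"""
import ntpath
import re
from collections import defaultdict

# Executables that legitimately live in System32/SysWOW64. Assumption: a real
# deployment builds this set from an inventory of the gold image.
SYSTEM_BINARIES = {"calc.exe", "spinstall.exe", "wfs.exe", "rundll32.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE_DIRS = ("c:\\users\\", "c:\\programdata\\")

# (pid, image path, command line), constructed from the report's process tree.
PROCESS_EVENTS = [
    (2060, "C:\\Windows\\system32\\rundll32.exe",
     "rundll32.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\6d744bbf016772634f87aa5fdf2fc9c5.dll,#1"),
    (2588, "C:\\Windows\\system32\\calc.exe", "C:\\Windows\\system32\\calc.exe"),
    (2640, "C:\\Users\\Admin\\AppData\\Local\\HPIxUr\\calc.exe",
     "C:\\Users\\Admin\\AppData\\Local\\HPIxUr\\calc.exe"),
    (1668, "C:\\Windows\\system32\\spinstall.exe", "C:\\Windows\\system32\\spinstall.exe"),
    (1900, "C:\\Users\\Admin\\AppData\\Local\\YAd\\spinstall.exe",
     "C:\\Users\\Admin\\AppData\\Local\\YAd\\spinstall.exe"),
    (2744, "C:\\Windows\\system32\\WFS.exe", "C:\\Windows\\system32\\WFS.exe"),
    (752, "C:\\Users\\Admin\\AppData\\Local\\xCWjnC\\WFS.exe",
     "C:\\Users\\Admin\\AppData\\Local\\xCWjnC\\WFS.exe"),
]

# (value name, target), constructed from the report's "Adds Run key" IoC.
RUN_KEY_EVENTS = [
    ("\\REGISTRY\\USER\\S-1-5-21-2444714103-3190537498-3629098939-1000"
     "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Niubkzso",
     "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\PRINTE~1\\fQTVdY\\SPINST~1.EXE"),
]

SHORT_NAME = re.compile(r"~\d+(?:\.|\\|$)")  # an 8.3 path component such as MICROS~1
RUNDLL32_DLL = re.compile(r'rundll32(?:\.exe)?\s+"?([^\s"]+\.dll)"?,', re.I)


def is_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)


def is_user_writable(path):
    return path.lower().startswith(USER_WRITABLE_DIRS)


def masquerading_hits(events):
    """System-binary name executed from outside System32/SysWOW64."""
    return [(pid, ntpath.basename(image).lower(), image)
            for pid, image, _cmd in events
            if ntpath.basename(image).lower() in SYSTEM_BINARIES
            and not is_system_dir(image)]


def paired_launches(events):
    """Basenames started both from a system directory and from a user-writable
    one: the copy-then-run sequence the report shows for all three binaries."""
    where = defaultdict(set)
    for _pid, image, _cmd in events:
        loc = "system" if is_system_dir(image) else "user" if is_user_writable(image) else "other"
        where[ntpath.basename(image).lower()].add(loc)
    return sorted(name for name, locs in where.items() if {"system", "user"} <= locs)


def rundll32_hits(events):
    """rundll32 invoking a DLL that lives under a user-writable directory."""
    hits = []
    for pid, _image, cmd in events:
        m = RUNDLL32_DLL.search(cmd)
        if m and is_user_writable(m.group(1)):
            hits.append((pid, m.group(1)))
    return hits


def run_key_hits(entries):
    """Run values pointing into user-writable space or written with 8.3 names."""
    hits = []
    for value_name, target in entries:
        reasons = []
        if is_user_writable(target):
            reasons.append("target under user-writable directory")
        if SHORT_NAME.search(target):
            reasons.append("8.3 short name in path")
        if reasons:
            hits.append((value_name, target, reasons))
    return hits


if __name__ == "__main__":
    for pid, name, image in masquerading_hits(PROCESS_EVENTS):
        print(f"masquerade   pid={pid} {name} from {image}")
    print("copied-then-run:", ", ".join(paired_launches(PROCESS_EVENTS)))
    for pid, dll in rundll32_hits(PROCESS_EVENTS):
        print(f"rundll32     pid={pid} loads {dll}")
    for value_name, target, reasons in run_key_hits(RUN_KEY_EVENTS):
        print(f"run key      {ntpath.basename(value_name)} -> {target}: {'; '.join(reasons)}")
```

The short-name check is the one most often missing from Run-key rules: a rule that matches the literal string "AppData\Roaming\Microsoft" never sees "MICROS~1". On a live host, expand the value with GetLongPathName (or PowerShell's Get-Item on the path) before comparing, and treat a system-binary name launched from a user-writable folder as an alert candidate only after confirming its hash differs from, or its directory also contains a DLL not present beside, the System32 original.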
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
1.0MB
MD5 87c67c13be591a25ed37c09ffe8a8078
SHA1 c5b0ce806e5cd8bc2b3d654d3d97676ac5acb7a5
SHA256 a27eb6541964f39331bcf2515a8caa8eb841c0c53b4fb42633556c8b85845adc
SHA512 848c4d7f8dca843fdeb1f3659996a4191773dc82543f05ecabbc101bfa5f16bca2f805714571a416a4c09ba6845d0514f3726d8780196f5a8a43d0edc50fb7b8
-
Filesize
897KB
MD5 10e4a1d2132ccb5c6759f038cdb6f3c9
SHA1 42d36eeb2140441b48287b7cd30b38105986d68f
SHA256 c6a91cba00bf87cdb064c49adaac82255cbec6fdd48fd21f9b3b96abf019916b
SHA512 9bd44afb164ab3e09a784c765cd03838d2e5f696c549fc233eb5a69cada47a8e1fb62095568cb272a80da579d9d0e124b1c27cf61bb2ac8cf6e584a722d8864d
-
Filesize
320KB
MD5 ba7a86a07d4a79bfb7244a33e543f8fa
SHA1 c1aaf14e17539cee0ea6fd43ceff50f58cd0d931
SHA256 79a2a8e5f55add3bd88a04deb5ee3bf8d1cd64de27cfa30c1935ff0ae083e3a3
SHA512 f81920abce6b99d7c25a496c773f720c45c5f58f78f80a85a068f3565d30e0598a34c6e61efaec39ee99f7ebcdfb8be264afb3e92528468af43e71d6d19d1f1f
-
Filesize
448KB
MD5 7ecb8e9704df710d5bd546535162f1bc
SHA1 56e0ee9a9faf5702343efa5d03ea470ceaa8ae05
SHA256 49613fc250d16d4effec004f208f2bbe24f7220375bc5d3a6f64ed87e994795a
SHA512 400824f2739f730c938b8ac3231cfd13d640667a53ec1bb2ff9387865cfde1ce4808a036981c56ed683d7d213e10979a7e89378f5a82cf0ec62821c25e79c8ad
-
Filesize
1.4MB
MD5 e9180b8d59f92b38fb7399b648eda0ae
SHA1 88c7aedde9aab4abec1bbfa62425e8d29640f840
SHA256 223defcc75297e8265c802179456a01b5de55d2221a2358b5c69d029e6555db0
SHA512 1caf9e4d0995be361acef49837fb7b1e64498667f78481c0eb2e907e40a10d0b9be2fe9638c0f1283eeff0ca6e68cb11bf4dee30901e42949824d824cf8b5b84
-
Filesize
1KB
MD5 02c51fabfe44853f0cf5775099ebdd50
SHA1 d470cfcd7620c22550763a6ed619850b8bc170ac
SHA256 100e1df37f89b9c49f722ec3ae3bfbe41db6a6c745c81b327324802031786354
SHA512 fba1b6264aeddba2f5f6f3914f5bf2d6b70f5ecb500dba0c64b9a68000ef31861ceb8807b06614d891f7ce88cad1f28c1cd94be3e9e34d6c594b0913a2379a8f
-
Filesize
1.4MB
MD5 351acddf71758690cc80ac73100f1b19
SHA1 2ef9f25046432aa3722f46443a77539732cb8595
SHA256 78520e1be605bd74981bab62c52decaf8d41c1ad1844346fa57bc816fb5e4a74
SHA512 75eaabfd3a474c6822d3757f7518c900edf64d49e10eabcb8afc5eae16bd09f7a98f6507ccf2eb45b8a7e6ac62cb9ecc40ccfea3782c4096b69afd0a03e4b9dd
-
Filesize
1.4MB
MD5 03966c64269893c80162606bd5c2c666
SHA1 d18176057e17622c04d4493b4ca6fa7b477f4dd6
SHA256 00d0635ca687ed2ce55b8f864f9b37240d25c28a83c6a8dcaf378154d2734cf7
SHA512 50ebbb7a1cd032e168df53c088e1c7bc2bdd26b37d066bd3b13b42867661fe372a94a98779936ece4d1a72350aa816d56e12a336cd71f041c214f712eabfbff0
-
Filesize
584KB
MD5 29c1d5b330b802efa1a8357373bc97fe
SHA1 90797aaa2c56fc2a667c74475996ea1841bc368f
SHA256 048bd22abf158346ab991a377cc6e9d2b20b4d73ccee7656c96a41f657e7be7f
SHA512 66f4f75a04340a1dd55dfdcc3ff1103ea34a55295f56c12e88d38d1a41e5be46b67c98bd66ac9f878ce79311773e374ed2bce4dd70e8bb5543e4ec1dd56625ee
-
Filesize
951KB
MD5 a943d670747778c7597987a4b5b9a679
SHA1 c48b760ff9762205386563b93e8884352645ef40
SHA256 1a582ebe780abc1143baccaf4910714d3e9f4195edd86939499d03ed6e756610
SHA512 3d926ddead8afcb32b52b3eb3c416d197c15e5fff6ba9fa03a31a07522bdb9088b32500fc8b98d82af657071571d09cd336a65cf45c485ebcc145dea70b3a934