Analysis
-
max time kernel
150s
max time network
128s
platform
windows7_x64
resource
win7-20231215-en
resource tags
arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted
21-01-2024 20:49
Static task
static1
Behavioral task
behavioral1
Sample
6dfd7436bd4deb041e0a6690557c4397.dll
Resource
win7-20231215-en
General
-
Target
6dfd7436bd4deb041e0a6690557c4397.dll
-
Size
1.5MB
-
MD5
6dfd7436bd4deb041e0a6690557c4397
-
SHA1
8689cb744b5e5d497a20d4f95a479cf3d1b07ef7
-
SHA256
670c71a7ce5a1d03db1879db686c7f2ba96a4e6488cc14aa093b3831ea02405d
-
SHA512
a86ae46acc04e5f976c9410544c1977949ba48fc26bd05d0324ae59db0cfe178873e18029290f81950ac2b58fb4a2a43b699e15123b46dfd282b011f159fc085
-
SSDEEP
12288:qVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:3fP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
-
Processes:
resource                                                                     yara_rule
behavioral1/memory/1276-5-0x0000000002AC0000-0x0000000002AC1000-memory.dmp   dridex_stager_shellcode
Executes dropped EXE 3 IoCs
Processes:
pid   process
1092  ComputerDefaults.exe
3032  tabcal.exe
2244  tcmsetup.exe
Loads dropped DLL 7 IoCs
Processes:
pid   process
1276
1092  ComputerDefaults.exe
1276
3032  tabcal.exe
1276
2244  tcmsetup.exe
1276
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description:  Set value (str)
ioc:          \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\PRINTE~1\\4MrYue\\tabcal.exe"
process:
Checks whether UAC is enabled
Processes:
description        ioc                                                                                   process
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  tcmsetup.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  ComputerDefaults.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  tabcal.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid   process
2756  rundll32.exe
2756  rundll32.exe
2756  rundll32.exe
1276
(the last row, pid 1276 with no process name, is repeated for the remaining 61 of the 64 IoCs)
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
description                       pid   process  target process
PID 1276 wrote to memory of 572   1276           ComputerDefaults.exe
PID 1276 wrote to memory of 572   1276           ComputerDefaults.exe
PID 1276 wrote to memory of 572   1276           ComputerDefaults.exe
PID 1276 wrote to memory of 1092  1276           ComputerDefaults.exe
PID 1276 wrote to memory of 1092  1276           ComputerDefaults.exe
PID 1276 wrote to memory of 1092  1276           ComputerDefaults.exe
PID 1276 wrote to memory of 2944  1276           tabcal.exe
PID 1276 wrote to memory of 2944  1276           tabcal.exe
PID 1276 wrote to memory of 2944  1276           tabcal.exe
PID 1276 wrote to memory of 3032  1276           tabcal.exe
PID 1276 wrote to memory of 3032  1276           tabcal.exe
PID 1276 wrote to memory of 3032  1276           tabcal.exe
PID 1276 wrote to memory of 876   1276           tcmsetup.exe
PID 1276 wrote to memory of 876   1276           tcmsetup.exe
PID 1276 wrote to memory of 876   1276           tcmsetup.exe
PID 1276 wrote to memory of 2244  1276           tcmsetup.exe
PID 1276 wrote to memory of 2244  1276           tcmsetup.exe
PID 1276 wrote to memory of 2244  1276           tcmsetup.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
(each entry: image path, then command line, then matched signatures and PID; every entry sits at tree depth 1)
C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\6dfd7436bd4deb041e0a6690557c4397.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID:2756
-
C:\Windows\system32\ComputerDefaults.exe
  C:\Windows\system32\ComputerDefaults.exe
  PID:572
-
C:\Users\Admin\AppData\Local\MsXOWmAi\ComputerDefaults.exe
  C:\Users\Admin\AppData\Local\MsXOWmAi\ComputerDefaults.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID:1092
-
C:\Windows\system32\tabcal.exe
  C:\Windows\system32\tabcal.exe
  PID:2944
-
C:\Users\Admin\AppData\Local\QDQuFPry\tabcal.exe
  C:\Users\Admin\AppData\Local\QDQuFPry\tabcal.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID:3032
-
C:\Windows\system32\tcmsetup.exe
  C:\Windows\system32\tcmsetup.exe
  PID:876
-
C:\Users\Admin\AppData\Local\UX9Uw\tcmsetup.exe
  C:\Users\Admin\AppData\Local\UX9Uw\tcmsetup.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID:2244
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
1.5MB
MD5 b8554068bd6c3121358109635a556da1
SHA1 aec59f313bcd222dedbc5488bb272ced14705a0e
SHA256 94ba3aa954d3dc42f3bbdccae1d0d4f8f16a8f391bc028242f03bb0ae0e4dca3
SHA512 f99a982ba9fd305acde98dce52e7410f5fe85469c351bab3e5cc8c180a7b91e09bbc41c676b93a6e5fc13d5a3a12a4ac56b4f4dc551c156bc299cdb8d466ae7d
-
Filesize
1.5MB
MD5 71492b8eae659ad08cb7330d134f1768
SHA1 896685756517d798d3edd5c9186b12cd5c4b9ce4
SHA256 fc9d90dea7bb405e6d448d281a07c2c443a90dc2423c7b0bf6c0eb3b4c54bab0
SHA512 c2e8768833e43900a55f0a7e32f24112052f0f56ec72e1541455f6bfd7b725e8472417297c379676a915e9499ab020319accae1fd2509694af0ca2f59b201a58
-
Filesize
1.5MB
MD5 ceaa4716997b5f11fd6b7504e2349d8b
SHA1 5c30a3d20f4ab162b31c7f6d65c6053070ef2880
SHA256 91e1d9c2ba1894fcaacf183cde4df92795c64afec3e77a82d09ee7037f128602
SHA512 9497a8e78f8144a1dd504c060fb48dea8d5cc979c988dd18c34ffc4b926a2508b34c1d4cbb5160b9af309767c267cb76c85ae9c3e5977454bb6ef4acee06dc9f
-
Filesize
1KB
MD5 c8024ba02c7fd5bfec58f9468eded68d
SHA1 5e561c40c37a0dd603334f8323669479f0e6c63c
SHA256 cfa4148b047f6071db8b4a52055eff8d92d95d6b7969a3824f5d57aebab9d938
SHA512 e05943e29481df33c15399a9b4e9200adb25640e07e6f15bf1f7071775e66b6aaa54c116f9a60bda0e1a9a2d8d1a6976088304edb0b714f30903c135f9994307
-
Filesize
418KB
MD5 228a2abbbd298ad38631b2f89873fc16
SHA1 d506bb9be6a2e07de0a7e39dca38c059c35b1943
SHA256 19d247cd6b7882c393dc7fcb9b81ef51f6a6e1cbffc4b70a8dffdcf3fb44b943
SHA512 6d7a2093b111d5fd50a199abed763318ee1a695f26cd97abe521a2fb8e3c3c2acba413e4e4f4970dd20b0af53f71a12f8dc5a788899c98184fc223573bac8c9e
-
Filesize
36KB
MD5 86bd981f55341273753ac42ea200a81e
SHA1 14fe410efc9aeb0a905b984ac27719ff0dd10ea7
SHA256 40b194be2bad2d3d4d1b69f9aec2853c8b663130810a11607ff72a9e3a06d5b3
SHA512 49bb6d4bf7a9356fadde7f6165af6973630827d28b69db10ad477a84d98b08fb82e4daae777166e1ddddb5b5efcdf634e4e9bd34b255dae87462ba32e8bba143
-
Filesize
77KB
MD5 98e7911befe83f76777317ce6905666d
SHA1 2780088dffe1dd1356c5dd5112a9f04afee3ee8d
SHA256 3fe8b63367b4298e70d46e87ce04cc7af5f30dfdb86b79eae41d0731d9415ea1
SHA512 fc0226381d9a6984cccac8282697c78966524e1359f7f6044559b8223e773d3c108dda08a2dd283aa171dca3390801f2c92a5d1dbb978dd7f92a67bd8877b8b6
-
Filesize
15KB
MD5 0b08315da0da7f9f472fbab510bfe7b8
SHA1 33ba48fd980216becc532466a5ff8476bec0b31c
SHA256 e19556bb7aa39bbd5f0d568a95aec0b3af18dda438cc5737f945243b24d106e7
SHA512 c30501546efe2b0c003ef87ac381e901c69ddfc6791c6a5102cff3a07f56555d94995a4413b93036821aa214fc31501fa87eb519e1890ef75b2ec497983ffd58