Analysis
- max time kernel: 149s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 22-01-2024 02:08
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 6e701a6565714d75f57e4ac97c8b92cc.dll
  - Resource: win7-20231129-en
General
- Target: 6e701a6565714d75f57e4ac97c8b92cc.dll
- Size: 1.5MB
- MD5: 6e701a6565714d75f57e4ac97c8b92cc
- SHA1: 25de2e09d2506a090f949c1091c99e8209029564
- SHA256: bd76a02a02d4a0c8c7837fe4c4985ace8f6249f11e0a71ed9ffa55e8f4639be6
- SHA512: b38cdaa350fc05950787cfe6fef67253e63f4c4d037f9708cd7f74845fb151a20693d20ce0b57ae6cc47e3d6a8a9e22384a5941a3bb2fe26c6466b296d122882
- SSDEEP: 12288:bVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ177:6fP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
- YARA rule match: dridex_stager_shellcode
  resource | yara_rule
  behavioral1/memory/1352-5-0x0000000002DE0000-0x0000000002DE1000-memory.dmp | dridex_stager_shellcode
- Executes dropped EXE (3 IoCs)
  pid | process
  2492 | cttune.exe
  2424 | cttune.exe
  2712 | msra.exe
- Loads dropped DLL (7 IoCs)
  pid | process
  1352 | (process name not resolved in the report)
  2492 | cttune.exe
  1352 | (not resolved)
  2424 | cttune.exe
  1352 | (not resolved)
  2712 | msra.exe
  1352 | (not resolved)
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mjgqrtoi = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\FLASHP~1\\ASSETC~1\\c2\\cttune.exe" | (not resolved)
  Note that the value data points at a third copy of cttune.exe under AppData\Roaming and is written with 8.3 short names (FLASHP~1, ASSETC~1), so a string match on the long path form will miss it.
- Checks whether UAC is enabled (3 IoCs)
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | cttune.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | cttune.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | msra.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | process
  2324 | regsvr32.exe (3 events)
  1352 | (process name not resolved in the report; all remaining events)
- Suspicious use of WriteProcessMemory (18 IoCs)
  description | pid | process | target process
  PID 1352 wrote to memory of 2456 | 1352 | (not resolved) | cttune.exe (3 events)
  PID 1352 wrote to memory of 2492 | 1352 | (not resolved) | cttune.exe (3 events)
  PID 1352 wrote to memory of 2088 | 1352 | (not resolved) | cttune.exe (3 events)
  PID 1352 wrote to memory of 2424 | 1352 | (not resolved) | cttune.exe (3 events)
  PID 1352 wrote to memory of 908 | 1352 | (not resolved) | msra.exe (3 events)
  PID 1352 wrote to memory of 2712 | 1352 | (not resolved) | msra.exe (3 events)
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times. The report records no task name or originating process for this signature, so the Run key above is the only persistence artifact it actually names.
Processes
- C:\Windows\system32\regsvr32.exe (PID 2324)
  command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6e701a6565714d75f57e4ac97c8b92cc.dll
  - Suspicious behavior: EnumeratesProcesses
- C:\Users\Admin\AppData\Local\ve93MSX\cttune.exe (PID 2492)
  command line: C:\Users\Admin\AppData\Local\ve93MSX\cttune.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\cttune.exe (PID 2456)
  command line: C:\Windows\system32\cttune.exe
- C:\Users\Admin\AppData\Local\Q9P\cttune.exe (PID 2424)
  command line: C:\Users\Admin\AppData\Local\Q9P\cttune.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\cttune.exe (PID 2088)
  command line: C:\Windows\system32\cttune.exe
- C:\Users\Admin\AppData\Local\5tU0cUbmK\msra.exe (PID 2712)
  command line: C:\Users\Admin\AppData\Local\5tU0cUbmK\msra.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\msra.exe (PID 908)
  command line: C:\Windows\system32\msra.exe
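The process tree above shows the pattern worth hunting for on other hosts: copies of two Windows system binaries (cttune.exe, msra.exe) executing from randomly named directories under AppData\Local and loading dropped DLLs, launched side by side with the genuine System32 copies, with the same unnamed process (PID 1352, from the WriteProcessMemory IoCs) writing into all of them, plus a Run value pointing into AppData\Roaming through 8.3 short names. The script below is an added example, not part of the sandbox report or any vendor tooling; the process and registry records are constructed from the report, and the system-directory set and the list of system binary names are assumptions for illustration.

```python
"""Hunt logic for the launch and persistence pattern in the report above.

Records are constructed from the report: image paths and PIDs from the process
tree, the PID that wrote into each process (1352) from the WriteProcessMemory
IoCs, and the Run value from the "Adds Run key" IoC. Nothing here touches a live host.
"""
import ntpath
import re
from collections import defaultdict

# (pid, image path, pid of the process that wrote into it; None where the report shows none)
PROCESS_EVENTS = [
    (2324, r"C:\Windows\system32\regsvr32.exe", None),
    (2492, r"C:\Users\Admin\AppData\Local\ve93MSX\cttune.exe", 1352),
    (2456, r"C:\Windows\system32\cttune.exe", 1352),
    (2424, r"C:\Users\Admin\AppData\Local\Q9P\cttune.exe", 1352),
    (2088, r"C:\Windows\system32\cttune.exe", 1352),
    (2712, r"C:\Users\Admin\AppData\Local\5tU0cUbmK\msra.exe", 1352),
    (908, r"C:\Windows\system32\msra.exe", 1352),
]

# (Run value name, value data) from the report's persistence IoC
RUN_KEY_EVENTS = [
    ("Mjgqrtoi", r"C:\Users\Admin\AppData\Roaming\Adobe\FLASHP~1\ASSETC~1\c2\cttune.exe"),
]

# Assumption: where the genuine copies of these binaries live on a default install.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Assumption: image names taken from this report only; a real hunt would carry a longer list.
SYSTEM_BINARIES = {"cttune.exe", "msra.exe", "regsvr32.exe"}

APPDATA_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.IGNORECASE)
SHORT_NAME_RE = re.compile(r"~\d+(?:\\|$)")  # 8.3 path components such as FLASHP~1


def _split(path):
    """Lower-cased (directory, basename) using Windows path rules regardless of host OS."""
    directory, name = ntpath.split(path)
    return directory.lower(), name.lower()


def masqueraded_system_binaries(events=PROCESS_EVENTS):
    """(pid, path) for processes named like a system binary but running outside a system directory."""
    hits = []
    for pid, path, _writer in events:
        directory, name = _split(path)
        if name in SYSTEM_BINARIES and directory not in SYSTEM_DIRS:
            hits.append((pid, path))
    return hits


def paired_launches(events=PROCESS_EVENTS):
    """Writer PID -> image names it launched from both a system directory and somewhere else.

    In the report PID 1352 starts the real System32 cttune.exe/msra.exe next to the
    dropped copies; the pairing is the signal, not either launch on its own.
    """
    where = defaultdict(lambda: defaultdict(set))
    for _pid, path, writer in events:
        directory, name = _split(path)
        if writer is not None and name in SYSTEM_BINARIES:
            where[writer][name].add("system" if directory in SYSTEM_DIRS else "other")
    result = {}
    for writer, names in where.items():
        both = sorted(n for n, locs in names.items() if locs == {"system", "other"})
        if both:
            result[writer] = both
    return result


def suspicious_run_values(events=RUN_KEY_EVENTS):
    """(value name, data, reasons) for Run values matching the report's persistence pattern."""
    findings = []
    for value_name, data in events:
        directory, name = _split(data)
        reasons = []
        if APPDATA_RE.match(data):
            reasons.append("points into AppData")
        if SHORT_NAME_RE.search(data):
            reasons.append("uses 8.3 short names")
        if name in SYSTEM_BINARIES and directory not in SYSTEM_DIRS:
            reasons.append("system binary name outside a system directory")
        if reasons:
            findings.append((value_name, data, reasons))
    return findings


if __name__ == "__main__":
    for pid, path in masqueraded_system_binaries():
        print(f"[masquerade] pid={pid} {path}")
    for writer, names in paired_launches().items():
        print(f"[paired]     writer={writer} launched system and dropped copies of {', '.join(names)}")
    for value_name, data, reasons in suspicious_run_values():
        print(f"[run-key]    {value_name} = {data} ({'; '.join(reasons)})")
```

Run against the constructed records it reports PIDs 2492, 2424 and 2712 as masqueraded system binaries, PID 1352 as the writer that launched both the system and the dropped copies of cttune.exe and msra.exe, and the Mjgqrtoi Run value on all three grounds. The 8.3 check matters because the report stores the persistence path as FLASHP~1\ASSETC~1, which a match on the expanded long-name path would not catch.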
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 175KB
  MD5: af23e57e9f12570ae71a028da8e9f8b1
  SHA1: d98c021043ddacbf2e6a39ece38681350af11ee0
  SHA256: 45d9dc9ff8b4b6d6936c916df570e3ef0e7363744b389cece4adc6652d7a3ba8
  SHA512: ed5e7c5f27b838624b101d765b375e02b7a93f9d8149e6c169cd0e8575dc4af65df9283fd0e93b98573b4cf573a45dbb370972d419b5338549c86f8f8e47c21d
- Filesize: 64KB
  MD5: d58052adf867cf1cee08b892fb092b1d
  SHA1: b74c7a8e8d212f1f4f4cb82362f44e7643394d05
  SHA256: 8653f9ab8986534f1b33eb01142a4442ff3192d784a894d00519e14197db4da2
  SHA512: 4420ab69c9b09467d6d15e2f302f39ad8c0954af5646f4fa2fc858b6f1e43d03a95a7e3e9529f1b5c704d8bba456ea484bee69cd5d205739d93c9bca48878468
- Filesize: 130KB
  MD5: f01c9d4555780b277c81718890ffc42f
  SHA1: 534cd3d56c599a2a126f11ec5b07169909ff0b10
  SHA256: 111398c6afa943d141fd7ebd62f0f1ff156f1a0b4faf9a370a771657f0a61927
  SHA512: 53f1924058da9d808c02c64d8a8ffc39cbcd6990acbaba57752f8972b8f20ef2ea727a2ff91220ca7a0744a780c1e17854ca09c85d8a1605b54ff30396fa06c9
- Filesize: 217KB
  MD5: b5d1885a2177af486ce85408de4526ec
  SHA1: d336d19263c463ac017b3054c4b2e70c639e5291
  SHA256: 50fda92dcf2753b304ae2728f9d04e9e110950ca882d4e85ff2eef22bcd8a0d6
  SHA512: ee7c4b1bd5bf98dbaba7951e836cf1cff485cf0253d968d4d0633ebd2d7fd1414e3be9eaff440546f3a957c1965cf42a6105c94d8b49966bef9b0a6d4fba5bd9
- Filesize: 63KB
  MD5: d1e20b16b60b6803510caef8881e1194
  SHA1: 93ccf27e3d3bea286447bd6ec675876048ed8e77
  SHA256: b23e106251aa6f3311980f271ef823a14b27bd27631984969d219f768a435b89
  SHA512: f556765774622c2fe8e15e4054b3a074cfe5d9c281142821b35513864c1de1438799c8a2e7cfdd3a4a5e89f70695cbbd871c4754909526dbdf1ef7d38101f4d5
- Filesize: 57KB
  MD5: d2fa98ad090b909b45b85e954dada722
  SHA1: d25dcd5a4cf0fe9489606acb2af9addef107137f
  SHA256: f610159f859e99638acf379b7e66c1510c4e0869a5fe6e06c4eddd72a7a9a89b
  SHA512: f77005db07a07477260e112e7f50320f0c9ac21d44688be90ff52ecb861568741c338da0d4b32c068f4ce07f5e3935352852b9a50008db83d0dad548432ab5d9
- Filesize: 155KB
  MD5: 44c3a38325752df5ee0d885f26e7b545
  SHA1: a9261793401898ff86e0cf65cf47b70a2997794e
  SHA256: 10cc1b4430e82e7ab9ee72c494bf6d91b284ebe30f24ad9e48430be303c527cb
  SHA512: 2f41483506faaca0dd067bd79eeee2f875a8bef175a81db0dd08822fbe1c77feb4f9d818efc14d92fcb30ba4a98d5a6ddbbecdfbb9f0e438fcbd1199b22bb6e1
- Filesize: 60KB
  MD5: 616858298155b77fb0d6bbb26a5cd1ba
  SHA1: 0e606db0dd24ec59c0c9112b10b50e2b99716e9d
  SHA256: 75a65e15de76118ad573bff1e6b3344cfd25ce9e196641103f66a23f7d0f0245
  SHA512: 1ad858b96a779698714c3687b7a0867fa33f8e8b1951144dfcaaf979c587a927f9ef6769ac24816701fb960884b0dac91fe0ffb43cf4da6fb02c02ce4af5acb5
- Filesize: 1.6MB
  MD5: 386d206dfadbb216e26fee868466afb9
  SHA1: 5b9f741f2f72d97f48f9df97c14ed041ea8ae935
  SHA256: 0059b4b865c99b2ceb402aa45ab339aef29ca57fc6aa0b51075d2b8b204c247e
  SHA512: f7f680af7ce1e9000107599a6c20a6566897101eb2a624876d8fd6b4558e508ed47e5597af76dfe91d1408b41312c19f2b2a2de82da715c47acdc3e8cb5fa983
- Filesize: 1KB
  MD5: f3ca7089aadc220a5ae1b2ff2c97308b
  SHA1: 64b0d34c9af83edbe143ec190fe7f5582055b87d
  SHA256: 458035737261cfb51044c12dbc5806146f99a2be94936097782026423a5dddec
  SHA512: 6f7b894a8a8eec21d12d120a2bc38596f8c617d25bb6a5e212e281f00fecd47a4d9c1dfc5501fec1c71edefe0c7c3619ca04578c6650d58e744632a091788892
- Filesize: 1.6MB
  MD5: 772fb215aabbe4e188ee8ab76f4dcb7c
  SHA1: faf90ccaf93b95e166371e509d4549a44a67fc2f
  SHA256: 2948b756f13042294114378cb6bf1600728c93489b33703b87d636e74cbea516
  SHA512: 57ae1952d42ca74bebca4550ceeec29ca07b895083e74fdd878441484deaa0676846f5903a47dd46fb8d9e463df90b2b316f08ed9d8d3e05479d22f3b951dcc8
- Filesize: 1.6MB
  MD5: 7e7d055d97ce50462c911ba380bde4ba
  SHA1: a41e20cbdbde6b4aee6f9da95d5be6ad469d2c23
  SHA256: 3f2a5f31ffa7bd2ae37dc9f31f79fbbab7810544fad6fd1afd2167bad01ac7fa
  SHA512: 3bd788451db22b6d9beecf84c310dc975b743ae420985b2543a5c20c7fb632496135162754e416b531c154a15cd0636dcc30762957937c4170147bd1f510f568
- Filesize: 100KB
  MD5: c9f4655e2e65c349ea4d21556b7097af
  SHA1: 37bafdbc9109b9ec8a9017443960e9cc0edf4cac
  SHA256: 7b06676b80dbb6ac703c158914ec912b41f782fafd9fdfdff4206ee22c050232
  SHA512: daf3de69239017a76af00842ff1c86f65bf6d4b04bb058d75ebd6ba8a0c90b4248229dc618749797f0959047d2043f8153bb227fe458ce7673d07f6090490828
- Filesize: 357KB
  MD5: acf25c1de82564b6517868ff6835d541
  SHA1: d4e326eba523e7e7b47408d8aae1292a483d662d
  SHA256: d06a5fc49b5e66e88bc685d83c271eb7019a6f17703034b37d3a4338aef639eb
  SHA512: c71d575fb8eb80bc67279d8f5c067fceffeff5b13823cd0359ce73afbe37f00642de9f3e622054bc1299e6a6e7d022ebf2e7f37bd8bef67d269facb0c5bd411a
- Filesize: 146KB
  MD5: a25cf12a1f79cdc9676aca0a0ad6ddb6
  SHA1: a2c409091408a83b3b9e516ba3e68c7990185480
  SHA256: fbce1218619839b4565b7a25d201dea01b74ecb7525fe3043b15a4582527e8d5
  SHA512: 8cb770e0d50cde26e386c6460b6cd8946ff47de23af91ebc03a6d665b5e1fa4aadebfd91726c05bf11d218799ff89c735a69666e5744150da349c6658391606d
- Filesize: 59KB
  MD5: aa31ed5c61cfa7d5e5c2f635372ba429
  SHA1: 4424e6e7b36353e3b16903f8f438bd2dcdf89ebe
  SHA256: 7ee79d8602a1905d3ba50c84374490952be8c7bde744bf1915e5b02503df1a6d
  SHA512: 1b371e0e69e26e04dfcd881f5e142406c09f2a36e3534721d6a359b5c69c2e7ef2c24d2e618de4b39a29e39256a12b1cceb59fa83a3afaa47d1db7eb6fca061d
- Filesize: 210KB
  MD5: d29b3f13c7c69551767b77abcad4125e
  SHA1: a9b279b870b45a58c1eac409147fd33a4646dcae
  SHA256: d9c6ca875da779818afd6b2dbb205d5fd0e8490f22b5775a4708d4f991e1071d
  SHA512: b60bf43b8520d5bd8298f142db75b8ad1d1da405c5c1153a142bbbab0252c264d3a2a79c7d5fc8db4deadb2e2980bfd1c51c482dca2844600ae53762b8df4669
- Filesize: 127KB
  MD5: 2d601a6850c3ea535280c828ce7fb76b
  SHA1: f9bb659886a6f3e35b377c4e197694f72edd1968
  SHA256: 0e2ccbf8f819dffea21ed3f0413cf85dd315ff497203818e94a6e229a5aade9a
  SHA512: 9f5fd75406597951dad4486afe5e48270ed9ba97279cc775124978ba306660d343f3169f76825af53842c6d6762104cb8c90171ce309d14dd37e2fde5f85bff8
- Filesize: 92KB
  MD5: 794a278db74270984297b38c7d03e4d1
  SHA1: adbc0ac6b6f1f3d2eaa081895e43e9873cf594d5
  SHA256: 3d229681ccdd324aea62113153e43c09ffe593bcd332e4fe165ddeaca286d619
  SHA512: b24e4ae5f5103cdf84ed8714a46a45e6f48dd0eb33b7f1eb73904814cff79db861ac6ae8520be37248e438b100f670032d77ff56a2e37ed65dab65c7dce4eb47