Analysis
- max time kernel: 150s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 22-01-2024 03:23
Static task: static1
Behavioral task: behavioral1
Sample: 6e98953bf2fdd7c3a404f182f3070944.dll
Resource: win7-20231215-en
General
- Target: 6e98953bf2fdd7c3a404f182f3070944.dll
- Size: 1.1MB
- MD5: 6e98953bf2fdd7c3a404f182f3070944
- SHA1: e547a54cfbc50fcfc2bf78c348984e7b6b1183ce
- SHA256: 995bc9b977d5419139f29029dd2d9df2ce41f3a0496ec39a37946620a20d877a
- SHA512: e50c9ec714413a89c14492af9d1dffa90e20be98411b44c6df78d0b751ade15cef5476aae6b4d6f3b143146fddc0345366dbda75593926d97e05b23ec9a4521b
- SSDEEP: 12288:JVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:ofP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
-
Processes (resource, yara_rule):
  behavioral1/memory/1228-5-0x0000000002A00000-0x0000000002A01000-memory.dmp | dridex_stager_shellcode
Executes dropped EXE 4 IoCs
Processes (pid, process):
  2404 calc.exe
  1276 psr.exe
  2872 recdisc.exe
  2156 tabcal.exe
Loads dropped DLL 9 IoCs
Processes (pid, process):
  1228
  2404 calc.exe
  1228
  1276 psr.exe
  1228
  2872 recdisc.exe
  1228
  2156 tabcal.exe
  1228
Adds Run key to start application 2 TTPs 1 IoCs
Processes (description, ioc, process):
  Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\mkeYyQPRag\\recdisc.exe"
Checks whether UAC is enabled
Processes (description, ioc, process):
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | calc.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | psr.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | recdisc.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | tabcal.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid, process):
  2772 rundll32.exe (3 entries)
  1228 (remaining 61 of the 64 entries, no process name listed)
Suspicious use of WriteProcessMemory 24 IoCs
Processes (description, pid, process, target process); each row appears 3 times in the report:
  PID 1228 wrote to memory of 3028 | 1228 | calc.exe
  PID 1228 wrote to memory of 2404 | 1228 | calc.exe
  PID 1228 wrote to memory of 1172 | 1228 | psr.exe
  PID 1228 wrote to memory of 1276 | 1228 | psr.exe
  PID 1228 wrote to memory of 988 | 1228 | recdisc.exe
  PID 1228 wrote to memory of 2872 | 1228 | recdisc.exe
  PID 1228 wrote to memory of 2628 | 1228 | tabcal.exe
  PID 1228 wrote to memory of 2156 | 1228 | tabcal.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6e98953bf2fdd7c3a404f182f3070944.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID:2772
-
C:\Windows\system32\calc.exe
  command line: C:\Windows\system32\calc.exe
  PID:3028
-
C:\Users\Admin\AppData\Local\GukUKJE2\calc.exe
  command line: C:\Users\Admin\AppData\Local\GukUKJE2\calc.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID:2404
-
C:\Windows\system32\psr.exe
  command line: C:\Windows\system32\psr.exe
  PID:1172
-
C:\Users\Admin\AppData\Local\ZGEKhbfKL\psr.exe
  command line: C:\Users\Admin\AppData\Local\ZGEKhbfKL\psr.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID:1276
-
C:\Windows\system32\recdisc.exe
  command line: C:\Windows\system32\recdisc.exe
  PID:988
-
C:\Users\Admin\AppData\Local\Y39E0mafX\recdisc.exe
  command line: C:\Users\Admin\AppData\Local\Y39E0mafX\recdisc.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID:2872
-
C:\Windows\system32\tabcal.exe
  command line: C:\Windows\system32\tabcal.exe
  PID:2628
-
C:\Users\Admin\AppData\Local\SuPZMa\tabcal.exe
  command line: C:\Users\Admin\AppData\Local\SuPZMa\tabcal.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID:2156
Network
MITRE ATT&CK Enterprise v15
Downloads