Analysis
max time kernel: 150s
max time network: 121s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 22-01-2024 05:38
Static task: static1
Behavioral task: behavioral1
Sample: 6edcb3e9a95b87f3dd31d12871219ad1.dll
Resource: win7-20231215-en
General
Target: 6edcb3e9a95b87f3dd31d12871219ad1.dll
Size: 1.4MB
MD5: 6edcb3e9a95b87f3dd31d12871219ad1
SHA1: 0f9808dbdb07056ce6154ff9ec192a829382527e
SHA256: fcec9ee59606ca5763dd3f779b2fb2e60ec8a2382cf095b0b00634a4c5ff6bee
SHA512: eae92f278b0b7d945a43c8eed204f8bc86e62713fc1700b6f04962361d1c76400b43e955ec168f20aeb4895984e9789654ad7c4cdc4b40bc741f623e617aa802
SSDEEP: 12288:jVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:yfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config

Signatures

resource | yara_rule
behavioral1/memory/1228-5-0x00000000029F0000-0x00000000029F1000-memory.dmp | dridex_stager_shellcode

Executes dropped EXE 3 IoCs
pid | process
2624 | DisplaySwitch.exe
2484 | DevicePairingWizard.exe
3036 | TpmInit.exe

Loads dropped DLL 7 IoCs
pid | process
1228 | (no process name shown)
2624 | DisplaySwitch.exe
1228 | (no process name shown)
2484 | DevicePairingWizard.exe
1228 | (no process name shown)
3036 | TpmInit.exe
1228 | (no process name shown)

Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\Xkgbzoakajt = "C:\\Users\\Admin\\AppData\\Roaming\\Macromedia\\UPVinfCysLm\\DevicePairingWizard.exe" | (no process name shown)

Checks whether UAC is enabled
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | DisplaySwitch.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | DevicePairingWizard.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | TpmInit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | process
2524 | regsvr32.exe (3 entries)
1228 | (no process name shown; the remaining 61 entries)

Suspicious use of WriteProcessMemory 18 IoCs
description | pid | process | target process
PID 1228 wrote to memory of 1796 | 1228 | (no process name shown) | DisplaySwitch.exe (3 entries)
PID 1228 wrote to memory of 2624 | 1228 | (no process name shown) | DisplaySwitch.exe (3 entries)
PID 1228 wrote to memory of 1664 | 1228 | (no process name shown) | DevicePairingWizard.exe (3 entries)
PID 1228 wrote to memory of 2484 | 1228 | (no process name shown) | DevicePairingWizard.exe (3 entries)
PID 1228 wrote to memory of 3032 | 1228 | (no process name shown) | TpmInit.exe (3 entries)
PID 1228 wrote to memory of 3036 | 1228 | (no process name shown) | TpmInit.exe (3 entries)

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Windows\system32\regsvr32.exe
Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6edcb3e9a95b87f3dd31d12871219ad1.dll
- Suspicious behavior: EnumeratesProcesses
PID: 2524

C:\Windows\system32\DisplaySwitch.exe
Command line: C:\Windows\system32\DisplaySwitch.exe
PID: 1796

C:\Users\Admin\AppData\Local\wzL\DisplaySwitch.exe
Command line: C:\Users\Admin\AppData\Local\wzL\DisplaySwitch.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID: 2624

C:\Windows\system32\DevicePairingWizard.exe
Command line: C:\Windows\system32\DevicePairingWizard.exe
PID: 1664

C:\Users\Admin\AppData\Local\ychYVY\DevicePairingWizard.exe
Command line: C:\Users\Admin\AppData\Local\ychYVY\DevicePairingWizard.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID: 2484

C:\Windows\system32\TpmInit.exe
Command line: C:\Windows\system32\TpmInit.exe
PID: 3032

C:\Users\Admin\AppData\Local\4Ne\TpmInit.exe
Command line: C:\Users\Admin\AppData\Local\4Ne\TpmInit.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID: 3036
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1.4MB
MD5: 132f99eecf5e54ab873fcfeaadec55b4
SHA1: b40978bf6c2e1962ed09c65cacf134e936e04fc7
SHA256: 26fd23d965e04b30c85dd36046b343aaa85dce9704c02668d85446b810eaf08e
SHA512: bb3a77a1d454e77db1e5891f7a2203777f02a34a04e4025a8dcc015aef3696df85ae4d689640d427f621538d55b372e34125b144b4f8586c04709eb8a1a03cf4

Filesize: 517KB
MD5: b795e6138e29a37508285fc31e92bd78
SHA1: d0fe0c38c7c61adbb77e58d48b96cd4bf98ecd4a
SHA256: 01a9733871baa8518092bade3fce62dcca14cdf6fc55b98218253580b38d7659
SHA512: 8312174a77bab5fef7c4e9efff66c43d3515b02f5766ed1d3b9bd0abb3d7344a9a22cbac228132098428c122293d2b1898b3a2d75f5e4247b1dcb9aa9c7913b1

Filesize: 1.3MB
MD5: 5ddca64654e7e37fd357ef3c2876116e
SHA1: 954a35290383c3900c30e79593e8883f0e991eb3
SHA256: f65626d967fe0f91986e667db87d4d79f80a413e3d1a1da698b43052a17cdd7b
SHA512: dca4a6810bcd1b8fb3dc49b3c482c90b1cf5a544fb8880ae92dc2f3660d54b3c0e44f6c29fbcec621949d0c70983b60c15dd7aa832206312f0b61aa7a68a5311

Filesize: 45KB
MD5: 35e5c945b96057c572620a4bbe0500d9
SHA1: 4dc483b7dd19323e47b8830d9130c21bf8ee317a
SHA256: 0e0810be544e957f73fecb0f2cb1b8ff5b81ea8d2bc5871c6273c0708ad1a33e
SHA512: 5222d97b56e5ac9d8f13eb5d1e532340e5b50b87dda0491516db15a7be10c876f308ca45532bbc3fd46d68479a29c6a83c6a98e1a5a22a9086379e834a094af7

Filesize: 45KB
MD5: bd8d60f9767810b4d8231ec8ad0e7341
SHA1: 9fe98631cd201bfd2b8216394714d01c0e609a22
SHA256: 2b961fc86097b9a919e90e343592f13d0efa14acbab2f81c71f43eb6801353b0
SHA512: e8fd254a61cd986d307ce5337312073afe805bfaa343b8fef52d2be8ddbfc216d9f9d88a134d22321e5c4f0af962092506fd1771f8e4e5f0c8d51260ac9ed71e

Filesize: 1KB
MD5: a8155de67e25a43b4a6db05ed3f50740
SHA1: 6130434ef041453b33859afab24bf8da3be1397f
SHA256: 78d1ea12d159280d2f6964fd0d6ca95edae92a4ead2aa8b498a98b50d2ca098e
SHA512: a589eccf75cc56222a858210780801c4156a59a633e616449ef139e000e5c381c7a3318c65a72f62bce93a0cc4cc9d2df986ebd498479b09ecafcf5022463c95

Filesize: 1.4MB
MD5: 93d73c749b402259eefee7541382b8fd
SHA1: f5d21c00580f48d7ada754063e0ad03435a0ec67
SHA256: 2410496537f6a650c5d3738ed47f1cf98cc915b491ca91bb4176d1ee174de6f0
SHA512: 07bf980ab63e0fa9abfc33fc29131482af6f6b5d654e5b931348237d25ceef4e3de8156b3c331281a77e5405c09fa46116f88a3f8c5ad752038b7cab9f83847d

Filesize: 1.4MB
MD5: e3811f428799ef0e1549ef6544b5f2ce
SHA1: fa25624a97af0deceb0cf5b2b275a4621ee5fae8
SHA256: 5077e7211019b4da96d980f0e8ee82ce546853a7a43d9e4d93c298baa0678ad7
SHA512: 36c0bdef26197d76616da79b1c3406e00be632978e6331b2a8e45e6ec84330d5333e4f75b2f03d0e4f7fbf009491ece8df2b9378e25205f6a9a96822e19ae952

Filesize: 112KB
MD5: 8b5eb38e08a678afa129e23129ca1e6d
SHA1: a27d30bb04f9fabdb5c92d5150661a75c5c7bc42
SHA256: 4befa614e1b434b2f58c9e7ce947a946b1cf1834b219caeff42b3e36f22fd97c
SHA512: a7245cde299c68db85370ae1bdf32a26208e2cda1311afd06b0efd410664f36cafb62bf4b7ce058e203dcc515c45ebdef01543779ead864f3154175b7b36647d

Filesize: 1.3MB
MD5: 4e894969f989fb8e7bc98273ed64ce24
SHA1: eb3bd1c1217dd622d485fcefabb34c00de435fb6
SHA256: 1cf85f751986445565ada0424f4530549e2ec940d75372c646d80aa05021d10f
SHA512: 91c3cd7b3f421cc28c3259d25bdad3be5e2cd1342934e23eb505efd3a166c9c0cb641a7c806d1bf8acc51c9fd4c7b90b393e6eb28ee409aa71915168156390e3

Filesize: 73KB
MD5: 9728725678f32e84575e0cd2d2c58e9b
SHA1: dd9505d3548f08e5198a8d6ba6bcd60b1da86d5c
SHA256: d95d3aa065a657c354244e3d9d4dc62673dc36c1bed60650fade7d128ddab544
SHA512: a5d22240450e7b659cba507f9abe7e6d861e9712ca2335ea5ceb69e3557362b00f5d02bf84c3a6fed82a09eda555866dcab43741ad9c6db96e1e302ef2363377

Filesize: 7KB
MD5: 2aa868b9a1d668c0101dbb992e5182e7
SHA1: c471c1ff6e721290d03c8af9ff273b03404874ce
SHA256: c34e7714e9a733cd7caf32808abadf5f6d6783b3e0cdb219d7da21e407fed650
SHA512: 9bd9f0a42a3478b5c4311f06cd5d06d17ee3d9f0c76fa327fe96e9261a4eed467b843ebb3b1810f05cacd134436cb12d963dbb09913872919574ae518ca4715d