Analysis
- max time kernel: 149s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-01-2024 10:55

Static task
static1

Behavioral task
behavioral1

Sample
6f7d97ba73906e0867f0f46d5c537049.dll

Resource
win7-20231215-en
General
- Target: 6f7d97ba73906e0867f0f46d5c537049.dll
- Size: 1.5MB
- MD5: 6f7d97ba73906e0867f0f46d5c537049
- SHA1: 4760cd9fbb77d0a05a0f5a86a70ea98057e3bce3
- SHA256: 9abc5f5cc3312da7b9eb0e44a7a2306afd47d84c49b9cb86ed120cadfc05c824
- SHA512: 631240994428b1f4ce8ab54362384c7460ae14f97063c2320c33a3110f3daa7d4c6fee969bded9fead352bdd47c52c4a139877c8b52e5f4cf21915cfe61dd634
- SSDEEP: 12288:0VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:xfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
Processes:
resource | yara_rule
behavioral2/memory/3480-4-0x00000000092E0000-0x00000000092E1000-memory.dmp | dridex_stager_shellcode
Executes dropped EXE 3 IoCs
Processes:
pid | process
2400 | FXSCOVER.exe
4632 | SystemPropertiesComputerName.exe
788 | isoburn.exe

Loads dropped DLL 3 IoCs
Processes:
pid | process
2400 | FXSCOVER.exe
4632 | SystemPropertiesComputerName.exe
788 | isoburn.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kqgfxymewp = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\lMA9ZqiHm2\\SystemPropertiesComputerName.exe" | (blank)
Checks whether UAC is enabled 4 IoCs
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | SystemPropertiesComputerName.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | isoburn.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | FXSCOVER.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
212 | rundll32.exe (4 entries)
3480 | (blank) (60 entries; 64 IoCs in total)
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
description | pid | process
Token: SeShutdownPrivilege | 3480 | (blank)
Token: SeCreatePagefilePrivilege | 3480 | (blank)
Token: SeShutdownPrivilege | 3480 | (blank)
Token: SeCreatePagefilePrivilege | 3480 | (blank)
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid | process
3480 | (blank)
3480 | (blank)

Suspicious use of UnmapMainImage 1 IoCs
Processes:
pid | process
3480 | (blank)
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description | pid | process | target process
PID 3480 wrote to memory of 1048 | 3480 | (blank) | FXSCOVER.exe
PID 3480 wrote to memory of 1048 | 3480 | (blank) | FXSCOVER.exe
PID 3480 wrote to memory of 2400 | 3480 | (blank) | FXSCOVER.exe
PID 3480 wrote to memory of 2400 | 3480 | (blank) | FXSCOVER.exe
PID 3480 wrote to memory of 2444 | 3480 | (blank) | SystemPropertiesComputerName.exe
PID 3480 wrote to memory of 2444 | 3480 | (blank) | SystemPropertiesComputerName.exe
PID 3480 wrote to memory of 4632 | 3480 | (blank) | SystemPropertiesComputerName.exe
PID 3480 wrote to memory of 4632 | 3480 | (blank) | SystemPropertiesComputerName.exe
PID 3480 wrote to memory of 3692 | 3480 | (blank) | isoburn.exe
PID 3480 wrote to memory of 3692 | 3480 | (blank) | isoburn.exe
PID 3480 wrote to memory of 788 | 3480 | (blank) | isoburn.exe
PID 3480 wrote to memory of 788 | 3480 | (blank) | isoburn.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6f7d97ba73906e0867f0f46d5c537049.dll,#1
  PID: 212
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\FXSCOVER.exe
  Command line: C:\Windows\system32\FXSCOVER.exe
  PID: 1048
- C:\Windows\system32\isoburn.exe
  Command line: C:\Windows\system32\isoburn.exe
  PID: 3692
- C:\Users\Admin\AppData\Local\GgmHemHr\isoburn.exe
  Command line: C:\Users\Admin\AppData\Local\GgmHemHr\isoburn.exe
  PID: 788
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Users\Admin\AppData\Local\WzoIOwa\SystemPropertiesComputerName.exe
  Command line: C:\Users\Admin\AppData\Local\WzoIOwa\SystemPropertiesComputerName.exe
  PID: 4632
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\SystemPropertiesComputerName.exe
  Command line: C:\Windows\system32\SystemPropertiesComputerName.exe
  PID: 2444
- C:\Users\Admin\AppData\Local\63ZE8qx\FXSCOVER.exe
  Command line: C:\Users\Admin\AppData\Local\63ZE8qx\FXSCOVER.exe
  PID: 2400
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 242KB
  MD5: 5769f78d00f22f76a4193dc720d0b2bd
  SHA1: d62b6cab057e88737cba43fe9b0c6d11a28b53e8
  SHA256: 40e8e6dabfa1485b11cdccf220eb86eeaa8256e99e344cf2b2098d4cdb788a31
  SHA512: b4b3448a2635b21690c71254d964832e89bf947f7a0d32e79dcc84730f11d4afb4149a810a768878e52f88fc8baec45f1a2fec8e22c5301e9f39fe4fc6a57e3f
- Filesize: 374KB
  MD5: a55aedef6d273880cf3f6c9e7fb940a6
  SHA1: cae7ba4bd1edc038a602c39e4700d06f25fd2bf0
  SHA256: 859d0e5a712509fbb8e12d91fe6edf77b9c10844fae96eb464f7c251b18850b4
  SHA512: 5acd4e2e7bfb3b3af56a608bc96c59e94d9e6093ad730aa71929bb902707476272a215437b52cb721f23c81de5088b1d3f5aa014ef951b1b2b7d0e0248cf9508
- Filesize: 149KB
  MD5: 54b7c8d1324f00bae261d9491df0da00
  SHA1: 608ef1104361ec2dddf70c43d6b78c9ff49c7022
  SHA256: 578f46c289a050933cbba3ce82bc5a20a6752b5e1122372694c63788439d1c79
  SHA512: e3c582aa6053b3876d2bdaf56866bfcf2002684de8f9d8298ba2a57dc0cfffa7b74bc095b2b6b49f09c96b0e47cfc1904b375691152ba960341cc06407873c22
- Filesize: 122KB
  MD5: cd7a0dc0979c29163e515a93322dad7b
  SHA1: f78d56ebcaa40676b85eb8ac6508b08d06b5ee96
  SHA256: ca125724013118043cbd16f4a9c3a2295e61539fac93bd3762433ccb76fb1e2b
  SHA512: 50aefa848a6c4b26d36b79e432102a148a33f6cde225064aa33f39561e4a37f2b310a124e960f8c851ab8944fd9d7a0e5dcbac521a429c201997c9fac511eec6
- Filesize: 194KB
  MD5: f1b170ea1dda44677c3ba38e3cbf50cd
  SHA1: 50681fbf6da59e7f2db40b624f0bda7dcb187894
  SHA256: 7d6a5854e3b9d9b1c5cb37535ba0e57702205e370799fa63853955dd72917e03
  SHA512: e495817e48f96403b083fd6372917ea93f8b08fbe729c343a05221b28c14c723bcf24980a1c43fefd1bb29627a267a12093888736f47aca257d0fd08b293c79b
- Filesize: 116KB
  MD5: d0424a92635b8082986fa890fd11533a
  SHA1: 2817f53c507781cc07fe1573acd6cac65c3d210f
  SHA256: 6d08bbb342146b59718ee5968209b752cd0888b17de7d5ab07e2496e4368c3f9
  SHA512: 4594cd42d3590aba6ff0cc7704949cf0e30cabce06a9841a76145e2c08451af8513b335dc5ff90871831be5f50f96f244fbcfe9c3fc19310b5df1a57b7be083e
- Filesize: 73KB
  MD5: a89c25f7990178de6ade691a6a4af103
  SHA1: 22198054dd8dd2ea22b8af496f46bfe522be638c
  SHA256: 4325a1d1bf5359c223124d5f8317ab5e62e19752f8516beab36bcf32d6f4d0f0
  SHA512: eb7fbbe9cc6a1520b0d810973e071f93495fefbb68c4854e3067d432bcc6c43734d1af4f28df6354aa718437d614726a9b7b73c3b3454836af8548b1a0678555
- Filesize: 105KB
  MD5: 34b6806c6b5cee9a6ca238024ff34e0e
  SHA1: 80f3aa1b9f309b563115a7133e1a780644f0379f
  SHA256: fc0e646a4f94f492b6d7e74ed8d69d64b6e0d461a923e21af8b90e938c3018e1
  SHA512: 1599926952e0d0d599551c21330c1286b01a3153458e3773dcb9dfa4f17392131eea85c2c16d5ab2e78268563fdfa15f9ba1ca2178b686a5df8e636ea246c2c6
- Filesize: 452KB
  MD5: defec8037532b01c15373ca2a9faa987
  SHA1: c05c4ecf7e8758ca32178aee0f29f607b31aed67
  SHA256: 142b4a6c9804c21e3630ce1f1b1ddc98ecd3dce485275e3413a74de69a6e1a4e
  SHA512: ce08385d306f75c8eb645b729b79a86feb3d7baf84ff38f71b4c359caa28eeac9c86bfde2d9f19597e90250d514b75427836ce4a72b2f63a11a6c85a3e2edd48
- Filesize: 82KB
  MD5: 6711765f323289f5008a6a2a04b6f264
  SHA1: d8116fdf73608b4b254ad83c74f2232584d24144
  SHA256: bd3a97327326e2245938ec6099f20059b446ff0fe1c10b9317d15d1a1dd5331e
  SHA512: 438abd282d9d1c0e7e5db2ce027ff9522c3980278b32b2eae09c595884a8dcbfd5178bc5926b1d15f03174303382e13f5d5ecab9a5d8e31fc07ef39e66c012e8
- Filesize: 1KB
  MD5: f97f2c7bbed73335d9eb0b27914fa94f
  SHA1: b185772d2c4b65b575728de30ef436fe2cee97c5
  SHA256: ef16912de6cfd3e449cd4d288622abb72d4afc3f9e53209e237c274290332c2f
  SHA512: b9b4acb39d4d9b1be5258c7cc30bb6da46ce3ba82be7a02430c40c16725b1a71c5bfea02954ec4eaef94d04fcd8e6b316c43a5431471f1b2aac2af62e50a5e30
- Filesize: 1.5MB
  MD5: 29b7a3b41d5c013158cb24fb27366b6c
  SHA1: 8be2170d516911459511cd5adf848a5dfd6ce6d7
  SHA256: 16248768ad81ea58fb6751d8ef3099fbc89ae1df4026a4f4dae25143d5468587
  SHA512: 6e86899e5f279da4f708b8ea1de37eb84fb0d6843f1ee5d18d69a0685fc9e92b6e58b533167f767c656850030ddada16874b6e036aa9c3eacff4f46ec186ebd9
- Filesize: 1.5MB
  MD5: 1f8679b303071771b9e742575293f492
  SHA1: 93940b3b0add0f5c6b974f20c6c0c0b0552b39fa
  SHA256: 8323786991091280c896af68b3403bbce9cf821a7eba7a01e3540bd676883b5b
  SHA512: 926dc13398d342a6f914c01ff0bdae0a8201c74c9b71700b8dac0adbf6633b7ce545db69320178ad5e6e191b7a4d9d07dace3a9b790f64738da29c730361805e
- Filesize: 1.5MB
  MD5: de2ddd33bda4fb19b4cc48e0ed787584
  SHA1: 0cb9cbec7027d3edf5bbc8b7a21beee280f7782a
  SHA256: eafdb8b7c07513866d1d663d056514f94a6c6805f6298d26d71a81730efde818
  SHA512: b1a9fe8dbc749139ee828bb5cea4d23fdb23e3ce0e51881efdfd56e07396b09fff1530c04a1332e3a44fbdb3d55f9dfb5bc3074ce5278a039cb67b7881e62bd6