Analysis
max time kernel: 150s
max time network: 118s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
submitted: 22-01-2024 15:12
Static task: static1
Behavioral task: behavioral1
Sample: 6fc1300c924c848e73451dec1a26af99.dll
Resource: win7-20231215-en
General
Target: 6fc1300c924c848e73451dec1a26af99.dll
Size: 1.5MB
MD5: 6fc1300c924c848e73451dec1a26af99
SHA1: 356d8a25843e120f2e5974fbd4c2cb992dc4b881
SHA256: b18bf10683e2178f9b1f99b4ced10b08880b29eac55ba5d252c34e3b0d70833b
SHA512: e5ae18253c6d93810db46d694d798097c1d5706df51889f03faeaa8a12d9de9691c71914f4fc6589c863e4269ad69ec2b041d77a37ea5efe5aaf196f5914b3b2
SSDEEP: 12288:LVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:KfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
Processes:
  resource                                                                     yara_rule
  behavioral1/memory/1200-5-0x0000000003A20000-0x0000000003A21000-memory.dmp  dridex_stager_shellcode
Executes dropped EXE 3 IoCs
Processes:
  pid   process
  2640  MpSigStub.exe
  2836  Magnify.exe
  2156  rekeywiz.exe
Loads dropped DLL 7 IoCs
Processes:
  pid   process
  1200
  2640  MpSigStub.exe
  1200
  2836  Magnify.exe
  1200
  2156  rekeywiz.exe
  1200
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rtxtioiynm = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\xUyXBowgs\\Magnify.exe"
Processes:
  description        ioc                                                                                   process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  MpSigStub.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  Magnify.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rekeywiz.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid   process
  2108  rundll32.exe  (3 entries)
  1200                (61 entries, no process name recorded)
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
  description                       pid   process  target process
  PID 1200 wrote to memory of 2596  1200           MpSigStub.exe   (3 entries)
  PID 1200 wrote to memory of 2640  1200           MpSigStub.exe   (3 entries)
  PID 1200 wrote to memory of 1508  1200           Magnify.exe     (3 entries)
  PID 1200 wrote to memory of 2836  1200           Magnify.exe     (3 entries)
  PID 1200 wrote to memory of 2128  1200           rekeywiz.exe    (3 entries)
  PID 1200 wrote to memory of 2156  1200           rekeywiz.exe    (3 entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6fc1300c924c848e73451dec1a26af99.dll,#1
  PID: 2108
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Users\Admin\AppData\Local\mQJ6BDuo1\MpSigStub.exe
  Command line: C:\Users\Admin\AppData\Local\mQJ6BDuo1\MpSigStub.exe
  PID: 2640
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\MpSigStub.exe
  Command line: C:\Windows\system32\MpSigStub.exe
  PID: 2596
- C:\Windows\system32\Magnify.exe
  Command line: C:\Windows\system32\Magnify.exe
  PID: 1508
- C:\Users\Admin\AppData\Local\V61vQ\Magnify.exe
  Command line: C:\Users\Admin\AppData\Local\V61vQ\Magnify.exe
  PID: 2836
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Users\Admin\AppData\Local\1NMR1\rekeywiz.exe
  Command line: C:\Users\Admin\AppData\Local\1NMR1\rekeywiz.exe
  PID: 2156
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\rekeywiz.exe
  Command line: C:\Windows\system32\rekeywiz.exe
  PID: 2128
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 168KB
  MD5: 013d457ae3111ab1dfa0a8e8853bf61d
  SHA1: 92ed82292a6df64fa7a63ebcbbdd24b9bf1b030d
  SHA256: 00884b26164d293f7c72f4cc8fc596613c1950e7cd326abcbde23fd9d1f42792
  SHA512: 6f2a10c133f97c81b1b8c5bc8aebc1cbaccd154ea15ec8d18fe995ae94fe0e4451f67358699cc959fd41c3cb6249d40b37c9fcdb3cc4e9460d228423e403b189
- Filesize: 64KB
  MD5: 443afb161b51a0fc7f7919da764ed1f0
  SHA1: 65c39c309d626bec5ffb582e22dc1502e3c308f7
  SHA256: 102e79a1d1ebfe82d25476205a859238b321311be58d2800b5931c6d71774865
  SHA512: f7d6a3b49f40e05b8b02f3368edd1e89708aa0cbbcb376766ba6ec80cec5b45ca43bca0780e6422ebf730aceb7f754d1b5da3bacff220666de178291ab0607af
- Filesize: 2KB
  MD5: 0d8aeeefe9d95e647498859530c70bf9
  SHA1: 0ebcdb64d8e142e4a63e23f6c56e395f8025ede4
  SHA256: c777a047cd8e99b1a07827657d18ad5d5a4f412fe88b2f4a1c5e1f6b8f77503a
  SHA512: e2cf387896c5d71e499e2514287de3855e0a0035ecc38c5607f4ba54af52d5f71e55073eecc193d3c6d4e8ed0d4acca1a9c677c5da3a512d0bb43f54c6a35b25
- Filesize: 153KB
  MD5: bb189e398e1f7baf7c5ea75a69f7e06a
  SHA1: 45f769e84b3290ae8b0a3029a082740f29eb8b8d
  SHA256: ee545400ad3c0c32bc8503647a72aebc893df4587f6cc96d6048d2cc07cb3116
  SHA512: 3a39d344f9cb72571969e6b24fc979f64b04e595fdba768220b02e2e122c84d2ca35d2371f9415a4e44e26b1d6fa960ef68c472036a835e276cd19b0be90bff7
- Filesize: 264KB
  MD5: 2e6bd16aa62e5e95c7b256b10d637f8f
  SHA1: 350be084477b1fe581af83ca79eb58d4defe260f
  SHA256: d795968b8067bb610033fa4a5b21eb2f96cef61513aba62912b8eb5c6a5ff7b3
  SHA512: 1f37150f6bcbe0df54bb85a5ad585824cea9332baa9be1649a95c1dfb41723de85c09d98fb2ca8261a49c2184d3bda638b84b2b7b60b97fe42a15ab1620a2542
- Filesize: 155KB
  MD5: 13838a89f2e53c4899765056e774385a
  SHA1: a718e55cd18b7af7af86c3caea7ee6d26deb8c26
  SHA256: 44a5d21e293e0fcc0bfc9e69716dc69af528ea531fb1f7fe56102211480bca40
  SHA512: 900ee8af6d2fe4dfd79ef5862e8a02f00d5850e165d679544dc2ee644c5bab2a6e8ea74b9e692f1877e576ca7d4a28a261834943001bf688192f8817ae19f44d
- Filesize: 1KB
  MD5: 08f45fedbdc3f3d5d8c8d6cfbbe7daa2
  SHA1: f51620dcbd69238e055700750e0edd5a8c1da381
  SHA256: a51955435f82f26327208d4a42710bacd57e375b193bbec36aef68cbb9c09792
  SHA512: 1ab517e4ae233de5a3ea3f070487dabb0654730d53c76b48adfeb41ec1fffe99b3a0d2dc3e5ba5b7fef56ca86dc434ad083264cf149a5f2be9aaf09cc6281ff1
- C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\GtBW\slc.dll
  Filesize: 1.5MB
  MD5: d3db31435367004bc910a39391724041
  SHA1: 3138ffe7fad70b6c9f39c6e942378b644448ac67
  SHA256: 450b1f12f1b9d80d1c297751c8db6a9912c0ae34c6575a6d8362d5fe581f9769
  SHA512: 5f96decca98e79578201359042f3397fde42b78a7bb1e7085f80e49db62b83655b5a34c214b0db547039a36044ea82cb2b1f83db6bd1c8caff49c960bcdc70b8
- Filesize: 1.5MB
  MD5: c956ca66000ff6455f1f646fefc764d1
  SHA1: 05796b3d3389b0212f21aeffd360485df47d3e7a
  SHA256: 7e715eba02bbb8d7bc36186a47aecd6979d363ef702a0b4894c4ebc3e802dc05
  SHA512: cc7078b027a511e80427ec85dd48b906f516a724ef2353275972883ea1832c58630a85931530afa70aa1eeda9c1288caa6098b2eec28b48b2980b28a07e4fbde
- Filesize: 1.5MB
  MD5: ea71c1fd5e7b0edddf97c9ca7d3661f9
  SHA1: f305830c79470b9b32b07051c10e2c27a66f060e
  SHA256: 9434c21c2a06d2cf773e779495f339f27f0d2001eecad26367ada2381ffd1162
  SHA512: 45bbb6a8c8d68164b72a820fa132229b32590dc23d20d393d274891e58f368f59b29068bcae9f1f2aeffc4f2d32e94e365924d60a09882ee3380810b36f41265
- Filesize: 67KB
  MD5: 767c75767b00ccfd41a547bb7b2adfff
  SHA1: 91890853a5476def402910e6507417d400c0d3cb
  SHA256: bd70e504871a2ac1c883d19b87970c8d1b8b251c784bf777ba77ed764f5f2395
  SHA512: f096043452a1aa213a5e4d62638de3ee4b0b3ad3d12b7ee0372d8c79e00e2e13b4fd0ebc4206bbdb5124bed292dd5b30ef1641288046ef835f89c332985154f9
- Filesize: 250KB
  MD5: df31e22d3438239f7649d433f0c1fc30
  SHA1: f8289fc1b582d458fb600dc6c6bbb5975450fdc0
  SHA256: 4775fa5304da47c2f91bcf98ac29d12a85bf665d3ea34e3400b034a9a16510a7
  SHA512: e269def62bc6bce94e774b657591479a50f6e8cfe28360ea8b05e88b582abf6fc810d2f8c04bc5d6e7b1a003f1f2290cfb2d1e450ff6e155bb0ac702435e44b1
- Filesize: 45KB
  MD5: fe208b3c74a20468811be570c4f8c60c
  SHA1: eeda6ea0c3dd012bc590f11102b0b54776922be9
  SHA256: 2d29b01562283bd5b7dc7533e9288af1e47f1e13d84d0246616c7db516b60ed6
  SHA512: 14c71d937adeb968b9736b242e70d4d3b3021e2a7b7692b2e48d4134ad13cc2a076c7e223bcda941949f68eafba56bcc92ee664e7228da3a8018e0fb977fae3c
- Filesize: 42KB
  MD5: 62ed47d318d148c700f88a1b843181ed
  SHA1: f9c1012ec40f9dc3ce2c7d981072a1c14475914d
  SHA256: 06a3411810af492deedf81406a4fe84f48eb1c239ef01d3aac6ffc4723a07ccc
  SHA512: 4bb5dff25a3e7baa1e6545772b923b233342734f14ae86011139c6bf43924199c1e9c9fe36a333bdb87f516eda9055f9d5ab67e4674d3d09ea55d6978aab7e35
- Filesize: 118KB
  MD5: 910c48d6c2ce35d9b8ad175b8a25e2e4
  SHA1: 98a3cb09d09f7b99912b80a4142990146fa84198
  SHA256: 17e9437f4b86f48ea3d8853fe9df5a20edd62496492fe3746fb865a214c002a1
  SHA512: 70cd1c864ce43d00b19cf1a59145cddf081100686fc0f7b043336d204256b30cf27afbc0abc8f9e52bd166d340527db71562bf579d3f97dfc955544d5fc07dcd