Analysis
max time kernel: 150s
max time network: 127s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 23-01-2024 23:33
Static task: static1
Behavioral task: behavioral1
Sample: 70d941d4f0bc1d1f47611a7b8ce5c05d.dll
Resource: win7-20231215-en
General
Target: 70d941d4f0bc1d1f47611a7b8ce5c05d.dll
Size: 2.6MB
MD5: 70d941d4f0bc1d1f47611a7b8ce5c05d
SHA1: b66d763099541372aa30d4ccd5922b29c991ef3a
SHA256: 6f1a36b2dc535c3a9a2e9611c3261d7d5970599318c0811e556b9ee731865de2
SHA512: 5aaf75580bec3c99f034e60e8eac36b5a0f9d0921b206b17d93fd6920d0f6a3add25254e51c0605f4e8ca36e5b1573a2c7a89ae7b7c21c74b67c35b1d91a260f
SSDEEP: 12288:LVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:KfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
Processes:
  resource | yara_rule
  behavioral1/memory/1336-5-0x0000000002730000-0x0000000002731000-memory.dmp | dridex_stager_shellcode
Executes dropped EXE 3 IoCs
Processes:
  pid  | process
  2456 | consent.exe
  1200 | rekeywiz.exe
  2660 | wscript.exe
Loads dropped DLL 8 IoCs
Processes:
  pid  | process
  1336 | (unnamed in report)
  2456 | consent.exe
  1336 | (unnamed in report)
  1200 | rekeywiz.exe
  1336 | (unnamed in report)
  1336 | (unnamed in report)
  2660 | wscript.exe
  1336 | (unnamed in report)
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description     | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\MACROM~1\\FLASHP~1\\MACROM~1.COM\\support\\FLASHP~1\\FHHWBY~1\\rekeywiz.exe" | (unnamed in report)
Checks whether UAC is enabled
Processes:
  description       | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | consent.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rekeywiz.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | wscript.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid  | process
  2052 | rundll32.exe (3 entries)
  1336 | (unnamed in report; the remaining 61 entries)
Suspicious use of WriteProcessMemory 18 IoCs
Processes (each row is reported three times):
  description                      | pid  | process             | target process
  PID 1336 wrote to memory of 2780 | 1336 | (unnamed in report) | consent.exe
  PID 1336 wrote to memory of 2456 | 1336 | (unnamed in report) | consent.exe
  PID 1336 wrote to memory of 1436 | 1336 | (unnamed in report) | rekeywiz.exe
  PID 1336 wrote to memory of 1200 | 1336 | (unnamed in report) | rekeywiz.exe
  PID 1336 wrote to memory of 2504 | 1336 | (unnamed in report) | wscript.exe
  PID 1336 wrote to memory of 2660 | 1336 | (unnamed in report) | wscript.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\70d941d4f0bc1d1f47611a7b8ce5c05d.dll,#1
  PID: 2052
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\consent.exe
  command line: C:\Windows\system32\consent.exe
  PID: 2780
-
C:\Users\Admin\AppData\Local\nmF\consent.exe
  command line: C:\Users\Admin\AppData\Local\nmF\consent.exe
  PID: 2456
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
-
C:\Windows\system32\rekeywiz.exe
  command line: C:\Windows\system32\rekeywiz.exe
  PID: 1436
-
C:\Users\Admin\AppData\Local\n7jmwIl\rekeywiz.exe
  command line: C:\Users\Admin\AppData\Local\n7jmwIl\rekeywiz.exe
  PID: 1200
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
-
C:\Windows\system32\wscript.exe
  command line: C:\Windows\system32\wscript.exe
  PID: 2504
-
C:\Users\Admin\AppData\Local\S7ob6AW\wscript.exe
  command line: C:\Users\Admin\AppData\Local\S7ob6AW\wscript.exe
  PID: 2660
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\fhhwBy8kM\slc.dll