Analysis
max time kernel: 149s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-01-2024 23:02
Tasks
static1: static task
behavioral1: behavioral task, sample 7315a7e24b903536485987c77dc91956.dll, resource win7-20231215-en
Note: the analysis header above (windows10-2004_x64, win10v2004-20231215-en) and the yara memory hit under Signatures (behavioral2/memory/...) refer to a behavioral2 task that is not listed here; only the win7 behavioral1 task survives in this task list.
General
Target: 7315a7e24b903536485987c77dc91956.dll
Size: 2.9MB
MD5: 7315a7e24b903536485987c77dc91956
SHA1: 526cd2d7389cda304cc3c81c002c1114073f1c92
SHA256: 17b5bae1fc1b7efdbcd4dc107c246ffe24201cdb7e3bafe80e23b7e5f3c1169b
SHA512: b3399a9415848cb351726ff2bebf8124086f61d5cb5823a7789dab291da8780f5ef313b662a1a925054e8ffde76f5f5b960b774f51b9b894d02733bd4ef33489
SSDEEP: 12288:RVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:gfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
(no configuration shown in this report)
Signatures
Yara rule hit: dridex_stager_shellcode
  resource: behavioral2/memory/3560-4-0x0000000007AE0000-0x0000000007AE1000-memory.dmp
  (a 4 KiB region dumped from PID 3560; the report never ties PID 3560 to an image name)
Executes dropped EXE 3 IoCs
  pid  process
  1140 wermgr.exe
  3664 SystemPropertiesPerformance.exe
  944  WindowsActionDialog.exe
Loads dropped DLL 3 IoCs
  pid  process
  1140 wermgr.exe
  3664 SystemPropertiesPerformance.exe
  944  WindowsActionDialog.exe
Adds Run key to start application 2 TTPs 1 IoCs
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qzenv = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\UserData\\hWbJ7o9\\SYSTEM~1.EXE"
  process: (not recorded in this report)
  The value data is an 8.3 short-name path (MICROS~1\INTERN~1\...\SYSTEM~1.EXE) under the user's AppData\Roaming; resolve the short names on the host before building string matches on it, and note that the quoted, backslash-doubled form is how the report renders the string value.
Checks whether UAC is enabled 4 IoCs (title as carried by these four processes in the process list below)
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  processes: rundll32.exe, wermgr.exe, SystemPropertiesPerformance.exe, WindowsActionDialog.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
  pid  process
  2540 rundll32.exe (4 events)
  3560 (image not named in the report; 60 events)
Suspicious use of AdjustPrivilegeToken 8 IoCs
  description                        pid
  Token: SeShutdownPrivilege         3560 (4 events)
  Token: SeCreatePagefilePrivilege   3560 (4 events)
Suspicious use of FindShellTrayWindow 2 IoCs
  pid 3560 (2 events)
Suspicious use of UnmapMainImage 1 IoCs
  pid 3560
Suspicious use of WriteProcessMemory 12 IoCs
  description (each pair is recorded twice)
  PID 3560 wrote to memory of 2196 wermgr.exe
  PID 3560 wrote to memory of 1140 wermgr.exe
  PID 3560 wrote to memory of 832  SystemPropertiesPerformance.exe
  PID 3560 wrote to memory of 3664 SystemPropertiesPerformance.exe
  PID 3560 wrote to memory of 8    WindowsActionDialog.exe
  PID 3560 wrote to memory of 944  WindowsActionDialog.exe
  PID 3560 is the process holding the dridex_stager_shellcode region above; it enumerates processes, adjusts its token privileges and writes into both the System32 instances (2196, 832, 8) and the AppData\Local copies (1140, 3664, 944) of the three binaries.
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(all seven entries appear at the same level in the report's tree; the only cross-process relationship the report records is the WriteProcessMemory signature above, in which PID 3560 writes into each of the six wermgr/SystemPropertiesPerformance/WindowsActionDialog instances)
- C:\Windows\system32\rundll32.exe, PID 2540
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7315a7e24b903536485987c77dc91956.dll,#1
    signatures: Checks whether UAC is enabled; Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\wermgr.exe, PID 2196
    command line: C:\Windows\system32\wermgr.exe
- C:\Users\Admin\AppData\Local\hfh2T\wermgr.exe, PID 1140
    command line: C:\Users\Admin\AppData\Local\hfh2T\wermgr.exe
    signatures: Executes dropped EXE; Loads dropped DLL; Checks whether UAC is enabled
- C:\Windows\system32\WindowsActionDialog.exe, PID 8
    command line: C:\Windows\system32\WindowsActionDialog.exe
- C:\Users\Admin\AppData\Local\XMFFPoOS\SystemPropertiesPerformance.exe, PID 3664
    command line: C:\Users\Admin\AppData\Local\XMFFPoOS\SystemPropertiesPerformance.exe
    signatures: Executes dropped EXE; Loads dropped DLL; Checks whether UAC is enabled
- C:\Windows\system32\SystemPropertiesPerformance.exe, PID 832
    command line: C:\Windows\system32\SystemPropertiesPerformance.exe
- C:\Users\Admin\AppData\Local\q9oRT1OQu\WindowsActionDialog.exe, PID 944
    command line: C:\Users\Admin\AppData\Local\q9oRT1OQu\WindowsActionDialog.exe
    signatures: Executes dropped EXE; Loads dropped DLL; Checks whether UAC is enabled
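The signatures and process list above describe three observable behaviours: a Run key whose target is an 8.3 short-name path under AppData\Roaming, system-binary names (wermgr.exe, SystemPropertiesPerformance.exe, WindowsActionDialog.exe) executed from random directories under AppData\Local, and rundll32.exe loading a DLL from the user's Temp directory. The script below is an added hunting example, not part of the sandbox report or of any Triage tooling: it encodes those three checks and runs them over constructed Sysmon-style events built from the report's own IoCs. The event dictionary layout, the SYSTEM_BINARIES list and the rule names are assumptions for the example; real telemetry carries more fields and needs a far longer list of protected binaries.

```python
# Added example, not part of the sandbox report: three hunting checks that
# encode the behaviours this report records, run over constructed
# Sysmon-style events built from the report's own IoCs. The event shapes
# ("process" / "registry" dicts), SYSTEM_BINARIES and the rule names are
# assumptions for the example.
import re
from dataclasses import dataclass
from typing import Optional

# Binaries that should only run from a system directory. Constructed list
# limited to the names in this report; extend it for real use.
SYSTEM_BINARIES = {
    "wermgr.exe",
    "systempropertiesperformance.exe",
    "windowsactiondialog.exe",
    "rundll32.exe",
}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# C:\Users\<user>\AppData\... (Roaming or Local), case-insensitive.
USER_APPDATA_RE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\", re.I)
# An 8.3 short-name component such as MICROS~1, INTERN~1 or SYSTEM~1.EXE.
SHORT_NAME_RE = re.compile(r"~\d+(?=\.|\\|$)")
# ...\CurrentVersion\Run or RunOnce with the value name as last component.
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?\\[^\\]+$", re.I)
# First DLL path on a rundll32 command line (stops at whitespace or comma).
DLL_ARG_RE = re.compile(r"([a-z]:\\[^\s,]+\.dll)", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: Optional[int]
    detail: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_process(ev: dict) -> list:
    """Rules for a process-creation event."""
    out = []
    image = ev["image"]
    name = _basename(image)
    # Rule 1: a system-binary name launched from outside System32/SysWOW64.
    if name in SYSTEM_BINARIES and not image.lower().startswith(SYSTEM_DIRS):
        out.append(Finding("system_binary_outside_system32", ev["pid"], image))
    # Rule 2: rundll32 told to load a DLL that lives in the user's profile.
    if name == "rundll32.exe":
        m = DLL_ARG_RE.search(ev.get("cmdline", ""))
        if m and USER_APPDATA_RE.match(m.group(1)):
            out.append(Finding("rundll32_userprofile_dll", ev["pid"], m.group(1)))
    return out


def check_registry(ev: dict) -> list:
    """Rule 3: a Run/RunOnce value whose target is under AppData."""
    out = []
    if RUN_KEY_RE.search(ev["key"]) and USER_APPDATA_RE.match(ev["data"]):
        detail = ev["data"]
        if SHORT_NAME_RE.search(ev["data"]):
            detail += " (8.3 short-name path)"
        out.append(Finding("run_key_points_into_appdata", ev.get("pid"), detail))
    return out


def hunt(events: list) -> list:
    findings = []
    for ev in events:
        if ev["type"] == "process":
            findings.extend(check_process(ev))
        elif ev["type"] == "registry":
            findings.extend(check_registry(ev))
    return findings


# Constructed events mirroring the report's process list and Run-key IoC.
# The report does not name the process that set the Run key, hence pid None.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 2540, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\7315a7e24b903536485987c77dc91956.dll,#1"},
    {"type": "process", "pid": 2196, "image": r"C:\Windows\system32\wermgr.exe"},
    {"type": "process", "pid": 1140, "image": r"C:\Users\Admin\AppData\Local\hfh2T\wermgr.exe"},
    {"type": "process", "pid": 8, "image": r"C:\Windows\system32\WindowsActionDialog.exe"},
    {"type": "process", "pid": 3664, "image": r"C:\Users\Admin\AppData\Local\XMFFPoOS\SystemPropertiesPerformance.exe"},
    {"type": "process", "pid": 832, "image": r"C:\Windows\system32\SystemPropertiesPerformance.exe"},
    {"type": "process", "pid": 944, "image": r"C:\Users\Admin\AppData\Local\q9oRT1OQu\WindowsActionDialog.exe"},
    {"type": "registry", "pid": None,
     "key": r"\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qzenv",
     "data": r"C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\UserData\hWbJ7o9\SYSTEM~1.EXE"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.rule:32} pid={f.pid} {f.detail}")
```

Run against the constructed events it produces five findings: the rundll32 load from AppData\Local\Temp (PID 2540), the three AppData\Local copies of system binaries (PIDs 1140, 3664, 944), and the Run key, tagged as an 8.3 short-name path. The System32 instances (PIDs 2196, 832, 8) stay silent, which is the point: the file name alone is not the signal, the path is.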
Network
MITRE ATT&CK Enterprise v15
Downloads (15 dropped files; file names and paths are not included in this extract)
1. Filesize 91KB
   MD5: ce33dad82399d6ac36fc44c84068a255
   SHA1: 9d8ae4c44ed4ab3dc7437fcebd2214cf90ab9bd8
   SHA256: cc77a05cb6bbe2f6485fb0705444525f316ceb94aad066b929fb0f6e306d64d3
   SHA512: beb46d76e4a60d13ef872ca9fa60ca289fef6692a946c6a221411c31efdfd0150dce4d8a4e21b616183b74228f1c65bf2fcc402a5bf7a89293a35ef932185a78
2. Filesize 186KB
   MD5: 7eecc70a2af6c67cbf073a1a9877a8d2
   SHA1: 298ea5133202bba47d16a7bffe92c0d079913b7d
   SHA256: 9545225d34644d38838307a53c4bad67c8e0b875a3492976d794e37e847a2b08
   SHA512: 06e79c88db8cdd8ca64c415c0635ebccf786a60c0afb0d52540e4d30576bfb2d2d9a63f15e04c0ecd1510ed154683967ebb4b71404a78d8be417cc61ab14b9e2
3. Filesize 61KB
   MD5: dd4ca15d85b439dfd9a0defb21597de1
   SHA1: f85f568a6150bea37cb3b408f5d1fa0515d676f4
   SHA256: 79d3f31067d0d1583769f4ad37f52e641c5e2c2519763ec05507ea13c692b85a
   SHA512: aa2b96297d8311b35bb7b4882646a229ba60a4e53db724a5cc8de04c923dd36dc3ecfd782b7e1971a1a2de1411342fd753e07a6548a7e829f4faf3bb7197e29e
4. Filesize 82KB
   MD5: e4fbf7cab8669c7c9cef92205d2f2ffc
   SHA1: adbfa782b7998720fa85678cc85863b961975e28
   SHA256: b266318d45a4245556a2e39b763f2f11eca780969105f6f103e53dd0a492bb30
   SHA512: c5c62578d04133352d6cb7b018df96a7b55c18d6111ab8bf2bfe232a3315a63b07047fa5b0b88551d152085776c66169b47566242c8c4c5e0333c55adc64e1b6
5. Filesize 21KB
   MD5: 30036a22f610fba4cba7a6e73f29b0cc
   SHA1: d81de8a459b18939f127176bf6079864024b7717
   SHA256: 45ac2a17e2cb0eeac42a91cef1ef65e83405a8f90bdf7935d74b3385684de27a
   SHA512: 1ca05fb5bb7ab6392d0b37c812ba895aa606c5a381ad657916d83269b0a58226e928eee241a568451a72abd4336f464639e053c93dd8cd0fda773508595dea49
6. Filesize 55KB
   MD5: 89699660c36e2f026cf5419b90c685f4
   SHA1: 297ac8a9c23a48fa41fe18189a3b87abc35e5a11
   SHA256: 9f43af45382abe74baebd1a49bb979ff9ecd861a730ee31e3eee1fd4bc909153
   SHA512: c54ceee340137e61925875b5ad28d808ff9eb20121998289964139542726bb811677ff195f3f37d803210d1123b3b97ffb122da0520fb66d59ec0498b2da5dd9
7. Filesize 155KB
   MD5: 81eb3cae0925383c3f6ea5ce082adc6a
   SHA1: fea6e79f859ceeccdce73ed1a6bebe14564251b8
   SHA256: 7b091829e990568a6b42f482b3163895e36bd5654f4fd0eca370e3033429ea22
   SHA512: 33bda227dac25b17d6f7bd7a3ce74f6d6bd9647af8c7bbca03921e4fb92d80808f3295265d5cb1ae30e3a52728540313904d563f3b7dcdabd61e17aaf09d2d33
8. Filesize 1KB
   MD5: 230ef8b1058b75e97f084989c74dc96b
   SHA1: f6e1a353feae755573ecb1d31f255c42dd2665b6
   SHA256: d6ae5bfd214bd94d4b9984a689c188e814d0513a8eb3c5211c33526f9388772a
   SHA512: 9a1a0b3f6cd7b6ab58f44dfa20f736475795888ccc13ad894a07439a158956fc8d4e84c19a3af522d4124ee3ed89631b0869e04dfb1e5b8c9787c3a9536b0f91
9. Filesize 37KB
   MD5: 7af5e968c0ca0ad5cc33dc0538bb782f
   SHA1: 7ea7d55ccf187e8baea28031481f75f4180e4280
   SHA256: 9eae608108dbfc93a752d04e8fe30cda745e717c9c139586a5e9a039833375dd
   SHA512: 4fdaa2886cb869104c29dc525bf61bb45662bf03e054961c3a55bbe3bbbdcfa6f61207bf230c05fd7a67425730a1d95b11659fab03dc60a5ff434e8a8b38a75a
10. Filesize 69KB
   MD5: 2cd7579f6042e8f71f4109c109c6bab0
   SHA1: d239821a4201902114faf58ae60a47063de836af
   SHA256: d2ab351d90dfc440a0229930d0e03141226f77b702ed189fa4e094da1055403c
   SHA512: be6c467baef91e196efb3b215904c0756f8b1e2b3b933dc387afdbfef07a29ab686cee37f52415a0d4030e0a62a371e222ff6abc29c208b606ba3bddfaa04591
11. Filesize 61KB
   MD5: 73c523b6556f2dc7eefc662338d66f8d
   SHA1: 1e6f9a1d885efa4d76f1e7a8be2e974f2b65cea5
   SHA256: 0c6397bfbcd7b1fcefb6de01a506578e36651725a61078c69708f1f92c41ea31
   SHA512: 69d0f23d1abaad657dd4672532936ef35f0e9d443caf9e19898017656a66ed46e75e7e05261c7e7636799c58feccd01dc93975d6a598cbb73242ddb48c6ec912
12. Filesize 87KB
   MD5: 7a9b84a8a91d94fa1b9200421dec2df4
   SHA1: 86de5b54956dae1c805c4f12a8eb62e7a9399b1b
   SHA256: 12ba51f62ae8f3d2554f88dedacabc193e8ab5eed3a70b7f9324cb67128ba6a2
   SHA512: 0af9754e0a657b05bde0f76586d58b7b534248c9180f426264872b429f9cc3ff3a40d1948676039521192130751bc52760d5cef5badd9cdd5b08c5815ced9329
13. Filesize 89KB
   MD5: 4779f3f8fe070c35bfe0c2a4d69515e9
   SHA1: 8121a4bcbdb0685bd81e4599026615cbe30e870d
   SHA256: 67e14e9ac4cd27fa45496d73b9bff74a09e0548783538b98888fa38bb6fdae6b
   SHA512: 9668f4933008f9ac95ceac1a3c833ebd9dcd2bd5a68ce59e0331020e4632e7426f6e037a678188b12af8a0b87c9697f3ee8a01e48a005b3ff6d786c570e81961
14. Filesize 1KB
   MD5: 8bfa0d03b77f9343a47c9aa3e42bac58
   SHA1: 4f9564bf241bfca52ea4d3023617fef8d3a7b047
   SHA256: f2d4425ac4a58a52c8485c64b900471bf0ccca1781a1c778d5a2a24f283abb56
   SHA512: 26ed47dbc5d73465c44e017b5f947ef62b3c69750dd9826f33a87127f34db6b49ad8719e48b253d185ae946e7e974bf6d9c1db1e368b57aadd811f61ecfb1cad
15. Filesize 349KB
   MD5: c1691a80aed6ac9ee6bd27b02f829b6f
   SHA1: 36e73f92b63faca833c2226b70913c27d7cae48a
   SHA256: 636978bff1f2258f21a5d8660e095b20c8341fcdc891692f82bd5a2d63fba15d
   SHA512: d8b03f7950a98449b9bd169e84ff0406f048af0615d0a7f0effb9b84789d1f29570666117631f36f175fd77050e32c88a62f9d3cc0b308ab89b867eac8ede4a9