Analysis
- max time kernel: 150s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 24-01-2024 08:37
Static task: static1
Behavioral task: behavioral1
Sample: 71c41494c927e33c33dadf1925c47cd5.dll
Resource: win7-20231215-en
General
- Target: 71c41494c927e33c33dadf1925c47cd5.dll
- Size: 1.5MB
- MD5: 71c41494c927e33c33dadf1925c47cd5
- SHA1: d9522d823725eced87e847799aac6e00e0d9c985
- SHA256: 6a19ea54058dfc1a9678abc823f1ed3697c8e77fba5279d998dadaef5e7ebf04
- SHA512: 1e0f16a9f44cbe3f6a807a86b6d0a45fa8186463bb4fd17aa76792d532d7695017442642d488fd43ba725b8a5dece1bafae44ae512d897252d5dde90184a1ee4
- SSDEEP: 12288:FVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:cfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
-
Processes:
resource: behavioral1/memory/1212-5-0x00000000029E0000-0x00000000029E1000-memory.dmp
yara_rule: dridex_stager_shellcode
Executes dropped EXE 3 IoCs
Processes:
pid process
2272 tcmsetup.exe
2996 WindowsAnytimeUpgradeResults.exe
1960 iexpress.exe
Loads dropped DLL 7 IoCs
Processes:
pid process
1212 (no process name recorded)
2272 tcmsetup.exe
1212 (no process name recorded)
2996 WindowsAnytimeUpgradeResults.exe
1212 (no process name recorded)
1960 iexpress.exe
1212 (no process name recorded)
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\Srfjajs = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\Low\\dQYhzbi1rd\\WindowsAnytimeUpgradeResults.exe"
process: (not recorded)
Checks whether UAC is enabled
Processes:
description ioc process
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA iexpress.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rundll32.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA tcmsetup.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA WindowsAnytimeUpgradeResults.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid process
2524 rundll32.exe
2524 rundll32.exe
2524 rundll32.exe
1212 (no process name recorded; this entry is repeated 61 times in the report)
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
description | pid | process | target process
PID 1212 wrote to memory of 2344 | 1212 | (not recorded) | tcmsetup.exe
PID 1212 wrote to memory of 2344 | 1212 | (not recorded) | tcmsetup.exe
PID 1212 wrote to memory of 2344 | 1212 | (not recorded) | tcmsetup.exe
PID 1212 wrote to memory of 2272 | 1212 | (not recorded) | tcmsetup.exe
PID 1212 wrote to memory of 2272 | 1212 | (not recorded) | tcmsetup.exe
PID 1212 wrote to memory of 2272 | 1212 | (not recorded) | tcmsetup.exe
PID 1212 wrote to memory of 2924 | 1212 | (not recorded) | WindowsAnytimeUpgradeResults.exe
PID 1212 wrote to memory of 2924 | 1212 | (not recorded) | WindowsAnytimeUpgradeResults.exe
PID 1212 wrote to memory of 2924 | 1212 | (not recorded) | WindowsAnytimeUpgradeResults.exe
PID 1212 wrote to memory of 2996 | 1212 | (not recorded) | WindowsAnytimeUpgradeResults.exe
PID 1212 wrote to memory of 2996 | 1212 | (not recorded) | WindowsAnytimeUpgradeResults.exe
PID 1212 wrote to memory of 2996 | 1212 | (not recorded) | WindowsAnytimeUpgradeResults.exe
PID 1212 wrote to memory of 1248 | 1212 | (not recorded) | iexpress.exe
PID 1212 wrote to memory of 1248 | 1212 | (not recorded) | iexpress.exe
PID 1212 wrote to memory of 1248 | 1212 | (not recorded) | iexpress.exe
PID 1212 wrote to memory of 1960 | 1212 | (not recorded) | iexpress.exe
PID 1212 wrote to memory of 1960 | 1212 | (not recorded) | iexpress.exe
PID 1212 wrote to memory of 1960 | 1212 | (not recorded) | iexpress.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
Path: C:\Windows\system32\rundll32.exe
Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\71c41494c927e33c33dadf1925c47cd5.dll,#1
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2524
-
Path: C:\Windows\system32\tcmsetup.exe
Command line: C:\Windows\system32\tcmsetup.exe
PID:2344
-
Path: C:\Users\Admin\AppData\Local\8QBgwy\tcmsetup.exe
Command line: C:\Users\Admin\AppData\Local\8QBgwy\tcmsetup.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2272
-
Path: C:\Windows\system32\WindowsAnytimeUpgradeResults.exe
Command line: C:\Windows\system32\WindowsAnytimeUpgradeResults.exe
PID:2924
-
Path: C:\Users\Admin\AppData\Local\LTcJmDDfC\WindowsAnytimeUpgradeResults.exe
Command line: C:\Users\Admin\AppData\Local\LTcJmDDfC\WindowsAnytimeUpgradeResults.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2996
-
Path: C:\Users\Admin\AppData\Local\Sh4si\iexpress.exe
Command line: C:\Users\Admin\AppData\Local\Sh4si\iexpress.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1960
-
Path: C:\Windows\system32\iexpress.exe
Command line: C:\Windows\system32\iexpress.exe
PID:1248
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\kAs\TAPI32.dll