Analysis
max time kernel: 150s
max time network: 126s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 24-01-2024 14:05
Static task: static1
Behavioral task: behavioral1
Sample: 726f982410725cb34272e9e44b3c0310.dll
Resource: win7-20231215-en
General
Target: 726f982410725cb34272e9e44b3c0310.dll
Size: 2.0MB
MD5: 726f982410725cb34272e9e44b3c0310
SHA1: 8450bd8609660c8fee5e0a8460e391b44ef07bfd
SHA256: 1af3b38b228078c0c78e70ef3bf82e55635240069d5f982819899db2bf5d9972
SHA512: e1540efb22d0c7bf2f5a0f1a9ad38f0d78d741db0c49c4628f620f315e4a093b449628b12aabd597c89042344318b3db6dad4ca03e3390d67944c84f72cfb728
SSDEEP: 12288:MVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:5fP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
- Yara rule match
  resource: behavioral1/memory/1208-5-0x0000000002170000-0x0000000002171000-memory.dmp
  yara_rule: dridex_stager_shellcode
- Executes dropped EXE (3 IoCs)
  pid   process
  3060  p2phost.exe
  1092  StikyNot.exe
  2956  WFS.exe
- Loads dropped DLL (7 IoCs)
  pid   process
  1208
  3060  p2phost.exe
  1208
  1092  StikyNot.exe
  1208
  2956  WFS.exe
  1208
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Extensions\\ZsMGn9qpQs2\\StikyNot.exe"
- Checks whether UAC is enabled
  description        ioc                                                                                      process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  p2phost.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  StikyNot.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  WFS.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   process
  2040  rundll32.exe  (3 entries)
  1208                (61 entries)
- Suspicious use of WriteProcessMemory (18 IoCs)
  description                       pid   target process   (each entry appears 3 times)
  PID 1208 wrote to memory of 2620  1208  p2phost.exe
  PID 1208 wrote to memory of 3060  1208  p2phost.exe
  PID 1208 wrote to memory of 1636  1208  StikyNot.exe
  PID 1208 wrote to memory of 1092  1208  StikyNot.exe
  PID 1208 wrote to memory of 2932  1208  WFS.exe
  PID 1208 wrote to memory of 2956  1208  WFS.exe
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\726f982410725cb34272e9e44b3c0310.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 2040
- C:\Windows\system32\p2phost.exe
  command line: C:\Windows\system32\p2phost.exe
  PID: 2620
- C:\Users\Admin\AppData\Local\vXpgWYYf\p2phost.exe
  command line: C:\Users\Admin\AppData\Local\vXpgWYYf\p2phost.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 3060
- C:\Windows\system32\StikyNot.exe
  command line: C:\Windows\system32\StikyNot.exe
  PID: 1636
- C:\Users\Admin\AppData\Local\j70Vbi1\StikyNot.exe
  command line: C:\Users\Admin\AppData\Local\j70Vbi1\StikyNot.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1092
- C:\Windows\system32\WFS.exe
  command line: C:\Windows\system32\WFS.exe
  PID: 2932
- C:\Users\Admin\AppData\Local\3ZPNdgpT\WFS.exe
  command line: C:\Users\Admin\AppData\Local\3ZPNdgpT\WFS.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2956
Network
MITRE ATT&CK Enterprise v15
Downloads