Analysis
-
max time kernel
149s
-
max time network
118s
-
platform
windows7_x64
-
resource
win7-20231215-en
-
resource tags
arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
-
submitted
25-01-2024 01:48
-
Static task
static1
-
Behavioral task
behavioral1
-
Sample
736aa5c70532729a4ab7c493762c3d38.dll
-
Resource
win7-20231215-en
General
-
Target
736aa5c70532729a4ab7c493762c3d38.dll
-
Size
1.8MB
-
MD5
736aa5c70532729a4ab7c493762c3d38
-
SHA1
4d8366a845fc4143af2ebb056656bdfec85bb91a
-
SHA256
fa34c06663e6fca8921608ebcdb3bd6056258c39f2270a46397eb552e3396575
-
SHA512
1180962f8ea4b01a8521271a51290a752d53cc389be6345c64735c84b2ef6f9640b6880e058350a02b5075ad5be839b13caab461740da5399bb6f95aa9811448
-
SSDEEP
12288:fVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:WfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
-
YARA match in process memory
resource | yara_rule
behavioral1/memory/1220-5-0x0000000002530000-0x0000000002531000-memory.dmp | dridex_stager_shellcode
Executes dropped EXE 3 IoCs
pid | process
2360 | SystemPropertiesDataExecutionPrevention.exe
2780 | dpapimig.exe
1976 | SystemPropertiesProtection.exe
Loads dropped DLL 7 IoCs
pid | process
1220 | (no process name recorded)
2360 | SystemPropertiesDataExecutionPrevention.exe
1220 | (no process name recorded)
2780 | dpapimig.exe
1220 | (no process name recorded)
1976 | SystemPropertiesProtection.exe
1220 | (no process name recorded)
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rtxtioiynm = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\PRINTE~1\\9N8Um\\dpapimig.exe" | (not recorded)
Checks whether UAC is enabled
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | dpapimig.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | SystemPropertiesProtection.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | SystemPropertiesDataExecutionPrevention.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | process
2252 | rundll32.exe (3 entries)
1220 | (no process name recorded; the remaining 61 entries)
Suspicious use of WriteProcessMemory 18 IoCs
Each source/target pair below is recorded three times in the report (6 pairs, 18 entries).
description | pid | process | target process
PID 1220 wrote to memory of 3020 | 1220 | (none) | SystemPropertiesDataExecutionPrevention.exe
PID 1220 wrote to memory of 2360 | 1220 | (none) | SystemPropertiesDataExecutionPrevention.exe
PID 1220 wrote to memory of 2572 | 1220 | (none) | dpapimig.exe
PID 1220 wrote to memory of 2780 | 1220 | (none) | dpapimig.exe
PID 1220 wrote to memory of 1800 | 1220 | (none) | SystemPropertiesProtection.exe
PID 1220 wrote to memory of 1976 | 1220 | (none) | SystemPropertiesProtection.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
All seven entries are top-level. Pid 1220, the process that wrote to the memory of the six System* and dpapimig processes, does not appear in the tree. Three Windows binaries (SystemPropertiesDataExecutionPrevention.exe, dpapimig.exe, SystemPropertiesProtection.exe) each run once from C:\Windows\system32 and once as a dropped copy from a randomly named directory under C:\Users\Admin\AppData\Local.
-
C:\Windows\system32\rundll32.exe
Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\736aa5c70532729a4ab7c493762c3d38.dll,#1
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID: 2252
-
C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
Command line: C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
PID: 3020
-
C:\Users\Admin\AppData\Local\00RNC\SystemPropertiesDataExecutionPrevention.exe
Command line: C:\Users\Admin\AppData\Local\00RNC\SystemPropertiesDataExecutionPrevention.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID: 2360
-
C:\Windows\system32\dpapimig.exe
Command line: C:\Windows\system32\dpapimig.exe
PID: 2572
-
C:\Users\Admin\AppData\Local\6tM5LZ\dpapimig.exe
Command line: C:\Users\Admin\AppData\Local\6tM5LZ\dpapimig.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID: 2780
-
C:\Windows\system32\SystemPropertiesProtection.exe
Command line: C:\Windows\system32\SystemPropertiesProtection.exe
PID: 1800
-
C:\Users\Admin\AppData\Local\AvqdswrJa\SystemPropertiesProtection.exe
Command line: C:\Users\Admin\AppData\Local\AvqdswrJa\SystemPropertiesProtection.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID: 1976
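The tree above records two behaviours a defender can hunt for on a live host: Windows binaries running from a directory other than System32 while a same-named copy runs from System32, and an autostart entry (the Run value above; a scheduled-task action would be checked the same way, though the report records no task path) whose target sits in a user-writable directory. The Python below is an added example, not part of the sandbox report or of the sample. Its input records are constructed from the process tree and the Run-key IoC on this page; the SYSTEM_DIRS and USER_WRITABLE lists and the benign ExampleVendorTray entry are assumptions, added so the checks have a negative case.

```python
# Added example: detection logic for the two patterns this report records,
# run over records constructed from the report itself. Not part of the
# sandbox output or of the sample; the directory lists are assumptions.
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Assumption: directories whose binaries are treated as the genuine copies.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Assumption: path fragments that mark a user-writable location.
USER_WRITABLE = (r"\appdata\local", r"\appdata\roaming", r"\users\public", r"\programdata")


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str  # full path of the executable image


# Constructed from the process tree above: each system binary runs once from
# System32 (pids 3020, 2572, 1800) and once from a random AppData\Local folder.
PROCESSES = [
    Proc(2252, r"C:\Windows\system32\rundll32.exe"),
    Proc(3020, r"C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe"),
    Proc(2360, r"C:\Users\Admin\AppData\Local\00RNC\SystemPropertiesDataExecutionPrevention.exe"),
    Proc(2572, r"C:\Windows\system32\dpapimig.exe"),
    Proc(2780, r"C:\Users\Admin\AppData\Local\6tM5LZ\dpapimig.exe"),
    Proc(1800, r"C:\Windows\system32\SystemPropertiesProtection.exe"),
    Proc(1976, r"C:\Users\Admin\AppData\Local\AvqdswrJa\SystemPropertiesProtection.exe"),
]

# Constructed autostart entries: the first is the Run value from this report
# (8.3 short names exactly as the sandbox recorded them); the second is a
# made-up benign entry so the check has a negative case.
AUTOSTART = {
    r"HKU\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rtxtioiynm":
        r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\PRINTE~1\9N8Um\dpapimig.exe",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ExampleVendorTray":
        r"C:\Program Files\ExampleVendor\tray.exe",
}


def _dir_of(path: str) -> str:
    return ntpath.dirname(path).lower().rstrip("\\")


def is_system_image(path: str) -> bool:
    """True when the image lives directly in one of SYSTEM_DIRS."""
    return _dir_of(path) in SYSTEM_DIRS


def in_user_writable(path: str) -> bool:
    """True when the path contains a user-writable directory fragment.
    Caveat: compare long names; an 8.3 form such as APPDAT~1 would slip past
    a substring match, so expand paths before checking on a live host."""
    lowered = path.lower().replace("/", "\\")
    return any(tag in lowered for tag in USER_WRITABLE)


def relocated_system_binaries(procs: list[Proc]) -> list[Proc]:
    """Processes whose image name also runs from a system directory but whose
    own image is somewhere else: the dropped copies in this report."""
    system_names = {ntpath.basename(p.image).lower() for p in procs if is_system_image(p.image)}
    return [
        p for p in procs
        if not is_system_image(p.image) and ntpath.basename(p.image).lower() in system_names
    ]


def suspicious_autostarts(entries: dict[str, str]) -> list[str]:
    """Autostart values (Run keys, or scheduled-task actions fed the same way)
    whose target executable lives in a user-writable directory."""
    return [key for key, target in entries.items() if in_user_writable(target)]


if __name__ == "__main__":
    for p in relocated_system_binaries(PROCESSES):
        print(f"relocated system binary: pid {p.pid} {p.image}")
    for key in suspicious_autostarts(AUTOSTART):
        print(f"autostart into user-writable path: {key} -> {AUTOSTART[key]}")
```

On a live host the same two functions take a process listing (pid and full image path) and the Run/RunOnce values plus scheduled-task action paths; the relocated-binary rule only fires when a genuine System32 twin is also running, so for a quieter host pair it with a fixed list of System32 image names instead of deriving the set from the listing.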
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
196KB
MD5
0bb0823b481b0b97b74b35b71b19156e
SHA1
52879d5b981f845a251de624ccabd8688c75fbb9
SHA256
7c33191d9f5ccf08704a1cb9d057a13862c526a6ca13cccd05674033582943cd
SHA512
d37ce0c5162b6db04bd8c695f165de40af3b738208dd971160a7a9330b0a412a238d40baaf556dbf6e8a0a72decf690b4e1be623c603d767032a80b5076f7f8e
-
Filesize
80KB
MD5
e43ff7785fac643093b3b16a9300e133
SHA1
a30688e84c0b0a22669148fe87680b34fcca2fba
SHA256
c8e1b3ecce673035a934d65b25c43ec23416f5bbf52d772e24e48e6fd3e77e9b
SHA512
61260999bb57817dea2d404bcf093820679e597298c752d38db181fe9963b5fa47e070d6a3c7c970905035b396389bb02946b44869dc8b9560acc419b065999a
-
Filesize
219KB
MD5
39face98b70bc6d3a868038ae31d650f
SHA1
4d4ab5d441d8b1372b9a606913573a57176bed47
SHA256
2dd26da89b864a38e7c02fefa84f5b56737e757f58e8a2f791e902eb5b0459a5
SHA512
66ea181b92116aee8ae5831afc66a11d8ecfa9b4537ad89c52a9e29824283177e205625e5822ddb7048da303c25f8cfc3e44d5eb98253c3b4902b001513401bd
-
Filesize
73KB
MD5
0e8b8abea4e23ddc9a70614f3f651303
SHA1
6d332ba4e7a78039f75b211845514ab35ab467b2
SHA256
66fc6b68e54b8840a38b4de980cc22aed21009afc1494a9cc68e892329f076a1
SHA512
4feded78f9b953472266693e0943030d00f82a5cc8559df60ae0479de281164155e19687afc67cba74d04bb9ad092f5c7732f2d2f9b06274ca2ae87dc2d4a6dc
-
Filesize
17KB
MD5
c4a16d510b419b1fecdb254fc5420343
SHA1
7948508a401329cbe1951fff7b1e1ab82e4ac247
SHA256
c4db01fb8117104abda79d4ccf1e650dc77ac697c4b353639d09b5783b9e2bb9
SHA512
035ff28c0e0708050c0e4ecd1c04dac8517c8cc3957830812f7d0c8543122dea17e922f3b76e7cdffca3d5ece2a33c9f7d9c7b3f799d8659276a2ebc73c05eee
-
Filesize
80KB
MD5
05138d8f952d3fff1362f7c50158bc38
SHA1
780bc59fcddf06a7494d09771b8340acffdcc720
SHA256
753a43d8aa74341d06582bd6b3784dc5f8c6f46174c2a306cf284de238a9c6bd
SHA512
27fa8c0af3d01f0816852d04693087f3c25d1307d8857a7ea75b0bb3e0ac927d262f5ac5a335afee150142fa3187354d33ebbcf6c3cd5cc33cb4e6cd00c50255
-
Filesize
1KB
MD5
a94806f29d68c5699a978d39592e4482
SHA1
b1d6118c1c357b7c5d18ec2ba52ef6c52d861827
SHA256
a9cb9352103d8567d3971fcaca51ac88d4a11ce6bd1b61367b5208b949c01c19
SHA512
5eeaea2466a52b2cbe4a4f195acc51a2143909022d6677592fa7d19c4f712fd80bd8e9ee1428f2c528f59f1a32b4b9dc41182b43a296a58799ad1f399fe56144
-
Filesize
2.0MB
MD5
595c0ce0524000309d584db4a4301127
SHA1
bff374f90fb4b7ed464deda9f1928971101a7d6c
SHA256
7a5a71f69dee905d9e7dff76d0f456b7829570beffabb356dbfa7d1edb258c68
SHA512
740c6be3a62785d30e4af2243d6bcf42cf53518565d44206df53322f88c5c028fb3b7b1b6bdd0aadf7615cc1aeb00ab57731d6f0eeab2080600af07561863ca8
-
Filesize
1.8MB
MD5
2f32bc3d2662852a9e9869b770c3299b
SHA1
efa523cfb7ba2b6c139152792ae21aa3885d2eec
SHA256
59b9a449539feb7d79cbe7f9f16b87ada31faf592843be52ccb2c99bfa979d26
SHA512
11f5eb782f5aa26120c445871bac2a95c352e3c167c85850797dd20bbadc91d951378b5b8668cb3f6ddcd3dfe9e497429c242ed3364a38e90aa7f486d05c6c9b
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PrivacIE\Vq0xh9bSyx\SystemPropertiesDataExecutionPrevention.exe
Filesize
42KB
MD5
2ddfefe103ac36e66dbbb090c65aca36
SHA1
a4a0edd6c62d0ae89cf3002d01e4b8c1bed357c4
SHA256
c0edc59b6d8f5c2e45f206f6fba063765046554d660cefb3913431f5957b5ba3
SHA512
dac3ed3b7a18ec3e5b89db5b4609c453d5249179b3b72bf151e498884c5f4a7e70b88cbce2fb1ad6fbb6861f8c98bfd8ed9f7052a567097b47658b9c17b3567f
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\6MCRrQx\SYSDM.CPL
Filesize
1.8MB
MD5
9256781cb2a6f40dfaa9c1377436858d
SHA1
8d8340293b65f10210891c66ee3bf2a68b4ab0d6
SHA256
faa14d29c4554755188f027d40ebb41700829f1e86f39d15172850f9fff29cb2
SHA512
71e3817ec7aae10f34358665a05121aeed0ec4a942e26041ff56c49087d9fd536bf5e17a6b730b08b0e6e3f4ceb82d65b7b71ca31a5ea4951924b286135d0b0f
-
Filesize
305KB
MD5
a32ae6808847c5d7074533b3b7644eae
SHA1
26399c2ebdabf1fd09e70eb09f6d84fa726c5c64
SHA256
dbf129520fac05ca38965a7784a8507012757a6789e1f971935b6017eacfb178
SHA512
7e1c298ffbdd4da830e4ce1a12b9b65aafbd45aea9e078a8d7f2adff8d1913d3d86618e6c7c24f00e71e360429013109fdf1ffef56d34a51c575c58b131b7b5a
-
Filesize
307KB
MD5
371033d8e2678acf0a4e9bfb02a82613
SHA1
67c581ff407df093fb5286c91ca641dc48ec2aeb
SHA256
6bfd6d69dbf34c6200a63741c848991bc6cb9ea15c33e96e22050c1bb1c73b86
SHA512
7b18d19da234babecd14f5717d3e5e590e9418c91113ece6ebaa81435a90bcddeeec58a8d3acecc3e017774a271dcaa9bf9410a176e95ff9343af17d7cd7256d
-
Filesize
136KB
MD5
1528bdc7e86baadbe372807e265bc996
SHA1
028cad64b057e284541812fc66bc4bc4fa03661f
SHA256
53cb4d6413238defe88c31e93494389fad6f1210027cb46aa478745a8f3f5cbf
SHA512
9bc8201ed6f757dfdcf03a8ec46d6d6a3724eaf8a8cd8ae0f675be081af341d7f9c8713002eb04ebe1bf05166b1f1f2638ed1d15778e2253b53433e953e49da7