Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-01-2024 01:48
- Static task: static1
- Behavioral task: behavioral1
- Sample: 736aa5c70532729a4ab7c493762c3d38.dll
- Resource: win7-20231215-en
General
- Target: 736aa5c70532729a4ab7c493762c3d38.dll
- Size: 1.8MB
- MD5: 736aa5c70532729a4ab7c493762c3d38
- SHA1: 4d8366a845fc4143af2ebb056656bdfec85bb91a
- SHA256: fa34c06663e6fca8921608ebcdb3bd6056258c39f2270a46397eb552e3396575
- SHA512: 1180962f8ea4b01a8521271a51290a752d53cc389be6345c64735c84b2ef6f9640b6880e058350a02b5075ad5be839b13caab461740da5399bb6f95aa9811448
- SSDEEP: 12288:fVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:WfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
- YARA memory match
  Processes: resource behavioral2/memory/3368-5-0x0000000002610000-0x0000000002611000-memory.dmp; yara_rule dridex_stager_shellcode
- Executes dropped EXE (4 IoCs)
  Processes: pid 5016 consent.exe; pid 1984 perfmon.exe; pid 5000 tabcal.exe; pid 2864 mspaint.exe
- Loads dropped DLL (3 IoCs)
  Processes: pid 1984 perfmon.exe; pid 5000 tabcal.exe; pid 2864 mspaint.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: Set value (str) \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hcbfaqn = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\IWLFXJn1gD\\tabcal.exe"
- Checks whether UAC is enabled
  Processes: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by rundll32.exe, perfmon.exe, tabcal.exe and mspaint.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: pid 1628 rundll32.exe (4 entries); pid 3368 (60 entries, no process name recorded)
- Suspicious use of UnmapMainImage (1 IoC)
  Processes: pid 3368
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes (each entry recorded twice):
  PID 3368 wrote to memory of 4212, target process consent.exe
  PID 3368 wrote to memory of 5016, target process consent.exe
  PID 3368 wrote to memory of 3360, target process perfmon.exe
  PID 3368 wrote to memory of 1984, target process perfmon.exe
  PID 3368 wrote to memory of 2572, target process tabcal.exe
  PID 3368 wrote to memory of 5000, target process tabcal.exe
  PID 3368 wrote to memory of 2176, target process mspaint.exe
  PID 3368 wrote to memory of 2864, target process mspaint.exe
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\736aa5c70532729a4ab7c493762c3d38.dll,#1
  PID: 1628
  Signatures: Checks whether UAC is enabled; Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\consent.exe
  Command line: C:\Windows\system32\consent.exe
  PID: 4212
- C:\Users\Admin\AppData\Local\R6V8l\consent.exe
  Command line: C:\Users\Admin\AppData\Local\R6V8l\consent.exe
  PID: 5016
  Signatures: Executes dropped EXE
- C:\Windows\system32\perfmon.exe
  Command line: C:\Windows\system32\perfmon.exe
  PID: 3360
- C:\Users\Admin\AppData\Local\t8Irx\perfmon.exe
  Command line: C:\Users\Admin\AppData\Local\t8Irx\perfmon.exe
  PID: 1984
  Signatures: Executes dropped EXE; Loads dropped DLL; Checks whether UAC is enabled
- C:\Windows\system32\tabcal.exe
  Command line: C:\Windows\system32\tabcal.exe
  PID: 2572
- C:\Windows\system32\mspaint.exe
  Command line: C:\Windows\system32\mspaint.exe
  PID: 2176
- C:\Users\Admin\AppData\Local\6IK\tabcal.exe
  Command line: C:\Users\Admin\AppData\Local\6IK\tabcal.exe
  PID: 5000
  Signatures: Executes dropped EXE; Loads dropped DLL; Checks whether UAC is enabled
- C:\Users\Admin\AppData\Local\TGkLKW\mspaint.exe
  Command line: C:\Users\Admin\AppData\Local\TGkLKW\mspaint.exe
  PID: 2864
  Signatures: Executes dropped EXE; Loads dropped DLL; Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Downloads