Analysis

max time kernel: 150s
max time network: 124s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
submitted: 25-01-2024 01:58

Static task: static1
Behavioral task: behavioral1
Sample: 736f4c09867897af390e3e0bf50a0b23.dll
Resource: win7-20231215-en
General

Target: 736f4c09867897af390e3e0bf50a0b23.dll
Size: 3.5MB
MD5: 736f4c09867897af390e3e0bf50a0b23
SHA1: 3194159767a1ca1c25f18e33b5f790394c9f5cd9
SHA256: fee679a74d93c6adee409515fdf168e955e056dae2949cbf848a48e03a8ac97d
SHA512: 3c33731da1c256f43480f8b6e9480209a9f65dcefd9ea45f3bfa754e8f21fa022dca160f227fd223da04027d692e7001ed19882e0c3ba60962d79c119b76d497
SSDEEP: 12288:SVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:PfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures

YARA match: dridex_stager_shellcode 1 IoCs
Processes:
resource: behavioral1/memory/1208-5-0x0000000002170000-0x0000000002171000-memory.dmp
yara_rule: dridex_stager_shellcode
Executes dropped EXE 4 IoCs
Processes:
pid   process
1484  spinstall.exe
1568  SnippingTool.exe
1736  Dxpserver.exe
1620  DisplaySwitch.exe
Loads dropped DLL 9 IoCs
Processes:
pid   process
1208  (image name not recorded in the report)
1484  spinstall.exe
1208  (image name not recorded in the report)
1568  SnippingTool.exe
1208  (image name not recorded in the report)
1736  Dxpserver.exe
1208  (image name not recorded in the report)
1620  DisplaySwitch.exe
1208  (image name not recorded in the report)
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\Low\\YFXLWlp\\Dxpserver.exe"
process: (not recorded in the report)
Checks whether UAC is enabled 5 IoCs
Processes:
description: Key value queried
ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
process (one query each): DisplaySwitch.exe, rundll32.exe, spinstall.exe, SnippingTool.exe, Dxpserver.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid   process
2208  rundll32.exe (3 entries)
1208  (61 entries; image name not recorded in the report)
Suspicious use of WriteProcessMemory 24 IoCs
Processes:
description                          target pid  target process      entries
PID 1208 wrote to memory of          1384        spinstall.exe       3
PID 1208 wrote to memory of          1484        spinstall.exe       3
PID 1208 wrote to memory of          2956        SnippingTool.exe    3
PID 1208 wrote to memory of          1568        SnippingTool.exe    3
PID 1208 wrote to memory of          1968        Dxpserver.exe       3
PID 1208 wrote to memory of          1736        Dxpserver.exe       3
PID 1208 wrote to memory of          2032        DisplaySwitch.exe   3
PID 1208 wrote to memory of          1620        DisplaySwitch.exe   3
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\736f4c09867897af390e3e0bf50a0b23.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 2208

C:\Windows\system32\spinstall.exe
  command line: C:\Windows\system32\spinstall.exe
  PID: 1384

C:\Users\Admin\AppData\Local\k16Ck\spinstall.exe
  command line: C:\Users\Admin\AppData\Local\k16Ck\spinstall.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1484

C:\Windows\system32\SnippingTool.exe
  command line: C:\Windows\system32\SnippingTool.exe
  PID: 2956

C:\Users\Admin\AppData\Local\QvEm\SnippingTool.exe
  command line: C:\Users\Admin\AppData\Local\QvEm\SnippingTool.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1568

C:\Windows\system32\Dxpserver.exe
  command line: C:\Windows\system32\Dxpserver.exe
  PID: 1968

C:\Users\Admin\AppData\Local\6Jn\Dxpserver.exe
  command line: C:\Users\Admin\AppData\Local\6Jn\Dxpserver.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1736

C:\Windows\system32\DisplaySwitch.exe
  command line: C:\Windows\system32\DisplaySwitch.exe
  PID: 2032

C:\Users\Admin\AppData\Local\qLT6b\DisplaySwitch.exe
  command line: C:\Users\Admin\AppData\Local\qLT6b\DisplaySwitch.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1620
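The process tree above shows each of four Windows System32 binaries (spinstall.exe, SnippingTool.exe, Dxpserver.exe, DisplaySwitch.exe) executed twice: first from its System32 path, then from a copy under C:\Users\Admin\AppData\Local\<random>\, with only the copy tagged "Loads dropped DLL". Together with the Run key that points at a further copy of Dxpserver.exe under AppData\Roaming, that layout is consistent with DLL search-order hijacking: a signed Microsoft executable relocated into a writable directory beside an attacker-controlled DLL that it loads by name. The script below is an added detection check written for this page, not part of the sandbox report or of any Triage tooling. It learns which image names are System32 binaries from the process records themselves, flags any such name executed from a user-writable directory, pairs each copy with its original, and separately flags Run values whose executable lives under a user-writable path. The process records and Run values are constructed from the paths in this report, plus one made-up benign control each (example.exe and VendorAgent); the directory lists are assumptions a deployment would tune.

```python
"""Triage check for the two patterns in this report: a System32 image name run
from a user-writable directory (copied signed binary + DLL search-order hijack)
and an HKCU Run value launching from a user-writable path. Added example; the
sample records are constructed from the report, not exported from Triage."""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# Where Windows' own binaries legitimately execute from (assumed list).
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# User-writable roots (assumed list): a System32 image name or a Run target
# under any of these is a triage hit.
USER_WRITABLE = re.compile(
    r"^(c:\\users\\[^\\]+\\appdata\\|c:\\programdata\\|c:\\windows\\temp\\)",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    image: str  # full image path, as a process-creation log records it


def in_system_dir(directory: str) -> bool:
    """True when directory is System32/SysWOW64 or a subdirectory of either."""
    d = directory.lower().rstrip("\\")
    return any(d == s or d.startswith(s + "\\") for s in SYSTEM_DIRS)


def find_relocated_system_binaries(events, known_system_images=()):
    """Events whose image name matches a System32 binary but whose directory is
    user-writable. System32 names are learned from any event that ran from a
    system directory, plus an optional allow-list, so no file inventory is needed."""
    names = {n.lower() for n in known_system_images}
    for ev in events:
        directory, base = ntpath.split(ev.image)
        if in_system_dir(directory):
            names.add(base.lower())
    hits = []
    for ev in events:
        directory, base = ntpath.split(ev.image)
        if base.lower() in names and not in_system_dir(directory) \
                and USER_WRITABLE.match(directory + "\\"):
            hits.append(ev)
    return hits


def pair_with_originals(events):
    """(image name, PID of the copy's System32 original or None, PID of the copy)
    for every relocated hit; the report shows each original running just before its copy."""
    originals = {}
    for ev in events:
        directory, base = ntpath.split(ev.image)
        if in_system_dir(directory):
            originals.setdefault(base.lower(), ev.pid)
    return [(ntpath.basename(ev.image), originals.get(ntpath.basename(ev.image).lower()), ev.pid)
            for ev in find_relocated_system_binaries(events)]


def run_value_executable(command: str) -> str:
    """Executable path from a Run value: the quoted token if the command is quoted,
    otherwise the first whitespace-delimited token (an unquoted path with spaces is
    itself worth a look and is left to the analyst)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def suspicious_run_values(run_values: dict[str, str]) -> dict[str, str]:
    """Run value name -> executable, for values that launch from a user-writable path."""
    return {name: exe for name, cmd in run_values.items()
            if (exe := run_value_executable(cmd)) and USER_WRITABLE.match(exe)}


# Constructed from the report's process tree; the last entry is a made-up benign control.
SAMPLE_EVENTS = [
    ProcessEvent(2208, r"C:\Windows\system32\rundll32.exe"),
    ProcessEvent(1384, r"C:\Windows\system32\spinstall.exe"),
    ProcessEvent(1484, r"C:\Users\Admin\AppData\Local\k16Ck\spinstall.exe"),
    ProcessEvent(2956, r"C:\Windows\system32\SnippingTool.exe"),
    ProcessEvent(1568, r"C:\Users\Admin\AppData\Local\QvEm\SnippingTool.exe"),
    ProcessEvent(1968, r"C:\Windows\system32\Dxpserver.exe"),
    ProcessEvent(1736, r"C:\Users\Admin\AppData\Local\6Jn\Dxpserver.exe"),
    ProcessEvent(2032, r"C:\Windows\system32\DisplaySwitch.exe"),
    ProcessEvent(1620, r"C:\Users\Admin\AppData\Local\qLT6b\DisplaySwitch.exe"),
    ProcessEvent(3000, r"C:\Users\Admin\AppData\Local\Programs\Example\example.exe"),  # benign control
]

# Constructed from the report's Run key; VendorAgent is a made-up benign control.
SAMPLE_RUN_VALUES = {
    "Zqonzshwxyr": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IETldCache\Low\YFXLWlp\Dxpserver.exe",
    "VendorAgent": r'"C:\Program Files\Vendor\Agent.exe" /background',
}

if __name__ == "__main__":
    for name, orig_pid, copy_pid in pair_with_originals(SAMPLE_EVENTS):
        print(f"{name}: System32 original PID {orig_pid}, user-writable copy PID {copy_pid}")
    for name, exe in suspicious_run_values(SAMPLE_RUN_VALUES).items():
        print(f"Run value {name!r} launches from user-writable path: {exe}")
```

The relocated-binary check is the specific one: Microsoft does not ship those four images anywhere under a user profile, so a match is close to a conviction. The Run-key check is only a triage signal, because per-user installers legitimately register Run values under AppData\Local; combine it with signer and known-installer data before acting. Widening the first check from "user-writable" to "anywhere outside the system directories" is a one-line change to the condition in find_relocated_system_binaries.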
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3.5MB
MD5: d13998e695b9a489ec9c72a26b77359d
SHA1: d4ada77aeda6845e5a8323244549e2f0dc30e9d6
SHA256: d4499394031f6e3cd4de47266131e071246a4db2f58877dc98bf1b85726f45e4
SHA512: 3872e97f9f12de1af0bbaf53a912a3ab9acc57de1fdb804f4433c6a9b0f4daaf1e43bc3287b80bb1ab2d390a9e34e887be05321abcba534803fc07c15993cbaf

Filesize: 3.5MB
MD5: 959843c47eaa9bf47c245f7a7c54cc2d
SHA1: 2dcdd7573d2610e191c93dd9258bd34b4ff9db84
SHA256: 43aa786c45ea377bc4a94866a73c928a1c837847886d2beac226fb0bd4545a47
SHA512: c4a708ad81d4b74199789314fa6b9271b3dac8bd5d860468fd5e20f4170ea0385e031925e895f9bb218e1d050008686725aacc1672ef18ec7222590066d1fcc0

Filesize: 3.5MB
MD5: dddf0650057a9829b318e04ca649712b
SHA1: 2a7536c1a41714a4a414c59cddf3dadceb051069
SHA256: 6bf59a4cf6b430b08be2e0d8040d021479a24f5a54ca7ab4452694bb3e1625ca
SHA512: 2cfe9b1cc4721dd359a24494b70d9bc25cb6ba3460e70dc957942ef99c5aa4d79c440ca92c509f7f0c1b0d1951b99d57fb975c19c3607f74cf298092e3f15df8

Filesize: 1KB
MD5: 446aee12d83216e14a6be88e30f14504
SHA1: 89cfac8fd71c730139b0ee4442532b1a97d20278
SHA256: 5188e885664b6a89a8316d23e0b2adf0b7fa6b483fafb850ceb424bad7167428
SHA512: 244cbe4a354281cae1c50544b08e2b657c38393cf3b5979150a64ff9887d8da43fbb70ac528b677a7b5aca0853634532add97d537bd793e56cd93925a2e2a8b2

Filesize: 259KB
MD5: 4d38389fb92e43c77a524fd96dbafd21
SHA1: 08014e52f6894cad4f1d1e6fc1a703732e9acd19
SHA256: 070bc95c486c15d2edc3548ba416dc9565ead401cb03a0472f719fb55ac94e73
SHA512: 02d8d130cff2b8de15139d309e1cd74a2148bb786fd749e5f22775d45e193b0f75adf40274375cabce33576480ff20456f25172d29a034cd134b8084d40a67ba

Filesize: 421KB
MD5: 7633f554eeafde7f144b41c2fcaf5f63
SHA1: 44497c3d6fada0066598a6170b90c53e28ddf96c
SHA256: 890884c7fe7d037e6debd21d1877e9c9c5e7790cdba007ddb219ae6a55667f78
SHA512: 7b61b6736c2c4f49d80f53c839914ad845f86a7d921fee1557e49aa7b4e9713e3483417d6c717eca155229bb6a90fc2253e1543cf05192aaf08262dc761fa203

Filesize: 3.5MB
MD5: 58787c8a3f1b7b4b511aa735b79d2cd5
SHA1: 96bcbd2c9cf87ede17a25e95eda96ba1171a09bf
SHA256: 1ff2979a16cb202124f72d196d276453a5234e52f1d157f638df0a5c40fae66e
SHA512: e4c07af389b06ec61367efd8a8149b8ad8b13161a55baa042a0a56b9fe1f9cf97b53b408f67c0dc482643f220e81385e0d29dbeed3811234ef3c6637d1614c10

Filesize: 584KB
MD5: 29c1d5b330b802efa1a8357373bc97fe
SHA1: 90797aaa2c56fc2a667c74475996ea1841bc368f
SHA256: 048bd22abf158346ab991a377cc6e9d2b20b4d73ccee7656c96a41f657e7be7f
SHA512: 66f4f75a04340a1dd55dfdcc3ff1103ea34a55295f56c12e88d38d1a41e5be46b67c98bd66ac9f878ce79311773e374ed2bce4dd70e8bb5543e4ec1dd56625ee

Filesize: 517KB
MD5: b795e6138e29a37508285fc31e92bd78
SHA1: d0fe0c38c7c61adbb77e58d48b96cd4bf98ecd4a
SHA256: 01a9733871baa8518092bade3fce62dcca14cdf6fc55b98218253580b38d7659
SHA512: 8312174a77bab5fef7c4e9efff66c43d3515b02f5766ed1d3b9bd0abb3d7344a9a22cbac228132098428c122293d2b1898b3a2d75f5e4247b1dcb9aa9c7913b1