Analysis
- max time kernel: 150s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 25-01-2024 05:15
Static task: static1
Behavioral task: behavioral1
- Sample: 73d3e10fa82e2301bd8fb5cabf77c864.dll
- Resource: win7-20231129-en
General
- Target: 73d3e10fa82e2301bd8fb5cabf77c864.dll
- Size: 1.8MB
- MD5: 73d3e10fa82e2301bd8fb5cabf77c864
- SHA1: d2b3b357137270b8fd1a4d7e2cb60a8b6ff1dc05
- SHA256: bdec67160c740cc4f649a1688c8cdc2467729c086df711606600d9967c967641
- SHA512: 8b3af541942e69cb96783ed8ea2ac18bda4e9e91d1ea57e1ab8d6b66ca07ec51c699bccf3b612e98b98ab37f929a30cb3547a7d97210289a8928e90b6fc46c81
- SSDEEP: 12288:5VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:4fP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
-
Processes (resource, yara_rule):
- behavioral1/memory/1256-5-0x0000000002DA0000-0x0000000002DA1000-memory.dmp | dridex_stager_shellcode
-
Executes dropped EXE 3 IoCs
Processes: PresentationSettings.exe, iexpress.exe, tcmsetup.exe
pid, process:
- 2764 PresentationSettings.exe
- 948 iexpress.exe
- 1824 tcmsetup.exe
-
Loads dropped DLL 7 IoCs
Processes: PresentationSettings.exe, iexpress.exe, tcmsetup.exe
pid, process (in the order reported; pid 1256 has no process name in the report):
- 1256
- 2764 PresentationSettings.exe
- 1256
- 948 iexpress.exe
- 1256
- 1824 tcmsetup.exe
- 1256
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes (description, ioc, process):
- Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Groztcac = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\O60FA2\\iexpress.exe" | (process name not shown in the report)
-
Checks whether UAC is enabled
Processes: iexpress.exe, tcmsetup.exe, rundll32.exe, PresentationSettings.exe
description, ioc, process:
- Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | iexpress.exe
- Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | tcmsetup.exe
- Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
- Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | PresentationSettings.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: rundll32.exe
pid, process:
- 2188 rundll32.exe (3 entries)
- 1256 (remaining 61 entries; no process name shown in the report)
-
Suspicious use of WriteProcessMemory 18 IoCs
description, pid, target process (each entry is recorded 3 times in the report; the process column is empty for all of them):
- PID 1256 wrote to memory of 2624 | 1256 | PresentationSettings.exe
- PID 1256 wrote to memory of 2764 | 1256 | PresentationSettings.exe
- PID 1256 wrote to memory of 1700 | 1256 | iexpress.exe
- PID 1256 wrote to memory of 948 | 1256 | iexpress.exe
- PID 1256 wrote to memory of 1068 | 1256 | tcmsetup.exe
- PID 1256 wrote to memory of 1824 | 1256 | tcmsetup.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (all reported at tree depth 1)
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\73d3e10fa82e2301bd8fb5cabf77c864.dll,#1
  PID: 2188
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\PresentationSettings.exe
  Command line: C:\Windows\system32\PresentationSettings.exe
  PID: 2624
- C:\Users\Admin\AppData\Local\oVAOIMn3u\PresentationSettings.exe
  Command line: C:\Users\Admin\AppData\Local\oVAOIMn3u\PresentationSettings.exe
  PID: 2764
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\iexpress.exe
  Command line: C:\Windows\system32\iexpress.exe
  PID: 1700
- C:\Users\Admin\AppData\Local\nUt4bjZ\iexpress.exe
  Command line: C:\Users\Admin\AppData\Local\nUt4bjZ\iexpress.exe
  PID: 948
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Users\Admin\AppData\Local\bhrUSAnk\tcmsetup.exe
  Command line: C:\Users\Admin\AppData\Local\bhrUSAnk\tcmsetup.exe
  PID: 1824
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\tcmsetup.exe
  Command line: C:\Windows\system32\tcmsetup.exe
  PID: 1068
Network
MITRE ATT&CK Enterprise v15
Downloads