Analysis
-
max time kernel
150s
-
max time network
122s
-
platform
windows7_x64
-
resource
win7-20231215-en
-
resource tags
arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
-
submitted
25-01-2024 05:49
Static task
static1
Behavioral task
behavioral1
Sample
73e4b574f7a058d63f9b35f74580a338.dll
Resource
win7-20231215-en
General
-
Target
73e4b574f7a058d63f9b35f74580a338.dll
-
Size
2.0MB
-
MD5
73e4b574f7a058d63f9b35f74580a338
-
SHA1
4abd585b62be4d0a8efbd763891772521390c3f6
-
SHA256
d8ae9023a64efcbaf60e37647a920cf6757fa96a6e1e7357d67a3ac970c86eca
-
SHA512
4e9aa099ae2b51d59db1818768b34662b8b812fdd37a26aa72bb7994b3219b34d1f0e14902154ae5c51eade8bdcf5bb0da7aa48fe23f7ca6de3c36974b4f5d97
-
SSDEEP
12288:lVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1L:8fP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
-
Processes:
resource: behavioral1/memory/1260-5-0x0000000002B10000-0x0000000002B11000-memory.dmp
yara_rule: dridex_stager_shellcode
-
Executes dropped EXE 3 IoCs
Processes:
pid   process
472   wermgr.exe
832   rstrui.exe
2984  SystemPropertiesDataExecutionPrevention.exe
-
Loads dropped DLL 7 IoCs
Processes:
pid   process
1260  (no image name recorded)
472   wermgr.exe
1260  (no image name recorded)
832   rstrui.exe
1260  (no image name recorded)
2984  SystemPropertiesDataExecutionPrevention.exe
1260  (no image name recorded)
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\USERPI~1\\TaskBar\\hbJZ\\rstrui.exe"
process: (not recorded)
-
Checks whether UAC is enabled
Processes:
description        ioc                                                                                   process
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rstrui.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  SystemPropertiesDataExecutionPrevention.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  wermgr.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid   process
2912  rundll32.exe (3 entries)
1260  (no image name recorded; the remaining 61 entries)
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
description                        pid   process                 target process
PID 1260 wrote to memory of 592    1260  (not recorded)          wermgr.exe   (3 entries)
PID 1260 wrote to memory of 472    1260  (not recorded)          wermgr.exe   (3 entries)
PID 1260 wrote to memory of 900    1260  (not recorded)          rstrui.exe   (3 entries)
PID 1260 wrote to memory of 832    1260  (not recorded)          rstrui.exe   (3 entries)
PID 1260 wrote to memory of 2724   1260  (not recorded)          SystemPropertiesDataExecutionPrevention.exe   (3 entries)
PID 1260 wrote to memory of 2984   1260  (not recorded)          SystemPropertiesDataExecutionPrevention.exe   (3 entries)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\73e4b574f7a058d63f9b35f74580a338.dll,#1
(depth 1)
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2912
-
C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
(depth 1)
PID:592
-
C:\Users\Admin\AppData\Local\XLifyUm\wermgr.exe
C:\Users\Admin\AppData\Local\XLifyUm\wermgr.exe
(depth 1)
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:472
-
C:\Windows\system32\rstrui.exe
C:\Windows\system32\rstrui.exe
(depth 1)
PID:900
-
C:\Users\Admin\AppData\Local\xjKeJ62\rstrui.exe
C:\Users\Admin\AppData\Local\xjKeJ62\rstrui.exe
(depth 1)
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:832
-
C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
(depth 1)
PID:2724
-
C:\Users\Admin\AppData\Local\7uGmjl\SystemPropertiesDataExecutionPrevention.exe
C:\Users\Admin\AppData\Local\7uGmjl\SystemPropertiesDataExecutionPrevention.exe
(depth 1)
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2984
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.0MB
MD5
4d7898b5c400a1cda32132e97e4f0fd8
SHA1
067df1856188c2723795a4dc6a33c0986d4b05eb
SHA256
8a35965c5853e73e12e2e2d984dc925cefef77f5b210af628c95a49ae6409482
SHA512
49b6c484bcb8b329acfe111094ed1b115175714e67118123f504e79c3b2adad17005621783f23e0e0b9e59991ed9bdfed865d692e84b91607997a027074645f5
-
Filesize
896KB
MD5
d9a378b4f5fb16a14724aa1ccc404938
SHA1
1511dea6cd032488cdfb7e458adfee99ec2f552b
SHA256
dad49aea079a2ac37d3da85e977dc4dd865594ad64e52bdf7cea2be2382f477a
SHA512
bfaa037331de080eb6cd89bc45fc8dc97c391a96d1d88662d7eac2951593d5cab958a39c74567b90608cf2cbb16f93e8fe782e174210fa0dbc25c41effcc3e22
-
Filesize
49KB
MD5
41df7355a5a907e2c1d7804ec028965d
SHA1
453263d230c6317eb4a2eb3aceeec1bbcf5e153d
SHA256
207bfec939e7c017c4704ba76172ee2c954f485ba593bc1bc8c7666e78251861
SHA512
59c9d69d3942543af4f387137226516adec1a4304bd5696c6c1d338f9e5f40d136450907351cce018563df1358e06a792005167f5c08c689df32d809c4cebdcf
-
Filesize
290KB
MD5
3db5a1eace7f3049ecc49fa64461e254
SHA1
7dc64e4f75741b93804cbae365e10dc70592c6a9
SHA256
ba8387d4543b8b11e2202919b9608ee614753fe77f967aad9906702841658b49
SHA512
ea81e3233e382f1cf2938785c9ded7c8fbbf11a6a6f5cf4323e3211ae66dad4a2c597cb589ff11f9eae79516043aba77d4b24bfa6eb0aa045d405aabdea4a025
-
Filesize
1KB
MD5
d63ce2369919ec7fc9e45ea777e80bfd
SHA1
d6c55ed701aa22cbb19094f49e2f1a935d014be3
SHA256
26db2f7976ae3bc3432af7508ae271c09f1b8ed4ec9c0b4398ca66ca0850d828
SHA512
9b2ecc840f2a5435f3a3e9e660c9ef9c342ae260aaed6e728a1857e2221f5bb985378413f4e597b46d6eb7cec3701c664b4c92d23ebf06da3a333dfd37ff10ef
-
Filesize
80KB
MD5
e43ff7785fac643093b3b16a9300e133
SHA1
a30688e84c0b0a22669148fe87680b34fcca2fba
SHA256
c8e1b3ecce673035a934d65b25c43ec23416f5bbf52d772e24e48e6fd3e77e9b
SHA512
61260999bb57817dea2d404bcf093820679e597298c752d38db181fe9963b5fa47e070d6a3c7c970905035b396389bb02946b44869dc8b9560acc419b065999a
-
Filesize
2.0MB
MD5
831fa0fe191640a1bc81189c5c968840
SHA1
af019f60c44d8f0d82015ef1ff07ff68e2b2e192
SHA256
1b087df372b266660ff9e4ec7b67806fe8141505aa748e29b7c58713c599bf87
SHA512
91fde0d1a0922036b3e5012ab2215d24dcef91b236d0d36bc27281a3fb1fde617df094a411506e000920041c9b43d49062ece6a8f3449387a7c467ea00a78129
-
Filesize
2.0MB
MD5
2eb76e230d7e1f6c60065648223eaed3
SHA1
f74dddeadd438788e12848fc6e70395ee88a897c
SHA256
ea2b6bcb30e8f47ca03385db20bbd7d89db4d553b32727e62de50c06c6daae67
SHA512
fa06118bbeed663f6f48d9514c63d065c710815d797e4ba32c60fe4d059a43aad45b67ef73a7ca1f88cca27d94afc3ec15d8810ffe8314135895a0669886a23f