Analysis
max time kernel: 150s
max time network: 122s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 25-01-2024 10:34

Static task: static1
Behavioral task: behavioral1
Sample: 7477fc39b45ddb88b4ff0de5a954889a.dll
Resource: win7-20231215-en
General
Target: 7477fc39b45ddb88b4ff0de5a954889a.dll
Size: 1.8MB
MD5: 7477fc39b45ddb88b4ff0de5a954889a
SHA1: b89770175d0845d1aa7615fc346bcf6d9dd755ea
SHA256: 1bed54ab01a098e8eefee909a56a0ce2b4ffc50208869d313501680c11e05798
SHA512: f4369eb6c97714d9409f67598022fab36555405a4b4a2fcac31b8b8a631a19280c0204e32bd9c46a33d44a77c31134f129e3b7295dfc0c6470c612e62b352296
SSDEEP: 12288:zVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1Kt:ifP7fWsK5z9A+WGAW+V5SB6Ct4bnbKt
Malware Config
Signatures
YARA rule match: dridex_stager_shellcode
Processes:
  resource                                                                      yara_rule
  behavioral1/memory/1384-5-0x0000000002B10000-0x0000000002B11000-memory.dmp    dridex_stager_shellcode
Executes dropped EXE (3 IoCs)
Processes:
  pid    process
  328    eudcedit.exe
  2644   StikyNot.exe
  1560   msinfo32.exe
Loads dropped DLL (7 IoCs)
Processes:
  pid    process
  1384   (process name not shown in the report)
  328    eudcedit.exe
  1384   (process name not shown in the report)
  2644   StikyNot.exe
  1384   (process name not shown in the report)
  1560   msinfo32.exe
  1384   (process name not shown in the report)
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description       ioc                                                                                                                                  process
  Set value (str)   \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\NNIYfTExpn0\\StikyNot.exe"   (process name not shown in the report)
Checks whether UAC is enabled
Processes:
  description         ioc                                                                                      process
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA    rundll32.exe
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA    eudcedit.exe
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA    StikyNot.exe
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA    msinfo32.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  pid    process                                   entries
  2436   rundll32.exe                              3
  1384   (process name not shown in the report)    remaining 61 entries
Suspicious use of WriteProcessMemory (18 IoCs)
Processes:
  description                    source pid   target pid   target process   entries
  PID 1384 wrote to memory of    1384         1680         eudcedit.exe     3
  PID 1384 wrote to memory of    1384         328          eudcedit.exe     3
  PID 1384 wrote to memory of    1384         1180         StikyNot.exe     3
  PID 1384 wrote to memory of    1384         2644         StikyNot.exe     3
  PID 1384 wrote to memory of    1384         1492         msinfo32.exe     3
  PID 1384 wrote to memory of    1384         1560         msinfo32.exe     3
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7477fc39b45ddb88b4ff0de5a954889a.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 2436

C:\Windows\system32\eudcedit.exe
  command line: C:\Windows\system32\eudcedit.exe
  PID: 1680

C:\Users\Admin\AppData\Local\RecUTez\eudcedit.exe
  command line: C:\Users\Admin\AppData\Local\RecUTez\eudcedit.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 328

C:\Windows\system32\StikyNot.exe
  command line: C:\Windows\system32\StikyNot.exe
  PID: 1180

C:\Users\Admin\AppData\Local\ZH6j2qFR\StikyNot.exe
  command line: C:\Users\Admin\AppData\Local\ZH6j2qFR\StikyNot.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2644

C:\Windows\system32\msinfo32.exe
  command line: C:\Windows\system32\msinfo32.exe
  PID: 1492

C:\Users\Admin\AppData\Local\96P\msinfo32.exe
  command line: C:\Users\Admin\AppData\Local\96P\msinfo32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1560
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize: 1.8MB
  MD5: 8c42d96a06f0c138f7be68b461ba1aca
  SHA1: f781f66e2bb2b67077869213ee3303626dfbbf96
  SHA256: 55d0470e4494590cd6dea28d3f9f8160913ad252620bc0a960f922fe3198dc1f
  SHA512: e23dd29de6aceddc9c30332f9678219edd0a25b7d087ae3760673ffa0cde6ff97e6cfdc9d8deb9757f92385db1d38a169a6e843766cca6e53f31bf08283da4da

File 2
  Filesize: 1.8MB
  MD5: e879ed7a139445e4ddd2bbc06e196004
  SHA1: 5b4e528b6079276ba220ce7d7da367b910d4d716
  SHA256: 812b84acb47eedf17886b47d6a7edd4521d7d9310d583a1def224083d9c7f80b
  SHA512: de0507314d4d1e73c29d08fe2ab7b22b35e223ea5c26decd916bdfd52fea777d891afeb83ea168a060bf14970709d3f40fa29c7fdcdeb421d254fbd9fccef5c3

File 3
  Filesize: 1.8MB
  MD5: 77711413fad9a5293ba0c7c1cf74c219
  SHA1: 27d9bb757f661239c3e242cd63031170b59e5a50
  SHA256: ba1d3b43aa2684d13adc444ef3440e42c5e420093bf5894bf655f21238b0e075
  SHA512: f42bccf6ac1082ec3e183b62e82a894d111d3c728ebb09e5e7ddddb9e8f60f31011643c263ffe50072c7e6501900854f48b9ab84ecca904ebf855241a238ab69

File 4
  Filesize: 1KB
  MD5: acf4abd5ce068a487b64473c8565c58b
  SHA1: a1e5a670a6c61c4ecea68fc12d272c468595e09c
  SHA256: d4abd97813bac609272772b6c495791bb7b758407e1e873d84229461326301c6
  SHA512: 63bef9fdae91564df23190bd8dcaf08d35ef0b14ad30a45c0429ea6fb717f65ae996c42f21eba6a670b3bd5c739becf94217f9618c274cade2b6447efc2c8aee

File 5
  Filesize: 370KB
  MD5: d291620d4c51c5f5ffa62ccdc52c5c13
  SHA1: 2081c97f15b1c2a2eadce366baf3c510da553cc7
  SHA256: 76e959dd7db31726c040d46cfa86b681479967aea36db5f625e80bd36422e8ae
  SHA512: 75f9bcce4c596dae1f4d78e13d9d53b0c31988d2170c3d9f5db352b8c8a1c8ca58f4a002b30a4b328b8f4769008b750b8a1c9fda44a582e11c3adc38345c334b

File 6
  Filesize: 351KB
  MD5: 35e397d6ca8407b86d8a7972f0c90711
  SHA1: 6b39830003906ef82442522d22b80460c03f6082
  SHA256: 1f64118bdc3515e8e9fce6ad182f6d0c8a6528d638fedb4901a6152cde4c7cde
  SHA512: 71b0c4ac120e5841308b0c19718bdc28366b0d79c8177091328ef5421392b9ee5e4758816ffb8c0977f178e1b33ed064f64781eaf7d6952878dc8aea402f035e

File 7
  Filesize: 417KB
  MD5: b22cb67919ebad88b0e8bb9cda446010
  SHA1: 423a794d26d96d9f812d76d75fa89bffdc07d468
  SHA256: 2f744feac48ede7d6b6d2727f7ddfa80b26d9e3b0009741b00992b19ad85e128
  SHA512: f40aad2a381b766aae0a353fae3ab759d5c536b2d00d135527bba37b601d2f24323f079bd09600355d79404d574ac59201d415ef64c1568877ad0ce0da2dd1d5