Analysis
- max time kernel: 151s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 26-01-2024 22:07
Static task: static1
Behavioral task: behavioral1
Sample: 78833dc80091e76f426f64b576358fef.dll
Resource: win7-20231215-en
General
- Target: 78833dc80091e76f426f64b576358fef.dll
- Size: 1.9MB
- MD5: 78833dc80091e76f426f64b576358fef
- SHA1: 73bf7b969ae33dfbf064bd0ae6eba9e5caf12a49
- SHA256: c004c89e8e9190bf7629831fa4b9f1a6a90510777e4d233e119b0f4902f66222
- SHA512: 083b730c34431022a4cea13721af99a789820de1b135a9eff815bbe7a7a8f4e7162576c3c821fb781a2366ab78d83c5382744de3a032b3af02e3db2320557a28
- SSDEEP: 12288:9VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1Mt:kfP7fWsK5z9A+WGAW+V5SB6Ct4bnbMt
Malware Config
Signatures
Processes (resource | yara_rule):
  behavioral1/memory/1224-5-0x0000000002A90000-0x0000000002A91000-memory.dmp | dridex_stager_shellcode
Executes dropped EXE (3 IoCs)
Processes (pid | process):
  328 | FXSCOVER.exe
  1556 | SoundRecorder.exe
  2776 | shrpubw.exe
Loads dropped DLL (7 IoCs)
Processes (pid | process):
  1224 | (process name not recorded)
  328 | FXSCOVER.exe
  1224 | (process name not recorded)
  1556 | SoundRecorder.exe
  1224 | (process name not recorded)
  2776 | shrpubw.exe
  1224 | (process name not recorded)
Adds Run key to start application (2 TTPs, 1 IoC)
Processes (description | ioc | process):
  Set value (str) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\Xkgbzoakajt = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\zQ7qkwq7nP\\SoundRecorder.exe" | (process name not recorded)
Checks whether UAC is enabled
Processes (description | ioc | process):
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | FXSCOVER.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | SoundRecorder.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | shrpubw.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid | process):
  2008 | rundll32.exe (3 entries)
  1224 | (process name not recorded) (61 entries)
Suspicious use of WriteProcessMemory (18 IoCs)
Processes (description | pid | process | target process):
  PID 1224 wrote to memory of 1348 | 1224 | (not recorded) | FXSCOVER.exe (3 entries)
  PID 1224 wrote to memory of 328 | 1224 | (not recorded) | FXSCOVER.exe (3 entries)
  PID 1224 wrote to memory of 2952 | 1224 | (not recorded) | SoundRecorder.exe (3 entries)
  PID 1224 wrote to memory of 1556 | 1224 | (not recorded) | SoundRecorder.exe (3 entries)
  PID 1224 wrote to memory of 1608 | 1224 | (not recorded) | shrpubw.exe (3 entries)
  PID 1224 wrote to memory of 2776 | 1224 | (not recorded) | shrpubw.exe (3 entries)
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\78833dc80091e76f426f64b576358fef.dll,#1
  PID: 2008
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\FXSCOVER.exe
  Command line: C:\Windows\system32\FXSCOVER.exe
  PID: 1348
- C:\Users\Admin\AppData\Local\bIrnq\FXSCOVER.exe
  Command line: C:\Users\Admin\AppData\Local\bIrnq\FXSCOVER.exe
  PID: 328
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\SoundRecorder.exe
  Command line: C:\Windows\system32\SoundRecorder.exe
  PID: 2952
- C:\Users\Admin\AppData\Local\LEpoW9c\SoundRecorder.exe
  Command line: C:\Users\Admin\AppData\Local\LEpoW9c\SoundRecorder.exe
  PID: 1556
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\shrpubw.exe
  Command line: C:\Windows\system32\shrpubw.exe
  PID: 1608
- C:\Users\Admin\AppData\Local\UP5b0FH\shrpubw.exe
  Command line: C:\Users\Admin\AppData\Local\UP5b0FH\shrpubw.exe
  PID: 2776
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\gx\MFC42u.dll
  Filesize: 2.0MB
  MD5: 758ae7980741f1689e2d4336f0c33096
  SHA1: a22a928eab901c53e283f4e2266d58993511f6ae
  SHA256: 093cb631c21549f9c79e7fff99e8109b7e8951f8e7b709496beb27ccb9b6cea4
  SHA512: bbc118159edf3ad6f8c96f09df7d20a8eae9ebc80a5e2b3460d26dbdfd5a2e8a540fbf05815708e8336c08c7d06a4b917c801601118aa2e31583cb381c3270c1