Analysis
- max time kernel: 150s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 26-01-2024 05:17
Static task: static1
Behavioral task: behavioral1
Sample: 767b661339f842a24584de1cfd7ff58a.dll
Resource: win7-20231215-en
General
- Target: 767b661339f842a24584de1cfd7ff58a.dll
- Size: 2.0MB
- MD5: 767b661339f842a24584de1cfd7ff58a
- SHA1: e01e2af3f556dab1835683abc02c7e6f4886568e
- SHA256: 12f891dd73ef13029a6cb2422c35d390835c149c627ec7f52a985633b4ec14d4
- SHA512: ac3f08cd8a55c437a73d79529ff0e3133a7c30d666dc11ef200a5096435ffa15a6c3030f41b1de623e7cb080508d2e89b25539230e886abbd6c2c7ed58861b9c
- SSDEEP: 12288:bVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:6fP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
- YARA rule hit (dridex_stager_shellcode)
  Processes (resource, yara_rule):
  behavioral1/memory/1244-5-0x0000000002A90000-0x0000000002A91000-memory.dmp | dridex_stager_shellcode
- Executes dropped EXE 3 IoCs
  Processes (pid, process):
  2564 SoundRecorder.exe
  1084 msconfig.exe
  2144 SystemPropertiesComputerName.exe
- Loads dropped DLL 7 IoCs
  Processes (pid, process; rows with no process name are recorded with pid only):
  1244
  2564 SoundRecorder.exe
  1244
  1084 msconfig.exe
  1244
  2144 SystemPropertiesComputerName.exe
  1244
- Adds Run key to start application 2 TTPs 1 IoCs
  Processes (description, ioc):
  Set value (str) | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fskzoiv = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\UxkMfgDlgWS\\msconfig.exe"
- Checks whether UAC is enabled
  Processes (description, ioc, process):
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | SoundRecorder.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | msconfig.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | SystemPropertiesComputerName.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
- Suspicious behavior: EnumeratesProcesses 64 IoCs
  Processes (pid, process):
  3048 rundll32.exe (3 entries)
  1244 (no process name recorded; the remaining 61 of the 64 entries)
- Suspicious use of WriteProcessMemory 18 IoCs
  Processes (description, pid, target process; each row is recorded 3 times):
  PID 1244 wrote to memory of 2612 | 1244 | SoundRecorder.exe
  PID 1244 wrote to memory of 2564 | 1244 | SoundRecorder.exe
  PID 1244 wrote to memory of 732 | 1244 | msconfig.exe
  PID 1244 wrote to memory of 1084 | 1244 | msconfig.exe
  PID 1244 wrote to memory of 1452 | 1244 | SystemPropertiesComputerName.exe
  PID 1244 wrote to memory of 2144 | 1244 | SystemPropertiesComputerName.exe
- Uses Task Scheduler COM API 1 TTPs
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (path, command line, signatures, PID; tree level 1 for each)
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\767b661339f842a24584de1cfd7ff58a.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 3048
- C:\Windows\system32\SoundRecorder.exe
  command line: C:\Windows\system32\SoundRecorder.exe
  PID: 2612
- C:\Users\Admin\AppData\Local\oFMo\SoundRecorder.exe
  command line: C:\Users\Admin\AppData\Local\oFMo\SoundRecorder.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2564
- C:\Windows\system32\msconfig.exe
  command line: C:\Windows\system32\msconfig.exe
  PID: 732
- C:\Users\Admin\AppData\Local\fYk\msconfig.exe
  command line: C:\Users\Admin\AppData\Local\fYk\msconfig.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1084
- C:\Windows\system32\SystemPropertiesComputerName.exe
  command line: C:\Windows\system32\SystemPropertiesComputerName.exe
  PID: 1452
- C:\Users\Admin\AppData\Local\1EiEYL1K\SystemPropertiesComputerName.exe
  command line: C:\Users\Admin\AppData\Local\1EiEYL1K\SystemPropertiesComputerName.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2144
Network
MITRE ATT&CK Enterprise v15
Downloads