Analysis
max time kernel: 149s
max time network: 119s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 26-01-2024 10:54

Static task: static1
Behavioral task: behavioral1
Sample: 772b68bf3048024e686be386fbfe5083.dll
Resource: win7-20231215-en
General
Target: 772b68bf3048024e686be386fbfe5083.dll
Size: 652KB
MD5: 772b68bf3048024e686be386fbfe5083
SHA1: 458a9a79779cf07157ec419d9511975e2f8aa2c8
SHA256: 7c62dc19058fca240cc5e8942a240f7691e6066aa3d59a51185ac3209e8f1409
SHA512: 18164714b6ced7284218c0dc8c4e0013b1b08084e07f89322564bdd0bf5d37c62edcb947965e1384e26fe36dd7d613a82697a4429fc935ee1557edf3c9290d62
SSDEEP: 12288:8KYQ5LL540CV3UIeLPrleV1F0e8gMA/9L0l3HATpKR4:9YQ5p4f0POF0nkls3opKR
Malware Config
Signatures
Processes:
  resource                                                                     yara_rule
  behavioral1/memory/1212-4-0x0000000002E20000-0x0000000002E21000-memory.dmp   dridex_stager_shellcode
Loads dropped DLL 1 IoCs
Processes:
  pid    process
  1212   (not recorded)
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bsfvntd = "C:\\Users\\Admin\\AppData\\Roaming\\bCGsop\\mfpmp.exe"
Checks whether UAC is enabled
Processes:
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  process: rundll32.exe
Drops file in System32 directory 2 IoCs
Processes:
  description                    ioc                                   process
  File created                   C:\Windows\system32\X31h\tabcal.exe   cmd.exe
  File opened for modification   C:\Windows\system32\X31h\tabcal.exe   cmd.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid    process
  2028   rundll32.exe     (3 hits)
  1212   (not recorded)   (remaining 61 hits)
Suspicious use of WriteProcessMemory 33 IoCs
Processes (each entry recorded 3 times):
  description                        pid    target process
  PID 1212 wrote to memory of 320    1212   mfpmp.exe
  PID 1212 wrote to memory of 2616   1212   cmd.exe
  PID 1212 wrote to memory of 2340   1212   tabcal.exe
  PID 1212 wrote to memory of 2724   1212   cmd.exe
  PID 1212 wrote to memory of 2564   1212   schtasks.exe
  PID 1212 wrote to memory of 2004   1212   schtasks.exe
  PID 1212 wrote to memory of 1612   1212   schtasks.exe
  PID 1212 wrote to memory of 2336   1212   schtasks.exe
  PID 1212 wrote to memory of 540    1212   schtasks.exe
  PID 1212 wrote to memory of 1892   1212   schtasks.exe
  PID 1212 wrote to memory of 2460   1212   schtasks.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\772b68bf3048024e686be386fbfe5083.dll,#1
  PID: 2028
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\mfpmp.exe
  C:\Windows\system32\mfpmp.exe
  PID: 320
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\wzEO.cmd
  PID: 2616
- C:\Windows\system32\tabcal.exe
  C:\Windows\system32\tabcal.exe
  PID: 2340
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\b7DyU.cmd
  PID: 2724
  - Drops file in System32 directory
- C:\Windows\system32\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /Create /F /TN "Ajfbjcebwom" /TR "C:\Windows\system32\X31h\tabcal.exe" /SC minute /MO 60 /RL highest
  PID: 2564
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe
  C:\Windows\system32\schtasks.exe /Query /TN "Ajfbjcebwom"
  PID: 2004
- C:\Windows\system32\schtasks.exe
  C:\Windows\system32\schtasks.exe /Query /TN "Ajfbjcebwom"
  PID: 1612
- C:\Windows\system32\schtasks.exe
  C:\Windows\system32\schtasks.exe /Query /TN "Ajfbjcebwom"
  PID: 2336
- C:\Windows\system32\schtasks.exe
  C:\Windows\system32\schtasks.exe /Query /TN "Ajfbjcebwom"
  PID: 540
- C:\Windows\system32\schtasks.exe
  C:\Windows\system32\schtasks.exe /Query /TN "Ajfbjcebwom"
  PID: 1892
- C:\Windows\system32\schtasks.exe
  C:\Windows\system32\schtasks.exe /Query /TN "Ajfbjcebwom"
  PID: 2460
Network
MITRE ATT&CK Enterprise v15
Downloads