Analysis
max time kernel: 150s
max time network: 123s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-01-2024 21:17
Static task: static1
Behavioral task: behavioral1
Sample: 786915fd97a5568543a2c219b4116abf.dll
Resource: win7-20231215-en
General
Target: 786915fd97a5568543a2c219b4116abf.dll
Size: 1.4MB
MD5: 786915fd97a5568543a2c219b4116abf
SHA1: 4c76633b4440df5c58a8e835001c8921a5171cd0
SHA256: a4c35298a6852c3e1ebec89e8d2c739c9dafe977cd2931af02f46f8d640dabe0
SHA512: 4c78d00677052e2cc189862f72ef6a8acc490fadba92e157292b0af022a437f685794617a3b462d59feb18178f1234019e503b23087cba4d3f3d2e1fa61b47ea
SSDEEP: 12288:yVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:vfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
-
Processes:
resource | yara_rule
behavioral2/memory/3468-4-0x00000000080D0000-0x00000000080D1000-memory.dmp | dridex_stager_shellcode
-
Executes dropped EXE 3 IoCs
Processes:
pid | process
4468 | SystemPropertiesDataExecutionPrevention.exe
1780 | SystemPropertiesPerformance.exe
2500 | SystemPropertiesComputerName.exe
-
Loads dropped DLL 3 IoCs
Processes:
pid | process
4468 | SystemPropertiesDataExecutionPrevention.exe
1780 | SystemPropertiesPerformance.exe
2500 | SystemPropertiesComputerName.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc
Set value (str) | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mmiwstgfcubwacq = "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\CloudStore\xiLRQ9\SystemPropertiesPerformance.exe"
-
Checks whether UAC is enabled 3 IoCs
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | SystemPropertiesDataExecutionPrevention.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | SystemPropertiesPerformance.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | SystemPropertiesComputerName.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process | events
2920 | regsvr32.exe | 4
3468 | (process name blank in report) | 60
-
Suspicious use of AdjustPrivilegeToken 16 IoCs
Processes:
description | pid | events
Token: SeShutdownPrivilege | 3468 | 8
Token: SeCreatePagefilePrivilege | 3468 | 8
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid | events
3468 | 2
-
Suspicious use of UnmapMainImage 1 IoCs
Processes:
pid | events
3468 | 1
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
source pid | target pid | target process | events
3468 | 3896 | SystemPropertiesDataExecutionPrevention.exe | 2
3468 | 4468 | SystemPropertiesDataExecutionPrevention.exe | 2
3468 | 3284 | SystemPropertiesPerformance.exe | 2
3468 | 1780 | SystemPropertiesPerformance.exe | 2
3468 | 776 | SystemPropertiesComputerName.exe | 2
3468 | 2500 | SystemPropertiesComputerName.exe | 2
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
Image: C:\Windows\system32\regsvr32.exe
Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\786915fd97a5568543a2c219b4116abf.dll
- Suspicious behavior: EnumeratesProcesses
PID: 2920
-
Image: C:\Users\Admin\AppData\Local\1Jr\SystemPropertiesDataExecutionPrevention.exe
Command line: C:\Users\Admin\AppData\Local\1Jr\SystemPropertiesDataExecutionPrevention.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID: 4468
-
Image: C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
Command line: C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
PID: 3896
-
Image: C:\Windows\system32\SystemPropertiesPerformance.exe
Command line: C:\Windows\system32\SystemPropertiesPerformance.exe
PID: 3284
-
Image: C:\Users\Admin\AppData\Local\wkWWol\SystemPropertiesComputerName.exe
Command line: C:\Users\Admin\AppData\Local\wkWWol\SystemPropertiesComputerName.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID: 2500
-
Image: C:\Windows\system32\SystemPropertiesComputerName.exe
Command line: C:\Windows\system32\SystemPropertiesComputerName.exe
PID: 776
-
Image: C:\Users\Admin\AppData\Local\7dqD3zTM\SystemPropertiesPerformance.exe
Command line: C:\Users\Admin\AppData\Local\7dqD3zTM\SystemPropertiesPerformance.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID: 1780
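Three host-level artifacts in this report translate directly into hunting checks: regsvr32 /s registering a DLL from the user's Temp directory, copies of System32 executables (SystemPropertiesDataExecutionPrevention.exe, SystemPropertiesPerformance.exe, SystemPropertiesComputerName.exe) running from random-named folders under %LOCALAPPDATA% while loading dropped DLLs, and an HKCU Run value pointing at yet another such copy under AppData\Roaming. The Python below is an added example and is not part of the sandbox report or its tooling. It encodes those three checks over flat process-creation and registry-set events; the event schema and SAMPLE_EVENTS are constructed from the IOCs listed above, and SYSTEM32_BINARIES is deliberately limited to the names the report mentions.

```python
"""Hunting checks for the behaviours shown in the report, run over constructed events."""
import ntpath
import re

# Directories a Windows system executable is expected to run from (lower-case).
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}

# Executable names taken from the report's process tree. Assumption: this set is
# partial; on a real hunt populate it from a clean System32 directory listing.
SYSTEM32_BINARIES = {
    "regsvr32.exe",
    "systempropertiesdataexecutionprevention.exe",
    "systempropertiesperformance.exe",
    "systempropertiescomputername.exe",
}

# Run / RunOnce keys under any hive spelling (HKCU, HKLM, \REGISTRY\USER\<SID>, ...).
RUN_KEY_RE = re.compile(
    r"\\software\\(wow6432node\\)?microsoft\\windows\\currentversion\\run(once)?$",
    re.IGNORECASE,
)

# Constructed telemetry in a hypothetical flat schema, filled with the report's IOCs.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 2920,
     "image": r"C:\Windows\system32\regsvr32.exe",
     "cmdline": r"regsvr32 /s C:\Users\Admin\AppData\Local\Temp\786915fd97a5568543a2c219b4116abf.dll"},
    {"type": "process_create", "pid": 4468,
     "image": r"C:\Users\Admin\AppData\Local\1Jr\SystemPropertiesDataExecutionPrevention.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\1Jr\SystemPropertiesDataExecutionPrevention.exe"},
    {"type": "process_create", "pid": 3896,
     "image": r"C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe",
     "cmdline": r"C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe"},
    {"type": "process_create", "pid": 2500,
     "image": r"C:\Users\Admin\AppData\Local\wkWWol\SystemPropertiesComputerName.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\wkWWol\SystemPropertiesComputerName.exe"},
    {"type": "process_create", "pid": 1780,
     "image": r"C:\Users\Admin\AppData\Local\7dqD3zTM\SystemPropertiesPerformance.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\7dqD3zTM\SystemPropertiesPerformance.exe"},
    {"type": "registry_set",
     "key": r"\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": "Mmiwstgfcubwacq",
     "data": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\CloudStore\xiLRQ9\SystemPropertiesPerformance.exe"},
]


def image_from_command(cmd: str) -> str:
    """Extract the executable path from a Run value or command line.

    Handles a quoted path followed by arguments and an unquoted path ending in
    .exe followed by arguments; anything else returns the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    match = re.match(r"(.*?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return match.group(1) if match else cmd.split(" ", 1)[0]


def is_user_writable(path: str) -> bool:
    """True for locations an unprivileged user can normally write to."""
    p = path.lower()
    return (
        (p.startswith("c:\\users\\") and "\\appdata\\" in p)
        or p.startswith("c:\\programdata\\")
        or p.startswith("c:\\windows\\temp\\")
    )


def masquerades_system_binary(image: str) -> bool:
    """True when the file name is a System32 executable but the directory is not a system dir."""
    directory, name = ntpath.split(image)
    return name.lower() in SYSTEM32_BINARIES and directory.lower() not in SYSTEM_DIRS


def hunt(events):
    """Return (rule, subject, detail) tuples for every event matching one of the checks."""
    findings = []
    for ev in events:
        if ev["type"] == "registry_set" and RUN_KEY_RE.search(ev["key"]):
            target = image_from_command(ev["data"])
            if is_user_writable(target) or masquerades_system_binary(target):
                findings.append(("run_key_to_user_writable_path", ev["value"], target))
        elif ev["type"] == "process_create":
            image = ev["image"]
            if masquerades_system_binary(image):
                findings.append(("system_binary_outside_system_dir", ev["pid"], image))
            elif ntpath.basename(image).lower() == "regsvr32.exe":
                # regsvr32 registering a DLL from a user-writable path (the report's initial
                # execution). Naive whitespace split: DLL paths containing spaces need quoting.
                for token in ev["cmdline"].split():
                    if token.lower().endswith(".dll") and is_user_writable(token):
                        findings.append(("regsvr32_dll_from_user_writable_path", ev["pid"], token))
    return findings


if __name__ == "__main__":
    for rule, subject, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule:40} {subject!s:18} {detail}")
```

Against the constructed events the legitimate System32 launches (PIDs 3896, 3284, 776) produce nothing, while the three AppData copies, the regsvr32 launch and the Run value are each flagged. On a live host the same logic applies to Sysmon event IDs 1 and 13 or to EDR process and registry telemetry; whatever the source, the binary-name set should come from a clean System32 listing rather than from the handful of names a single report happens to contain.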
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 23KB
MD5: 87d99fd6fe3586e8a5f3f3506dacf026
SHA1: df231005ec1c586a4a2461e9d3dff78b6b8e7226
SHA256: 66b4282dbb2ce2ae9858be918f1261e1dca06f6dc0a7dab16c5b4ffdc0ba2975
SHA512: ebc1020c1ff76f725feaa7272a6b02a5bcfd89c96b32ba7e8ab49efa4c3c65cfcc41751243297c9f064c21d6d6a047b9dc03613aea9e3aa69f11e4fd9c7dce74
-
Filesize: 57KB
MD5: de2d0344d43f4bc280bf787d706706db
SHA1: ff99dea3d2f7b96d24bfb42e0ace9858a7ce114a
SHA256: 45362ba34f0ef22ae2dcb2359bb278bc67a12b68b01518850101c9df5482011e
SHA512: aacae331a73e91deb653650ebcd45c299a9ac149605c4814f9b2436d7580829173f655547efd3023a8008e2a780f9f396ffd0a64f19d3ab06f208eab20988be8
-
Filesize: 4KB
MD5: c2b47442b11544d310b48ac17b0ce799
SHA1: 99cf9f4965e5cb10daeeb9f0f18b5fd44f04ff37
SHA256: 44b1d058b093fdaf95994a0efa7d7d6b97d815f3d68adb76c4dbfc211b49882e
SHA512: 6d9fb36a91dfa29427c1e3bf0fe2f80f8f2a857242e548eefa586b519031368b9c2f37625a32afd7f96e0873edf0594471ae337e52db181871b351d634380874
-
Filesize: 82KB
MD5: de58532954c2704f2b2309ffc320651d
SHA1: 0a9fc98f4d47dccb0b231edf9a63309314f68e3b
SHA256: 1f810658969560f6e7d7a14f71d1196382e53b984ca190fa9b178ac4a32acfb3
SHA512: d4d57cc30d9079f4e9193ba42631e8e53d86b22e9c655d7a8c25e5be0e5e1d6dfff4714ddc23e3e392809d623b4f8d43c63893f74c325fc77459ac03c7a451ed
-
Filesize: 118KB
MD5: 40aa53dd1b76a076ef34f4527d945b52
SHA1: 590f541c86d329e165cdeda1c42a5b0f307d15d5
SHA256: 336760afa14920af1f657dda517ef1d9a994426ab8f7fdfc2c315a20320f221d
SHA512: 7f9959e5e4994aa5df7b0eba45608d1a6f213aa8c6a20ebbd55cc5b61c9a46b0cd6c3194cd15a437c63d1476a565efec5d5623bb2a6b0df28e5fc2d242178bba
-
Filesize: 185KB
MD5: c14cdd357c64cf8f358ac36b000d216c
SHA1: affb276602034c97b8c6bec379a05d0b5b444426
SHA256: fe9e2b19ba46525c3b2a6d24dfc0aee2ccfa4332d04a7fc4fba321e50064826e
SHA512: 0732727f614fea77feead6d3de6b24bb8fec0ca0a958229fc3b924f01face0869133576269182de76962224670e425e741b49946853d5eaea0c35b53f2815f51
-
Filesize: 82KB
MD5: e4fbf7cab8669c7c9cef92205d2f2ffc
SHA1: adbfa782b7998720fa85678cc85863b961975e28
SHA256: b266318d45a4245556a2e39b763f2f11eca780969105f6f103e53dd0a492bb30
SHA512: c5c62578d04133352d6cb7b018df96a7b55c18d6111ab8bf2bfe232a3315a63b07047fa5b0b88551d152085776c66169b47566242c8c4c5e0333c55adc64e1b6
-
Filesize: 155KB
MD5: f043c303c7030a1b295cf4991867bad8
SHA1: 559236ee36894b67137ecad4fb425be17e8cea34
SHA256: 24eb2954d9a9a9cc0500626b120efbf6b4edf75b53dc546820c25e62385ec7ea
SHA512: e347bb113ea8ebd98ffc7372aef8acf5e553d6c12368a9031e077ec9d5a5434d8669b99f970e540e5a34f2d9ef6fe2b5a50a3766bea03761f330080668c90c59
-
Filesize: 149KB
MD5: 28c06d75c1575da7300f65d7696becdf
SHA1: d2fc2f6acc2c2f6e91f93e7c5820dd7d0b240ee4
SHA256: beba11f1a54d4431a08a0861a72da23e96a26a790fae3eacda0eae48961a7855
SHA512: 4bb5677ff99e1afdf6c2a652a3e7a62116ff28d48bb0f7760728e7dfdb2c3db5051ee19bd426a6bf0c416d4a7088be90517b50774cca610f4e6177033bfe4421
-
Filesize: 82KB
MD5: 6711765f323289f5008a6a2a04b6f264
SHA1: d8116fdf73608b4b254ad83c74f2232584d24144
SHA256: bd3a97327326e2245938ec6099f20059b446ff0fe1c10b9317d15d1a1dd5331e
SHA512: 438abd282d9d1c0e7e5db2ce027ff9522c3980278b32b2eae09c595884a8dcbfd5178bc5926b1d15f03174303382e13f5d5ecab9a5d8e31fc07ef39e66c012e8
-
Filesize: 1.4MB
MD5: badabdfa4073bfd02c0bb1cc338fcc56
SHA1: 585aad23e994cc1d75b4cacefb219c89151c4da7
SHA256: 3743a4dd9e49d305b1f2cdf98e84465c3744838b6c95bed7c4d8356f9e1d90e8
SHA512: 572368b01a33d6bf705832eed869ba49c8dc3ef28704dc5b49ba323a2a1b2de172f8bc64762506a28560eb1b566231db3b93bf86caaf36e748bbb9eeb8eaf76d
-
Filesize: 1KB
MD5: 7ce68d5202e98af3abc360048df6aa85
SHA1: 4dc94e98c1cafbffe4564f0474e38f3bbf03f670
SHA256: 50656b1e5d764d8837d1959563aa76bf113cca5f575ae73601636798efa8997d
SHA512: 63e4681f67733b56d3aadbddecb1dfd1b61779d0b2e156aa191c870f10fcded8bd3f26847b101c550e62e8880981010db6d2e20ae2c88753d9e5ba1c37b00c2d
-
Filesize: 1.4MB
MD5: bc07d76c057f9dd38ee477d838b7e8e0
SHA1: 57e2abb3956c680ed6bd5f4ed9b92deaae8c725f
SHA256: 71c8eea5e2cae90fa696a7554771b2c40149360c9509034da622ccde9d0be60d
SHA512: 1e43774ab1036f01cd5940869cddb1f2a61161b1ced32aeeb3dab6929509ce27173dbedf290eb14f2f81660aa7e302c2bed8066b3ecc0eba534787ce9651be2b
-
Filesize: 1.4MB
MD5: 4b3f78c1616282df7a9f4e63a91c6038
SHA1: 546454d6b7f43c10f6b16cc1ca235fd207bfb597
SHA256: 6d752e313d63c421be77de25c75a89e0564515c477d6e2610aa6d766d4104207
SHA512: 915dca94b8f67af7220e2de83db17953e30e76d0eb07a2f67744063889a04a860f60c97d67ae34c558de483d7df985f765ab1dd4de88491cb382645e73119e94