Analysis
- max time kernel: 150s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 27-01-2024 12:18
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 7a3a76153e2caa54fc663d0fdc121d17.dll
  - Resource: win7-20231215-en

General
- Target: 7a3a76153e2caa54fc663d0fdc121d17.dll
- Size: 1.6MB
- MD5: 7a3a76153e2caa54fc663d0fdc121d17
- SHA1: 328a9e052e7a779cb70145f52761fe95ce11f2a1
- SHA256: 4566f8ee1f24d26293566ff8f5bd093244cd716536def070a0cc36ef83be64dd
- SHA512: 29dc194e0f6ab90c2eb34c5d989b15ac4950dca13cb3ab8eafcbfa1ac7fc5d108ee9090d25abca1be31633aa6ed0df2cf7369f7855c66f0f952d975d3f8619fd
- SSDEEP: 12288:SVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:PfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Signatures

- Yara rule match
  resource:  behavioral1/memory/1276-5-0x0000000002B70000-0x0000000002B71000-memory.dmp
  yara_rule: dridex_stager_shellcode

- Executes dropped EXE (3 IoCs)
  pid   process
  108   javaws.exe
  2416  sethc.exe
  1868  DevicePairingWizard.exe

- Loads dropped DLL (7 IoCs)
  pid   process
  1276  (no process name recorded)
  108   javaws.exe
  1276  (no process name recorded)
  2416  sethc.exe
  1276  (no process name recorded)
  1868  DevicePairingWizard.exe
  1276  (no process name recorded)

- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fskzoiv = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\BBvDswG\\sethc.exe"

- Checks whether UAC is enabled
  description         ioc                                                                                   process
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   rundll32.exe
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   javaws.exe
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   sethc.exe
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   DevicePairingWizard.exe

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   process
  2128  rundll32.exe                 (listed 3 times)
  1276  (no process name recorded)   (all remaining entries)

- Suspicious use of WriteProcessMemory (18 IoCs)
  description                            pid   process                      target process
  PID 1276 wrote to memory of 1876       1276  (no process name recorded)   javaws.exe               (listed 3 times)
  PID 1276 wrote to memory of 108        1276  (no process name recorded)   javaws.exe               (listed 3 times)
  PID 1276 wrote to memory of 1668       1276  (no process name recorded)   sethc.exe                (listed 3 times)
  PID 1276 wrote to memory of 2416       1276  (no process name recorded)   sethc.exe                (listed 3 times)
  PID 1276 wrote to memory of 1008       1276  (no process name recorded)   DevicePairingWizard.exe  (listed 3 times)
  PID 1276 wrote to memory of 1868       1276  (no process name recorded)   DevicePairingWizard.exe  (listed 3 times)

- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

- C:\Windows\system32\rundll32.exe (PID 2128)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7a3a76153e2caa54fc663d0fdc121d17.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses

- C:\Windows\system32\javaws.exe (PID 1876)
  command line: C:\Windows\system32\javaws.exe

- C:\Users\Admin\AppData\Local\ZXcjph763\javaws.exe (PID 108)
  command line: C:\Users\Admin\AppData\Local\ZXcjph763\javaws.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

- C:\Windows\system32\sethc.exe (PID 1668)
  command line: C:\Windows\system32\sethc.exe

- C:\Users\Admin\AppData\Local\F27T8lB6\sethc.exe (PID 2416)
  command line: C:\Users\Admin\AppData\Local\F27T8lB6\sethc.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

- C:\Windows\system32\DevicePairingWizard.exe (PID 1008)
  command line: C:\Windows\system32\DevicePairingWizard.exe

- C:\Users\Admin\AppData\Local\scHWaI\DevicePairingWizard.exe (PID 1868)
  command line: C:\Users\Admin\AppData\Local\scHWaI\DevicePairingWizard.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
Downloads