Analysis
- max time kernel: 151s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-01-2024 15:21
Static task: static1
Behavioral task: behavioral1
Sample: 7a96d67a18be2760a733a25afcbe0987.dll
Resource: win7-20231215-en
General
- Target: 7a96d67a18be2760a733a25afcbe0987.dll
- Size: 1.5MB
- MD5: 7a96d67a18be2760a733a25afcbe0987
- SHA1: 2f8a7ab45bfa0fc5af4ebd3a32788c4d2b70d39c
- SHA256: 322fdc6d77dfe2aaf96c4075f9798da0709dc4418400f9c15171be24360fed1c
- SHA512: 52af3bdb3f5c190049950843159200d683f396f366f74428b9cfde0ce524c4b29a6307b1d70842abaebc2b3b37b4236631743e106bc4da1633a020cec0180007
- SSDEEP: 12288:IVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1rUQ:dfP7fWsK5z9A+WGAW+V5SB6Ct4bnbr
Malware Config
Signatures
-
Processes:
resource: behavioral2/memory/3524-4-0x0000000003060000-0x0000000003061000-memory.dmp
yara_rule: dridex_stager_shellcode
Executes dropped EXE 3 IoCs
Processes (pid, process):
- 3380 sethc.exe
- 892 tabcal.exe
- 3756 SystemPropertiesComputerName.exe
Loads dropped DLL 3 IoCs
Processes (pid, process):
- 3380 sethc.exe
- 892 tabcal.exe
- 3756 SystemPropertiesComputerName.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes (description, ioc, process):
- Set value (str): \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\5mpUklxar\\tabcal.exe" (process not recorded)
Checks whether UAC is enabled
Processes (description, ioc, process):
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by sethc.exe
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by tabcal.exe
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by SystemPropertiesComputerName.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid, process):
- 1776 regsvr32.exe (4 entries)
- 3524 (60 entries; process name not recorded)
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes (description, pid, process):
- Token: SeShutdownPrivilege, pid 3524 (4 entries; process name not recorded)
- Token: SeCreatePagefilePrivilege, pid 3524 (4 entries; process name not recorded)
Suspicious use of FindShellTrayWindow 2 IoCs
Processes (pid, process):
- 3524 (2 entries; process name not recorded)
Suspicious use of UnmapMainImage 1 IoCs
Processes (pid, process):
- 3524 (process name not recorded)
Suspicious use of WriteProcessMemory 12 IoCs
Processes (description, pid, process, target process):
- PID 3524 wrote to memory of 4944, target sethc.exe (2 entries)
- PID 3524 wrote to memory of 3380, target sethc.exe (2 entries)
- PID 3524 wrote to memory of 4528, target tabcal.exe (2 entries)
- PID 3524 wrote to memory of 892, target tabcal.exe (2 entries)
- PID 3524 wrote to memory of 680, target SystemPropertiesComputerName.exe (2 entries)
- PID 3524 wrote to memory of 3756, target SystemPropertiesComputerName.exe (2 entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\regsvr32.exe
Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\7a96d67a18be2760a733a25afcbe0987.dll
PID: 1776
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\sethc.exe
Command line: C:\Windows\system32\sethc.exe
PID: 4944
-
C:\Users\Admin\AppData\Local\7NrsZvKmB\sethc.exe
Command line: C:\Users\Admin\AppData\Local\7NrsZvKmB\sethc.exe
PID: 3380
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
-
C:\Windows\system32\tabcal.exe
Command line: C:\Windows\system32\tabcal.exe
PID: 4528
-
C:\Users\Admin\AppData\Local\ATBugJZ\tabcal.exe
Command line: C:\Users\Admin\AppData\Local\ATBugJZ\tabcal.exe
PID: 892
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
-
C:\Windows\system32\SystemPropertiesComputerName.exe
Command line: C:\Windows\system32\SystemPropertiesComputerName.exe
PID: 680
-
C:\Users\Admin\AppData\Local\86Q5p7Uu\SystemPropertiesComputerName.exe
Command line: C:\Users\Admin\AppData\Local\86Q5p7Uu\SystemPropertiesComputerName.exe
PID: 3756
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 1.5MB
MD5: 2ba35f78dc89d5a48b42065ac7e87842
SHA1: ce712bdf3645e74f74d11535d1aceeec53ef74c8
SHA256: 6a745be285b5e063d5be02c60483fd400109b015560c805774015ce65866578e
SHA512: 4c60868fafd707bac36af28627fd3ebd80e32c7d049ca3e209cc2b1682be2e1fc47c4fd0f03f5c2b3a857922c10b2a8c9b070f29e7a8f47783c40cab3ef6856a
-
Filesize: 104KB
MD5: 8ba3a9702a3f1799431cad6a290223a6
SHA1: 9c7dc9b6830297c8f759d1f46c8b36664e26c031
SHA256: 615b2f2d7e3fce340839a9b54bdc3445eb2333d0fafee477d6113379e90935b8
SHA512: 680c216d54f4fd2a14f0398e4461c8340ac15acdca75c36a42083625e1081d5e7d262c4c12296b6f21ba2f593f92816edf1c9a0cf4cbee23588e590713b87746
-
Filesize: 1.5MB
MD5: 16069e7e4a5b27d164a91239c05d1e67
SHA1: 6493e8c243a12e8b4bba2be9367d5cdffbe418f9
SHA256: 6e9498ac882d319058758f41338b7fd439986b04341fcddc92451d7747135d5a
SHA512: fbf871a952db62c09d11aebfb314d64ae16caf1b73b795b561d4f8919bbe426564ffbefa772a1001bfbfd34ae6778c2e08528419657b6ed3d0c6c9aca3be359e
-
Filesize: 82KB
MD5: 6711765f323289f5008a6a2a04b6f264
SHA1: d8116fdf73608b4b254ad83c74f2232584d24144
SHA256: bd3a97327326e2245938ec6099f20059b446ff0fe1c10b9317d15d1a1dd5331e
SHA512: 438abd282d9d1c0e7e5db2ce027ff9522c3980278b32b2eae09c595884a8dcbfd5178bc5926b1d15f03174303382e13f5d5ecab9a5d8e31fc07ef39e66c012e8
-
Filesize: 1.5MB
MD5: c5ccd7450e9094a8e99c8c33a75d8dc9
SHA1: a6ed1f089ac9957b65c3e1a65ca29a4969ad5642
SHA256: e37fea720b935433e3a3c55ba2d2dc86e404ee6e754df314022f0c74d3b0569b
SHA512: 2acd911197ef4a1364e793dee8b7c0296df6215eccaf174d2c21fa75767c842abc80211f697c076a3e5dbaa6cdde28d6a0226309d8e98fe317c23fa70d1054c7
-
Filesize: 84KB
MD5: 40f4014416ff0cbf92a9509f67a69754
SHA1: 1798ff7324724a32c810e2075b11c09b41e4fede
SHA256: f31b4c751dbca276446119ba775787c3eb032da72eabcd40ad96a55826a3f33c
SHA512: 646dfe4cfe90d068c3da4c35f7053bb0f57687875a0f3469c0683e707306e6a42b0baca3e944d78f9be5c564bb0600202c32c223a770f89d3e2b07a24673c259
-
Filesize: 64KB
MD5: f775f99812e3478654cfe51c7624a3e1
SHA1: 596a9265f299a6d2fcf9a6f26f34a16fc0381d43
SHA256: 58d03f748eea6b8ee9defdb3e4822682550afb5437fbdd234e0752e90d785caf
SHA512: 15c84af025ed5e54e3bf746a45c0d5b4347082cd09cd2298d604db255f6fa91b7b9f03dfb52cf3613c7fbd2e1c1935a34d11ac3ad8903b8ca25ef88dd6ce2b30
-
Filesize: 1KB
MD5: b909a4689c2fcd8f4689a9c7bc536e38
SHA1: 8e424ecd6c805a20fb1eae1664f48e670fae25fb
SHA256: f7450145caa4d07b5831b65331c4b22fed481efbd6f33e545e633ae00697b3ce
SHA512: b103becd10162f4b8cdac6d9e42cf916f365cd7a1c762fcdd056d4cb9d58b962ebd7d93a599a3614aa3fda20b7feed8f8bb995526f07673a64c0df5923d0e5d8