Analysis
max time kernel: 152s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-01-2024 06:25
Static task: static1
Behavioral task: behavioral1
Sample: 7c6145fc88e55d7bac1db14f71a9f30c.dll
Resource: win7-20231215-en
General
Target: 7c6145fc88e55d7bac1db14f71a9f30c.dll
Size: 1.6MB
MD5: 7c6145fc88e55d7bac1db14f71a9f30c
SHA1: b799ed57dd7fcd9ab9cfe839a89f4cf802460e05
SHA256: 0d2b503372e4dc3d29a19e708d6309e96fc04a5845900e890b883a4af1e22bb2
SHA512: 02fcd9932d8464e0c88e5aaf4bca5658ff89cd1aa26c80f4ae30b410fc22d03beb63994591d7b7e2d88ead258a17d30d11007c01cf3d35dd9c755455a498aa17
SSDEEP: 12288:4VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:tfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
-
Processes (resource, yara_rule):
behavioral2/memory/3524-4-0x0000000003060000-0x0000000003061000-memory.dmp | dridex_stager_shellcode
Executes dropped EXE 3 IoCs
Processes (pid, process):
2244 dwm.exe
4512 tabcal.exe
2216 dccw.exe
Loads dropped DLL 6 IoCs
Processes (pid, process):
2244 dwm.exe
2244 dwm.exe
2244 dwm.exe
2244 dwm.exe
4512 tabcal.exe
2216 dccw.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes (description, ioc; the process column is empty in the report):
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\PRINTE~1\\Y7\\tabcal.exe"
Checks whether UAC is enabled
Processes (description, ioc, process):
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | dccw.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | dwm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | tabcal.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid, process):
1416 rundll32.exe (6 entries)
3524 (all remaining entries; no process name recorded for this PID)
Suspicious use of UnmapMainImage 1 IoCs
Processes (pid, process):
3524 (no process name recorded for this PID)
Suspicious use of WriteProcessMemory 12 IoCs
Processes (description, pid, target process; the process column for PID 3524 is empty in the report):
PID 3524 wrote to memory of 652 | 3524 | dwm.exe
PID 3524 wrote to memory of 652 | 3524 | dwm.exe
PID 3524 wrote to memory of 2244 | 3524 | dwm.exe
PID 3524 wrote to memory of 2244 | 3524 | dwm.exe
PID 3524 wrote to memory of 2020 | 3524 | tabcal.exe
PID 3524 wrote to memory of 2020 | 3524 | tabcal.exe
PID 3524 wrote to memory of 4512 | 3524 | tabcal.exe
PID 3524 wrote to memory of 4512 | 3524 | tabcal.exe
PID 3524 wrote to memory of 4244 | 3524 | dccw.exe
PID 3524 wrote to memory of 4244 | 3524 | dccw.exe
PID 3524 wrote to memory of 2216 | 3524 | dccw.exe
PID 3524 wrote to memory of 2216 | 3524 | dccw.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
Path: C:\Windows\system32\rundll32.exe
Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7c6145fc88e55d7bac1db14f71a9f30c.dll,#1
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1416
-
Path: C:\Windows\system32\dwm.exe
Command line: C:\Windows\system32\dwm.exe
PID:652
-
Path: C:\Users\Admin\AppData\Local\sM1H\dwm.exe
Command line: C:\Users\Admin\AppData\Local\sM1H\dwm.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2244
-
Path: C:\Windows\system32\tabcal.exe
Command line: C:\Windows\system32\tabcal.exe
PID:2020
-
Path: C:\Users\Admin\AppData\Local\rDs\tabcal.exe
Command line: C:\Users\Admin\AppData\Local\rDs\tabcal.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4512
-
Path: C:\Windows\system32\dccw.exe
Command line: C:\Windows\system32\dccw.exe
PID:4244
-
Path: C:\Users\Admin\AppData\Local\R3iKU8XX\dccw.exe
Command line: C:\Users\Admin\AppData\Local\R3iKU8XX\dccw.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2216
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 101KB
MD5: cb9374911bf5237179785c739a322c0f
SHA1: 3f4d3dd3d58c9f19dfbb414ded16969ebd9f74b9
SHA256: f7f3300b78148a34f6a35796c777a832b638b6d3193e11f4a37f45d4c6dfa845
SHA512: 9d47521538148b1823c0a17baa86ddf932f06f46d5d8b63fa87b2cc220fb98ce3f933e32d771222937bb8e41c88030839d489d1cd78b062bffeb2980dc6864be
-
Filesize: 1.6MB
MD5: 45578b1d86f6a6f8c4eca7e716e6e3fa
SHA1: 82c555590f63db2394d97363b905604502caad7f
SHA256: 6b9f0f29d2c150fafebbbeeb4acf960549da235aeb1ad855dd220d37bf99b54e
SHA512: 2faa4760eb5c7d9fd55cdf383d645554f8dfbf55227365ac81bdb394a727b7c82f1e6cdc4aeb348a7478abc543281e5da2436aa1e210e7eb5be41826c4bab387
-
Filesize: 1.6MB
MD5: fa87db1abd4904173d0d203f561c43d6
SHA1: 96b5c50922e65c0a16b016c678ea5e9477f5dc19
SHA256: 32602c9f7506484917ef9ae166b76f71e52bb18cc40314b87cba1c9a4cccf89a
SHA512: c573bd4c0bb6bfeabafbcb7043a38f7ad30ba6a56abcb505af509a1cebb3add3ef79959557e7c49438c9c4c02b3bc9f322ab8e88e6a784f091d3dcc6d4282bde
-
Filesize: 84KB
MD5: 40f4014416ff0cbf92a9509f67a69754
SHA1: 1798ff7324724a32c810e2075b11c09b41e4fede
SHA256: f31b4c751dbca276446119ba775787c3eb032da72eabcd40ad96a55826a3f33c
SHA512: 646dfe4cfe90d068c3da4c35f7053bb0f57687875a0f3469c0683e707306e6a42b0baca3e944d78f9be5c564bb0600202c32c223a770f89d3e2b07a24673c259
-
Filesize: 92KB
MD5: 5c27608411832c5b39ba04e33d53536c
SHA1: f92f8b7439ce1de4c297046ed1d3ff9f20bc97af
SHA256: 0ac827c9e35cdaa492ddd435079415805dcc276352112b040bcd34ef122cf565
SHA512: 1fa25eabc08dff9ea25dfa7da310a677927c6344b76815696b0483f8860fa1469820ff15d88a78ed32f712d03003631d9aceaf9c9851de5dd40c1fc2a7bc1309
-
Filesize: 1.6MB
MD5: c519942b597381e9b70d9a30247251a7
SHA1: b0bc70255e4db35b850ae46176c92708cef0d681
SHA256: f6e8d036d4969a1d4c0cc6e27a2966fe0f8f4dfe776820caed7a5154e2f73fca
SHA512: 0f349b510cbe96df7ddc11dd99eea9b0966d343fc3c641f84066cc3d27fe54733b3c76ed54db27d916e24a0f24ac1eed101346f54bd76645f5d3191b8d7524ce
-
Filesize: 1KB
MD5: 5abfd25ac1e6fea0ecb50a5d2e80a29a
SHA1: f9647e2ca670269669b35f6ded4ca6a4fd756893
SHA256: 519b0c569e6b857a995ead2ccbc6ba66818ed464660ad6e7fe4bd0666a9ddced
SHA512: c1bc76624900264b90f1671e26dccd8ad91bca141f2b9a7a9b5160987df2386123559b1bd53ce4402ba3e50bae443d4a7e528588a7632e59f43bbc82514b4404