Analysis
- Max time kernel: 150s
- Max time network: 125s
- Platform: windows7_x64
- Resource: win7-20231215-en
- Resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- Submitted: 28-01-2024 06:42
Static task: static1
Behavioral task: behavioral1
- Sample: 7c6984424b8af070581e59a97ed874d6.dll
- Resource: win7-20231215-en
General
- Target: 7c6984424b8af070581e59a97ed874d6.dll
- Size: 1.7MB
- MD5: 7c6984424b8af070581e59a97ed874d6
- SHA1: 2a8e3182c1dbd840a4b040d12f0cddb218ea055c
- SHA256: abe02436407d423ba7d2ee6fb54b60261b85fb70c076afc60d906b1b4a5f569a
- SHA512: 1362191bdc99468b21ee2b9060835afe60d345062d0806028ef5959535f4e03d29c0fae11a893ab0307afa7f5708005dd4fc61784ab4b31f4ec89e069bfe21ff
- SSDEEP: 12288:UVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:RfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
- YARA rule match: dridex_stager_shellcode
  Resource: behavioral1/memory/1260-5-0x00000000029A0000-0x00000000029A1000-memory.dmp
- Executes dropped EXE (3 IoCs)
  PID 2172 SystemPropertiesPerformance.exe
  PID 2960 rekeywiz.exe
  PID 1964 WFS.exe
- Loads dropped DLL (7 IoCs)
  PID 1260
  PID 2172 SystemPropertiesPerformance.exe
  PID 1260
  PID 2960 rekeywiz.exe
  PID 1260
  PID 1964 WFS.exe
  PID 1260
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\Srfjajs = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\USERPI~1\\IMPLIC~1\\YSQ67Sam\\rekeywiz.exe"
- Checks whether UAC is enabled
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by SystemPropertiesPerformance.exe
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by rekeywiz.exe
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by WFS.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  regsvr32.exe (PID 1980): 3 entries
  PID 1260: all remaining entries
- Suspicious use of WriteProcessMemory (18 IoCs)
  PID 1260 wrote to memory of PID 2284 (SystemPropertiesPerformance.exe): 3 entries
  PID 1260 wrote to memory of PID 2172 (SystemPropertiesPerformance.exe): 3 entries
  PID 1260 wrote to memory of PID 2844 (rekeywiz.exe): 3 entries
  PID 1260 wrote to memory of PID 2960 (rekeywiz.exe): 3 entries
  PID 1260 wrote to memory of PID 2160 (WFS.exe): 3 entries
  PID 1260 wrote to memory of PID 1964 (WFS.exe): 3 entries
- Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\regsvr32.exe (PID 1980)
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\7c6984424b8af070581e59a97ed874d6.dll
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\SystemPropertiesPerformance.exe (PID 2284)
  Command line: C:\Windows\system32\SystemPropertiesPerformance.exe
- C:\Users\Admin\AppData\Local\P2F0hAd1\SystemPropertiesPerformance.exe (PID 2172)
  Command line: C:\Users\Admin\AppData\Local\P2F0hAd1\SystemPropertiesPerformance.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\rekeywiz.exe (PID 2844)
  Command line: C:\Windows\system32\rekeywiz.exe
- C:\Users\Admin\AppData\Local\LsMZ\rekeywiz.exe (PID 2960)
  Command line: C:\Users\Admin\AppData\Local\LsMZ\rekeywiz.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\WFS.exe (PID 2160)
  Command line: C:\Windows\system32\WFS.exe
- C:\Users\Admin\AppData\Local\xi3\WFS.exe (PID 1964)
  Command line: C:\Users\Admin\AppData\Local\xi3\WFS.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\YSQ67Sam\slc.dll
  Filesize: 595KB
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Sf1tAtG\WFS.exe
  Filesize: 363KB
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Sf1tAtG\credui.dll
  Filesize: 1.7MB
- \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Sf1tAtG\WFS.exe
  Filesize: 304KB